Block every connection from behind the router

Installing and Using OpenWrt Network and Wireless Configuration
1

Hello,

on a well working OpenWRT/Lede Router (Reboot (17.01.4), TL-WR84LN/ND v9, fresh installation) I try to block every connections from behind the router (LAN, WLAN, one client connected per LAN, one per WLAN). But it doesnt work. I add a rule in Luci, the last entry from /etc/config/firewall is:

config rule
        option name 'Block-all-outgoing'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option proto 'all'

but the clients can access the internet. Any ideas?

My goal is, to log every port, a client behind OpenWRT uses. I try to block everything and then i open every port, a application needs to work.

Wilfried

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda6:96e6:17c9::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0'
2

Likely one (or both) reasons:

  • Your default zone configurations still allows LAN-to-WAN forwarding, in this case, that rule was met first
  • You have higher rules in /etc/config/firewall that were met, above this rule

iptables rules are encountered and processed by the Kernel IN ORDER.

OK, this should work, as long as your default forwarding is disabled.

And...might I suggest using softflowd. Using that, you can simply permit traffic you wish, and you can see any and all traffic, on IP-based datagrams reaching the selected interface (e.g. br-lan). This may be less CPU-intensive than using iptables for the logging.

1 Like
3

Thank you very much, softflowd is the best solution.

1 Like