I'm a new OpenWrt user, and I would like to ask for suggestions on a firewall configuration that blocks access to the upstream ISP router but allows IPv4+IPv6 internet.
Both IPv4 and IPv6 are available from my ISP, and this adds complexity to the firewall configuration since I would like to keep IPv6 traffic.
My network:
====|ISP router (192.168.100.1)|---LAN=====WAN---|OpenWrt router (192.168.1.1)|
ISP router: used for IoT device connections only.
OpenWrt router: there are 2 VLANs on the OpenWrt router: LAN and Guest.
Requirements:
Guest VLAN should be totally blocked from accessing the LAN.
Guest VLAN should be totally blocked from accessing the ISP router (incl. IoT devices).
Guest VLAN should have unrestricted access to the IPv4+IPv6 internet.
Here is my current firewall config, but I'm not sure if it's correct/optimal and if it really blocks IPv6 traffic to the upstream router (it seems like I'm blocking only link-local, but I do not know how to block access to ULA, and probably GUA, addresses of the devices behind the ISP router).
config rule
	option name 'Block-Guest-to-Upstream devices'
	option src 'GUEST'
	list proto 'all'
	list dest_ip '192.168.100.0/24'
	list dest_ip 'fe80::/10'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Allow-Guest-to-Internet'
	list proto 'all'
	option src 'GUEST'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option name 'Block-Guest-to-All_networks'
	list proto 'all'
	option src 'GUEST'
	option dest '*'
	option target 'DROP'
So, any suggestions for the firewall configuration are highly appreciated.
But why are you blocking ULA from Guest to the main network only (fd88::/64)?
Shouldn't you block ULA to the modem as well, i.e. fc00::/7 instead of the fd88::/64 in your example?
Also, why are you not blocking link-local fe80::/10?
config rule
	option name 'Allow-Guest-to-Internet'
	list proto 'all'
	option src 'GUEST'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option name 'Block-Guest-to-All_networks'
	list proto 'all'
	option src 'GUEST'
	option dest '*'
	option target 'DROP'

Do I need the 'Block-Guest-to-All_networks' firewall rule if I already have the restriction at the zone level:
But I guess you also don't want your guests to access your modem's ULA addresses, right? I do not see you blocking this anywhere.
Moreover, fc00::/7 should cover the whole ULA range (incl. your fd88::/64), shouldn't it?
OK, based on the discussion above, I think that I can replace all 3 of my initial firewall rules for the Guest network with this one (thanks @openwrtforever for the idea):
I do not have any proof that it's a best-practice rule (feel free to correct me if I'm wrong).
But at least this rule looks elegant and explicitly blocks:
access to the modem network via IPv4 (192.168.100.0/24),
access to the main network via IPv4 (192.168.1.0/24),
access to any IPv6 ULA addresses regardless of where and on what network they exist outside of the Guest network (fc00::/7),
access to any IPv6 link-local addresses (fe80::/10)
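To see why the thread's consolidated block list closes the ULA gap in the original three rules, here is an added example (not from the thread or from OpenWrt) that replays both rule sets, in fw4's top-down first-match order, against constructed Guest-to-wan destination addresses. It models only traffic forwarded from the Guest zone toward wan; the Guest-to-LAN block handled at the zone level is out of scope, and the ULA address on the ISP router side (fd00:1234::1) is a constructed placeholder.

```python
import ipaddress

# Each rule: (name, dest_ip prefixes it matches (empty list = any address), target).
# fw4 walks the zone's forward chain top-down; the first matching rule decides.
# Rule sets below are transcribed from the thread's posts.
ORIGINAL_RULES = [
    ("Block-Guest-to-Upstream devices", ["192.168.100.0/24", "fe80::/10"], "DROP"),
    ("Allow-Guest-to-Internet", [], "ACCEPT"),          # option dest 'wan', any address
    ("Block-Guest-to-All_networks", [], "DROP"),         # option dest '*'
]

# The single DROP rule described in the last post, followed by the same ACCEPT to wan.
CONSOLIDATED_RULES = [
    ("Block-Guest-to-Private", ["192.168.100.0/24", "192.168.1.0/24",
                                "fc00::/7", "fe80::/10"], "DROP"),
    ("Allow-Guest-to-Internet", [], "ACCEPT"),
]


def evaluate(rules, dest):
    """Return (rule name, target) for the first rule matching a destination address.

    A 'list dest_ip' entry matches if the address falls into ANY listed prefix;
    ipaddress silently returns False for an IPv4 address tested against an IPv6 net.
    """
    addr = ipaddress.ip_address(dest)
    for name, prefixes, target in rules:
        nets = [ipaddress.ip_network(p) for p in prefixes]
        if not nets or any(addr in n for n in nets):
            return name, target
    # No rule matched: assume the zone's default forward policy is DROP (assumption).
    return None, "DROP"


# Constructed destinations reachable via the wan zone (labels are for the reader).
SAMPLES = {
    "192.168.100.20": "IoT device behind the ISP router",
    "fd00:1234::1": "constructed ULA address on the ISP router side",
    "fe80::1": "link-local neighbour on the wan segment",
    "2001:db8::1": "IPv6 internet host (documentation prefix)",
    "203.0.113.1": "IPv4 internet host (TEST-NET-3)",
}


def compare():
    """Map each sample destination to (original target, consolidated target)."""
    return {d: (evaluate(ORIGINAL_RULES, d)[1], evaluate(CONSOLIDATED_RULES, d)[1])
            for d in SAMPLES}


if __name__ == "__main__":
    for dest, (orig, new) in compare().items():
        print(f"{dest:16} original={orig:6} consolidated={new:6}  # {SAMPLES[dest]}")
```

Running it shows the one row that differs: the ULA destination is ACCEPTed by the original rules (only fe80::/10 and 192.168.100.0/24 were listed) and DROPped once fc00::/7 is in the list, while GUA and IPv4 internet traffic is accepted by both.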