Block Guest access to the upstream router, but allow IPv4+IPv6 internet

Hi,

I'm a new OpenWrt user, and I would like to ask for suggestions on a firewall configuration that blocks access to the upstream ISP router but allows IPv4+IPv6 internet.
Both IPv4 and IPv6 are available from my ISP, which adds complexity to the firewall configuration since I would like to keep IPv6 traffic.

My network:
====|ISP router (192.168.100.1)|---LAN=====WAN---|OpenWrt router (192.168.1.1)|

  • ISP router: used for IoT device connections only.
  • OpenWrt router: there are 2 VLANs on the OpenWrt router: LAN and Guest.

Requirements:

  1. Guest VLAN should be totally blocked from accessing the LAN.
  2. Guest VLAN should be totally blocked from accessing the ISP router (incl. IoT devices).
  3. Guest VLAN should have unrestricted access to the IPv4+IPv6 internet.

Here is my current firewall config, but I'm not sure if it's correct/optimal and if it really blocks IPv6 traffic to the upstream router (it seems like I'm blocking only link-local, but I do not know how to block access to ULA, and probably GUA, addresses of the devices behind the ISP router).

config rule
	option name 'Block-Guest-to-Upstream devices'
	option src 'GUEST'
	list proto 'all'
	list dest_ip '192.168.100.0/24'
	list dest_ip 'fe80::/10'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Allow-Guest-to-Internet'
	list proto 'all'
	option src 'GUEST'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option name 'Block-Guest-to-All_networks'
	list proto 'all'
	option src 'GUEST'
	option dest '*'
	option target 'DROP'

So, any suggestions for the firewall configuration are highly appreciated.

It's easy, I already do it with my router. Go to Firewall > Traffic Rules, then create a new rule:

10.88 is the main network.
192.168.100.0 is the IP of the modem.
fd is the IPv6 of the main network.
Easy.

But why are you blocking ULA from Guest to the main network only (fd88::/64)?
Shouldn't you block ULA to the modem as well, like fc00::/7 instead of fd88::/64 in your example?

Also, why are you not blocking link-local fe80::/10?

Also, what about this: :thinking:

config rule
	option name 'Allow-Guest-to-Internet'
	list proto 'all'
	option src 'GUEST'
	option dest 'wan'
	option target 'ACCEPT'

config rule
	option name 'Block-Guest-to-All_networks'
	list proto 'all'
	option src 'GUEST'
	option dest '*'
	option target 'DROP'

Do I need the 'Block-Guest-to-All_networks' firewall rule if I already have a restriction at the zone level?

Guys, please suggest.

It's because my fd88::/64 ULA has servers running on it and I don't want guests to access any of my servers.

I never thought of adding it to the firewall, it is there now :grinning:

But I guess you also don't want your guests to access your modem's ULA addresses, right? But I do not see you blocking this anywhere.
Moreover, fc00::/7 should cover the whole ULA range (incl. your fd88::/64), shouldn't it?

OK, based on the discussion above, I think that I can replace all 3 of my initial firewall rules for the Guest network with this one (thanks @openwrtforever for the idea):


I do not have any proof that it's a best-practice rule (feel free to correct me if I'm wrong).
But at least this rule looks elegant and explicitly blocks:

  • access to the modem network via IPv4 (192.168.100.0/24),
  • access to the main network via IPv4 (192.168.1.0/24),
  • access to any IPv6 ULA addresses, regardless of where and on what network they exist outside of the Guest network (fc00::/7),
  • access to any IPv6 link-local addresses (fe80::/10).
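As an added example (not from the thread or from OpenWrt itself), the Python below models the first-match evaluation of `config rule` blocks in the format used in this thread and shows which guest destinations each rule set drops. It embeds the poster's first two rules, abridged to the options it models, plus a constructed merged rule naming the four prefixes listed above; `evaluate` returning `None` means no rule matched and the zone forwarding policy decides.

```python
# Added example, not from the thread: first-match evaluator for `config rule`
# blocks (src/dest/dest_ip/target only); rules apply in file order, first match wins.
import ipaddress
import re

# The poster's first two rules, abridged to the options modelled here.
OP_RULES = """config rule
	option src 'GUEST'
	list dest_ip '192.168.100.0/24'
	list dest_ip 'fe80::/10'
	option dest 'wan'
	option target 'DROP'
config rule
	option src 'GUEST'
	option dest 'wan'
	option target 'ACCEPT'
"""
# Constructed single DROP rule naming the four prefixes the thread ends with.
MERGED_RULE = """config rule
	option src 'GUEST'
	option dest '*'
	list dest_ip '192.168.100.0/24'
	list dest_ip '192.168.1.0/24'
	list dest_ip 'fc00::/7'
	list dest_ip 'fe80::/10'
	option target 'DROP'
"""

def parse_rules(text):
    """Parse `config rule` blocks; dest_ip values become ip_network objects."""
    rules = []
    for block in text.split("config rule")[1:]:
        rule = {"dest_ip": []}
        for key, value in re.findall(r"(?:option|list)\s+(\S+)\s+'([^']*)'", block):
            if key == "dest_ip":
                rule["dest_ip"].append(ipaddress.ip_network(value, strict=False))
            else:
                rule[key] = value
        rules.append(rule)
    return rules

def evaluate(rules, src_zone, dest_zone, dest_ip):
    """Target of the first matching rule (None if none). dest_ip matches any
    listed network of the address's family; other-family-only lists never match."""
    addr = ipaddress.ip_address(dest_ip)
    for r in rules:
        zones_ok = r.get("src") in (src_zone, "*") and r.get("dest") in (dest_zone, "*")
        nets = [n for n in r["dest_ip"] if n.version == addr.version]
        if zones_ok and (not r["dest_ip"] or any(addr in n for n in nets)):
            return r["target"]
    return None
```

With the poster's original rules a ULA destination such as fd88::1 falls through to the ACCEPT rule, while the merged rule drops it and leaves GUA and public IPv4 destinations to the zone forwarding policy.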

I would suggest REJECT instead of DROP since it immediately terminates the connection instead of waiting a couple of minutes for a timeout.

For the main LAN network - agree.
But for the Guest network - no. The goal is to make things as intricate and as limited as possible for the Guest network. :slightly_smiling_face: