Block Guest Wi-Fi from Accessing LuCI Login?

Hi folks!

Been chasing tutorials here, on YT, etc. trying to build out an isolated guest Wi-Fi network that can use internet but not interact with other machines on my network. What I can't seem to figure out how to do is block users on the Guest Wi-Fi from having access to the LuCI login page... It seems to be visible despite the universal block on the Firewall rules.

Below is my setup. Any ideas?

image

image

In addition, I don't know how to create an bridge device that is just my two guest Wi-Fi virtual radios, which is why this is only set up with my 5GHz radio right now... Would love to know how to set up these rules just once for both 2.4GHz and 5GHz...

Thanks for the help and advice!

1 Like

while not beutiful but you could try blocking it by source ip address for that guest wifi

with your fw config, your Guest vlans should be already isolated with access to anywhere except the internet.
Please try /etc/init.d/firewall reload , and if that doesn't help, post the output for the following:

  • ubus call system board; uci export network; uci show wireless;
    do not forget to mask sensitive information
2 Likes

Is this your main/only router, or do you have another router in the network? That affects how this would be configured and even the physics connections.

2 Likes

Main router - connected to cable internet modem with no routing capability (single ethernet port, no wi-fi) for internet thru "wan" interface. Plan to have privileged devices on "lan" interface (ethernet and non-guest wi-fi) and most everything else on "guest" unless I need special exceptions for "iot". How does that change things?

Ok. So your guest network should generally work. Remove the extra firewall rule “guest-block-input” as it is not necessary.

Your guest network should have normal connectivity but it will not be able to reach the lan.

Is it not working properly?

Ability to get to the LuCI login from my phone while on the Guest Wi-Fi persisted after a router reboot... Haven't tried @alexq's reload command yet.

In short, the blocking of the login page (when keying in the IP directly into browser) isn't working - I still get the login prompt.

Are you positive you are on the right network?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Just re-confirmed via guest wi-fi on my phone - can log in and access LuCI... I appreciate the help!

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'REDACTED'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'GUEST'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'
        option device 'wlan1-1'

config interface 'IOT'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        option device 'br-lan'
root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/18000000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'REDACTED'
        option ssid 'Broken Arrow 2.4GHz'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1a143000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key 'REDACTED'
        option ssid 'Broken Arrow 5GHz'

config wifi-iface 'wifinet2'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Broken Arrow Guest 2.4GHz'
        option encryption 'psk2'
        option network 'GUEST'
        option key 'REDACTED'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Broken Arrow Guest 5GHz'
        option encryption 'psk2'
        option network 'GUEST'
        option key 'REDACTED'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5054'
        option noresolv '1'
        option doh_backup_noresolv '-1'
        list doh_backup_server '/use-application-dns.net/'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'GUEST'
        option interface 'GUEST'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '150'
        option leasetime '12h'
root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'GUEST'

config zone
        option name 'iot'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IOT'

config forwarding
        option src 'lan'
        option dest 'iot'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest-DHCP-DNS'
        option src 'guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'Guest-Block-Input'
        option src 'guest'
        option target 'REJECT'

Tried the reload, but no dice... Assume your ubus/uci calls are getting the same info I provided to @psherman if that provides any additional clues. Thanks for the suggestions...

Since you have the guest network on two radios (radio0 and radio1), you need it to be part of a bridge.

Create the following bridge for your guest network

config device
        option name 'br-guest'
        option type 'bridge'

The option device wlan1-1 should not be used in the network config (ever -- it doesn't belong there in general)... instead, replace it with br-guest:

config interface 'GUEST'
        option proto 'static'
        option ipaddr '10.20.30.40'
        option netmask '255.255.255.0'
        option device 'br-guest'

The IOT network should not be bridged against the br-lan. Remove that line.

If you want t your IOT network to also be unable to access the router itself, change the input rule below to REJECT.

This rule can be removed. It is not necessary.

I don't see the IOT network active on a wireless network. How do IoT devices connect? Is it via ethernet? Or a future wireless network configuration?

After making the recommended changes, restart your router and then test again.

3 Likes

Appreciate the recommendations! Clarifying question:

For the br-guest bridge, do I need to list ports for the two guest Wi-Fi radios (wlan0-1 and wlan1-1)? These are my public names for the guest Wi-Fi at 2.4GHz and 5GHz...

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'wlan0-1'
        list ports 'wlan1-1'

The IOT stuff was incomplete - I was trying to get Guest Wi-Fi working first... The 'iot' interface was going to handle stuff like Wi-Fi switches, security cameras, and other smart-home type things. Might need access to a home server on 'lan' in future if I self-host.

No. Never here. Create the bridge exactly as I described earlier.

1 Like

Ok, done and it... works?

It seems it knows to connect the guest radios to the bridge because GUEST network is specified in the settings for the wireless... I don't fully understand why we needed, essentially, a "dumb" device to make this work, but I will take it! Thank you for your help!

Glad it is working!

I don't know the history or technical reasons behind why the radios are not specified in the network file in a bridge or interface definition, but instead, OpenWrt's config has you specify the network to which the radio should attach in the wireless config file.

Regarding the 'dumb device' bridge -- A bridge is basically the software equivalent of a switch... without it you can only make a single logical connection. If you want to connect just a single radio and no ethernet ports (or no radios and only a single logical ethernet port), you don't need to even define a bridge. But if you want to connect multiple radios or radio + ethernet, you must create a bridge for this to function. That bridge, in turn, allows the radios to both connect to the same network.

2 Likes

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.