Hi there!
Since this still has no proper answer I decided to post what I did.
My config is different, more complex, but works nonetheless.
I am running trunk/snapshot on a TP-LINK ARCHER C7 AC1750 v4.
My config is setting 4 VLANs, while also using the original LAN and WiFi networks.
So we have these interfaces:
- LAN: Port1 Eth + main dual WIFI (WiFi2.4GHz + WiFi5GHz) (10.0.0.1)
- guest: secondary dual WIFI (WiFi2.4GHz + WiFi5GHz) (10.0.95.1)
- VLAN_ETH2: Port2 Eth (10.0.20.1)
- VLAN_ETH3: Port3 Eth (10.0.30.1)
- VLAN_ETH4: Port4 Eth (10.0.40.1)
Each of those interfaces has its own DHCP server and firewall rule. I will not describe how to configure that here as it is out of scope. Also, I had problems when setting this through LuCI on trunk, so I had to do it from the CLI by editing the /etc/config files (network, firewall, dhcp, etc.). After editing from the CLI, all went fine and LuCI was also showing the proper info.
I wanted to leave LuCI and SSH available only on the LAN interface and block them on all the others.
Easiest solution for me required 2 steps:
- Blocked "everything" on the firewall ZONES:
  - Check "reject" for both Input and Forward
  - Check "accept" on Output
  Did that for all VLANs (guest, VLAN_ETH2, VLAN_ETH3, VLAN_ETH4).
- This is enough to block LuCI and SSH for all VLANs, but now we have no internet or even a valid IP because the DNS and DHCP ports are also blocked. The solution is to just open the needed ports for those interfaces/zones.
DNS uses port 53
DHCP uses ports 67 and 68
Easiest way is to edit the file /etc/config/firewall.
You may also add the firewall zones directly to this file.
Example of firewall zone definitions (note the input-reject / output-accept / forward-reject):

```
config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'

config zone
	option name 'VLAN_ETH4'
	option output 'ACCEPT'
	option network 'VLAN_ETH4'
	option forward 'REJECT'
	option input 'REJECT'

config zone
	option name 'VLAN_ETH3'
	option output 'ACCEPT'
	option network 'VLAN_ETH3'
	option forward 'REJECT'
	option input 'REJECT'

config zone
	option name 'VLAN_ETH2'
	option output 'ACCEPT'
	option network 'VLAN_ETH2'
	option forward 'REJECT'
	option input 'REJECT'
```
Example of DNS and DHCP rules (the interface names in `src` ARE IMPORTANT):

```
config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'Guest DNS'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'Guest DHCP'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'VLAN_ETH2 DNS'
	option src 'VLAN_ETH2'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'VLAN_ETH2 DHCP'
	option src 'VLAN_ETH2'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'VLAN_ETH3 DNS'
	option src 'VLAN_ETH3'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'VLAN_ETH3 DHCP'
	option src 'VLAN_ETH3'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'VLAN_ETH4 DNS'
	option src 'VLAN_ETH4'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '67-68'
	option name 'VLAN_ETH4 DHCP'
	option src 'VLAN_ETH4'
```
I have more rules because I have four VLANs.
A single VLAN would obviously make the config 4 times easier/smaller.
Hopefully it is not too confusing for people to understand.
Edit: Be careful not to lock yourself out of the router (soft-brick). Leave at least one interface with SSH/LuCI access for you to use.
Cheers!
Gus
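A small offline check for the setup described in the post above (added example, not Gus's code or anything shipped with OpenWrt): it parses `/etc/config/firewall` text and, for every zone whose `input` policy is not ACCEPT, lists which of the DNS/DHCP ports (53, 67, 68) no ACCEPT rule with that zone as `src` opens. The sample config is constructed and deliberately incomplete; it assumes a rule without `proto` defaults to 'tcp udp' as in fw3.

```python
import re

# Constructed sample in /etc/config/firewall syntax: 'guest' only opens DHCP,
# 'VLAN_ETH2' only opens DNS, so each zone is missing one of the two rules.
SAMPLE = """\
config zone
	option name 'guest'
	option input 'REJECT'
config zone
	option name 'VLAN_ETH2'
	option input 'REJECT'
config rule
	option src 'guest'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
config rule
	option src 'VLAN_ETH2'
	option target 'ACCEPT'
	option dest_port '53'
"""

def parse_uci(text):  # -> [(section_type, {option: value}), ...]
    secs = []
    for kind, key, val in re.findall(r"^\s*(config|option)\s+(\S+)(?:\s+'([^']*)')?", text, re.M):
        if kind == "config":
            secs.append((key, {}))
        elif secs:
            secs[-1][1][key] = val
    return secs

def expand_ports(spec):  # '53' -> {53}; '67-68' -> {67, 68}; entries are unioned
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split()):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def check_zones(text, needed=(53, 67, 68)):
    """For each zone not explicitly accepting input, list needed ports no rule opens."""
    secs = parse_uci(text)
    report = {}
    for kind, zone in secs:
        if kind != "zone" or zone.get("input", "").upper() == "ACCEPT":
            continue
        opened = set()  # UDP ports opened by ACCEPT rules whose src is this zone
        for k, r in secs:
            if (k == "rule" and r.get("src") == zone["name"] and r.get("target") == "ACCEPT"
                    and "udp" in r.get("proto", "tcp udp")):  # assumed fw3 default proto
                opened |= expand_ports(r.get("dest_port", ""))
        report[zone["name"]] = sorted(set(needed) - opened)
    return report
```

Run `check_zones(open("/etc/config/firewall").read())` on the router (or a copy of the file) and any zone listed with ports left over will get neither an address nor name resolution.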