Block luci & ssh access from zones

Hello everyone,

I’m just learning OpenWrt and have definitely fallen in love with all its possibilities. I have been testing a lot of things on my TP-Link AC1750 (OpenWrt 21.02.2 r16495-bf0c965af0), and most of them worked pretty well.

But now I’m a bit confused:
Why can I access my OpenWrt router from my “IOT” wifi (both over the web browser and over SSH)?
=> Of course I set Input to REJECT in the correct firewall zone (IOT_Zone).
I also found out that my firewall settings are not working properly (actually they do not affect anything). E.g. I can also access the internet from that wifi, although I do NOT have any forwarding to the wan zone.

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option metric '100'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3 4 5'
        option description 'vlan_main'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'
        option description 'vlan_wan'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2'
        option vid '3'
        option description 'vlan_remote'

config device
        option name 'eth0.3'
        option type '8021q'
        option ifname 'eth0'
        option vid '3'
        option macaddr 'E8:48:B8:E1:8A:93'

config device
        option name 'eth0.1'
        option type '8021q'
        option ifname 'eth0'
        option vid '1'
        option macaddr 'E8:48:B8:E1:8A:91'


config interface 'IOT'
        option proto 'static'
        option ipaddr '10.5.20.1'
        option netmask '255.255.255.0'
config defaults
        option synflood_protect '1'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'REJECT'

config zone
        option name 'Main'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'radio1.network1'
        list device 'wlan1'
        list device 'br-lan'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        option forward 'REJECT'
        list network 'wan'
        list network 'wan6'

config forwarding
        option dest 'wan'
        option src 'Main'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option proto 'icmp'
        option family 'ipv6'
        option target 'ACCEPT'
        list src_ip 'fe80::/10'
        option src 'wan'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option proto 'esp'
        option target 'ACCEPT'
        option dest 'Main'


config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option dest 'Main'

config include
        option path '/etc/firewall.user'

config zone
        option name 'IOTZone'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        list network 'IOT'

How are you even accessing that IoT network? It is not associated with any devices (unless it is wifi only), and since all of its zone policies are set to REJECT, it shouldn't work at all (you won't get a DHCP address, and it will have no access to any other network or to the internet).


The IoT network is wifi only.
Correct, it actually shouldn't even get an IP address, and it shouldn't have access to the internet.
But it does! That's why I'm so confused.

What IP address info (IP, subnet mask, router/gateway, DNS) do you see on the device that is connected to the IOT network? Does that device have any other connections (such as wired Ethernet or a secondary wifi radio)?

inet 10.5.20.111/24 brd 10.5.20.255 scope global dynamic noprefixroute wlan0

Let's see the /etc/config/wireless config file.

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option cell_density '0'
        option htmode 'VHT40'
        option txpower '20'
        option channel 'auto'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option encryption 'psk2'
        option key '...'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'
        option ssid 'Stevo-Main-5G'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option htmode 'HT20'
        option cell_density '0'
        option txpower '5'
        option country 'DE'
        option channel 'auto'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Stevo-IOT'
        option encryption 'psk2'
        option key '...'
        option network 'IOT'
        option ieee80211r '1'
        option ft_over_ds '1'
        option ft_psk_generate_local '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Test'
        option encryption 'psk2'
        option key 'testtest'

I have added another wifi, "Test". In this case everything works as described!

Remove those `list device` entries (`radio1.network1` and `wlan1`) from the Main firewall zone.


Thanks, nice!

What was my mistake? Did I add all WLANs to the "Main" firewall zone?

Think of it as having added every network associated with the radio1 device (which includes your IOT network) to the Main firewall zone, so that traffic was handled by Main's ACCEPT policies instead of IOTZone's REJECT policies. In general, it is best to assign networks (not devices) to firewall zones; there are some exceptions, but those are typically for things like VPNs.

