Blocking traffic on physical port (but changing client mac address)

I want to block all traffic (with the exception of 80 and 443) on a physical port (LAN).
AFAIK the built-in firewall only allows those blocks when you know the MAC-address of the device.
What if I want to block all traffic to WAN except http/https on the device which is say plugged in the second LAN-port of the openwrt device?
Is it possible?

So here is a small pictogram:


                                                    +---------+
+------------------------+                          |         |
|  Device with unknown   | no access to WAN except  |         |
|     MAC-address        +--------------------------+Port 1   |
+------------------------+ 80/443; all access to LAN|         |
                                                    |         |
  +-------------------+                             | openwrt |                          +----------+
  |    device 2       |                             |         +------------------------->+Internet  |
  |                   +-----------------------------+Port 2   |                          +----------+
  +-------------------+                             |         |
                                                    |         |
  +-------------------+                             |         |
  |    device 3       |                             |         |
  |                   +-----------------------------+Port 3   |
  +-------------------+                             +---------+


Create a separate VLAN, assign it to a custom firewall zone and allow only specific traffic to forward from that zone to the WAN.

It should be similar to the following:

Just skip the wireless part and assign your guest VLAN interface to the guest network.

2 Likes

Is it possible to still communicate with the other devices on the LAN?

Add firewall forwardings between the LAN and guest zones.

2 Likes

I've called the VLAN "LAN_SECURE" as you can see on the picture (interface). I've given it a new subnet 192.168.179.0 (is this necessary?).
Now I've added new traffic rules but I cannot connect to the device in LAN_Secure.
Am I missing some routing issue? Does the gateway need to be changed (now it's not filled out and gray)?

What do you mean by "I cannot connect" exactly? How are you trying to connect? And from where?

2 Likes

Ok, I need to correct myself. The device did not get an IP address. The status page lied to me :wink: It was from a former attempt.

@eduperez: I'm trying to connect from LAN and ssh into the device

Because you have INPUT set to REJECT, it cannot receive DHCP requests.

1 Like

Fix this first, everything else comes later.

1 Like

Repeat the guest Wi-Fi instructions, specifically the firewall part.
It should create a separate zone as well as the necessary rules for DNS and DHCP.
Make sure your guest network is assigned to the guest firewall zone.
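Putting the whole thread together (the separate VLAN and zone from the first answer, the only-80/443-to-WAN rules, the LAN forwardings, and the DHCP/DNS input rules that fix the "device did not get an IP address" problem), here is the UCI configuration that results. This is an added example written for this thread, not something posted by any participant or taken from the OpenWrt wiki; the zone and interface name "guest" and the VLAN device name "br-lan.3" are assumptions (the device name in particular depends on whether the router uses swconfig or DSA), while the 192.168.179.0/24 subnet is the one the original poster chose.

```text
# /etc/config/network  (added example; 'br-lan.3' is a placeholder for the
# VLAN device that carries the isolated port on your hardware)
config interface 'guest'
	option proto 'static'
	option device 'br-lan.3'
	option ipaddr '192.168.179.1'
	option netmask '255.255.255.0'
	# no gateway option: this is a directly attached subnet and the router
	# itself is the gateway that clients receive via DHCP

# /etc/config/dhcp
config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Deliberately NO "config forwarding" from guest to wan: with the zone's
# forward policy set to REJECT, only traffic matched by an explicit rule
# below is allowed out toward the Internet.
config rule
	option name 'Allow-guest-HTTP-HTTPS'
	option src 'guest'
	option dest 'wan'
	option proto 'tcp'
	list dest_port '80'
	list dest_port '443'
	option target 'ACCEPT'

# INPUT is REJECT, so the router must explicitly accept DHCP and DNS from
# the zone; without these two rules clients never receive an address.
config rule
	option name 'Allow-guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow-guest-DNS'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Inter-zone forwardings so the device on the isolated port can still reach
# (and be reached from) the other LAN devices.
config forwarding
	option src 'guest'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'guest'
```

After editing the files, apply them with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then verify from the isolated port that a DHCP lease arrives, that `https://` sites load, and that something like an outbound SSH or NTP connection to the Internet is refused. Two points worth checking: the allow rule only covers TCP, so any UDP-based HTTP/3 (QUIC) traffic on 443 is blocked as well unless you add `udp` to that rule, and because port 53 is only accepted on the router itself, the client must use the router as its DNS server (which is what the DHCP lease hands out); a client configured with an external resolver will fail name resolution rather than bypass the filter.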