Blocking wireless GUI access to router in AP mode

Using a openwrt router in simple AP mode as a LAN extender (wireless AP + 2 LAN port switch).
I'm trying to prevent router GUI access while connected through wireless (Had this built-in feature on DD-WRT).
I though that a simple firewall filtering was possible but in AP mode there is no way to differentiate the wireless data flow from the rest of the lan data flow (no interface name neither dedicated mac address).
Any suggestion

Why not?

You don't have a wlan0 in your device?

Yes I have it however in the LUCI fierewall interface differentiation for the source is made by firewall zone (wlan0 et eth0 are both LAN) IP address (wlan0 doesn't have) or MAC address (wlan0 and eth0 have the same)

If you don't wish to create another zone or second interface for it, then use the custom firewall page.

from what I understand (maybe wrong) creating a new interface doesnt solve because bridging makes macaddress common. Same problem would remain with the IP address of the new interface.

new zone ? do you suggest that while bridged, I can create in the wireless GUI page wireless/general_set_up a neaw network zone. Which I can control the flow to LAN zone using the firewall?

custom firewall page, dont know how to define the rule and manage the priority with built in rules (not an expert)

To differentiate between wireless and wired traffic reliably, then you need one firewall zone for each1. This allows you to make a decision based on which interface the traffic is associated with.

Both IP addresses and MAC addresses are trivially "forgeable" and are not considered reliable to split "good" from "bad" traffic.

1 Or to write the equivalent, topology-based filtering in custom rules.

1 Like

I never said to re-bridge anything if you created the Interfaces - perhaps that's the source of your confusion.

Then, you'd never get it to work:

iptables -t filter -A INPUT -i wlan0 -p tcp --dport 80 -j DROP


Maybe I misunderstand
from the standard current AP configuration I add your line in the firewall custom rules. No change in the behavior. Still can acces the router from wireless


  • Did you re apply the firewall?
  • Are you running the GUI on HTTP (80/tcp) or HTTPS (443/tcp)?
  • Is wlan0 the device you're trying to block traffic from?

Yes I applied (even did service firewall restart from the console as well as checking the content of the /etc/firewall.user file)

Simply running GUI normally (at first)

Yes wlan0 is the one I want to block the traffic from

OK i understand what you suggest but didn't succeed in setting it up. Could you give directions.

from what I've tried assigning wireless traffic to an other zone creates a new interface as well as breaks the initial wlan/lan bridge.
At first i've tried to reconnect this new interface to lan
easiest is to make firewall traffic all accept any direction between this new network and lan
However it is not enough, the new wlan interface is most probably not well configured (protocol??)
Therefore no wireless client to the AP can connect to the network (no IP alloc)

Then you enable the DHCP and assign a static IP/subnet to the new wifitest Interface. If DHCP jumped PHYs not bridged, so would connections to the web GUI! :wink:

This is already enabled by default on LAN with the FORWARD/ACCEPT rule for LAN Zone on the General Page.

Maybe use ebtables or enable net.bridge.bridge-nf-call-iptables (maybe dont use this one :sweat_smile:) or iptables physdev module ?

opkg update
opkg install iptables-mod-physdev

iptables -A INPUT -p tcp -m multiport --dports 80,443 -m physdev --physdev-in wlan0 -j DROP

Can this work?


Works for me with iptables-mod-physdev only, tried kmod-br-netfilter with net.bridge.bridge-nf-call-iptables=1 earlier without success.

Using net.bridge.bridge-nf-call-iptables=1 doesn't seem to be a good idea anyway.
For example, traffic between the bridge ports will be treated as forwarded traffic.
I think this isn't going well with the firewall zone setup/logic/concept and can break some things...?
But I'm not sure :sweat_smile:
Better use ebtables or iptables physdev module.

Can you please detail your interfaces config before using iptables-mod-physdev

just default configuration where wlanX is a part of br-lan

1 Like

Unable to make it working

while the custom rule is well inserted in the firewall (iptables -L)

root@OpenWrt:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere anywhere multiport dports www,https PHYSDEV match --physdev-in wlan0

lan bridge is as default (eth0.1 - wlan0), a new interface is covering wlan0 (protocol = none)
AP behaves as wlan0 traffic was not monitored by the firewall rule while using tcpdump wlan0 tcp port 80 is well trapped and monitored

iptables -I ....
instead of
iptables -A ....

I think, *-mod-physdev needs kmod-br-netfilter.

Indeed, physdev doesn't work. Does it also net.bridge.bridge-nf-call-iptables to be enabled?

So Jeff's suggestions would be the best options here.
Remove the wireless interfaces from the bridge and assign them into their own firewall zone.
But this will break things, like multicast for example?
So, the only option left is ebtables?

1 Like

I already did iptables -I.... because I suspected that this rule was better located at first than at last but with no more effect.