Hi to all,
I have 2 devices connected via wifi to my router, say one is 192.168.1.168 and the other is 192.168.1.239.
I don't want them to have access to, or be reachable from, the outside world, but I do want them to be able to access the LAN and to be reachable from the LAN.
How can I do that?
Mind that I route all my traffic through nordvpn via the router.
Thank you.
# Create (or recreate) the firewall rule section 'fwd_deny': forwarded traffic
# from the listed LAN hosts to any destination outside 192.168.1.0/24 is
# rejected, so the hosts keep LAN access but cannot open connections towards
# the WAN/VPN zones. Meant for an OpenWrt router (uci + fw3).
#
# NOTE(review): the rule carries IPv4 addresses and no 'family' option, so it
# is expected to be installed for IPv4 only — confirm on the device and add an
# IPv6 counterpart if these hosts also obtain global IPv6 addresses.
# NOTE(review): DHCP leases can change; pinning the hosts by src_mac (or static
# leases) is more robust than src_ip.

# Space-separated on purpose: busybox ash on OpenWrt has no arrays.
blocked_hosts="192.168.1.168 192.168.1.239"
lan_subnet="192.168.1.0/24"

# Remove any previous copy first so re-running the snippet does not
# accumulate duplicate list entries.
uci -q delete firewall.fwd_deny
uci set firewall.fwd_deny="rule"
uci set firewall.fwd_deny.name="Deny-LAN-Forward"
uci set firewall.fwd_deny.src="lan"
uci set firewall.fwd_deny.dest="*"
uci set firewall.fwd_deny.proto="all"
uci set firewall.fwd_deny.target="REJECT"

# One src_ip list entry per blocked host.
for host in $blocked_hosts; do
  uci add_list firewall.fwd_deny.src_ip="$host"
done

# Negated destination: only packets leaving the LAN subnet match.
uci add_list firewall.fwd_deny.dest_ip="!$lan_subnet"

uci commit firewall
/etc/init.d/firewall restart
lepidas
February 9, 2021, 11:41am
It doesn't seem to work.
These 2 IPs belong to TP-LINK Tapo IP cameras, and I still have access to them via the TP-LINK Tapo Android app. I also added the Android phone's IP:
# Appends a third host to the same src_ip list of the 'fwd_deny' rule; the
# change only takes effect after 'uci commit firewall' and a firewall restart,
# as in the snippet above.
uci add_list firewall.fwd_deny.src_ip="192.168.1.214"
and it still has an internet connection.
root@OpenWrt:~# cat /etc/config/firewall
# Zone-wide defaults: traffic not matched by a zone or rule is accepted on
# input/output and rejected when forwarded between zones.
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# LAN zone: 'forward ACCEPT' here covers traffic between hosts inside the
# zone itself; traffic towards other zones is governed by the 'forwarding'
# sections and rules below.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# WAN zone: unsolicited input and forwarding from the Internet are rejected;
# outgoing traffic is NATed (masq).
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
# Stock OpenWrt exceptions for traffic arriving from the WAN side.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Extra hand-written iptables rules, if any, live in this file.
config include
option path '/etc/firewall.user'
# LAN may forward to the plain WAN ...
config forwarding
option dest 'wan'
option src 'lan'
# ... and to the VPN tunnel zone, which also NATs and rejects inbound traffic.
config zone
option name 'vpnfirewall'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
list network 'nordvpntun'
config forwarding
option src 'lan'
option dest 'vpnfirewall'
# Rule created by the uci snippet above: forwarded traffic from the listed
# LAN hosts to any zone, except destinations inside 192.168.1.0/24, is rejected.
# NOTE(review): only IPv4 addresses and no 'family' option, so the rule is
# expected to cover IPv4 only — confirm, and add an IPv6 counterpart if these
# hosts get global IPv6 addresses.
# NOTE(review): src_ip relies on the hosts keeping their DHCP leases; a
# src_mac match (or static leases) is harder to bypass by a renumbered device.
config rule 'fwd_deny'
option name 'Deny-LAN-Forward'
option src 'lan'
list src_ip '192.168.1.168'
list src_ip '192.168.1.239'
list src_ip '192.168.1.214'
option dest '*'
list dest_ip '!192.168.1.0/24'
option proto 'all'
option target 'REJECT'
Better to replace src_ip with src_mac.