Client, allow local access, deny external

Hi to all,

I have 2 devices connected via wifi to my router, say one is 192.168.1.168 and the other is 192.168.1.239.
I don't want them to access, or be accessible from, the outside world, but I do want them to reach and be reachable from the LAN.
How can I do that?
Mind that I route all my traffic through nordvpn via the router.

Thank you.

# Build the 'fwd_deny' firewall rule with uci and reload the firewall.
# Side effects are the same as issuing the uci commands one by one: any
# previous 'fwd_deny' section is dropped, the rule is re-created with the
# given source hosts, the change is committed and the firewall restarted.
#
# Arguments: one or more source IPv4 addresses to deny forwarding for.
deny_hosts_forward() {
  local sec="firewall.fwd_deny"
  local host

  # Start from a clean section; -q keeps "not found" quiet on first use.
  uci -q delete "$sec"
  uci set "$sec=rule"
  uci set "$sec.name=Deny-LAN-Forward"
  uci set "$sec.src=lan"

  # Every add_list entry is one more source host the rule matches.
  for host in "$@"; do
    uci add_list "$sec.src_ip=$host"
  done

  # Any destination zone, but only destinations outside the LAN subnet,
  # so LAN-to-LAN traffic from these hosts is not touched by this rule.
  uci set "$sec.dest=*"
  uci add_list "$sec.dest_ip=!192.168.1.0/24"
  uci set "$sec.proto=all"
  uci set "$sec.target=REJECT"

  # NOTE(review): no 'family' option is set; with IPv4-only address matches
  # the rule presumably applies to IPv4 only, so IPv6 forwarding from these
  # hosts (the wan zone also carries wan6) may be unaffected — confirm.
  # NOTE(review): a firewall restart does not necessarily drop sessions that
  # were already established; confirm by checking the conntrack table or by
  # power-cycling the hosts after applying the rule.
  uci commit firewall
  /etc/init.d/firewall restart
}

deny_hosts_forward "192.168.1.168" "192.168.1.239"

It doesn't seem to work.
These 2 IPs belong to TP-LINK Tapo IP cameras, and I can still reach them via the TP-LINK Tapo Android app. I also added the Android phone's IP:

# Appends the phone's address as a third source host of the same rule.
# NOTE(review): this only stages the change — 'uci commit firewall' and a
# firewall restart are still needed before it takes effect.
uci add_list firewall.fwd_deny.src_ip="192.168.1.214"

but it still has an internet connection.

root@OpenWrt:~# cat /etc/config/firewall 

# Global defaults: input and output on the router itself are accepted;
# forwarded traffic that no zone or forwarding section accepts is rejected.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# LAN zone: the 'lan' network, with a zone-level forward policy of ACCEPT.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# Upstream zone. It carries both 'wan' and 'wan6' (presumably the IPv6
# uplink), so IPv6 forwarding is governed by this zone too. Outbound traffic
# is masqueraded; unsolicited inbound traffic is rejected.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

# The rules below look like the stock OpenWrt defaults for traffic arriving
# from wan (DHCP renewals, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Hand-written rules from this file are loaded in addition to the sections
# here. NOTE(review): check its contents when a rule appears not to take
# effect.
config include
	option path '/etc/firewall.user'



# LAN hosts may forward out through the plain WAN ...
config forwarding
	option dest 'wan'
	option src 'lan'

# Zone for the NordVPN tunnel interface; masquerades and rejects inbound
# traffic like the wan zone.
config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

# ... and through the VPN tunnel zone.
config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

# Named section written by the uci commands earlier in the thread. It
# rejects forwarded traffic from any of the three listed LAN hosts to any
# destination zone, except destinations inside 192.168.1.0/24 — so
# LAN-to-LAN access (which may be how the app still reaches the cameras)
# is not affected.
# NOTE(review): no 'family' option is set; with IPv4-only addresses the rule
# presumably matches IPv4 only, so IPv6 traffic from these hosts via wan6
# may still be forwarded — confirm.
# NOTE(review): flows established before the rule was loaded may survive a
# firewall restart — confirm by checking the conntrack table or by
# power-cycling the hosts.
# NOTE(review): matching on src_ip depends on the hosts keeping these
# addresses; a src_mac match would not.
config rule 'fwd_deny'
	option name 'Deny-LAN-Forward'
	option src 'lan'
	list src_ip '192.168.1.168'
	list src_ip '192.168.1.239'
	list src_ip '192.168.1.214'
	option dest '*'
	list dest_ip '!192.168.1.0/24'
	option proto 'all'
	option target 'REJECT'

It would be better to replace src_ip with src_mac, so the rule keeps matching the devices even if their addresses change.

