Connection to specific interface

So I have 3 network interfaces, namely LAN, Restricted and Strict. I have created a wireless AP that is connected to these 3 network interfaces.
Now I want to specify which network interface a device connecting to my Wi-Fi AP can connect to.
LAN IPv4 address is 192.168.1.1
Restricted IPv4 address is 192.168.2.1
Strict IPv4 address is 192.168.3.1
I tried working around with firewall rules to implement this, but it did not seem to work. Any way this can be done?

Hi @alphaol7

if you want to use only one SSID and then, based on wifi client IP, want to restrict access to specified network, you should make 4 networks, to be specific

default for OpenWRT is that WIFI is connected with LAN, maybe this is your problem

so, create a network nr4, assign it to WIFI (remove WIFI from LAN), bring up DHCP for wifi client, assign static IPs and make firewall rules which will allow certain devices to access certain networks

For now I have set my wireless AP to connect to Restricted and Strict network interfaces. I went into DHCP configuration and defined a static IP (192.168.3.123) for my device (MAC: 88:03:E9:31:22:5B).
Even now when I connect to the wireless AP, my device is assigned a different IP (192.168.2.222).

/etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'
        option channel '1'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option network 'Restricted Strict'

/etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'Restricted'
        option interface 'Restricted'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'Strict'
        option interface 'Strict'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'oppo'
        option mac '88:03:E9:31:22:5B'
        option ip '192.168.3.123'

from my point of view, you are mixing things badly

to have separate IP networks, you first need to have separate L2 networks

you cannot expect that everything will be in one bridge, and some "miracle" will happen to assign different IPs
i am afraid that you did not create 3 networks, at least, you did not separate them on L2 level

so, try this way
reset your router to factory settings
by default, you will have LAN network

then, create bridge for Restricted network
on this bridge, create dhcp server (if you need it for this network)

then, create bridge for Strict network
on this bridge, create dhcp server (if you need it for this network)

create bridge for WIFI
put wifi interface in this bridge, create dhcp server

this way, lan, restricted, strict and wifi will be separated on L2 level

then you need to create firewall rules (it is L3 layer) to allow/disallow certain WIFI clients to reach certain networks

and again, if you put everything in one L2 domain, there is NO firewall rule which will help you, because the firewall operates on L3 layer and will not stop devices from communicating on L2
that is the reason to make separate L2 first
