I'm not really experienced with configuring OpenWRT, and alas, I didn't find any howto for what I want to do. Maybe, someone can point me in the right direction.
What I'd like to achieve is similar to the "Guest LAN" feature of the AVM Fritz-Box. An isolated LAN (not WLAN – for a guest WLAN, there are plenty instructions) which has access to the internet, in which all clients can communicate – but not reach the "real" LAN.
I have an Ubiquiti EdegeRouter X, with 5 LAN ports (that are accesible as different devices eth0 to eth4 if I see this correctly; no switch).
The default preset behavior is almost what I want:
The router fetches an IP address from the real router (192.168.178.0/24) when I plug a cable in the first (eth0) port. A device connected to one of the other ones (eth1 to eth4) gets an IP address of OpenWRT's default subnet (192.168.1.0/24) and is able to reach the internet.
What I would like to change (and don't know how) is:
The clients in this LAN should be isolated from the "real" LAN. At the moment, not only the internet is reachable, but e.g. also my "real" router (192.168.178.1). Only the internet shold be accessible.
The "sub"-router should be accessible from the "real" LAN (192.168.178.0/24), but not from the internet, and not from the isolated sub-LAN (192.168.1.0/24).
What's the most elegant/easy way to do this? Thanks for all help!
I think such a split is already the default setup: The WAN interface refers to the first (eth0) port, and the LAN interface is a bridge for the other ports (eth1–eth4).
Thus I wonder if I need a VLAN? Can I use the default setup (by only tweaking the firewall settings)?
As far as I can tell, you have already separate cabling for your LANs. A VLAN would not offer further separation advantages. A firewall rule blocking the guest to access the main LAN should suffice. Depending how it’s configured you may want to leave dhcp and dns protocols open…
This model has a switch, but it is configured by DSA. The DSA system for the most part hides that there actually is a switch, and for a simple use case like this one you can treat it as separate Ethernet ports.
If you want exactly one Ethernet port to be guest, you could put an interface directly on it, but it would be better to make the guest network a bridge. Additional ports can then be added.
config device
option name 'br-guest'
option type 'bridge'
list ports 'eth4'
config interface 'guest'
option device 'br-guest'
option proto 'static'
option ipaddr '192.168.3.1/24'
Remove eth4 from the lan bridge.
The DHCP and firewall setup for guest is the same as for a wireless guest network.
Then guest definitely needs to be a bridge. Leave lan as it is in case you want to go back to it. There's no noticeable performance loss from having an empty unused bridge left around.
The typical guest firewall blocks guests from attempting to log into the router. If you detach all ports from the regular LAN that leaves no way to log into the router (other than serial). You would need to either leave one port as LAN or open the firewall on the WAN side and log in from WAN. Since WAN is your upstream LAN, it is trusted and there's no issue with opening the firewall.
So if I open the firewall so that the router will be accessible from the WAN side (which is my upstream LAN), the router still can't be accessed from "outside", as the real router won't route port 80 requests to the "guest" router, right?
So … if I get this correctly, I simply have to change the firewall settings for the existing WAN (eth0) and the existing LAN (eth1–eth4 bridge) and I'm done?!
config rule
option name isolate-LAN-from-real-LAN
option src lan
option dest *
list dest_ip 192.168.178.0/24
list proto all
option target DROP
I can prevent a LAN client to access my real LAN.
With this:
config rule
option name reject-LAN-ssh
option src lan
list proto tcp
option dest_port 22
option target DROP
I can prevent a LAN client to access the router via SSH.
But despite having those:
config rule
option name reject-LAN-http
option src lan
list proto tcp
option dest_port 80
option target DROP
config rule
option name reject-LAN-https
option src lan
list proto tcp
option dest_port 443
option target DROP
a LAN client still can access luci. How do I prevent that?
As was mention4ed before, you need to use 3 ports for a guest network. Create an interface for them and a firewall zone. Leave one port as a regular lan, etc. It is how I see what you want.
So it's not possible to use all 4 remaining ports for this setup? I do have to keep one for the normal LAN interface?
It seems to work with the firewall changes I posted above, I'd only like to additionally block luci access for the LAN interface and only allow it from the WAN … with this firewall settings, I almost have what I want: A LAN client can access the internet, but not my real LAN. Also, ssh access to the router is rejected. Only luci is still accessible …
Sure, but if I allow this through the WAN interface (as posted above), I can access the router through it's "external" IP in my "real" LAN. This way, I thought I could simply make the whole LAN the "guest" LAN.
So is the firewall setting posted above okay for this (maybe a bit special) setup? If so, why do the DROP rules prevent LAN access to the router's SSH server, but not to it's HTTP server?
I am bumping this post because it's the first google results. @mk24 and @Pilot6 have already make their best to explain how to set up a guest LAN (not WLAN), but OP seems to have no experience configuring firewall zone thus making an easy story difficult.
For the best of others (also the future me in case I need it), I am sharing my no-code-and-GUI-only method to achieve guest LAN via 23.05:
first, add bridge device "br-guest" for lan1 (then delete lan1 from br-lan)
This is not the recommended method for blocking the guest access to the router...
Instead, the preferred configuration is to set the firewall zone input rule to reject or drop. This will prevent all access from the guest network to the router, so typically an additional rule is created to accept DHCP and DNS from the guest zone.
This is fine as long as the guest network is needed exclusively on lan1, and not on any other ports, and conversely the lan is not required on lan1. If, however, the goal is to setup VLANs and to create a trunk (a single ethernet cable carrying multiple networks), lan1 should be left in br-lan and then bridge-vlan filtering should be used to configure the VLANs as desired on each port.
