Disable access to web interface with input_rule allowed

Since disabling input_rule on my guest WiFi can cause video streaming issues for me, I am wondering if there's a way to disable access to the web interface or ssh from the guest WiFi, while keeping input_rule allowed?

Any ideas? Solution suggestions?

This shouldn't be an issue. Can you describe the specific problem?

The best/preferred method of securing the router with respect to a guest network is to set the firewall to drop or reject input on the guest zone, and then add 2 traffic rules: allow DHCP and DNS from the guest zone.

I am aware of the way you described.

My question is, what is the way to disable access to the web interface and ssh while keeping the input of the zone allowed?

Edit: As for the problem I've encountered: when I am playing back an online video in the browser, it suddenly stops for quite a while. Each time this issue happens, I am not able to access other websites either, unless I disconnect the WiFi and re-connect to it.

Edit2: The WiFi access point is a D-Link DIR-860L B1 running the latest OpenWrt release, which is configured as an AP only, connected to the main router via a real physical switch.

Here are my config files, just in case someone needs to have a closer look:

network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd4c:28e0:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config device
        option name 'lan1'
        option macaddr 'xx:xx:xx:xx:xx:90'

config device
        option name 'lan2'
        option macaddr 'xx:xx:xx:xx:xx:90'

config device
        option name 'lan3'
        option macaddr 'xx:xx:xx:xx:xx:90'

config device
        option name 'lan4'
        option macaddr 'xx:xx:xx:xx:xx:90'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.1'
        option delegate '0'
        option defaultroute '0'

config device
        option name 'wan'
        option macaddr 'xx:xx:xx:xx:xx:93'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'guest0'
        option proto 'static'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option defaultroute '0'
        option gateway '192.168.1.2'

config interface 'guest1'
        option proto 'static'
        option ipaddr '172.16.1.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option defaultroute '0'
        option gateway '192.168.1.2'

config interface 'guest2'
        option proto 'static'
        option ipaddr '172.16.2.1'
        option netmask '255.255.255.0'
        option delegate '0'
        option defaultroute '0'
        option gateway '192.168.1.2'

config interface 'GATE'
        option proto 'dhcp'
        option device 'lan1'
        option delegate '0'

firewall:

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config zone
        option name 'lan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'GATE'

config zone
        option name 'guest0'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest0'
        option input 'ACCEPT'

config zone
        option name 'guest1'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest1'

config zone
        option name 'guest2'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest2'
        option input 'ACCEPT'

config forwarding
        option src 'guest0'
        option dest 'lan1'

config forwarding
        option src 'guest1'
        option dest 'lan1'

config forwarding
        option src 'guest2'
        option dest 'lan1'

config rule
        list proto 'udp'
        option target 'ACCEPT'
        option name 'Allow DHCP for Guest0'
        option src 'guest0'
        option direction 'in'
        option device 'wlan0'
        option family 'ipv4'
        option src_port '67-68'
        option dest_port '67-68'

config rule
        option name 'Allow DHCP for Guest1'
        list proto 'udp'
        option src 'guest1'
        option target 'ACCEPT'
        option family 'ipv4'
        option direction 'in'
        option device 'wlan1'
        option dest_port '67-68'
        option src_port '67-68'

config rule
        option name 'Allow DHCP for Guest2'
        list proto 'udp'
        option src 'guest2'
        option target 'ACCEPT'
        option family 'ipv4'
        option device 'wlan1-1'
        option direction 'in'
        option src_port '67-68'
        option dest_port '67-68'

config rule
        option name 'Guest2 DNS'
        option src 'guest2'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest1 DNS'
        option src 'guest1'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Guest0 DNS'
        option src 'guest0'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow Samba Access'
        option src 'guest0'
        option dest 'lan'
        list dest_ip '192.168.1.3'
        option dest_port '445'
        option target 'ACCEPT'

config rule
        option src 'guest0'
        option dest 'lan'
        option target 'REJECT'
        option name 'Block Guest Access to Local Network'
        list proto 'all'

/etc/firewall.user:

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

# Forbid forwarding from the guest zones to private and special-use addresses

iptables -I forwarding_guest0_rule -d 0.0.0.0/8 -j REJECT
iptables -I forwarding_guest0_rule -d 10.0.0.0/8 -j REJECT
iptables -I forwarding_guest0_rule -d 127.0.0.0/8 -j REJECT
iptables -I forwarding_guest0_rule -d 169.254.0.0/16 -j REJECT
iptables -I forwarding_guest0_rule -d 172.16.0.0/12 -j REJECT
iptables -I forwarding_guest0_rule -d 192.0.0.0/24 -j REJECT
iptables -I forwarding_guest0_rule -d 192.0.2.0/24 -j REJECT
iptables -I forwarding_guest0_rule -d 224.0.0.0/3 -j REJECT
iptables -I forwarding_guest0_rule -d 198.18.0.0/15 -j REJECT
iptables -I forwarding_guest0_rule -d 198.51.100.0/24 -j REJECT
iptables -I forwarding_guest0_rule -d 203.0.113.0/24 -j REJECT

# reject 192.168.0.0/16 except for 192.168.1.0/24 which has already been handled (with NAS access allowed exception) in Traffic Rules
iptables -I forwarding_guest0_rule -d 192.168.0.0/24 -j REJECT
iptables -I forwarding_guest0_rule -d 192.168.2.0/23 -j REJECT
iptables -I forwarding_guest0_rule -d 192.168.4.0/22 -j REJECT
iptables -I forwarding_guest0_rule -d 192.168.8.0/21 -j REJECT
iptables -I forwarding_guest0_rule -d 192.168.16.0/20 -j REJECT
iptables -I forwarding_guest0_rule -d 192.168.32.0/19 -j REJECT
iptables -I forwarding_guest0_rule -d 192.168.64.0/18 -j REJECT
iptables -I forwarding_guest0_rule -d 192.168.128.0/17 -j REJECT

iptables -I forwarding_guest1_rule -d 0.0.0.0/8 -j REJECT
iptables -I forwarding_guest1_rule -d 10.0.0.0/8 -j REJECT
iptables -I forwarding_guest1_rule -d 127.0.0.0/8 -j REJECT
iptables -I forwarding_guest1_rule -d 169.254.0.0/16 -j REJECT
iptables -I forwarding_guest1_rule -d 172.16.0.0/12 -j REJECT
iptables -I forwarding_guest1_rule -d 192.0.0.0/24 -j REJECT
iptables -I forwarding_guest1_rule -d 192.0.2.0/24 -j REJECT
iptables -I forwarding_guest1_rule -d 224.0.0.0/3 -j REJECT
iptables -I forwarding_guest1_rule -d 192.168.0.0/16 -j REJECT
iptables -I forwarding_guest1_rule -d 198.18.0.0/15 -j REJECT
iptables -I forwarding_guest1_rule -d 198.51.100.0/24 -j REJECT
iptables -I forwarding_guest1_rule -d 203.0.113.0/24 -j REJECT

iptables -I forwarding_guest2_rule -d 0.0.0.0/8 -j REJECT
iptables -I forwarding_guest2_rule -d 10.0.0.0/8 -j REJECT
iptables -I forwarding_guest2_rule -d 127.0.0.0/8 -j REJECT
iptables -I forwarding_guest2_rule -d 169.254.0.0/16 -j REJECT
iptables -I forwarding_guest2_rule -d 172.16.0.0/12 -j REJECT
iptables -I forwarding_guest2_rule -d 192.0.0.0/24 -j REJECT
iptables -I forwarding_guest2_rule -d 192.0.2.0/24 -j REJECT
iptables -I forwarding_guest2_rule -d 224.0.0.0/3 -j REJECT
iptables -I forwarding_guest2_rule -d 192.168.0.0/16 -j REJECT
iptables -I forwarding_guest2_rule -d 198.18.0.0/15 -j REJECT
iptables -I forwarding_guest2_rule -d 198.51.100.0/24 -j REJECT
iptables -I forwarding_guest2_rule -d 203.0.113.0/24 -j REJECT

# Add a closing NewLine, otherwise the last command may be not interpreted correctly (e.g. because you did not use vi as editor).

This doesn't seem to me to be related to the input rule. Does it happen to coincide with something like the DHCP lease expiring?

You can allow input and then create traffic rules that drop or reject port 80 (and/or 443) and 22. You'll apply this rule to the zone(s) of interest as the source and the destination as this device (input).

Incidentally, I think you could probably clean up that configuration quite a bit -- for example: you have several guest networks that appear to be doing basically the same thing. You could put them all into a single zone and drop/reject forwarding. There are probably other things, too, but I only skimmed your configuration.

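To make the difference between the two approaches in this thread concrete, here is an added toy model (not from the thread or from OpenWrt itself) of how traffic rules are evaluated for a zone's INPUT path: rules are checked in config order, first match wins, and the zone's default input policy applies to everything else. The rule strings, port numbers and the `verdict`/`compare` names are my own constructions.

```shell
#!/bin/sh
# Toy model of OpenWrt zone INPUT evaluation (constructed example, not fw3/fw4 code):
# a rule is "proto:port[,port...]:target"; the first matching rule decides,
# otherwise the zone's default 'option input' policy applies.

# Approach suggested above: keep input ACCEPT and reject only the management ports.
WEAK_DEFAULT=ACCEPT
WEAK_RULES="tcp:22,80,443:REJECT"

# Preferred approach from the thread: input REJECT, allow only DHCP and DNS.
STRICT_DEFAULT=REJECT
STRICT_RULES="udp:67:ACCEPT udp:53:ACCEPT tcp:53:ACCEPT"

# verdict DEFAULT "RULES" PROTO DPORT -> prints ACCEPT or REJECT
verdict() {
    default=$1; rules=$2; proto=$3; dport=$4
    for rule in $rules; do
        r_proto=${rule%%:*}
        rest=${rule#*:}
        r_ports=${rest%%:*}
        r_target=${rest#*:}
        [ "$r_proto" = "$proto" ] || continue
        case ",$r_ports," in
            *",$dport,"*) echo "$r_target"; return ;;
        esac
    done
    echo "$default"
}

# Compare both policies for services a guest client could reach on the AP itself.
# tcp:8080 and udp:161 stand for "any other socket that happens to be listening".
compare() {
    for svc in tcp:22 tcp:80 tcp:443 tcp:8080 udp:53 udp:67 udp:161; do
        proto=${svc%%:*}; port=${svc#*:}
        printf '%-8s weak=%-6s strict=%s\n' "$svc" \
            "$(verdict $WEAK_DEFAULT "$WEAK_RULES" $proto $port)" \
            "$(verdict $STRICT_DEFAULT "$STRICT_RULES" $proto $port)"
    done
}
compare
```

The weak policy closes 22/80/443 but leaves every other listening service (tcp:8080, udp:161 in the sample) reachable from the guest zone, which is the point made later in the thread; the strict policy exposes only DHCP and DNS.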

Also, if this is a dumb AP + guest network configuration, the upstream network (in this case, it appears that it is "GATE" on zone "lan1") is typically masqueraded. That doesn't appear to be set on the lan1 zone, and it probably should be.

I am using static routes on the main router for this matter, saving a NAT at the gateway.

Remove the gateways from the guest interfaces. They are wrong.

No way, if you have INPUT allowed, the router is wide open to any socket listening.
The problem you describe is not related to the firewall.
Finally, for some housekeeping, you could combine all the guest interfaces into one zone. For the Samba access you can use an IP range to allow only guest0. The guest0_to_lan rule is not necessary, as there is no forwarding from guest0 to lan enabled.

Somehow Luci put the forwarding rules from guests to lan in the middle of firewall rules, you might have missed it.

Any idea how to combine guest networks into one zone?

It's for lan1, which is the wan in your case. More housekeeping, use more distinctive names in interfaces and zones.

config zone
        option name 'guest0'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guest0'
        list network 'guest1'
        list network 'guest2'

and delete the others.
