DSA: how do I disable routing on one port?

OpenWrt r19482, Linksys WRT1900AC v1
The router has a DSA switch with 5 external ports: 4 LAN and 1 WAN.

I'm trying to create a second LAN connected to router port #4. I want this LAN to NOT have internet access. How do I do it?

I tried:

  • remove port 4 from bridge
  • create a new interface ("no_inet_if") on this port with static private IP
  • create a new firewall zone ("no_inet_fw") and assign "no_inet_if" to it
  • set the new zone to accept input and output, but reject forward
    This didn't work. There is still internet access on port #4. Ping works, TCP connect works, router even does it's normal masquerading.
  • I also tried creating a traffic rule to reject packets from "no_inet_fw" to "wan", but it didn't have any effect.
    What else should I try?

Preventing internet access on a network is really simple:
in the firewall, do not allow forwarding from your second LAN > wan.

For more specific help, we'll need to understand what the second LAN should be able to do (i.e. should the 2 LANs be able to talk to each other, any other requirements aside from not having WAN access) and if it is for wired, wireless, or both. We also need to see your config:

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Let's not focus on other requirements. For the moment I just want this LAN to have access to router ports (GUI, SSH), but not internet access.

root@GRAPHRT:/# cat /etc/config/network

config device 'wan_wan_dev'
        option name 'wan'
        option macaddr 'b4:75:0e:5f:f0:ea'
	...

config device 'lan_lan1_dev'
        option name 'lan1'
        option macaddr 'b4:75:0e:5f:f0:ea'
	...

config device 'lan_lan2_dev'
        option name 'lan2'
	...

config device 'lan_lan3_dev'
        option name 'lan3'
	...

config device 'lan_lan4_dev'
        option name 'lan4'
	...

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '172.27.143.1'
	...

config interface 'no_inet_if'
        option device 'lan4'
        option proto 'static'
        option ipaddr '172.27.142.1'
        option defaultroute '0'

...[some wan and wireguard connections]...

root@GRAPHRT:/# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        list network 'RDS'
        list network 'RDS_6'
        list network 'USB_RNDIS'
        list network 'Static'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'noinet'
        list device 'lan4'
        list network 'no_inet_if'
        option family 'ipv4'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option auto_helper '0'

config rule
        option name 'Restrict'
        list proto 'all'
        option src 'noinet'
        option dest 'wan'
        option target 'REJECT'
...

DHCP and wireless are not required on second LAN.
I can post the entire configuration if needed, but it's a very long list of port forwards. I prefer not to list WAN ip addresses and all those services here.

Knowing the requirements is the name of the game if you want to configure things the correct way for your needs. Why don't you want to discuss those?

you don't need this... but you've only given a small part of your files, so not sure if you might have other stuff going on.

You didn’t even include the actual “forward between zones” rules, they are below your

And are called config forwards
You only have included your “inter interface in zone” rules

1 Like

OK, this is all contents of /etc/config/firewall. I didn't remove anything except names and ports.

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option drop_invalid '1'
        option synflood_protect '1'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option input 'REJECT'
        list network 'RDS'
        list network 'RDS_6'
        list network 'USB_RNDIS'
        list network 'Static'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name '...'
        option src 'wan'
        option dest_port '...'
        option target 'ACCEPT'

config rule
        option name '...'
        option src 'wan'
        option target 'ACCEPT'
        option dest_port '...'

config rule
        option name '...'
        list proto 'tcp'
        option src 'wan'
        option dest_port '...'
        option target 'ACCEPT'

config rule
        option name 'GRE'
        option src 'wan'
        option target 'ACCEPT'
        list proto 'gre'

config rule
        option name '...'
        option src 'wan'
        option dest_port '...'
        option target 'ACCEPT'

config rule
        option name '...'
        list proto 'tcp'
        option src 'wan'
        option dest_port '...'
        option target 'ACCEPT'

config rule
        list proto 'tcp'
        option src '...'
        option dest_port '...'
        option target 'ACCEPT'
        option name '...'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option src 'wan'
        option proto 'udp'
        option family 'ipv6'
        option target 'ACCEPT'
        option name 'Allow-DHCPv6 '
        option src_port '546-547'
        option dest_port '546-547'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option src 'wan'
        option name '...'
        option src_dport '...'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'
        list proto 'tcp'
        option enabled '0'

config redirect
        option src 'wan'
        option name '...'
        option src_dport '...'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'
        list proto 'tcp'
        option enabled '0'

config redirect
        option src 'wan'
        option name '...'
        option src_dport '...'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option src 'wan'
        option name '...'
        option src_dport '...'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option src 'wan'
        option name '...'
        option src_dport '...'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'
        list proto 'tcp'

config redirect
        option src 'wan'
        option name '...'
        option src_dport '...'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'

config redirect
        option src 'wan'
        option name 'foobar'
        option src_dport '20056'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'

config redirect
        option reflection '0'
        option src 'wan'
        option name '...'
        option src_dport '...'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'

config redirect
        option reflection '0'
        option src 'wan'
        option name '...'
        option src_dport '...'
        option target 'DNAT'
        option dest_ip '172.27.143.2'
        option dest 'lan'

config redirect
        option target 'DNAT'
        option name '...'
        option src 'wan'
        option src_dport '...'
        option dest 'lan'
        option dest_ip '172.27.143.2'
        option enabled '0'

config redirect
        option target 'DNAT'
        option name '...'
        list proto 'tcp'
        option src 'wan'
        option src_dport '...'
        option dest 'lan'
        option dest_ip '172.27.143.99'
        option dest_port '22'
        option enabled '0'

config rule
        option name 'WireGuard'
        option src 'wan'
        option dest_port '...'
        option target 'ACCEPT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option name 'Braila'
        list network 'Braila'
        list network 'WG'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option auto_helper '0'
        list device 'lan4'
        option family 'ipv4'
        option name 'noinet'
        list network 'no_inet_if'

config rule
        option name 'Restrict'
        list proto 'all'
        option dest 'wan'
        option target 'REJECT'
        option src 'noinet'

/etc/firewall.user

iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A output_rule -o ppp+ -j ACCEPT

# This rule will allow traffic towards internet
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -o ppp+ -j ACCEPT

iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A output_rule             -p 47               -j ACCEPT
iptables        -A input_rule              -p 47               -j ACCEPT

This is a snapshot that uses nftables, so your custom iptables rules in /etc/firewall.user should be useless.

Try these rules to see if there will be a difference:

nft insert rule inet fw4 forward ip saddr 172.27.142.0/24 counter reject

or

nft insert rule inet fw4 forward iifname lan4 counter reject

If the traffic is still not blocked, check the counters:

nft list chain inet fw4 forward
1 Like

I didn't switch to the new firewall yet.

root@GRAPHRT:~# grep -i firewall /etc/build.config
CONFIG_PACKAGE_firewall=y
# CONFIG_PACKAGE_firewall4 is not set
CONFIG_PACKAGE_luci-app-firewall=y
1 Like

Try these rules:

iptables -A forwarding_rule -s 172.27.142.0/24 -j REJECT

or

iptables -A forwarding_rule -i lan4 -j REJECT

Check the hit count:

iptables -nvL forwarding_rule

I already reset some counters and I think I found the problem. I was wrong. It's not the DSA switch at fault.

iptables -A forwarding_rule -o ppp+ -j ACCEPT

I think it's this rule. I added it for PPTP. Does "ppp+" apply to PPPoE too?

ppp+ is a wildcard that covers everything starting with ppp

1 Like

Any advice how to write that rule to match pptp connections, but not pppoe?
Thanks.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.