OpenWrt r19482, Linksys WRT1900AC v1
The router has a DSA switch with 5 external ports: 4 LAN and 1 WAN.
I'm trying to create a second LAN connected to router port #4. I want this LAN to NOT have internet access. How do I do it?
I tried:
remove port 4 from bridge
create a new interface ("no_inet_if") on this port with static private IP
create a new firewall zone ("no_inet_fw") and assign "no_inet_if" to it
set the new zone to accept input and output, but reject forward
This didn't work. There is still internet access on port #4. Ping works, TCP connect works, router even does its normal masquerading.
I also tried creating a traffic rule to reject packets from "no_inet_fw" to "wan", but it didn't have any effect.
What else should I try?
Preventing internet access on a network is really simple:
in the firewall, do not allow forwarding from your second LAN > wan.
For more specific help, we'll need to understand what the second LAN should be able to do (i.e. should the 2 LANs be able to talk to each other, any other requirements aside from not having WAN access) and if it is for wired, wireless, or both. We also need to see your config:
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Let's not focus on other requirements. For the moment I just want this LAN to have access to router ports (GUI, SSH), but not internet access.
root@GRAPHRT:/# cat /etc/config/network

config device 'wan_wan_dev'
	option name 'wan'
	option macaddr 'b4:75:0e:5f:f0:ea'
	...

config device 'lan_lan1_dev'
	option name 'lan1'
	option macaddr 'b4:75:0e:5f:f0:ea'
	...

config device 'lan_lan2_dev'
	option name 'lan2'
	...

config device 'lan_lan3_dev'
	option name 'lan3'
	...

config device 'lan_lan4_dev'
	option name 'lan4'
	...

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '172.27.143.1'
	...

config interface 'no_inet_if'
	option device 'lan4'
	option proto 'static'
	option ipaddr '172.27.142.1'
	option defaultroute '0'

...[some wan and wireguard connections]...
root@GRAPHRT:/# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'
	option synflood_protect '1'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	list network 'RDS'
	list network 'RDS_6'
	list network 'USB_RNDIS'
	list network 'Static'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'noinet'
	list device 'lan4'
	list network 'no_inet_if'
	option family 'ipv4'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option auto_helper '0'

config rule
	option name 'Restrict'
	list proto 'all'
	option src 'noinet'
	option dest 'wan'
	option target 'REJECT'

...
DHCP and wireless are not required on second LAN.
I can post the entire configuration if needed, but it's a very long list of port forwards. I prefer not to list WAN IP addresses and all those services here.
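The advice earlier in the thread ("do not allow forwarding from your second LAN to wan") boils down to a few statements in /etc/config/firewall. The following is an added example, not code from the thread or from OpenWrt: a small Python audit that parses UCI syntax and reports which firewall statements would let traffic forwarded from one zone reach another. It models the fw3/fw4 zone logic in simplified form: inter-zone traffic passes only through a `config forwarding` section, an ACCEPT `config rule` for that src/dest pair, or a global `defaults` forward policy of ACCEPT; a zone's own `forward` option only governs traffic between networks inside that same zone. The sample config is constructed from the zones and rule posted above plus one assumed lan-to-wan forwarding section (the part elided with "..." in the post). Rule ordering is not evaluated, so the output is a list of potential paths, not a packet-level verdict.

```python
"""Static audit of an OpenWrt UCI firewall config: can zone A forward to zone B?
Added example for this thread; simplified model of fw3/fw4 zone semantics."""
import shlex

# Constructed sample: the zones and rule from the thread, plus one assumed
# 'config forwarding' lan -> wan that the post elides with "...".
SAMPLE_FIREWALL = """
config defaults
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    list network 'RDS'

config zone
    option name 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'

config zone
    option name 'noinet'
    list network 'no_inet_if'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config forwarding        # assumed: the usual lan -> wan forwarding
    option src 'lan'
    option dest 'wan'

config rule
    option name 'Restrict'
    list proto 'all'
    option src 'noinet'
    option dest 'wan'
    option target 'REJECT'
"""


def parse_uci(text):
    """Parse UCI text into a list of {'type', 'name', 'options'} sections.
    'option' values are strings; 'list' values accumulate into Python lists.
    Unknown leading words (e.g. '...' placeholders) are ignored."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        kw = parts[0]
        if kw == 'config':
            sections.append({'type': parts[1],
                             'name': parts[2] if len(parts) > 2 else None,
                             'options': {}})
        elif kw == 'option' and sections:
            sections[-1]['options'][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif kw == 'list' and sections:
            lst = sections[-1]['options'].setdefault(parts[1], [])
            lst.append(parts[2] if len(parts) > 2 else '')
    return sections


def zone_of(sections, network):
    """Zone whose 'network' list names `network`, or None if the interface
    is in no zone (then only the 'defaults' policies apply to it)."""
    for s in sections:
        if s['type'] == 'zone' and network in s['options'].get('network', []):
            return s['options'].get('name')
    return None


def forward_paths(sections, src, dest):
    """Statements that let traffic forwarded from zone `src` reach zone
    `dest`. An empty list means the config as written opens no such path."""
    reasons = []
    defaults = next((s['options'] for s in sections if s['type'] == 'defaults'), {})
    if defaults.get('forward', 'REJECT').upper() == 'ACCEPT':
        reasons.append("global 'defaults' forward policy is ACCEPT")
    for s in sections:
        o = s['options']
        if o.get('enabled', '1') == '0':
            continue  # disabled sections generate no rules
        if s['type'] == 'forwarding' and o.get('src') == src and o.get('dest') == dest:
            reasons.append("forwarding section %s -> %s" % (src, dest))
        if (s['type'] == 'rule' and o.get('src') == src
                and o.get('dest') in (dest, '*')
                and o.get('target', '').upper() == 'ACCEPT'):
            reasons.append("rule %r ACCEPTs %s -> %s" % (o.get('name', '?'), src, o.get('dest')))
    return reasons


if __name__ == '__main__':
    cfg = parse_uci(SAMPLE_FIREWALL)
    print("no_inet_if is in zone:", zone_of(cfg, 'no_inet_if'))
    for pair in (('lan', 'wan'), ('noinet', 'wan')):
        print("%s -> %s:" % pair, forward_paths(cfg, *pair) or "no forwarding path")
```

Run against the posted zones, the audit finds a path for lan to wan (the forwarding section) and none for noinet to wan, which is the state the reply describes; a real device can be checked the same way by feeding it the output of `cat /etc/config/firewall`. A zone that turns out to have no path here but still reaches the internet points at something outside the zone and forwarding sections, for example the interface not actually being attached to the zone, which `zone_of` shows.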