Firewall block all except allowed IPs on LAN side

Using OpenWrt 22.03.0 and NFT-QOS I would like to restrict total access to only the IP's that have been controlled by NFT-QOS. I've changed the default INPUT on the lan firewall to REJECT

config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

I've added accepts for DHCP and just the IP's I want to allow access.

config rule
	option name 'AllowDHCP'
	option src 'lan'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'

config rule 'allowpc'
	option name 'AllowPC'
	option src 'lan'
	option proto 'all'
	option target 'ACCEPT'
	option src_ip ''

I've reserved IP's on static leases to their MAC address.
This seems to work as I want just wanting some feedback on performance etc of this setup or if something may not function because of this configuration.
This is in a controlled environment so MAC addresses of the devices won't change unless someone fiddles to tries and get around the speed limits. TIA

With these rules (in the INPUT chain) you block only the access to the router itself. You think it works just because lan clients outside the specified range cannot use the router as a DNS server.

Someone smart enough could set a static IP address on their device (or just a custom DNS server) and then will get internet access at full speed.

To do it right, you need a rule in the FORWARD chain:

config rule
        option name 'Restrict-Internet-access'
        list proto 'all'
        option src 'lan'
        option src_ip '!'
        option dest 'wan'
        option target 'REJECT'

Thank you so much. I tested it and you are correct.
Does the ! symbol only work with an IP range and not a group of individual IP addresses as in my previous post?

It works also with individual IP addresses, but I would use the list syntax because it looks more perspicuous to me.

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.