Using OpenWrt 22.03.0 and NFT-QOS, I would like to restrict total access to only the IPs that have been controlled by NFT-QOS. I've changed the default INPUT on the lan firewall zone to REJECT:
```
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
```
I've added accepts for DHCP and just the IPs I want to allow access.
I've reserved IPs on static leases to their MAC address.
This seems to work as I want; I'm just wanting some feedback on performance etc. of this setup, or whether something may not function because of this configuration.
This is in a controlled environment, so MAC addresses of the devices won't change unless someone fiddles to try and get around the speed limits. TIA
With these rules (in the INPUT chain) you block only the access to the router itself. You think it works just because lan clients outside the specified range cannot use the router as a DNS server.
Someone smart enough could set a static IP address on their device (or just a custom DNS server) and will then get internet access at full speed.
To do it right, you need a rule in the FORWARD chain:
```
config rule
	option name 'Restrict-Internet-access'
	list proto 'all'
	option src 'lan'
	option src_ip '!192.168.1.158-192.168.1.166'
	option dest 'wan'
	option target 'REJECT'
```
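Putting the two halves of this thread together, here is a complete /etc/config/firewall fragment added as an illustration (it is not from either poster): the lan zone with INPUT set to REJECT, explicit INPUT accepts for DHCP and for DNS from the allowed range, and the FORWARD rule from the reply. The range 192.168.1.158-192.168.1.166 is taken from the reply; the DHCP and DNS accept rules and their names are assumptions about what "accepts for DHCP and the IPs I want" looks like in UCI form.

```uci
# Assumed layout, not the original poster's file. The lan zone drops
# unsolicited traffic to the router itself (INPUT) but still forwards.
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# INPUT: every lan client may still obtain a lease (DHCP is UDP 67/68).
config rule
	option name 'Allow-DHCP-lan'
	option src 'lan'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

# INPUT: only the QoS-managed range may use the router's DNS resolver
# (assumed rule; the range comes from the reply above).
config rule
	option name 'Allow-DNS-QoS-clients'
	option src 'lan'
	option src_ip '192.168.1.158-192.168.1.166'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# FORWARD: this is the rule that actually enforces the restriction.
# A client outside the range is refused lan -> wan forwarding, so picking
# its own static IP or an external DNS server no longer bypasses the limit.
config rule
	option name 'Restrict-Internet-access'
	list proto 'all'
	option src 'lan'
	option src_ip '!192.168.1.158-192.168.1.166'
	option dest 'wan'
	option target 'REJECT'
```

The two INPUT rules have `src` but no `dest`, so fw4 places them in the INPUT chain; the last rule has both `src 'lan'` and `dest 'wan'`, which is what puts it in FORWARD. After editing the file, apply it with `/etc/init.d/firewall restart` and confirm the generated ruleset with `nft list ruleset`.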
Thank you so much. I tested it and you are correct.
Does the ! symbol only work with an IP range and not a group of individual IP addresses as in my previous post?