Firewall blocking to other lan devices

I would like to block all traffic from a single LAN IP to all other LAN devices, excluding the router. I'm using a dumb AP that doesn't support OpenWrt, so a VLAN or guest network aren't options. I've tried this firewall entry:

firewall.@rule[2]=rule
firewall.@rule[2].name='Block Host1 Access'
firewall.@rule[2].src_ip='10.1.0.184'
firewall.@rule[2].src='lan'
firewall.@rule[2].dest='lan'
firewall.@rule[2].target='REJECT'
firewall.@rule[2].proto='all'

After enabling the rule and restarting the firewall, pings from 10.1.0.184 are still getting to other LAN IPs. (Rules 0 and 1 do not allow this traffic.)

Is there a way to prevent a single LAN device from accessing other IP addresses with this dumb AP?

No, that’s not possible.

LAN traffic doesn't go through the firewall; it gets switched directly on the switch controller.

You need to separate the device you want to segment off into a separate VLAN network.


What is your device? ubus call system board
In DSA you can use bridge filtering directly (outside the scope of fw4).
With wifi you need to enable client isolation to land in the bridge.
In swconfig you need to put the isolated device in a separate eth0.new_wlan; then you can filter by adding that new VLAN to br-lan.
Or, in a more general approach, make a guest wifi for that device (if it is on the ethernet, add only that ethernet port, no wifi).

Thanks for the responses.

Router's - ubus call system board:

root@MX_OpenWrt:/etc/config# ubus call system board
{
    "kernel": "5.15.134",
    "hostname": "MX_OpenWrt",
    "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
    "model": "TP-Link Archer A7 v5",
    "board_name": "tplink,archer-a7-v5",
    "rootfs_type": "squashfs",
    "release": {
        "distribution": "OpenWrt",
        "version": "23.05.0",
        "revision": "r23497-6637af95aa",
        "target": "ath79/generic",
        "description": "OpenWrt 23.05.0 r23497-6637af95aa"
    }
}

The router's wifi does not reach the device in question. The AP is a dumb Netgear powerline extender with a wifi AP that doesn't support OpenWrt.

Upgrade to 23.05.5 (luci-app-attendedsysupgrade).
So it is swconfig. Is the adverse device wifi or fixed?
We are not Netgear support (you will have to block the whole extender).

That's what I suspected, but I have found a bunch of mentions online of it being doable. The dumb AP provides wifi to other devices so I can't connect to it through a dedicated VLAN Ethernet port either.

If there's no way to do this, I guess I'll be forced to add an OpenWrt AP.

This isn't Netgear technical support? :smile:
Can't block the whole extender and I've already verified there's no way to do this on the Netgear AP. Looks like I'll have to add an OpenWRT AP.

Do you think it's possible to use a separate SSID (connected to the same network) and firewall the WiFi phy in the advanced firewall config?

Nope. The Netgear equipment is as basic as it gets and there's no way to relocate the existing OpenWRT router. I'll be adding a dumb OpenWRT AP which will provide the flexibility Netgear doesn't have, but I've been trying to avoid that because I already have an absurdly complex network.


Oh, I didn't realize you were asking us to support the Netgear. My bad.

I wasn't asking for Netgear support; I was trying to figure out if there was some way to do what I needed using my OpenWrt router. Sorry if I wasn't clear.