I have my TP-Link Archer C7 configured as an access point only, bridging a couple of VLANs onto wireless networks. I'm am not doing any layer 3 forwarding, filtering, etc.; the only layer 3 functionality that I need is administrative access (ssh & https) on my admin VLAN.
The default OpenWrt firewall configuration assumes that the device is being used as a "router" - WAN & LAN zones, IP forwarding enabled, etc. I would like to change this to something more appropriate for the way that I'm using the device. I'm very familiar with iptables, but I haven't been able to grok the way that OpenWrt configures it, despite reading the documentation.
Does anyone have an example of a simple access point-only firewall configuration?
Also do not set any IP address on untrusted (guest) networks. Use "Unmanaged" or "proto none" so they are only layer 2 bridges. This way the guests have certainly no way to ssh or http to your AP OpenWrt.
Do you need a firewall at all? Simply put this in your rc.local ...
I supposed I could technically do without. I'm in the habit of using iptables to block ports/source addresses on my Linux systems, so I'd prefer to do that on my access point as well.
Also do not set any IP address on untrusted (guest) networks. Use "Unmanaged" or "proto none" so they are only layer 2 bridges. This way the guests have certainly no way to ssh or http to your AP OpenWrt.
Already done. The question was about the firewall.
I have an Archer C7 configured as an acces point as well. I have disabled the firewall and my security concept is as follows:
The bridges for my wifi interfaces do not get any IP addresses. So, no wifi client can access the access point on an IP level, hence no need for iptables. I also disabled IPv6, since otherwise the interfaces would automatically get link local IPv6 addresses.
I have a separate VLAN for management purposes only, directly connected to my main firewall. The access control for that management VLAN is defined on the main firewall. There are only two ports allowed on that VLAN: NTP (to a local server only) and SSH (from trusted wired local clients only, and needless to say, with public key authentication).
Of course, you can continue to use iptables and define rules according to your liking, I just don't see the benefit to it.