Firewall rules and wireguard

Hi, I have OpenWrt on a Xiaomi AX3200.
All is working great.

I have a couple of "how to" questions :slight_smile: regarding zones/traffic rules and WireGuard:

  1. Block all incoming connections to a specific LAN IP.
  2. Isolate Wi-Fi clients per SSID (if that is not possible, can I use VLANs, and how?).
  3. I have two WAN connections with load balancing and want to set up WireGuard on both WANs.

That would be all :)))

How is your wg network set up? Is this a ‘server’ config (such as for remote access) or a ‘client’ (connects to a remote peer like a commercial VPN or an office)?

You can set up a firewall rule to block connections, but it might not be necessary.

Are you looking to isolate clients on the same SSID? This is not a firewall thing. It is simply a Wi-Fi config option. If you are trying to isolate clients between SSIDs, that would require multiple subnets (not necessarily VLANs per the strict definition, but the same general strategy) and then firewall configurations to keep them isolated.

This would probably require 2 WireGuard configs (with separate keys and interface addresses, if it is a client-type config) and also policy-based routing. I’d recommend splitting this one into a different thread.

1 Like
  1. This block I would like to finish with a firewall rule, so it is not related to the VPN itself.
  2. I found the isolation between clients on the same SSID, so this is per-SSID isolation. Can you help me a little bit with how to accomplish this successfully? :slight_smile:
  3. Yes, two separate ones (each for 1 WAN), but OK, I will create a new one.

Is your concern about incoming connections (i.e. from the internet to the specific IP)? If so, this is blocked by default. Only return traffic based on the connections initiated by the device itself will be allowed to reach it. However, if you want to isolate it from the internet completely, that is easy to do by simply creating a rule that drops (or rejects) all connections from that IP address that are destined for the internet (wan zone) and/or any other zones that should be blocked.

I don't understand exactly what you are looking for here. Can you elaborate on your goals?
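The "drop everything from that IP towards the wan zone" rule from the reply above, as an added example rather than anything posted in the thread. The host address 192.168.1.50 is a constructed placeholder for the device to be cut off; the rule assumes the stock `lan` and `wan` zone names.

```uci
# /etc/config/firewall -- cut one LAN host off from the internet entirely.
# Because the rule names both src and dest zones, fw3/fw4 place it in the
# lan -> wan forwarding path ahead of the zone-level ACCEPT, so it wins.
config rule
	option name 'Block-host-from-internet'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	option proto 'all'
	option family 'ipv4'
	option target 'REJECT'

# Optional: the same idea for the router's own services (dest omitted = input chain).
# Use this only if the host should not reach LuCI/SSH/DNS on the router either.
# config rule
# 	option name 'Block-host-from-router'
# 	option src 'lan'
# 	option src_ip '192.168.1.50'
# 	option proto 'all'
# 	option target 'REJECT'
```

`REJECT` answers the host with an ICMP unreachable so connection attempts fail immediately; `DROP` silently discards them instead. Apply with `/etc/init.d/firewall restart`; on a recent release `nft list ruleset` (fw4) or on older ones `iptables-save` (fw3) shows the generated rule, and from the blocked host a `ping 1.1.1.1` should fail while hosts on the LAN stay reachable. Note that this rule keys on the IP address, so the host should have a static DHCP lease so the address does not change.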