Firewall traffic rule with destination IP subnets

Hi,
I would like to block access from one zone to all private 10.0.0.0/24 subnets.
I realised that I can put a destination IP of 10.1.0.0/16 in the rule, and it works as expected (subnet not reachable).
When I put 10.0.0.0/24, however, it doesn't work. I can reach all hosts in the subnets.
What am I doing wrong?

Information: I have an intranet Wi-Fi and a guest Wi-Fi; both connect to the network on the LAN port. The goal is to not allow the guest network any access to the intranet.

Thanks for reading,
TH

Do you have two firewall zones, one for each network?

You should be able to set up two rules allowing DNS and DHCP for the guest VLAN/network. This should restrict access to only the internet.

Since it's Wi-Fi, is this SSID being broadcast from the OpenWrt device or from a separate AP?

Please connect to your OpenWrt device using SSH, copy the output of the following commands and post it here using the "Preformatted text </>" button.
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

10.0.0.0/24 = 10.0.0.0-10.0.0.255
10.1.0.0/16 = 10.1.0.0-10.1.255.255

For a start, you are blocking completely different address spaces.
Post the information mentioned in the post above so we can help you with the correct address.

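To make the two ranges above concrete, here is a small POSIX shell script that expands an IPv4 prefix to its first and last address and tests whether a given host falls inside it. It is an added example, not something posted in the thread; it uses only shell arithmetic (no ipcalc), so it also runs in BusyBox ash on the router itself. The test host 10.1.0.1 is a constructed address chosen to sit inside the 10.1.0.0/16 range that the poster's working rule covered, not an address from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): expand an IPv4 CIDR prefix and check
# whether a host is inside it, using plain POSIX sh arithmetic.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix length -> netmask as an integer (24 -> 0xffffff00, 8 -> 0xff000000)
prefix_mask() {
    echo $(( (0xffffffff << (32 - $1)) & 0xffffffff ))
}

# cidr_range 10.0.0.0/24  ->  10.0.0.0-10.0.0.255
cidr_range() {
    net=${1%/*}; bits=${1#*/}
    mask=$(prefix_mask "$bits")
    first=$(( $(ip2int "$net") & mask ))
    last=$(( first | (~mask & 0xffffffff) ))
    echo "$(int2ip "$first")-$(int2ip "$last")"
}

# cidr_contains PREFIX HOST -> exit status 0 if HOST is inside PREFIX, else 1
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    mask=$(prefix_mask "$bits")
    [ $(( $(ip2int "$net") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# Demo: which of the three candidate destination prefixes from the thread
# actually matches an intranet host? 10.1.0.1 is a constructed example host.
demo() {
    host=10.1.0.1
    for prefix in 10.0.0.0/24 10.1.0.0/16 10.0.0.0/8; do
        if cidr_contains "$prefix" "$host"; then
            verdict=blocked
        else
            verdict="NOT blocked"
        fi
        printf '%-13s = %-27s -> %s is %s\n' "$prefix" "$(cidr_range "$prefix")" "$host" "$verdict"
    done
}

demo
```

Run it as `sh cidr.sh`; the /24 line is the one that shows why the original rule let everything through, and the /8 line is the range the poster actually wanted. Octets with leading zeros (e.g. `010`) would be read as octal by the shell, so feed it plain decimal addresses.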

Yes, that's it.
My intention was to block 10.0.0.0/8. What I did is what I posted previously.
Now it works as intended.
I should get more sleep :)
Thanks
TH
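For reference, here is what the resolved setup looks like in /etc/config/firewall, with the rule that failed commented out beside the corrected one. This is an added example, not the poster's configuration: the zone names 'guest' and 'lan', the guest network name and the rule names are assumptions, and it takes the intranet to live in 10.1.0.0/16, as the poster's working /16 test suggests. The DNS and DHCP rules correspond to the earlier suggestion in the thread.

```uci
# /etc/config/firewall (excerpt) -- added example, not the poster's own config.
# Zone and network names are assumptions.

config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

# guest clients may reach the internet only
config forwarding
        option src 'guest'
        option dest 'wan'

# allow guest clients to obtain addresses and resolve names via the router
config rule
        option name 'Guest-DHCP'
        option src 'guest'
        option dest_port '67'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Guest-DNS'
        option src 'guest'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

# WRONG: 10.0.0.0/24 is only 10.0.0.0-10.0.0.255, so intranet hosts in
# 10.1.0.0/16 are never matched and the traffic is not blocked.
#config rule
#        option name 'Block-guest-to-intranet'
#        option src 'guest'
#        option dest 'lan'
#        option dest_ip '10.0.0.0/24'
#        option target 'REJECT'

# CORRECT: the whole 10.0.0.0/8 block the poster intended
config rule
        option name 'Block-guest-to-intranet'
        option src 'guest'
        option dest 'lan'
        option dest_ip '10.0.0.0/8'
        option proto 'all'
        option family 'ipv4'
        option target 'REJECT'
```

With the guest zone's forward policy set to REJECT and a forwarding entry only to wan, guest-to-lan traffic is already dropped; the explicit dest_ip rule is there to make the intent visible and to keep blocking the private range even if someone later adds a broader forwarding. After editing, apply with `/etc/init.d/firewall restart` and check the result from a guest client with a ping to an intranet host.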

In /etc/config/network:

# blackhole route for the whole 10.0.0.0/8 range: packets with no more
# specific route (i.e. not for a directly connected 10.x subnet) are
# silently discarded instead of being sent to the default gateway
config route
        option interface 'loopback'
        option type 'blackhole'
        option target '10.0.0.0/8'
        # high metric so any real, more specific route to a 10.x network wins
        option metric '2338'
