So I want to implement proper LAN device detection on OpenWRT for my geoip project. The purpose is when the project is used in whitelist mode, to add whitelist rules for LAN devices (so they don't get blocked). I already have a generic algorithm for Linux which should work in most cases, but since OpenWRT has its own tools for that, I'd rather use them.
Currently the best candidate I found is this: ubus call network.interface.lan status | grep "\"device\":" | cut -d\" -f4
(yes, I could parse json with a json tool but is that really better than grep+cut?)
With default configuration, this will produce the 'br-lan' device which is probably what I need, right? (this is a question)
Another question: what if the specific router is set up in a non-standard way, for example the user changed device names, or somehow connected the router to multiple local networks - what is my best bet to programmatically extract this information?
My intention is to eventually ask the user for confirmation, but I want to give them the best candidate I can get.
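As an added worked example (not code from the original post), here is a small POSIX shell script that takes the same approach as the grep+cut one-liner above but handles the cases raised: it classifies every netifd interface from the JSON that `ubus call network.interface.<name> status` prints, using only grep/sed so it runs under busybox on the router. It prefers the `l3_device` field over `device` (for a PPPoE WAN the two differ: `device` is the underlying port while `l3_device` is the name the firewall actually sees), skips loopback and down interfaces, and treats an interface carrying a default route as WAN and everything else as a LAN candidate, so multiple LANs (lan, guest, iot, ...) are all reported. The three JSON samples are constructed to mirror netifd's output shape and are not captured from a real device; the default-route heuristic and the field names are assumptions to confirm against your own `ubus` output.

```shell
#!/bin/sh
# Added example: classify OpenWrt interfaces from "ubus call network.interface.<name> status"
# output using only grep/sed. Samples below are constructed, not captured from a router.

# Print the value of a top-level string field such as "device" or "l3_device" (JSON on stdin).
status_field() {
    sed -n "s/^[[:space:]]*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Classify one interface: prints "<role> <device>" where role is
# lan (up, no default route), wan (up, has a default route), loopback or down.
classify_status() {
    json=$1
    dev=$(printf '%s\n' "$json" | status_field l3_device)
    # netifd omits l3_device while an interface is down or still being set up;
    # fall back to the underlying "device" so the caller still sees a name.
    [ -n "$dev" ] || dev=$(printf '%s\n' "$json" | status_field device)
    if ! printf '%s\n' "$json" | grep -q '^[[:space:]]*"up": *true'; then
        printf 'down %s\n' "$dev"
    elif [ "$dev" = lo ]; then
        printf 'loopback %s\n' "$dev"
    # A default route (IPv4 0.0.0.0/0 or IPv6 ::/0) marks the upstream side (assumed heuristic).
    elif printf '%s\n' "$json" | grep -Eq '"target": *"(0\.0\.0\.0|::)"'; then
        printf 'wan %s\n' "$dev"
    else
        printf 'lan %s\n' "$dev"
    fi
}

# On a router: enumerate all netifd interfaces and print "<interface> <device>" for LAN candidates.
lan_devices_from_ubus() {
    for obj in $(ubus list 'network.interface.*'); do
        name=${obj#network.interface.}
        out=$(classify_status "$(ubus call "$obj" status)")
        case $out in lan\ *) printf '%s %s\n' "$name" "${out#lan }" ;; esac
    done
}

# Constructed sample: a default static LAN bridge.
SAMPLE_LAN=$(cat <<'EOF'
{
        "up": true,
        "pending": false,
        "l3_device": "br-lan",
        "proto": "static",
        "device": "br-lan",
        "ipv4-address": [ { "address": "192.168.1.1", "mask": 24 } ],
        "route": [ ],
        "dns-server": [ ]
}
EOF
)

# Constructed sample: a PPPoE WAN, where "device" (eth0) and "l3_device" (pppoe-wan) differ.
SAMPLE_PPPOE_WAN=$(cat <<'EOF'
{
        "up": true,
        "pending": false,
        "l3_device": "pppoe-wan",
        "proto": "pppoe",
        "device": "eth0",
        "ipv4-address": [ { "address": "203.0.113.5", "mask": 32, "ptpaddress": "203.0.113.1" } ],
        "route": [ { "target": "0.0.0.0", "mask": 0, "nexthop": "203.0.113.1", "source": "203.0.113.5/32" } ],
        "dns-server": [ "203.0.113.53" ]
}
EOF
)

# Constructed sample: a guest network that is currently down (no l3_device yet).
SAMPLE_DOWN=$(cat <<'EOF'
{
        "up": false,
        "pending": false,
        "proto": "static",
        "device": "br-guest"
}
EOF
)

if command -v ubus >/dev/null 2>&1; then
    lan_devices_from_ubus
else
    for s in "$SAMPLE_LAN" "$SAMPLE_PPPOE_WAN" "$SAMPLE_DOWN"; do classify_status "$s"; done
fi
```

On a router the script lists one `<interface> <device>` line per LAN candidate, which is the list to show the user for confirmation; off the router it runs the classifier over the constructed samples. Note that the plain grep on `"device":` would return `eth0` for the PPPoE sample, while the firewall rule needs `pppoe-wan`, which is why the script reads `l3_device` first.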
@eduperez
I could do that but that is not geoip blocking. Geoip blocking, by definition, is selectively blocking connections from certain geographical regions (rather than the whole WAN).
Now my project does support running in 'blacklist' mode where you pick countries you do not want to be connected from. But there is a different typical use case, where let's say you are running an application which you need to be accessible to you (and perhaps your clients/friends/etc.) in your country but have no need to make it available in other countries. That is what the whitelist mode is for. In this mode, you make a few "accept" rules, and everything which is not included in those rules, goes to 'drop'. So I could specifically allow connections from LAN addresses (which I'm doing when my project is installed on a host), but for a router, it's simpler and better and more reliable to add an 'accept' rule for the known LAN devices.
@eduperez Or do you mean to only apply geoip blocking on the known WAN interface and avoid dealing with the LAN altogether? I actually never thought of this possibility but this makes sense. Not sure what's preferable though. Would like to hear input from gurus.
I agree 100% with @eduperez. In the context of security, lan "east to/from west" is bridged to wan "north to/from south". Filter only the southbound wan traffic gate.