Hello everyone,
Thank you for your interest. I recently installed the latest OpenWrt 18.06.
I followed https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls to define parental control rules with LUCI. (Device1 has one Reject rule. Device2 gets 3 Accept rules followed by one Reject.)
I subsequently created a guest network with LUCI based on https://openwrt.org/docs/guide-user/firewall/fw3_configurations/fw3_parent_controls
As a result of the Guest network creation, I got a hole in my parental control... (BTW: At first, it looked like I had it all under control. I made a couple of changes in the Wiki e.g. to warn about this, and suggest a possible solution. I'll revert/clarify them if it appears I was wrong. Sorry for the noise.)
I'd like some clarification because my fix appeared to be imperfect after more testing. It was based on source zone=any zone (not just source zone=lan).
For Device1, with one Reject rule, I get the expected result. And I don't mind extending the "scope" of a "Reject rule". ("From any host in any zone with source MAC XX:XX:XX:XX:XX:XX To any host in wan")
For Device2, with three Accept followed by one Reject, it gets more complicated.
I wanted to keep all Accept rules with source zone=lan, and extend the Reject rule with source zone=any zone. However, this results in unexpected blocking. As if the order of the Reject rule with "any zone" was modified to end up before the lan "Accept rule". It seems to work fine if I extend all rules with "any zone", although I can't know if it's safe. I'm not a network expert, nor do I want to become one. (I'm not against learning a bit, and I already had to learn a bit, I must say.)
Considering the complexity of the default firewall rules and my limited knowledge, I won't extend any "Accept" rule unless some expert can confirm it's safe. Extract from /etc/config/firewall below.
What's the good strategy with respect to parental control with a guest network? Is it safe to use source zone=any zone for any rule, or at least for rules such as the ones below?
Thank you for your guidance.
Model: Netgear Nighthawk X4S R7800
Architecture: ARMv7 Processor rev 0 (v7l)
Firmware Version: OpenWrt 18.06.4 r7808-ef686b7292 / LuCI openwrt-18.06 branch (git-19.170.32094-4d6d8bc)
Kernel Version: 4.14.131
MAC addresses have been obfuscated. They were identical in all 4 rules.
config rule
	option target 'ACCEPT'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option weekdays 'Sun Mon Sat'
	option start_time '17:00:00'
	option name 'R S2 SA-DI-LU 17-18 Accept'
	option src 'lan'
	option dest 'wan'
	option stop_time '18:00:00'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option weekdays 'Sun Sat'
	option start_time '14:00:00'
	option stop_time '15:00:00'
	option name 'R S2 SA-DI 14-15'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option weekdays 'Tue Wed'
	option start_time '16:00:00'
	option stop_time '17:00:00'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option name 'R S2 MAR-MER 16-17 Accept'
	option dest 'wan'

config rule
	option name 'R S2 General block'
	option src_mac 'xx:xx:xx:xx:xx:xx'
	option target 'REJECT'
	option src '*'
	option dest 'wan'
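An added example, not from the post or from the OpenWrt project, that replays the rule ordering the poster observed. It assumes (my reading of fw3, not stated on the page) that a rule with src '*' is emitted into the top-level FORWARD chain, which runs before the per-zone zone_<src>_forward chains, so a src='*' REJECT is met before any zone-scoped ACCEPT regardless of file order; the config excerpt and MACs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not the post's or OpenWrt's code). Assumption: fw3 places src='*' rules
# in the top-level FORWARD chain, evaluated before the zone_<src>_forward chains.

# Constructed excerpt modelled on the post's rules; MACs are placeholders.
FW_EXCERPT=$(cat <<'EOF'
config rule
    option target 'ACCEPT'
    option src_mac 'xx:xx:xx:xx:xx:xx'
    option name 'R S2 SA-DI-LU 17-18 Accept'
    option src 'lan'
    option dest 'wan'
config rule
    option target 'ACCEPT'
    option src 'lan'
    option src_mac 'xx:xx:xx:xx:xx:xx'
    option name 'R S2 SA-DI 14-15'
    option dest 'wan'
config rule
    option name 'R S2 General block'
    option src_mac 'xx:xx:xx:xx:xx:xx'
    option target 'REJECT'
    option src '*'
    option dest 'wan'
EOF
)

# Reads UCI rules on stdin; prints tab-separated "<chain> <target> <src_mac> <name>"
# in the order a forwarded packet meets them (excerpt always sets src).
fw3_eval_order() {
  awk '
    BEGIN { OFS = "\t" }
    /^config rule/ { n++; next }
    $1 == "option" {
      v = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
      gsub(/^['"'"'"]|['"'"'"]$/, "", v)        # strip the UCI quotes
      r[n, $2] = v
    }
    END {
      for (i = 1; i <= n; i++) if (r[i,"src"] == "*")   # top-level FORWARD first
        print "FORWARD", r[i,"target"], r[i,"src_mac"], r[i,"name"]
      for (i = 1; i <= n; i++) if (r[i,"src"] != "*")   # then the zone chains
        print "zone_" r[i,"src"] "_forward", r[i,"target"], r[i,"src_mac"], r[i,"name"]
    }'
}

# Names the ACCEPT rules that can never match because a top-level REJECT for the
# same MAC is evaluated first.
shadowed_accepts() {
  fw3_eval_order | awk 'BEGIN { FS = "\t" }
    $1 == "FORWARD" && $2 == "REJECT" { blocked[$3] = 1 }
    $2 == "ACCEPT" && ($3 in blocked) { print $4 }'
}

printf '%s\n' "$FW_EXCERPT" | fw3_eval_order
```

Under that assumption a REJECT scoped per zone (one rule with src 'lan', one with src 'guest') stays inside each zone's own chain, so file order between Accept and Reject is preserved there.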