Guest wifi can access via ssh, even with restricted ssh interface

phqzgunsfjror · June 9, 2021, 4:16pm

I am using fritzbox 4040 with:
LuCI openwrt-19.07 branch (git-21.044.30835-34e0d65)
OpenWrt 19.07.7 r11306-c4a6851c72

I set up guest wifi based on this guide: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

The ESSID is OpenWrt_Guest
It has its own network "guest" with its own ip range "192.168.3.0/24"
Unlike my normal wifi, the guest wifi is not part of the network "lan".

In addition to that I also restricted the ssh interface to "lan":
→ System → Administration → SSH Access → Interface: "lan"
(saved and rebootet)

cat /etc/config/dropbear

config dropbear
	option Port '22'
	option Interface 'lan'
	option PasswordAuth 'off'

For some reason I can still access openwrt via ssh over my guest wifi "OpenWrt_Guest".
How is that possible?
If it is a kind of bug, I would see it as a security risk.

mk24 · June 9, 2021, 4:25pm

I think you need to use the real kernel name br-lan not lan for that to work.

But this is generally not how it is done. The server can run its default of listening on all interfaces, but the firewall rejects incoming connections from un-privileged interfaces. That is set up by having the default "input" rule on guest be REJECT, which is set at the bottom of the firewall summary general settings page, or in the config zone section of /etc/config/firewall.

phqzgunsfjror · June 11, 2021, 7:49pm

@mk24 thanks for your input.

In Luci I cannot select br-lan.
When I tried it via ssh, it complains after restarting dropbear:

vi /etc/config/dropbear
config dropbear
        option Port '22'
        option Interface 'br-lan'
        option PasswordAuth 'off'

/etc/init.d/dropbear restart

interface br-lan has no physdev or physdev has no suitable ip

With setting "input" rule on guest to REJECT, the guest network has no internet connection anymore...

config zone
	option network 'guest'
	option name 'guest'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option input 'REJECT'

What else can I do?

phqzgunsfjror · June 12, 2021, 11:34am

Okay, thanks @mk24

REJECT on "input" revoked the access from guest to OpenWrt ssh.

I found my mistake with the problem about no internet. I did everything exactly like: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

But in the firewall rules for DHCP and DNS I entered in source address "192.168.3.0/24" (ip range from guest network). I dont understand why but this was the reason why my guest network hasnt have internet.

Still the dropbear interface restriction is irritating.

system · June 22, 2021, 11:35am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.