I had to change the forwarding to reject because after the last step aka deleting the wan interfaces etc as described in the documentation mine was on accept, but because in the documentation was on reject I changed it so it would reflect the firewall settings exactly as described in the documentation.
Can anyone please explain why this needs to be set to reject?
Also in the documentation they used the destination address 192.168.1.0/24 altho they specified LAN as destination.
Why specifying the subnet was necesarry if the destination zone is LAN, seems unneccesarry or is it?
This should not be possible; no special rule to block pings is required.
Per the guide, this should not be possible, so this is working as intended.
This should not be necessary and should have no effect if you've configured things properly.
It doesn't. Probably just an artifact of an unrelated thing that the person taking the screnshots must have been doing.
It is necessary to ensure that only the upstream lan network is blocked from the guest network. If the network (address/subnet) wasn't specified, the rule would stop all traffic from the guest network to the internet.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
I just connected some devices to guest, lan wifi and performed some pings to see if everything is ok. Could ping devices in the LAN area from guest client for example my main router but could not connect to it which is expected.
Regarding that Ping rule if I remove it somehow guests can ping lan zone devices.
This won't matter. I would typically leave it on ACCEPT but it only applies to intra-zone forwarding when you have 2 or more networks in the same zone (you don't have this configuration).
What are the source and destination devices + addresses that you're testing?
Basically when I connect a device to the guest wifi (I also check the ip on the device itself an also on the AP) I can for example ping anything connected on my lan subnet, my main router included, but not my AP (192.168.1.2)
No luck, I also removed for DNS & DHCP.
Btw what should block ping from guest to lan if no icmp is defined in the firewall?
With reject from guest to lan 192.168.1.0/24 on tcp/udp you would expect all other traffic to pass from guest to lan 0.0.0.0/0 (besides 192.168.1.0/24 offcourse) and also icmp.
Thanks for asking that... it made me re-evaluate the rule:
This is missing one critical line.
list proto 'all'
Without it, only TCP + UDP is blocked. Therefore, the rule should be this:
config rule
option name 'Block_Guest_from_Lan'
list proto 'all'
option src 'guest'
option dest 'lan'
list dest_ip '192.168.1.0/24'
option target 'REJECT'