Can anyone help me create a firewall to block all traffic to IP range 192.168.200.0/24 on a dump wireless AP setup for guests?
Interface wise I just have Guestwifi, lan and wan (empty)
Does the IP range 192.168.200.0/24 relate to one of the interfaces?
Nope, not related to any of the interfaces
The easiest way to generally block guest interfaces is through having them in a separate firewall zone. But to figure out if that's possible it needs some more info about your network layout and config on the AP.
What does the range you want to block do within your network? Is it part of your trusted LAN?
Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall
1 Like
The IP range 192.168.200.0/24 contain servers that I don't want guest wifi users to be able access. The wireless AP is connected to a switch that is connected to the rest of the network.
Firewall:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq '1'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
option masq '1'
config zone
option name 'Guestwifi'
option output 'ACCEPT'
list network 'Guest'
option input 'REJECT'
option forward 'REJECT'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Guest DHCP and DNS'
option src 'Guestwifi'
option dest_port '53 67 68'
option target 'ACCEPT'
config forwarding
option src 'Guestwifi'
option dest 'lan'
config rule
option name 'Guest-Block-All'
option src 'Guestwifi'
option target 'DROP'
config rule
option name 'Block-Office-Network'
option src 'Guestwifi'
list dest_ip '192.168.200.0/24'
option target 'REJECT'
config rule
option name 'Allow-Internet-Access'
option src 'Guestwifi'
list dest_ip '192.168.200.1'
option target 'ACCEPT'
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '5g'
option htmode 'VHT80'
option cell_density '0'
option channel 'auto'
option country 'GB'
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/a000000.wifi'
option band '2g'
option htmode 'HT20'
option channel 'auto'
option country 'GB'
option cell_density '0'
option disabled '1'
config wifi-device 'radio2'
option type 'mac80211'
option path 'platform/soc/a800000.wifi'
option band '5g'
option htmode 'VHT80'
option channel 'auto'
option cell_density '0'
option country 'GB'
option disabled '1'
config wifi-iface 'wifinet3'
option device 'radio0'
option mode 'ap'
option encryption 'psk2'
option isolate '1'
option key '***********'
option network 'Guestwifi'
option ssid 'GuestWifi'
Network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd1a:cddd:d99c::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
list dns '8.8.8.8'
list dns '1.1.1.1'
option ipaddr '192.168.200.9'
option gateway '192.168.200.1'
config interface 'Guest'
option proto 'static'
option ipaddr '10.20.30.40'
option netmask '255.255.255.0'
list dns '8.8.8.8'
list dns '1.1.1.1'
You need to add the destination zone lan, as described here.
Also one more thing, the second rule will never be matched and I am not sure if it is needed at all.
1 Like
Amazing, thank-you! That did the trick.
This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.