How to block luci access to pubblic vlan? [solved]

i have 2 different vlan one is pubblic and the other one is private, i already maked a different firewall zone, devices on pubblic vlan can't even ping client on private vlan, but if on public vlan i try to access to private gateway i can access to luci login menu, and ofcourse i can access luci also on pubblic gateway

my goal is to deny every lucy gateway access from pubblic vlan

i'm not a command line ssh expert, so i whould like to reach the purpose if possible using luci

i hope someone could help thanks

It should be possible via Firewall >> Traffic Rules... Deny access to port 80,443 and 22 for SSH.
I'm running a isolated guest network (wired+wifi) for some clients and blocked Luci,Modem and SSH access via Traffic rules. It's working fine here...

/etc/config/uhttpd

option  redirect_https      '1'
list    listen_http         '192.168.1.1:80'
list    listen_https        '192.168.1.1:443'
  • IIRC, specifying a specific IP in the uhttpd config should stop LuCI [uhttpd] from listening on 127.0.0.1:80 & 127.0.0.1:443 [localhost:80 & localhost:443)

    • If it does not, simply create four firewall rules for the public vlan:
      config rule
           option  target          'REJECT'
           option  family          'ipv4'
           option  proto           'tcp udp'
           option  src             '<public vlan>'
           option  dest            '*'
           option  dest_ip         'localhost'
           option  dest_port       '80 443'
           option  name            'Reject Forwarded Public vLAN -> LuCI [localhost]'
      
      config rule
           option  target          'REJECT'
           option  family          'ipv4'
           option  proto           'tcp udp'
           option  src             '<public vlan>'
           option  dest            'lan'
           option  dest_ip         'localhost'
           option  dest_port       '80 443'
           option  name            'Reject Public vLAN -> LuCI [localhost]'
      
      config rule
           option  target          'REJECT'
           option  family          'ipv4'
           option  proto           'tcp udp'
           option  src             '<public vlan>'
           option  dest            '*'
           option  dest_ip         '192.168.1.1'
           option  dest_port       '80 443'
           option  name            'Reject Forwarded Public vLAN -> LuCI [IP]'
      
      config rule
           option  target          'REJECT'
           option  family          'ipv4'
           option  proto           'tcp udp'
           option  src             '<public vlan>'
           option  dest            'lan'
           option  dest_ip         '192.168.1.1'
           option  dest_port       '80 443'
           option  name            'Reject Public vLAN -> LuCI [IP]'
      
1 Like

Better yet, set the input rule to reject for the firewall zone for the public vlan. Then whitelist DHCP and DNS.

This is all explained in this guide that uses only Luci, and should be easy to follow: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

Note that this is about setting up guest WiFi, but firewall-wise this is identical to setting up a public VLAN.

3 Likes

edit: thank you i had some trouble but now it works
i have one last problem related on this, my lede router work under isp modem, i can still access to it from my public vlan, i've tryed to do the same for his ip on trafic rules, but doesn't work, any suggestion?

traffic_rules
These are the traffic rules @ my dir-860L, but i only use this device as a smart switch with vlans and Wifi AP...
So better listen to Mushoz, my setup is a bit weird anyway :wink:

@Mushoz, my fw zone settings look like this:
fw_zones
Would u recommend to set the guest zone Input to "reject" in my case ?

Is your ISPmodem connected with the WAN port of your OpenWRT router ?
I've blocked access to my bridged modem on my main router for the guest/public network, so i guess it should work for you as well.

If you truly want to isolate your public network clients i would suggest to take a look at my rollercoaster Thread about wifi+wired client isolation (in my case over two Routers)...
I've started with OpenWRT + Tomato and ended up with OpenWRT + OpenWRT.
At the end it finally worked out: How to prevent Guest Network clients to communicate with each other?

yes my lede router is connected with the WAN port to the ISP modem
i've saw what you linked but i did not understood what did i have to for deny public vlan to access to ISP modem

trying to explain a bit better what i need to

ISP modem
192.168.0.1 ISP under this lan my lede router is 192.168.0.2 and i setup for this address a DMZ

lede vlans
192.168.1.1 private
192.168.2.1 public

if i open a browser and write 192.168.0.1 on public vlan i can access to my ISP router, i need to deny it

Do you have a seperate fw zone for your public network ?

My "Block Modem Access" rule looks like this (Modem = 192.168.254.100):
block_modem

In your case 192.168.0.0/24 should work !

edit: worked thanks alot

1 Like

Depending on the uhttpd config, that wouldn't necessarily block LuCI access, as uhttpd is configured by default to listen on localhost:80, hence my post above

This topic was automatically closed 6 days after the last reply. New replies are no longer allowed.