How to block LuCI access from public VLAN? [solved]

I have 2 different VLANs, one is public and the other one is private. I already made a different firewall zone; devices on the public VLAN can't even ping clients on the private VLAN, but if on the public VLAN I try to access the private gateway I can access the LuCI login menu, and of course I can access LuCI also on the public gateway.

My goal is to deny every LuCI gateway access from the public VLAN.

I'm not a command line SSH expert, so I would like to reach the purpose, if possible, using LuCI.

I hope someone could help, thanks.

It should be possible via Firewall >> Traffic Rules... Deny access to ports 80, 443 and 22 (for SSH).
I'm running an isolated guest network (wired+wifi) for some clients and blocked LuCI, modem and SSH access via traffic rules. It's working fine here...

/etc/config/uhttpd

config uhttpd 'main'                       # the section these options belong to
    option  redirect_https      '1'
    list    listen_http         '192.168.1.1:80'      # listen only on the private LAN address
    list    listen_https        '192.168.1.1:443'
  • IIRC, specifying a specific IP in the uhttpd config should stop LuCI [uhttpd] from listening on 127.0.0.1:80 & 127.0.0.1:443 [localhost:80 & localhost:443]

    • If it does not, simply create four firewall rules for the public VLAN (UCI syntax for /etc/config/firewall; `<public vlan>` is the name of your public firewall zone):
      # Rules with a 'dest' option are FORWARD rules: they match traffic routed
      # through the router, not traffic addressed to the router itself.
      config rule
           option  target          'REJECT'
           option  family          'ipv4'
           option  proto           'tcp udp'
           option  src             '<public vlan>'
           option  dest            '*'
           option  dest_ip         '127.0.0.1'   # dest_ip takes an address, not the name 'localhost'
           option  dest_port       '80 443'
           option  name            'Reject Forwarded Public vLAN -> LuCI [localhost]'
      
      # Rules without 'dest' are INPUT rules: they match traffic addressed to the
      # router itself, which is where LuCI on 192.168.1.1 is actually reached.
      config rule
           option  target          'REJECT'
           option  family          'ipv4'
           option  proto           'tcp udp'
           option  src             '<public vlan>'
           option  dest_ip         '127.0.0.1'
           option  dest_port       '80 443'
           option  name            'Reject Public vLAN -> LuCI [localhost]'
      
      config rule
           option  target          'REJECT'
           option  family          'ipv4'
           option  proto           'tcp udp'
           option  src             '<public vlan>'
           option  dest            '*'
           option  dest_ip         '192.168.1.1'
           option  dest_port       '80 443'
           option  name            'Reject Forwarded Public vLAN -> LuCI [IP]'
      
      config rule
           option  target          'REJECT'
           option  family          'ipv4'
           option  proto           'tcp udp'
           option  src             '<public vlan>'
           option  dest_ip         '192.168.1.1'
           option  dest_port       '80 443'
           option  name            'Reject Public vLAN -> LuCI [IP]'
      
1 Like

Better yet, set the input rule to reject for the firewall zone for the public vlan. Then whitelist DHCP and DNS.

This is all explained in this guide that uses only LuCI, and should be easy to follow: https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guest-wlan-webinterface

Note that this is about setting up guest WiFi, but firewall-wise this is identical to setting up a public VLAN.

3 Likes

Edit: thank you, I had some trouble but now it works.
I have one last problem related to this: my LEDE router works under the ISP modem, and I can still access it from my public VLAN. I've tried to do the same for its IP in traffic rules, but it doesn't work. Any suggestion?

[screenshot: traffic_rules]
These are the traffic rules at my DIR-860L, but I only use this device as a smart switch with VLANs and WiFi AP...
So better listen to Mushoz, my setup is a bit weird anyway :wink:

@Mushoz, my fw zone settings look like this:
[screenshot: fw_zones]
Would you recommend setting the guest zone Input to "reject" in my case?

Is your ISP modem connected to the WAN port of your OpenWRT router?
I've blocked access to my bridged modem on my main router for the guest/public network, so I guess it should work for you as well.

If you truly want to isolate your public network clients I would suggest taking a look at my rollercoaster thread about wifi+wired client isolation (in my case over two routers)...
I've started with OpenWRT + Tomato and ended up with OpenWRT + OpenWRT.
At the end it finally worked out: How to prevent Guest Network clients to communicate with each other? - #124 by Kherby

Yes, my LEDE router is connected with the WAN port to the ISP modem.
I've seen what you linked but I did not understand what I have to do to deny the public VLAN access to the ISP modem.

Trying to explain a bit better what I need:

ISP modem
192.168.0.1 ISP; under this LAN my LEDE router is 192.168.0.2 and I set up a DMZ for this address

LEDE VLANs
192.168.1.1 private
192.168.2.1 public

If I open a browser and write 192.168.0.1 on the public VLAN I can access my ISP router; I need to deny it.

Do you have a separate fw zone for your public network?

My "Block Modem Access" rule looks like this (Modem = 192.168.254.100):
[screenshot: block_modem]

In your case 192.168.0.0/24 should work!

Edit: worked, thanks a lot

1 Like
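The approach from the two replies above (a public zone whose Input policy is reject with DHCP and DNS whitelisted, plus a forward rule rejecting the ISP modem's subnet), written out as a UCI fragment for /etc/config/firewall. This is an added example, not configuration posted in the thread; it assumes the public VLAN's network interface is named 'public', the private VLAN is the 'lan' zone, the modem is reached through the 'wan' zone, and the modem subnet is 192.168.0.0/24 as stated in the thread.

```uci
# Added example; 'public' as interface/zone name is an assumption.
config zone
    option name     'public'
    list   network  'public'
    option input    'REJECT'   # router itself refuses everything (LuCI, SSH, ...) unless a rule allows it
    option output   'ACCEPT'
    option forward  'REJECT'   # no forwarding between public clients via the router

config forwarding
    option src      'public'
    option dest     'wan'      # internet only; no forwarding entry toward the private 'lan' zone

# Rules without 'dest' are INPUT rules: traffic addressed to the router itself.
config rule
    option name     'Allow-DHCP-public'
    option src      'public'
    option proto    'udp'
    option dest_port '67-68'
    option target   'ACCEPT'

config rule
    option name     'Allow-DNS-public'
    option src      'public'
    option proto    'tcp udp'
    option dest_port '53'
    option target   'ACCEPT'

# Rule with 'dest' is a FORWARD rule: traffic routed through the router toward
# the modem's LAN is rejected before the public -> wan forwarding applies.
config rule
    option name     'Block-Modem-public'
    option src      'public'
    option dest     'wan'
    option dest_ip  '192.168.0.0/24'
    option target   'REJECT'
```

Because the zone's input policy is reject, it no longer matters which addresses uhttpd listens on; apply the change with /etc/init.d/firewall restart.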

Depending on the uhttpd config, that wouldn't necessarily block LuCI access, as uhttpd is configured by default to listen on localhost:80, hence my post above.
