How to create a firewall zone to separate servers and PCs

So my idea is to protect PCs and cellphones from the servers in a small company. In case some servers get compromised, the other users can be less vulnerable. What can be done? Is there some tutorial about it?

Loads. Google is your friend.

Do you intend to use OpenWRT as part of your solution? This is a forum for OpenWRT.


Yes, use the OpenWRT firewall for it.

In that case, configure firewall zones for the subnets (interfaces) pertaining to the devices whose traffic you want to control.

Then configure a set of rules to permit and deny the appropriate traffic between those zones.

Before you dive into setting up the zones and rules, I suggest working it out on paper first. Draw a diagram so you can work out what lives where and what it should be allowed to communicate with (or prevented from communicating with).

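As an added illustration (not from any reply in this thread) of the zone-plus-rules approach above, here is a /etc/config/firewall fragment that puts the servers in their own zone and opens only the ports each server needs. It assumes a wired-only interface named `srv` already exists in /etc/config/network (a VLAN on the switch ports, with no wireless attached), that the default `lan` and `wan` zones are present, and that 192.0.2.10 is a placeholder server address.

```conf
# Added example, not the thread's own config. Assumes interface 'srv' exists
# in /etc/config/network and the stock 'lan' and 'wan' zones are defined.

config zone
	option name 'srv'
	list network 'srv'
	option input 'REJECT'     # router accepts nothing from servers unless a rule allows it
	option output 'ACCEPT'
	option forward 'REJECT'   # no traffic between zones unless a forwarding or rule allows it

# Servers may reach the internet.
config forwarding
	option src 'srv'
	option dest 'wan'

# Deliberately no 'srv' -> 'lan' forwarding: a compromised server cannot
# open connections toward the PCs. Replies to sessions the PCs initiate
# still flow because the firewall is stateful.

# Servers still need DHCP and DNS from the router itself.
config rule
	option name 'srv-dhcp'
	option src 'srv'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'srv-dns'
	option src 'srv'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Per-server, per-port access from the PCs instead of a blanket lan -> srv
# forwarding: e.g. only HTTPS to the web server (placeholder address).
config rule
	option name 'lan-to-web-server'
	option src 'lan'
	option dest 'srv'
	option dest_ip '192.0.2.10'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'
```

After editing, `/etc/init.d/firewall restart` applies the change; anything not explicitly allowed between `lan` and `srv` is then rejected in both directions.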

Thanks for the advice, I need to study it a bit more.
Found an interesting video and would like to share with other users trying to achieve the same as me:


Excellent. Thank you both for doing some research and for coming back to share your results.

I see "iptables" in the still screenshot for that video. Be aware that the latest OpenWRT uses nftables, not iptables.

Depending on the content of that video (I haven't watched it), this might not be an issue. OpenWRT abstracts the firewall from the operator, so the distinction is only important if you need to edit iptables/nftables rules directly rather than by using LuCI/UCI/etc/config/firewall.


There is also a tutorial for the same thing the video describes.
Since we are talking about servers, the access is going to be wired, so you'll also need to add some port on the new interface for the DMZ (or SRV) interface.


Thanks, indeed yesterday I created a guest zone from an old tutorial as described here:

Still have not found something to create a specific firewall network only for servers... ideally with WLAN off and with the necessary ports open for each server.
