Is it possible to apply firewall rules on LAN to “this device”?

Hello everyone,

I want to protect OpenWrt from local devices, so I want to ask: is it possible to apply firewall rules on LAN to “this device” connections?
For example, block all connections and allow only DHCP, 443 and 22?

Best Regards

What else have you got listening?

Oh, and you probably want to have DNS too, unless you're using an external one.

3 Likes

I assume your intention is to only allow access to things like HTTPS and SSH to specific devices? Otherwise I'm unclear what you think you'll be protecting the router from.

But, to answer your question, you can change the input rule for the lan zone to drop or reject, which would block access to the device. I would do this after setting up the necessary firewall rules to allow needed access, and would strongly recommend having some other method to connect (e.g. serial or another allowed interface) available to resolve any issues/misconfiguration.

2 Likes
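An added example of what the reply above describes, written as an /etc/config/firewall fragment (this is not code from the thread). It assumes a stock OpenWrt install where dnsmasq on the router serves DHCP and DNS to the lan, that the admin services wanted are SSH (22) and HTTPS (443), and that a spare ethernet port has already been configured as an interface named mgmt to serve as the out-of-band way back in; the rule names, the zone name mgmt and the address 192.168.1.10 are made up for the example.

```uci
# /etc/config/firewall (fragment) -- added example, not from the thread.
# "Input" is what LuCI labels "this device": traffic addressed to the
# router itself. Default is ACCEPT; change it to REJECT so clients get a
# clean refusal, then re-allow only what the router should answer.
config zone
	option name 'lan'
	list network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Rules are evaluated in the order they appear. None of the rules below
# has a 'dest' option, so they apply to traffic for the router only.
config rule
	option name 'lan-allow-dhcp'
	option src 'lan'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'lan-allow-dns'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# If IPv6 is in use on the lan, the router must still answer neighbour
# discovery and router solicitations, otherwise clients cannot even
# reach its link-local address. Drop this stanza on an IPv4-only lan.
config rule
	option name 'lan-allow-icmpv6'
	option src 'lan'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'

# Admin access: SSH and HTTPS. Remove 'src_ip' to allow every client
# (what the question asked for), or keep it to limit admin access to one
# trusted host (assumed address 192.168.1.10).
config rule
	option name 'lan-allow-admin'
	option src 'lan'
	option src_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '22 443'
	option target 'ACCEPT'

# Emergency door: a separate interface on an otherwise unused ethernet
# port, in its own zone with input left at ACCEPT. Assumes an interface
# named 'mgmt' exists in /etc/config/network.
config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
```

Apply with `service firewall restart` while keeping the current SSH session open, then confirm from a lan client that DHCP renewal, name resolution, SSH and HTTPS still work before logging out. Before deciding what to whitelist, `netstat -lntup` on the router lists what is actually listening (uhttpd on port 80, for instance, is not covered by the rules above, so it would be rejected on the lan side). Hosts that use DHCPv6 also need UDP 547 allowed; the ICMPv6 rule alone does not cover that.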

Hello again @frollic, and thanks for the reply. Yes, sure, DNS also.

I was afraid that applying firewall rules on LAN to “this device” is not possible and will brick my OpenWrt again.

Most articles online talk about WAN to LAN and LAN to WAN only.

I understand.

Point is, if there's nothing listening, there's nothing to block...

1 Like

Thanks @krazeh, yes, I am trying to allow only specific needed ports to be open and drop anything else, as I am not trusting the local devices.
The idea of using another interface for cases of misconfiguration is amazing. I am not using the eth port, and it will be great to set it as an emergency door.

But are you intending to allow access to those ports from all attached devices? Or just some? If it's the former then you're not really adding any protection by messing around with firewall rules. As @frollic says, unless the router is running something that is listening on a port then blocking those ports does nothing effective.

1 Like

Yes, this is possible and in fact is what is usually done for guest network setups. INPUT in the guest zone is denied, and then services like DNS and DHCP are explicitly whitelisted.

2 Likes

In my home network I have a TV box and an Android phone sending requests every 2 seconds on ports 2002 and 89998 to every device on the network. I am not a pro, but I see it as unacceptable. I already did a hard reset on both of them, but they are still sending. I moved them to another router, but I am still not able to trust any device, so I decided to block any not-needed ports.

Thank you very much.

Put them on their own isolated guest network, just like we are doing with the IoT stuff.

I agree with the general sentiment of the other contributors here... summarizing what they said:

  • If there are no services on a port, there is no reason to block it.
  • Leaving the admin ports available on a network that isn't fully trusted doesn't really do anything to further protect the router.

Instead, there are two approaches that are recommended in cases where you are dealing with untrusted hosts on your network:

  1. Create an untrusted (e.g. guest or IoT) network specifically for those devices so that they are isolated from the trusted and important devices that you keep on your main trusted lan. From there, you can use the firewall to protect the router AND your trusted lan from the untrusted devices.
  2. Use DHCP reservations + firewall rules to prevent specific devices (e.g. untrusted things) from reaching the router. This can be done on the main trusted network, of course, but it cannot protect your other trusted devices.

IMO, if you have untrusted devices, the larger risk is the access they have to your trusted computers and other important devices (router included, but much lower on the list of the level/severity of the risk), which is why putting them on their own network (option 1) is usually preferred.

2 Likes
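Both approaches from the summary above (and the guest-zone setup mentioned earlier in the thread), as an added example that is not part of the thread: option 1 as a guest zone in /etc/config/firewall that lets untrusted devices reach the internet but neither the router (beyond DHCP and DNS) nor the lan, and option 2 as a DHCP reservation in /etc/config/dhcp paired with rules that reject that one host's traffic to the router. It assumes an interface named guest already exists in /etc/config/network, that the lan zone keeps its default input ACCEPT in option 2, and that dnsmasq on the router serves DHCP and DNS; the device name, MAC address and 192.168.1.50 are constructed for the example.

```uci
# --- Option 1: isolated guest/IoT zone (/etc/config/firewall) ---------
# Untrusted devices live on their own interface 'guest' (assumed to be
# defined in /etc/config/network). input REJECT protects the router;
# forward REJECT plus a forwarding towards wan only protects the lan.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guest -> internet only. There is deliberately no guest -> lan
# forwarding section, so a device on guest cannot probe the trusted lan.
config forwarding
	option src 'guest'
	option dest 'wan'

# The two services the router must still offer to guest devices.
config rule
	option name 'guest-allow-dhcp'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'guest-allow-dns'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# --- Option 2: block one known device on the main lan -----------------
# /etc/config/dhcp: pin the device to a fixed address so a rule keyed on
# that address stays valid across reboots. (MAC and address constructed.)
config host
	option name 'tvbox'
	option mac 'AA:BB:CC:11:22:33'
	option ip '192.168.1.50'

# /etc/config/firewall: the host may still renew its lease, but nothing
# else it sends to the router is answered. Rules are evaluated in file
# order and before the zone's default input policy, so these two must
# appear above any broad lan accept rules. 'src_mac' could be used
# instead of 'src_ip' to block the device regardless of its address.
config rule
	option name 'tvbox-allow-dhcp'
	option src 'lan'
	option src_ip '192.168.1.50'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'tvbox-block-router'
	option src 'lan'
	option src_ip '192.168.1.50'
	option target 'REJECT'
```

The two sections belong in different files (the `config host` stanza in /etc/config/dhcp, everything else in /etc/config/firewall); restart dnsmasq and the firewall after editing. If trusted lan hosts must reach the TV box (casting, for example), add a `config forwarding` with `src 'lan'` and `dest 'guest'`; the reverse direction stays blocked. Option 2 keys on the reserved address, so it only helps against a device that keeps the MAC the reservation is bound to, and, as the post says, it does nothing for the other hosts on the same lan. A guest zone that carries IPv6 also needs ICMPv6 (and UDP 547 for DHCPv6) allowed on input, otherwise clients cannot reach the router's link-local address at all.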