Isolate a client on the LAN network and allow only specific ports to a specific client

Hi,

I have OpenWrt 23.05.3 with LuCI. My work laptop is connected via WiFi to the same LAN interface/network as my main PC and other devices. I want to isolate it from all other devices, except that it must still be able to reach my PC's IP to view a couple of web applications running on ports 8764 and 6784.

I don't want to use a different interface (like guest) because those are completely isolated from LAN by different firewall rules, and the WiFi networks using those interfaces have the "Isolate Clients" flag checked.

I tried to go to Firewall -> Traffic Rules -> Add and create a rule having:

  • Protocol: TCP+UDP
  • Source zone: lan
  • Source address: IP of my work laptop
  • Source port: empty
  • Destination zone: lan
  • Destination address: empty (to match all IPs)
  • Destination port: empty
  • Action: reject

but I'm still able to access my PC.
Once I find the correct blocking rule, I will add two more rules in the same way to allow only the specific ports.

Could you help me to reach the goal?

Thanks

You cannot isolate a wireless client from the rest of the LAN with router firewall rules if both are on the same network: hosts in the same subnet/bridge talk to each other directly at layer 2 (through the switch/bridge), so that traffic never passes through the router's forwarding chain and no traffic rule on the router can match it.

You have to make a guest wifi.
Although a guest WiFi is usually isolated, it does not have to be — that is up to you.

You cannot isolate wlan from lan if clients are on the same network.

The PC is connected via cable and the laptop via WiFi, but they are both on the same "lan" interface, so I guess what you say still applies.

You have to make a guest wifi.

So I need to create another interface, right?

Exactly — just like a guest WiFi, which sits on another interface with its own subnet:
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface

You can either associate the lan port with the new interface or the wifi.

But since you want to isolate the laptop, just create a guest WiFi for the laptop and add a rule that allows access to your main machine only.

Thanks. Could you please also help with setting up the rule Laptop -> PC to allow access on those two ports only?

Give both laptop and main PC a static lease.

Make a traffic rule from guest zone ip-address-of-laptop to lan zone ip-address-of-main, action: accept

You can restrict it to the destination ports you need (8764 and 6784) as well, so nothing else on the PC is reachable from the laptop.

Hi, I created the new interface and zone and I could block PC <-> Laptop access!
Now I'm trying the following rule to allow Laptop -> PC on a specific port:

config rule                                               
        option name 'Allow laptop -> lan acces on port 8764'                   
        option src 'laptop'                                            
        option dest 'lan'                              
        option dest_port '8764'                                      
        option target 'ACCEPT'                                
        list proto 'tcp'                                  
        list proto 'udp'                                                  
        list src_ip '192.168.6.120'                                  
        list dest_ip '192.168.1.2'

but I'm not able to reach http://192.168.1.2:8764 from the laptop!
Note that 192.168.6.120 is the static IP of the laptop and 192.168.1.2 is the static IP of the PC. (Note for readers: in the configuration posted further down, the PC's static lease is 192.168.3.2 and 192.168.1.0/24 is the router's upstream/WAN subnet, so the destination address in this rule should be double-checked.)
What am I doing wrong?

Your main PC may itself run a host firewall that does not allow traffic from other subnets. As a quick test, temporarily disable the firewall on the main PC; once the router rule is confirmed working, re-enable it and add a narrow allow rule on the PC for the source address it actually sees and only ports 8764 and 6784, rather than leaving the host firewall off.

As a further test, do not specify a port and use protocol "all", then check whether you can ping your main PC (with its firewall disabled), e.g.:

Otherwise we need to see your config:

Please connect to your OpenWRT device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:

Remember to redact keys, passwords, MAC addresses and any public IP addresses you may have (private addresses such as 192.168.x.x can stay, as they are needed to debug this):

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
ip route show

Just to be clearer: I want to block Work (laptop) -> PC access, except on specific ports.

Here is the output of those commands:

# $ ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "TP-Link Archer C7 v5",
        "board_name": "tplink,archer-c7-v5",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.3 r23809-234f1a2efa"
        }
}

# $ cat /etc/config/network
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option peerdns '0'
        option device 'eth0.2'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'work'
        option proto 'static'
        list ipaddr '192.168.6.1/24'

# $ cat /etc/config/dhcp
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'pc'
        option dns '1'
        option ip '192.168.3.2'
        option mac 'xx:xx:xx:xx:xx:xx'

config host
        option name 'laptop'
        list mac 'xx:xx:xx:xx:xx:xx'
        option ip '192.168.6.120'

config dhcp 'work'
        option interface 'work'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'

# $ cat /etc/config/firewall
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config include
        option path '/etc/firewall.user'

config zone
        option name 'work'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'work'

config forwarding
        option src 'work'
        option dest 'wan'

config rule
        option name 'Protect LAN from Work'
        option src 'work'
        option dest 'lan'
        option target 'REJECT'

config rule
        option name 'Allow laptop -> lan access on port 8764'
        option src 'work'
        option dest 'lan'
        option target 'ACCEPT'
        list src_ip '192.168.6.120'
        list proto 'all'
        list dest_ip '192.168.3.2'

# $ ip route show
default via 192.168.1.254 dev eth0.2  src 192.168.1.50 
192.168.1.0/24 dev eth0.2 scope link  src 192.168.1.50 
192.168.3.0/24 dev br-lan scope link  src 192.168.3.1 
192.168.6.0/24 dev phy0-ap1 scope link  src 192.168.6.1 

Anyway, changing the rule to list proto 'all' did not work either; but as I said, I don't want "work" to have full access to "lan", only to specific ports!

Remove this rule ("Protect LAN from Work"): it is redundant, because the work zone's forward policy is already REJECT and there is no forwarding section from work to lan, and since fw4 evaluates traffic rules in the order they appear in /etc/config/firewall, this blanket REJECT sits before your ACCEPT rule and shadows it.

Set the work zone's input policy to ACCEPT (or, if you want to keep input REJECT for least privilege, add traffic rules allowing DHCP (UDP 67/68) and DNS (TCP/UDP 53) from work to the router, since the router serves DHCP and DNS for that network and a REJECT input policy would otherwise block those).

Reboot and test again

This way I'm going to allow all traffic from work to lan, and that's not what I want.

Unless you tinkered with the defaults, that is not the case: a zone's input policy only controls traffic destined for the router itself (DHCP, DNS, LuCI), not traffic forwarded to other zones.
By default no inter-zone traffic is allowed — that is why you have to make a forwarding section, e.g.:

And there is no forwarding section from work to lan, nor the other way around, so only your explicit ACCEPT traffic rule (laptop IP -> PC IP, which you can narrow further with dest_port '8764 6784' instead of proto 'all') will be let through. One more thing visible in your config: the lan zone has masq '1', so the PC will see forwarded connections as coming from the router's lan address (192.168.3.1) rather than from 192.168.6.120; scope any host-firewall rule on the PC accordingly, or drop masq from the lan zone, where it is not normally needed.
