Isolate single wired client from LAN on secondary router

Good day everybody, I'm currently finding myself in a bit of a conundrum, and I'm unsure how to proceed.

I have a DD-WRT router connected to the ISP (192.168.1.1)
I have a secondary OpenWRT (wr841m) which is set up as:

  1. Static IP (192.168.0.8)
  2. Gateway 192.168.1.1
  3. Wifi: On (has 7 clients connected at all times)
  4. DHCP: Off
  5. Connection to DD-WRT is on cable on port 1
  6. Connection to PC is on cable on port 2

There is a PC (192.168.1.29) that is connected to this OpenWRT.

What I need is to isolate this PC from the entire /23 network, but for it to still have access to the Internet.
The wifi clients that are connected to the OpenWRT should still have access both to the Internet and the LAN.

To my understanding, VLAN is not an option, since there is no control over DD-WRT.
I've tried setting up a traffic rule: source - 192.168.1.29, prot - all, ipv4 and ipv6, dest - 192.168.0.1/23
Tried drop and reject, nothing happens. For testing purposes tried setting destination to be a specific address on the network, it was still accessible both ways.

I'm trying to configure this using the GUI web interface, so if there is any advice on how I should proceed, it would be very helpful.

Haven't done this before, so it's a guess, but try setting the forward to the WAN IP of your DD-WRT unit,
or even the default GW provided by your ISP to your DD-WRT unit.

So basically outside your own LAN.

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge
And use firewall rules to allow or deny traffic depending on its source and destination.

It sounds like you have configured your OpenWrt router to act as an AP. Are port 1 and port 2 both part of the block of four ethernet ports on the back?

As such your firewall rules are likely to not get triggered.

It is technically involved, but it is possible to create a new separate "interface" for the PC (ethernet port 2), and then create specific firewall rules that apply when forwarding packets from that interface to the main "LAN" interface.

Using the description of https://openwrt.org/docs/guide-user/network/wifi/guestwifi/guestwifi_dumbap, this PC to be separated could run in the guest net if some ports of the switch are assigned to a separate VLAN that belongs to the guest network.


For testing purposes you can try this to be sure that the firewall is working:

1. Log in to the OpenWrt router using an SSH client.
2. Copy and paste the following:

iptables -A INPUT -s 192.168.1.29/32 -d 192.168.0.0/23 -j REJECT
iptables -I INPUT 1 -s 192.168.1.29/32 -d 192.168.1.1/32 -j ACCEPT

The target is set to REJECT, so you should see "Destination Port Unreachable" when you ping some device on network 192.168.0.0/23 from the PC, except for 192.168.1.1, which is the gateway to the Internet.

If something goes wrong, restart the router and the settings will be lost.

Forget about it. INPUT is not the correct chain.

Is port 2 of the OpenWRT part of the LAN zone?
If the answer is yes, can you try to put it into a newly created zone? For sure you have to create new traffic rules which allow the traffic towards DD-WRT (Internet).
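An added example (not from any post in this thread) of what the "separate interface / new zone" suggestions above and the guest dumb-AP approach look like in the UCI config: port 2 gets its own interface and subnet on the OpenWrt, the new zone may reach the Internet through the LAN zone (the uplink to DD-WRT) but anything destined for 192.168.0.0/23 is rejected, and the PC receives a lease from the OpenWrt since LAN DHCP is off. The VLAN device name eth0.3, the switch port/VLAN numbering and the 192.168.3.0/24 subnet are assumptions; read the real port mapping from Network > Switch on the wr841 first, and note the PC will no longer hold 192.168.1.29.

```uci
# --- /etc/config/network: a separate interface for the PC on port 2.
# 'eth0.3' and the switch port number are ASSUMED; also remove that
# port from the 'ports' list of the existing LAN vlan.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '2 0t'          # assumed: port 2 untagged, CPU tagged

config interface 'isolated'
        option proto 'static'
        option device 'eth0.3'
        option ipaddr '192.168.3.1'  # assumed subnet, outside the /23
        option netmask '255.255.255.0'

# --- /etc/config/dhcp: the PC needs a lease here since LAN DHCP is off
config dhcp 'isolated'
        option interface 'isolated'
        option start '100'
        option limit '50'
        option leasetime '1h'

# --- /etc/config/firewall
config zone
        option name 'isolated'
        list network 'isolated'
        option input 'REJECT'        # PC may not talk to the AP itself...
        option output 'ACCEPT'
        option forward 'REJECT'

config rule                          # ...except for DHCP and DNS
        option name 'Allow-DHCP-DNS-isolated'
        option src 'isolated'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config forwarding                    # Internet via the LAN zone (DD-WRT uplink)
        option src 'isolated'
        option dest 'lan'

config rule                          # rules win over the zone forwarding,
        option name 'Reject-isolated-to-LAN'   # so the /23 stays unreachable
        option src 'isolated'
        option dest 'lan'
        option dest_ip '192.168.0.0/23'
        option target 'REJECT'

# On the existing 'lan' zone add:  option masq '1'
# so the /23 only ever sees the AP's own address (as the guest dumb-AP page does)
```

Hosts in the /23 cannot initiate connections to the PC either, because no lan-to-isolated forwarding exists and the default forward policy rejects it; the wifi clients stay bridged in the lan zone and are unaffected.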