Limit access to a zone to certain machines only

deadlock · July 17, 2020, 2:07pm

Hi

I have a couple of zones. LAN, WAN, VPN.

The LAN is used both by ethernet cable and wifi via a bridge.

The WAN is nothing special, just a standard WAN.

The VPN is going to our cloud service provider so that we can access our servers internal IP addresses. All this is in place.

In firewall I have the following zone forwardings:

General settings: Input=Output=Forward=Reject

LAN > WAN, VPN Input=Accept, Output=Accept, Forward = Reject
WAN -> Reject Input=Reject, Output=Accept, Forward = Reject
VPN -> LAN Input=Accept, Output=Accept, Forward = Reject

Now to the question. The servers in the VPN is a bit sensitive so I would like to have an extra restriction so that only certain computer on the LAN can access this zone. Is this possible? Preferable would be to have some kind of authentication (Like in OpenBSD that have authpf over ssh).
As a last resort maybe I could limit access using MAC addresd of the computer.

Is something like this possible with OpenWRT?

Kind regards
Jens

trendy · July 17, 2020, 2:32pm

First of all remove source zone lan from forward to vpn zone. You can leave the vpn->lan zone if you need it.
Then create a traffic rule to allow the hosts you want from lan to access the servers in vpn zone.
I don't know if there is something like authpf, but you can always use the OpenWrt as ssh proxy.