During the Covid lockdown I want to give a friend access to my LAN to play LAN games.
However, I want to restrict the remote access to certain IP addresses in my LAN.
I am already using a GL-AR750S with a WireGuard server to access it with my laptop and mobile from work / while traveling.
Getting access to my LAN is working smoothly.
However, I am not able to restrict the access.
If I understood everything right, I have to adapt the allowed IPs in the etc/config/wireguard_server.
Add firewall rules to allow or deny traffic forwarding depending on the source and destination IPs.
E.g. allow traffic from 10.0.0.8 only to 192.168.0.1 and deny anything else from that source IP.
I want to allow access only to IPs 192.168.0.120 - 192.168.0.255 because 192.168.0.100-119 is used by NAS / Raspberry etc. to which I do not want to grant access.
As 192.168.0.1 is my WAN router, I would have to restrict access to that IP, right?
How and where do I set up the rule for 10.0.0.8 then?
```sh
# Allow the WireGuard peer 10.0.0.8 to reach 192.168.0.120-192.168.0.255 only
uci -q delete firewall.wg_allow
uci set firewall.wg_allow="rule"
uci set firewall.wg_allow.name="wg_allow"
uci set firewall.wg_allow.src="lan"
uci set firewall.wg_allow.src_ip="10.0.0.8/32"
uci set firewall.wg_allow.dest="lan"
uci add_list firewall.wg_allow.dest_ip="192.168.0.120/29"
uci add_list firewall.wg_allow.dest_ip="192.168.0.128/25"
uci set firewall.wg_allow.proto="all"
uci set firewall.wg_allow.target="ACCEPT"
# Reject everything else from that peer; this rule must come after wg_allow
uci -q delete firewall.wg_deny
uci set firewall.wg_deny="rule"
uci set firewall.wg_deny.name="wg_deny"
uci set firewall.wg_deny.src="lan"
uci set firewall.wg_deny.src_ip="10.0.0.8/32"
uci set firewall.wg_deny.dest="lan"
uci set firewall.wg_deny.proto="all"
uci set firewall.wg_deny.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
```
```sh
#!/bin/sh
# Allow peers 10.0.0.5-10.0.0.8 to reach 192.168.0.120-192.168.0.199 only
uci -q delete firewall.wg_allow
uci set firewall.wg_allow="rule"
uci set firewall.wg_allow.name="wg_allow"
uci set firewall.wg_allow.src="lan"
uci set firewall.wg_allow.src_ip="10.0.0.5/32"
uci add_list firewall.wg_allow.src_ip="10.0.0.6/32"
uci add_list firewall.wg_allow.src_ip="10.0.0.7/32"
uci add_list firewall.wg_allow.src_ip="10.0.0.8/32"
uci set firewall.wg_allow.dest="lan"
uci add_list firewall.wg_allow.dest_ip="192.168.0.120/29"
uci add_list firewall.wg_allow.dest_ip="192.168.0.128/26"
uci add_list firewall.wg_allow.dest_ip="192.168.0.192/29"
uci set firewall.wg_allow.proto="all"
uci set firewall.wg_allow.target="ACCEPT"
# Reject everything else from those peers
uci -q delete firewall.wg_deny
uci set firewall.wg_deny="rule"
uci set firewall.wg_deny.name="wg_deny"
uci set firewall.wg_deny.src="lan"
uci set firewall.wg_deny.src_ip="10.0.0.5/32"
uci add_list firewall.wg_deny.src_ip="10.0.0.6/32"
uci add_list firewall.wg_deny.src_ip="10.0.0.7/32"
uci add_list firewall.wg_deny.src_ip="10.0.0.8/32"
uci set firewall.wg_deny.dest="lan"
uci set firewall.wg_deny.proto="all"
uci set firewall.wg_deny.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
```
And got the following error messages:
```text
Warning: Section @zone[1] (wan) cannot resolve device of network 'wan6'
Warning: Option 'sambashare'.dest_proto is unknown
Warning: Section 'sambashare' does not specify a protocol, assuming TCP+UDP
 * Flushing IPv4 filter table
 * Flushing IPv4 nat table
 * Flushing IPv4 mangle table
 * Flushing IPv6 filter table
 * Flushing IPv6 mangle table
 * Flushing conntrack table ...
 * Populating IPv4 filter table
   * Rule 'Allow-DHCP-Renew'
   * Rule 'Allow-Ping'
   * Rule 'Allow-IGMP'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guestzone_DHCP'
   * Rule 'guestzone_DNS'
   * Rule 'glservice_https'
   * Rule 'glssh'
   * Rule #13
   * Rule 'Allow-Wireguard'
   * Rule 'wg_allow'
   * Rule 'wg_deny'
   * Forward 'lan' -> 'wan'
   * Forward 'guestzone' -> 'wan'
   * Forward 'wireguard' -> 'wan'
   * Forward 'wireguard' -> 'lan'
   * Forward 'lan' -> 'wireguard'
   * Forward 'guestzone' -> 'wireguard'
   * Forward 'wireguard' -> 'guestzone'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Populating IPv4 nat table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Populating IPv4 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Populating IPv6 filter table
   * Rule 'Allow-DHCPv6'
   * Rule 'Allow-MLD'
   * Rule 'Allow-ICMPv6-Input'
   * Rule 'Allow-ICMPv6-Forward'
   * Rule 'Allow-IPSec-ESP'
   * Rule 'Allow-ISAKMP'
   * Rule 'guestzone_DHCP'
   * Rule 'guestzone_DNS'
   * Rule 'glservice_https'
   * Rule 'glssh'
   * Rule #13
   * Rule 'wg_allow'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Rule 'wg_deny'
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
     ! Skipping due to different family of ip address
   * Forward 'lan' -> 'wan'
   * Forward 'guestzone' -> 'wan'
   * Forward 'wireguard' -> 'wan'
   * Forward 'wireguard' -> 'lan'
   * Forward 'lan' -> 'wireguard'
   * Forward 'guestzone' -> 'wireguard'
   * Forward 'wireguard' -> 'guestzone'
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Populating IPv6 mangle table
   * Zone 'lan'
   * Zone 'wan'
   * Zone 'guestzone'
   * Zone 'wireguard'
 * Set tcp_ecn to off
 * Set tcp_syncookies to on
 * Set tcp_window_scaling to on
 * Running script '/etc/firewall.user'
uci: Entry not found
uci: Entry not found
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
ipset v6.34: The set with the given name does not exist
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
iptables v1.6.2: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
   ! Failed with exit code 3
 * Running script '/var/etc/gls2s.include'
   ! Skipping due to path error: No such file or directory
 * Running script '/usr/bin/glfw.sh'
 * Running script '/usr/sbin/glqos.sh'
 * Running script '/var/etc/mwan3.include'
```
OK, I am lost. What do I have to change? Are different rules in conflict?
Thanx a lot - that was the solution. As my OpenWrt router is behind my primary router (a native Fritz!Box), I just had to adapt the destination to "wan" instead of "lan":
```sh
#!/bin/sh
uci -q delete firewall.wg_allow
uci set firewall.wg_allow="rule"
uci set firewall.wg_allow.name="wg_allow"
uci set firewall.wg_allow.src="wireguard"
uci set firewall.wg_allow.family="ipv4"
# set a range of ips
uci set firewall.wg_allow.src_ip="10.0.0.16/28"
# because router is behind primary router use wan not lan
uci set firewall.wg_allow.dest="wan"
# allowed range 192.168.0.110-192.168.0.179
uci add_list firewall.wg_allow.dest_ip="192.168.0.110/31"
uci add_list firewall.wg_allow.dest_ip="192.168.0.112/28"
uci add_list firewall.wg_allow.dest_ip="192.168.0.128/27"
uci add_list firewall.wg_allow.dest_ip="192.168.0.160/28"
uci add_list firewall.wg_allow.dest_ip="192.168.0.176/30"
# optional for full access
#uci add_list firewall.wg_allow.dest_ip="192.168.0.0/24"
uci set firewall.wg_allow.proto="all"
uci set firewall.wg_allow.target="ACCEPT"
# catch-all reject for the same peers; must be ordered after wg_allow
uci -q delete firewall.wg_deny
uci set firewall.wg_deny="rule"
uci set firewall.wg_deny.name="wg_deny"
uci set firewall.wg_deny.src="wireguard"
uci set firewall.wg_deny.family="ipv4"
uci set firewall.wg_deny.src_ip="10.0.0.16/28"
uci set firewall.wg_deny.dest="wan"
uci set firewall.wg_deny.proto="all"
uci set firewall.wg_deny.target="REJECT"
uci commit firewall
/etc/init.d/firewall restart
```
Thanx to all for the very (incredible) fast support!