[Luci] Prevent VLAN guests from accessing network/LAN wrong settings?

Hey all, I've made single router vlans on 2 lan ports and wifi without dumb ap. All same settings as guest. So I have trouble understanding what masquerade is, reading definitions over and over just makes me more lost. I feel this may be it but decided to firewall instead. Am I on the right track with the settings I have here? Am I missing anything else besides this?
n0tat7vw6nv61
tjkdww167nv61

Port 68 is not needed.
Your general firewall settings seem correct. Lan, guest, and ultron can access only wan. Masquerade is also correct, only on wan.
The prevent molesting rule is not clear what it is trying to achieve, but I don't think it is needed.

2 Likes

It's meant to not be able to access the modems gateway, I mean that's what I'm trying to achieve. Haven't made this rule since you said its fine but haven't tested

So this OpenWrt router is behind a modem and you want to prevent lan/guest/ultron users from accessing its web interface?
If yes, then:
Protocol = All
Source zone = lan, guest, and ultron
Destination zone = wan
Destination address = the IP of the modem
Action = Drop

2 Likes

Perfect thank you, so same can also be applied on the vlans same router from accessing the lan. <3

Do you mean from guest to lan for example?

1 Like

Yes, same rules would apply just guest ip gateway of 10.0.0.1. I'm aware that I'm double natting, before I use the 3 dynamic ips that will be set based on mac address and won't be able to change afterwards to the appropiate vlans. Anyways

Protocol = All
Source zone = lan 192.168.2.1, this alone will also block the other vlans right
Destination zone = wan 192.168.1.1
Destination address = vlan guest gateway 10.0.0.1
Action = Drop

I don't quite follow you.
You cannot specify an IP address as destination which doesn't belong to the destination zone.
Inter-zone traffic is not allowed as there is no forwarding, say from lan to guest or from guest to ultron.

1 Like