Greetings,
how can I define a rule or multiple ones that will limit a host to local lan only?
Thanks,
Dagg
Don't provide gateway via DHCP.
won't this prevent me from accessing other machines in the internal lan?
Lazy way would be to have FW rules that do REJECT/DROP on a specific source/destination IP in zone LAN with WAN or any other zone set as source/destination. Nothing preventing your host from changing IP address or spoofing MAC and bypassing.
Probably better to setup a separate subnet/VLAN for any hosts you want to cordon off, add interface to new zone, and setup your forward or deny rules based on that. (Allow forward to zone LAN, but not WAN, etc.).
no it won't, assuming they're in the same subnet.
the host is managed by me only, the same goes for the router so I don't think the scenario in which the host changes mac addr is likely.
so what I need to do is the following?
uci set dhcp.local_lan_only=tag
uci add_list dhcp.local_lan_only.dhcp_option="3,0.0.0.0"
uci add dhcp host
uci set dhcp.@host[-1].name="utils_server"
uci set dhcp.@host[-1].tag="local_lan_only"
uci commit dhcp
/etc/init.d/dnsmasq restart
will this work?
you need to provide the MAC as well ....
so:
uci set dhcp.local_lan_only=tag
uci add_list dhcp.local_lan_only.dhcp_option="3,0.0.0.0"
uci add dhcp host
uci set dhcp.@host[-1].name="utils_server"
uci set dhcp.@host[-1].mac="xx:xx:xx:xx:xx:xx"
uci set dhcp.@host[-1].tag="local_lan_only"
uci commit dhcp
/etc/init.d/dnsmasq restart
?
isn't this what I need?
uci set dhcp.mac1="mac"
uci set dhcp.mac1.mac="00:FF:*:*:*:*"
uci set dhcp.mac1.networkid="vpn"
uci add_list dhcp.mac1.dhcp_option="3"
uci add_list dhcp.mac1.dhcp_option="6,192.168.1.3"
uci commit dhcp
/etc/init.d/dnsmasq restart
Probably only need the mac and dhcp_option.
yeah, networkid seems unrelated.
what should be the dhcp_option 6 value? the router's ip?
Doesn't really matter, unless you have a DNS in your network.
Since there's no GW, it won't be able to communicate with anything outside your LAN anyway.
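Withholding the gateway via a dnsmasq tag (the uci sequence above) only works while the client obeys DHCP, and, as noted earlier in the thread, a host can always set its own address. An added example, not from any post in this thread, that generates one `uci batch` script combining both approaches: a tag that drops DHCP option 3 for a static lease, plus a firewall rule that rejects forwarding from that lease's IP to the wan zone. The section names (local_lan_only, deny_<name>_wan) and the MAC/IP values are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit the OpenWrt UCI batch that
#  (a) assigns a static lease with a dnsmasq tag that omits the router
#      option (dhcp_option '3' with no value = do not send option 3), and
#  (b) adds a firewall rule rejecting forwards from that IP to zone wan,
#      so the restriction holds even if the client ignores DHCP.
# Pipe the output into `uci batch`, then restart dnsmasq and reload firewall.

# Reject anything that is not a full colon-separated unicast-style MAC.
valid_mac() {
  printf '%s' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# lan_only_batch <hostname> <mac> <ip>  -> UCI batch commands on stdout
lan_only_batch() {
  name=$1; mac=$2; ip=$3
  valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
  cat <<EOF
set dhcp.local_lan_only=tag
add_list dhcp.local_lan_only.dhcp_option='3'
add dhcp host
set dhcp.@host[-1].name='$name'
set dhcp.@host[-1].mac='$mac'
set dhcp.@host[-1].ip='$ip'
set dhcp.@host[-1].tag='local_lan_only'
add firewall rule
set firewall.@rule[-1].name='deny_${name}_wan'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].src_ip='$ip'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='REJECT'
commit dhcp
commit firewall
EOF
}

# Example (constructed values): on the router run
#   lan_only_batch utils_server fe:54:00:a7:79:6b 10.0.0.3 | uci batch \
#     && /etc/init.d/dnsmasq restart && /etc/init.d/firewall reload
```

After applying, verify from the host that a ping to an outside address now fails while LAN peers still answer; the earlier thread output shows what a still-working gateway looks like.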
tried that, see:
root@router:~# uci show dhcp.mac1
dhcp.mac1=mac
dhcp.mac1.mac='fe:54:00:a7:79:6b'
dhcp.mac1.dhcp_option='3' '6,10.0.0.138'
however:
dagg@NCC-5001D ~ $ ssh igor@utils_server 'ping -c 5 216.58.213.4; ifconfig veth'
(igor@utils_server) Password:
PING 216.58.213.4 (216.58.213.4) 56(84) bytes of data.
64 bytes from 216.58.213.4: icmp_seq=1 ttl=110 time=79.8 ms
64 bytes from 216.58.213.4: icmp_seq=2 ttl=110 time=80.0 ms
64 bytes from 216.58.213.4: icmp_seq=3 ttl=110 time=80.0 ms
64 bytes from 216.58.213.4: icmp_seq=4 ttl=110 time=79.9 ms
64 bytes from 216.58.213.4: icmp_seq=5 ttl=110 time=79.8 ms
--- 216.58.213.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 79.750/79.894/80.009/0.092 ms
veth: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.3 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fdab:9802:eb52:0:fc54:ff:fea7:796b prefixlen 64 scopeid 0x0<global>
inet6 fe80::fc54:ff:fea7:796b prefixlen 64 scopeid 0x20<link>
ether fe:54:00:a7:79:6b txqueuelen 1000 (Ethernet)
RX packets 3381 bytes 542364 (529.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 440 bytes 73841 (72.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Try setting some bs value on option 3, instead of leaving it empty.
like
3,10.0.0.138
?