NAT rule for local LAN limitation

Greetings,

how can I define a rule or multiple ones that will limit a host to local lan only?

Thanks,

Dagg

Don't provide gateway via DHCP.

won't this prevent me from accessing other machines in the internal lan?

Lazy way would be to have FW rules that do REJECT/DROP on a specific source/destination IP in zone LAN with WAN or any other zone set as source/destination. Nothing preventing your host from changing IP address or spoofing MAC and bypassing.

Probably better to setup a separate subnet/VLAN for any hosts you want to cordon off, add interface to new zone, and setup your forward or deny rules based on that. (Allow forward to zone LAN, but not WAN, etc.).

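The firewall-rule approach described above, written out as an added example (not posted in this thread): a shell function that emits a `uci batch` script pinning the host to a fixed lease and rejecting any forwarding from that address into the wan zone. The MAC, IP and names are assumed placeholders taken from the rest of the thread.

```sh
#!/bin/sh
# Emit a `uci batch` script that (1) gives the host a static lease so the
# firewall rule keys on a stable address and (2) REJECTs forwarding from that
# address into the wan zone. LAN-to-LAN traffic stays on the bridge and never
# passes the forward chain, so it is unaffected. As noted in the thread, a
# host that changes its IP or MAC steps out of this rule; a separate
# subnet/VLAN and zone is the stronger option.
# Assumed placeholder values: MAC, IP and host name.
lan_only_batch() {
    mac="$1"; ip="$2"; name="$3"
    cat <<EOF
add dhcp host
set dhcp.@host[-1].name='$name'
set dhcp.@host[-1].mac='$mac'
set dhcp.@host[-1].ip='$ip'
add firewall rule
set firewall.@rule[-1].name='${name}_lan_only'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].src_ip='$ip'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='REJECT'
commit dhcp
commit firewall
EOF
}

# Count the uci statements produced, so the batch can be sanity-checked
# before it is fed to `uci batch`.
lan_only_batch_lines() {
    lan_only_batch "$@" | wc -l | tr -d ' '
}

# On the router, apply with:
#   lan_only_batch fe:54:00:a7:79:6b 10.0.0.3 utils_server | uci batch \
#     && /etc/init.d/dnsmasq restart && /etc/init.d/firewall restart
```

Afterwards `uci show firewall | grep lan_only` should list the rule, and a ping from the host to an outside address should fail with "destination port unreachable" / administratively prohibited rather than time out.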

no it won't, assuming they're in the same subnet.


the host is managed by me only, the same goes for the router so I don't think the scenario in which the host changes mac addr is likely.

so what I need to do is the following?

# the section name is the tag; its type must be "tag", and dhcp_option is a list
uci set dhcp.local_lan_only=tag
uci add_list dhcp.local_lan_only.dhcp_option="3,0.0.0.0"
uci add dhcp host
uci set dhcp.@host[-1].name="utils_server"
uci set dhcp.@host[-1].tag="local_lan_only"
uci commit dhcp
/etc/init.d/dnsmasq restart

will this work?

you need to provide the MAC as well ....

so:

# the section name is the tag; its type must be "tag", and dhcp_option is a list
uci set dhcp.local_lan_only=tag
uci add_list dhcp.local_lan_only.dhcp_option="3,0.0.0.0"
uci add dhcp host
uci set dhcp.@host[-1].name="utils_server"
uci set dhcp.@host[-1].mac="xx:xx:xx:xx:xx:xx"
uci set dhcp.@host[-1].tag="local_lan_only"
uci commit dhcp
/etc/init.d/dnsmasq restart

?

isn't this what I need?

uci set dhcp.mac1="mac"
uci set dhcp.mac1.mac="00:FF:*:*:*:*"
uci set dhcp.mac1.networkid="vpn"
uci add_list dhcp.mac1.dhcp_option="3"
uci add_list dhcp.mac1.dhcp_option="6,192.168.1.3"
uci commit dhcp
/etc/init.d/dnsmasq restart

Probably only need the mac and dhcp_option.

yeah, networkid seems unrelated.

what should be the dhcp_option 6 value? the router's ip?

Doesn't really matter, unless you have a DNS in your network.

Since there's no GW, it won't be able to communicate with anything outside your LAN anyway.

tried that, see:

root@router:~# uci show dhcp.mac1
dhcp.mac1=mac
dhcp.mac1.mac='fe:54:00:a7:79:6b'
dhcp.mac1.dhcp_option='3' '6,10.0.0.138'

however:

dagg@NCC-5001D ~ $ ssh igor@utils_server 'ping -c 5 216.58.213.4; ifconfig veth'
(igor@utils_server) Password: 
PING 216.58.213.4 (216.58.213.4) 56(84) bytes of data.
64 bytes from 216.58.213.4: icmp_seq=1 ttl=110 time=79.8 ms
64 bytes from 216.58.213.4: icmp_seq=2 ttl=110 time=80.0 ms
64 bytes from 216.58.213.4: icmp_seq=3 ttl=110 time=80.0 ms
64 bytes from 216.58.213.4: icmp_seq=4 ttl=110 time=79.9 ms
64 bytes from 216.58.213.4: icmp_seq=5 ttl=110 time=79.8 ms

--- 216.58.213.4 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 79.750/79.894/80.009/0.092 ms
veth: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.3  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fdab:9802:eb52:0:fc54:ff:fea7:796b  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::fc54:ff:fea7:796b  prefixlen 64  scopeid 0x20<link>
        ether fe:54:00:a7:79:6b  txqueuelen 1000  (Ethernet)
        RX packets 3381  bytes 542364 (529.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 440  bytes 73841 (72.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Try setting some bs value on option 3, instead of leaving it empty.

like

3,10.0.0.138

?