Need to limit IP access to AP

I converted a tp-link AC1750 to an AP and it works perfectly as that for wireless clients. I can now keep track of all devices connecting to the AP and know what they are, limit access etc.

However, one thing is that all clients on the same network as the AP can see the AP and it's ports, 22, 53, 80 and 443.

The openwrt conversion set up a bunch of firewall rules which I don't want to mess up. I basically need to add a rule that allows one remote IP to gain admin access while hiding all of those open ports other than 53 of course.

I'm not sure if I should do this from the GUI (no idea where/how) or from the command line which has not worked so far.

Here are the things I've tried, not one has worked as clients can still see the ports so am obviously missing something.

iptables -A zone_lan_input -s -i br-lan -p tcp -m tcp --dport 80 -j ACCEPT

iptables -A INPUT -s -i br-lan -p tcp -m tcp --dport 80 -j ACCEPT

iptables -A zone_lan_input -s -p tcp -m tcp --dport 80 -j ACCEPT

Are you sure you're running an AP ?

Those usually don't have firewall and DHCP running...

How would I confirm this to you?
I installed openwrt on the AP.
It is connected to a pfsense firewall using one of the LAN ports.
All wifi clients are getting DHCP IPs from the pfsense firewall so no routing is being done on the AP.

To me, that's an AP no?

You can't :slight_smile:

But I think I misread your post :confused:

Anyway, you could put the device in another subnet, then the client managing it, have to be in the same subnet to be able to access it.

Regular traffic will flow as before, of course.

This could work -- creating a management subnet is a good option if you have infrastructure that you want to protect from your other functional networks.

But there is another way. As long as you didn't disable the firewall, you can actually change the zone input rule on the lan zone of the AP.

  • create a traffic rule:
    • Protocol: TCP
    • Source zone: lan
    • source address: < IP of a trusted host >
    • destination zone: Device (input)
    • destination port: optional (22, 80, 443)
    • action: accept
  • then change the lan zone "input" rule to drop or reject.

Sounds like I need to provide more information.
The AP is connected to its own network on the pfsense firewall, OPT2.
This is a separate interface or isolated network that is for wireless use only.
The point of course is to prevent wifi clients from being able to see/access anything on the LAN side.

The LAN side is the management side and has full access to any clients/devices on OPT2 or any of the other networks on the pfsense firewall.

The problem is that the AP is showing its ports, 22, 80, 443 to clients on the same network and I want to prevent those from being able to see/access it. I want to allow only one IP from the LAN to access the AP.

Basically, it's just a remote IP rule, a rule that would allow a specific IP to the protected ports.

uci add firewall rule
uci set firewall.@rule[-1].name='Allow-access-from-1.205'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].target='ACCEPT'
uci set firewall.@rule[-1].dest_port='22 80 443'
uci set firewall.@rule[-1].src_ip=''
uci set firewall.@zone[0].input='REJECT'
fw3 restart

If it works as expected:

uci commit firewall

Nice, seems to work.
I don't see those ports from a client on the same net and I can access the AP from the LAN network.
The only odd thing is now I don't see port 53 which we didn't list in the above rules.

Also, on the first item, I didn't know if you were abbreviating or not so I used the full IP.
uci set firewall.@rule[-1].name='Allow-access-from-'

This is just a human readable name. It doesn't have any impact on the functionality.

Thank you for sharing that. I'll be sure to keep it in my notes and try to better understand uci too since I was looking at iptables.

What about disabling dnsmasq and firewall and disablong tcpip protocol in the lan interface, just use raw?

I have it like this, read about it it some tutorial.
Thus nobody can access your AP and needs no rules or complicated config.
Of course you need to access it from some where.
Just create another interface with tcpip and assigned it to the port from where you want to access ig for config.
Or use a tagged vlan for administration purposes.

I rarely need to change anything on the device, it's just an AP and the uci set of commands is easy to make a note of and repeat if needed in the future.

Well you will allways need access to the AP at some time, like upgrading it, or if you change password of wifi.

So you can let one port to get access to it using http.
If you don't need access, you just can configure lan interface as raw protocol.
So it won't have an IP at all and it will just forward traffic to the router, and you won't be able to access the router from any where.

The only way to access it, I guess, would be to boot it in failsafe mode, connecto to and make configuration changes when you need it.

Or as said you can get access through a dedicated port in the switch or configuring an interface with a tagged VLAN with IP protocol.

I have configured my AP to not be able to access it from the IOT and guest VLAN (no IP protocol there, just raw protocol) but being able to access it from the lan in any device connected to that network, but it would be easy to change that and configure that interface as raw too (and configure other interface with ip protocol associated to one port or another admin vlan).

I don't know if this approach have any drwaback, it is working well for me, I have found that recomendation here:

Yes, all good ideas.
I will likely go with VLAN in the future once I start playing around with learning more about that.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.