NEWBIE Firewall rules not working

airvb · April 15, 2019, 3:55pm

Hello,
Installation of OPENWRT on TP-LINK 902AC micro router is ok .
I give static address 192.168.1.253 for LAN (eth0) interface, gateway 192.168.1.1 who is my internet acces box.
2 wifi modules AC (wlan0)& N (wlan1) with 2 interfaces WLAN_AC and WLAN_N
Each one as DHCP client. Firewall zone WLAN

I made a bridge (br_lan) between eth0,wlan0,wlan1

I create a interface/firewall zone WAN with eth0 interface ( dhcp )

Everything is ok at this point .
I can connect from any device on internet from.

As i would like to make time restriction for wifi i 'm trying basic firewall rule first.

FROM LAN TO WAN REJECT (see capture )

I still have connection from my wifi to internet
Restarting firewall , but no help !

I precise, i am a very newbie in router configuration and understanding of router configuration.

Any idea ?

Thanks

leeandy · April 15, 2019, 4:15pm

Your configuration totally wrong, pls reset to default, start from scratch & follow this gui: https://openwrt.org/docs/guide-user/network/wifi/dumbap

Hegabo · April 16, 2019, 3:29am

Could you provide some details about what you are trying to achieve?

Start by explaining your network. You have internet box, what model?
I imagine form your question that you will want to have the TP-Link working as a router. When you do that, the Ethernet port will be a WAN port. So you would need to allow access to SSH from WAN side. We will help you with that.

Anyway, start by reverting the configuration to the default.

System > Backup / Flash Firmware > Perform Reset

When you have done that, login to the router from SSH and send the output of the following commands

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/firewall

If you don't know how to do that, you can send screenshots.

Remember to hide your MAC addresses form text and from screenshots. Also delete your first screenshot that shows your MAC addresses.

Hegabo · April 16, 2019, 3:31am

His config is wrong and needs to be changed, yes,, but he also wants a firewall. Therefore, presuming that he has a reason to want a firewall, the dumpap will not help.

trendy · April 16, 2019, 10:35am

He could skip the "Disable Firewall" step and setup some rules to block specific mac addresses. Or use ebtables

Hegabo · April 16, 2019, 10:49am

But unless he connects internet to WAN, the firewall will not help.

The thing is that this device has one combined WAN/LAN port, so it's this or that. It has to be configured for one way or the other.

trendy · April 16, 2019, 10:59am

I believe it can work either way.
If eth and wifi are bridged all together it would make more sense to use ebtables.
If they are not bridged the normal firewall could have them in the same zone, e.g LAN and change the setting for intra zone forwarding to DROP, allowing individual IPs or MACs to be forwarded. But this also needs static route in the main router, otherwise NAT should be enabled for IPs of the Wifi interfaces.

leeandy · April 16, 2019, 1:37pm

I think he just want manage wifi client, using Dumbap & install wifi-schedule package is enough.

airvb · April 16, 2019, 2:42pm

Thank you all for yr responses.

You right . I 'm looking for a simple thing, easily manageable

I made the reset .
Following this, i have a bridge bet eth0 and the 2 wifi devices in LAN ZONE .
Internet ok .

But like this i can't schedule a time restriction as there is only on firewall zone ?

I think i have to separate the wifi devices from eth0 ?

What 's is the good option ?

2 wifi devices bridged in WLAN interface , Firewall WLAN zone and
Eth0 in LAN interface LAN zone ?
In this case, how do i connect the LAN to WLAN ?

I tried already but with this schema it doesn't connect to internet .

You speak about "wifi-schedule package" can you precise the name of the package ?

Thanks again for yr help, apologize my English.

mk24 · April 16, 2019, 7:22pm

When you create a kernel bridge, the bridge owns the IP address and any DHCP server or client. The interfaces attached to the bridge are "slaves" to it. It is like plugging Ethernet cables into an unmanaged switch. There is nothing to configure or control about the individual end interfaces, they just are connected.

The wifi-schedule package will take the AP off the air when the off time hour arrives. It isn't concerned with bridging or routing.

Should you create new interfaces, use short names in all lower case. There is a difference, and the convention is to use lower case. LuCI uppercases the names, that is confusing.

leeandy · April 17, 2019, 12:43am

I don't know exactly you want, just want control wifi on off by time based ?
If not, you need assign wired eth0 interface to wan zone, assign wifi interface to lan zone, enable dhcp server, change ip address subnet of AP to difference with main router & create firewall rule to control.

To install wifi-schedule, on luci gui system-software, click update lists, type luci-app-wifischedule on filter box, you see that package to install. see more: https://github.com/openwrt/luci/tree/master/applications/luci-app-wifischedule

airvb · April 17, 2019, 7:11am

Above the dia of expecting network.

Eth0 to interface lan :zone lan

If i made a subnet for wifi devices, for exemple,
192.168.2.100 to 2.150 , i imagine i have to create a route to subnet 192.168.1.1/254 as i would like that wifi devices can connect to the others network client ?

Thanks you again .

mk24 · April 17, 2019, 12:10pm

For the wifi devices to have unrestricted access to the whole network you would want a simple bridge or "dumb AP". The dumb AP operates as a wifi to wired converter at layer 2, much like an unmanaged Ethernet switch except that some of the connections are wireless. It doesn't route or firewall any potential traffic between the wifi users and the rest of the network. The wifi users will get their IP address from the DHCP server in the main router. They will then be in the 192.168.1.0/24 network with the main router 192.168.1.1 as their gateway to the Internet.

The only reason the dumb AP needs an IP address is to log in and administer it. Usually I set it up as a DHCP client.

A dumb AP has only one internal network, the LAN bridge (which exists by default, and can be used for this purpose). The wifi and wired ports are all attached to it. The DHCP server in the AP which exists by default needs to be turned off.

airvb · April 18, 2019, 5:36am

I've got it.
DumbAP is to dumb for my needs.

So how is it possible to get a managed device in accordance with my needs ?

anon50098793 · April 18, 2019, 7:25am

Decision 1

Layer 2 ( bridged ) ( ebtables etc. )
Layer 3 ( routed )

Decision 2

Separate "guest/restricted" interface / subnet / BSSID
Same subnet + higher level restrictions ( firewall etc. )

There are many guides available on these configurations...... The only difference as you already mention is;

adding routes possibly
disabling NAT probably

With the firewall... Just disable it..... It's internal for now..... The slowly build it it up bit by bit..... This way you will be able to learn without being overwhelmed.

What you need to do is just follow a simple one or two.... even if it's not perfect for your situation. This will give you better foundation skills.....