Non working traffic rules

Hello Community,

I read the topics but I didn't find the right solution. Hope someone can help me.
First of all, these are my first steps with OpenWrt. I installed OpenWrt 19.07 on a GL.iNet AR150.
I'd like to drop the whole traffic on the WAN interface, no matter if it is output or input. I made traffic rules and I added iptables commands under custom rules, but it doesn't work. I'd like to achieve that I can later set special IPs to accept over the WAN interface. I made a screenshot of the traffic rules and inserted my iptables custom rules. Hope someone can help me. And sorry for my bad English.

# Appending a rule with no match and no target does nothing useful:
# iptables -A INPUT
# iptables -A OUTPUT
iptables -A INPUT -i eth1 -j DROP    # drop everything arriving on eth1 (target must be upper-case DROP)
iptables -A OUTPUT -o eth1 -j DROP   # OUTPUT matches on the outgoing interface (-o), not -i

What doesn't work?

I sense that you are about to do something that you won't be proud of later, so may I ask what the use case is for dropping everything on the wan interface?
All these rules will render the wan interface useless. If you don't need it, you can delete it. Otherwise the default firewall rules provide a good level of security with the necessary functionality.

Thanks a lot for your replies.
My goal is to realize two separate networks. Over the LAN interface I'll surf the free internet. That part works great. On the WAN interface I'll realize a supposed VPN. The whole traffic should be dropped; only access to special IPs should work.
I made two WLAN APs. One covers LAN, the second covers WAN.
If I'm connected to the LAN interface over the first WLAN I can surf the internet and I can't access the WAN interface. That's fine.
If I'm connected to the WAN over the second WLAN I can't access the LAN interface. That's also fine. But now I hoped that I can't access the internet because of the traffic rules and iptables configuration. But I still can access the whole internet.
I hope it's understandable what I want to realize and where my problem is.

If I understand correctly you want to have two Wi-Fi networks. One will access the internet over the wan, that is the usual ISP uplink. The second Wi-Fi will access the internet over some VPN. Is that right?

Yes that's correct.

Then you need:
One lan2 zone covering the second interface lan2 which is connected to the second wifi. One vpn zone covering the vpn interface. Allow forwarding on the firewall from lan2 to vpn zone.
Also you need to do source based routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

The easier is option 2. You need to set as gateway for the lan the wan interface and for lan2 the vpn.
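The zone and forwarding layout from the reply above, written out as UCI batch commands. This is an added example and not part of the thread; the interface names lan2 and vpn, the lan2 subnet 192.168.2.0/24 and the pbr policy options are assumptions. The script only prints the commands, so it can be inspected before piping it into uci batch on the router; the two check functions at the end show why this design already gives the "drop everything except via the VPN" behaviour the original poster wanted: lan2 has a forwarding to vpn and nothing else, so if the tunnel goes down the firewall rejects the traffic instead of letting it fall back to the wan.

```sh
#!/bin/sh
# Added example (not the thread's or OpenWrt's own code).
# Assumed names: interface/zone "lan2" (second Wi-Fi), interface/zone "vpn"
# (tunnel), lan2 subnet 192.168.2.0/24. Apply with:
#   sh this_script.sh | uci batch && /etc/init.d/firewall restart && /etc/init.d/pbr restart

# Firewall zones: lan2 may only be forwarded into vpn; vpn masquerades out.
lan2_vpn_firewall_cmds() {
  cat <<'EOF'
set firewall.lan2=zone
set firewall.lan2.name='lan2'
set firewall.lan2.network='lan2'
set firewall.lan2.input='ACCEPT'
set firewall.lan2.output='ACCEPT'
set firewall.lan2.forward='REJECT'
set firewall.vpn=zone
set firewall.vpn.name='vpn'
set firewall.vpn.network='vpn'
set firewall.vpn.input='REJECT'
set firewall.vpn.output='ACCEPT'
set firewall.vpn.forward='REJECT'
set firewall.vpn.masq='1'
set firewall.vpn.mtu_fix='1'
set firewall.lan2_vpn=forwarding
set firewall.lan2_vpn.src='lan2'
set firewall.lan2_vpn.dest='vpn'
EOF
}

# Source-based routing with the pbr package (option 2 in the reply):
# everything from the lan2 subnet leaves via the vpn interface.
# Policy option names are assumed from the pbr package; check /etc/config/pbr.
lan2_vpn_pbr_cmds() {
  cat <<'EOF'
add pbr policy
set pbr.@policy[-1].name='lan2 via vpn'
set pbr.@policy[-1].src_addr='192.168.2.0/24'
set pbr.@policy[-1].interface='vpn'
EOF
}

# Check 1: lan2 has exactly one forwarding and it points at vpn.
lan2_only_forwards_to_vpn() {
  n=$(lan2_vpn_firewall_cmds | grep -c "^set firewall\.[a-z0-9_]*\.dest=")
  [ "$n" -eq 1 ] && lan2_vpn_firewall_cmds | grep -q "^set firewall.lan2_vpn.dest='vpn'$"
}

# Check 2: no forwarding from lan2 into wan exists, so a VPN outage cannot
# leak lan2 traffic onto the ISP uplink (the firewall rejects it instead).
lan2_never_forwards_to_wan() {
  ! lan2_vpn_firewall_cmds | grep -q "dest='wan'"
}

# Stand-alone run: print the commands, then report the two checks.
lan2_vpn_firewall_cmds
lan2_vpn_pbr_cmds
lan2_only_forwards_to_vpn && echo "# check: lan2 forwards only to vpn"
lan2_never_forwards_to_wan && echo "# check: no lan2 -> wan forwarding"
```

Hosts on lan2 that should be reachable in clear (the "special IPs" from the original question) would then get their own firewall rule or pbr policy rather than a blanket drop on the wan interface, which is what the replies warned against.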

Thank you I'll try it.
