OpenWrt accessing wireless subnet behind firewall


I have a simple problem, which I cannot solve. I have a 3-router setup, working as expected - but want to add something...

I defined a wireless network on R2 (interface "wlan1-2" with 192.168.2.1 static address) and have a client connected with 192.168.2.100.

What I want to achieve is to let all clients from 192.168.1.x connect to 192.168.2.x, but not the reverse - so 192.168.2.x should not see out from its network.

I made some steps with static routing, but at some point things get messed up and the network becomes unusable. That is why I need professional help here :)

I would add a static route on Central and R1 for 192.168.2.0/24 via 192.168.1.3
Then on R3 allow in firewall forwarding from the zone that 192.168.1 is towards the zone of 192.168.2 and vice versa.
Finally create a rule to deny traffic from 192.168.2 to 192.168.1


Then on R3 allow in firewall forwarding from the zone that 192.168.1 is towards the zone of 192.168.2 and vice versa.

Thank you for your detailed answer - it vibrates exactly with my thoughts. With R3 did you mean R2? The interface of 192.168.1.3 on R2 is "bridged lan" and the interface of 192.168.2.1 is "wlan1-2". They have separate zones and the firewall in these zones has to be modified - am I right?

A better but more advanced configuration, assuming Central is running OpenWrt, would be to move R2 from LAN to another VLAN since traffic from R2's network to the LAN shouldn't be allowed anyway. That way you use the firewall on Central to block access from R2 to the LAN.

The static route is still needed unless you convert R2 into a dumb AP. Disable masquerade on R2 to avoid double NAT.

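The route, forwardings, deny rule and masquerade change from the two answers above, written out as UCI config. This is an added example, not config from any poster; it assumes R2 is the router being configured (the one holding 192.168.1.3 and 192.168.2.1), that its bridged 192.168.1 side is in a firewall zone named 'lan' and its 192.168.2 wireless interface is in a zone named 'guest' (zone and network names are assumptions), and that all three routers run OpenWrt.

```uci
# /etc/config/network on Central and R1 (not on R2): reach 192.168.2.0/24
# via R2's LAN address. Needed because R2 does not NAT (see masq below).
config route
	option interface 'lan'
	option target '192.168.2.0/24'
	option gateway '192.168.1.3'

# /etc/config/firewall on R2. Zone names are assumed: 'lan' holds the
# bridged 192.168.1.3 interface, 'guest' holds the 192.168.2.1 wireless one.
# masq '0' on the lan zone avoids double NAT, so Central sees the real
# 192.168.2.x source addresses.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '0'

# input stays ACCEPT so wireless clients can still get DHCP/DNS from R2;
# if you set it to REJECT, add rules accepting UDP 67-68 and 53 from 'guest'.
config zone
	option name 'guest'
	list network 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'

# Forwarding in both directions. Reply packets are matched by conntrack,
# so lan -> guest connections keep working even with the deny rule below.
config forwarding
	option src 'lan'
	option dest 'guest'

config forwarding
	option src 'guest'
	option dest 'lan'

# Rules are evaluated before zone forwardings: new connections from the
# wireless subnet to 192.168.1.0/24 are rejected, while anything else
# leaving through the lan zone (e.g. the Internet via Central) still passes.
config rule
	option name 'Deny-guest-to-lan-subnet'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option proto 'all'
	option target 'REJECT'
```

Apply with /etc/init.d/network restart on Central and R1 and /etc/init.d/firewall restart on R2, then confirm from a 192.168.2.x client that 192.168.1.x hosts are unreachable while a 192.168.1.x host can still reach 192.168.2.100.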

Thank you - R2 needs to stay in LAN, because other functionality is (not on drawing) a switch for other clients. Unfortunately, no separate cable for VLAN - but I had the same idea in the beginning :)

Yes, my bad.


Some unmanaged switches also forward tagged frames, in which case you can keep the LAN untagged and add other tagged VLANs.