OpenWrt firewall on local network

I have this simple network:

  • OpenWRT 18.06.1 AP at 192.168.1.1
  • Device1 (connected via Eth) at 192.168.1.201
  • Device2 (connected via Eth) at 192.168.1.130

What I am trying to do is block any traffic from Device1 (192.168.1.201) to Device2 (192.168.1.130). As a first step, I am trying to block just ping traffic.

I observed that it's easy to block traffic from Device1 to OpenWRT itself, or any device on the WAN side (such as www.google.com). Something like this would do:

config rule
        option name 'block-ping-google'
        option src 'lan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'DROP'
        option dest 'wan'

But I failed to block any traffic from 192.168.1.201 to another device on the local LAN itself (e.g., 192.168.1.130). So something like this never worked.

config rule
        option name 'block from 192.168.1.201'
        option src 'lan'
        option family 'ipv4'
        option target 'DROP'
        option src_mac '40:8d:5c:d9:e1:17'
        option src_ip '192.168.1.201'
        option proto 'all'
        option dest '*'

I also tried these raw iptables commands on OpenWRT, but 192.168.1.201 can still ping the other device 192.168.1.130.

root@OpenWrt:/# iptables -I INPUT -s 192.168.1.201 -j DROP
root@OpenWrt:/# iptables -I OUTPUT -s 192.168.1.201 -j DROP
root@OpenWrt:/# iptables -I FORWARD -s 192.168.1.201 -j DROP
root@OpenWrt:/# /etc/init.d/firewall reload

It looks like OpenWRT has two default zones: lan and wan. By default, 'lan' contains eth0 and two Wi-Fi interfaces (all combined into the br-lan interface), whereas 'wan' is eth1.
The forwarding rule seems to work fine between two different zones (lan and wan). But when it comes to forwarding within 'lan' itself, it doesn't seem to work.

Perhaps I missed something; any help/suggestion is appreciated.

For a firewall to work, traffic must be trying to pass through it. If the traffic is between two devices on the same local network then it isn't going to need to travel through a firewall.
I.e., imagine your front door is a firewall and you only want to travel from your lounge room to your kitchen. Unless you have a weird house you don't need to go through the front door to get there.

3 Likes
opkg update
opkg install kmod-br-netfilter

For a bridge filter to work, wouldn't it need to have two interfaces bridged? I.e., AP to Ethernet, or Ethernet on two devices, rather than the typical Ethernet switch on an OpenWrt device.

I could see it working between bridged interfaces but not sure that it would work for what the OP has described.

I believe it should work as it works for my 2 wireless clients on the same interface.

That suggests to me that the Wi-Fi traffic passes through the CPU to allow for filtering. The OP is trying to isolate two Ethernet-connected devices, and on most OpenWrt devices they would be connected to a switch, and therefore the traffic would only be passing through the CPU for Ethernet <-> Wi-Fi traffic. So it wouldn't filter Ethernet <-> Ethernet.
(I could be learning something about openwrt traffic flow with this discussion :blush: )

3 Likes

May I ask if this is essentially ebtables for OpenWRT? Are there some docs on how to use it?

Do you mean you could implement some iptables rules on OpenWRT that block traffic from wireless STA A to wireless STA B in the same network?

May I ask what rule you use, with the src zone and dest zone both being lan?

opkg update
opkg install kmod-br-netfilter
uci set firewall.@zone[0].forward="REJECT"
uci add firewall rule
uci set firewall.@rule[-1].name="Allow LAN to desktop"
uci set firewall.@rule[-1].src="lan"
uci set firewall.@rule[-1].dest="lan"
uci set firewall.@rule[-1].dest_ip="192.168.1.2"
uci set firewall.@rule[-1].proto="all"
uci set firewall.@rule[-1].target="ACCEPT"
uci commit firewall
service firewall restart

It will set the lan zone forward policy to REJECT but allow access to host 192.168.1.2.
However, the hardware switch may override these settings, as @greybeard noted.
In that case you probably need to reconfigure the switch to use separate VLANs.

1 Like
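The two caveats in the reply above (bridge netfilter must be on for lan-to-lan forwarding to reach iptables at all, and the hardware switch forwards between ports of the same VLAN without involving the CPU) can be checked before writing any rule. The script below is an added example and is not code from the thread or from OpenWrt itself. It parses a constructed sample of `swconfig dev switch0 show` output (the "VLAN n: / vid: / ports:" layout is assumed) and a constructed sysctl line, so it runs offline; on a real device you would substitute the live command output.

```shell
#!/bin/sh
# Added example: will the OpenWrt firewall ever see traffic between two hosts?
#  - two Ethernet ports in the same switch VLAN are forwarded in hardware,
#    so no lan->lan rule on the CPU can block them;
#  - traffic that does reach br-lan (e.g. a Wi-Fi STA) only hits the iptables
#    FORWARD chain when net.bridge.bridge-nf-call-iptables is 1 (kmod-br-netfilter).

# Constructed sample of `swconfig dev switch0 show` (assumed layout; port 6 is
# the tagged CPU port, ports 0-3 are VLAN 1, port 4 is VLAN 2, port 5 is VLAN 3).
SWCONFIG_SAMPLE='Global attributes:
	enable_vlan: 1
Port 0:
	link: port:0 link:up speed:1000baseT full-duplex
VLAN 1:
	vid: 1
	ports: 0 1 2 3 6t
VLAN 2:
	vid: 2
	ports: 4 6t
VLAN 3:
	vid: 3
	ports: 5 6t'

# Constructed samples of `sysctl net.bridge.bridge-nf-call-iptables` output.
SYSCTL_ON='net.bridge.bridge-nf-call-iptables = 1'
SYSCTL_OFF='net.bridge.bridge-nf-call-iptables = 0'

# vlans_of_port SWCONFIG_TEXT PORT -> prints every vid whose ports line lists
# PORT, tagged ("Nt") or untagged ("N"), one per line.
vlans_of_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        /^[ \t]*vid:/   { vid = $2 }
        /^[ \t]*ports:/ {
            for (i = 2; i <= NF; i++) {
                p = $i; sub("t$", "", p)
                if (p == port) print vid
            }
        }'
}

# shared_vlans SWCONFIG_TEXT PORT_A PORT_B -> prints vids containing both ports.
shared_vlans() {
    for a in $(vlans_of_port "$1" "$2"); do
        for b in $(vlans_of_port "$1" "$3"); do
            [ "$a" = "$b" ] && echo "$a"
        done
    done
    return 0
}

# eth_pair_verdict SWCONFIG_TEXT PORT_A PORT_B
#   "hardware-switched": same VLAN, the CPU firewall never sees the traffic
#   "routed": different VLANs, each on its own interface/zone (assumption),
#             so the traffic crosses the CPU and normal zone forwarding applies
eth_pair_verdict() {
    if [ -n "$(shared_vlans "$1" "$2" "$3")" ]; then
        echo "hardware-switched"
    else
        echo "routed"
    fi
}

# bridge_nf_active SYSCTL_LINE -> exit 0 when bridge-nf-call-iptables = 1
bridge_nf_active() {
    [ "$(printf '%s' "${1##*=}" | tr -d ' \t')" = "1" ]
}

# bridge_pair_verdict SYSCTL_LINE -> verdict for a pair where at least one side
# is a bridge-only member (a Wi-Fi STA), so the hardware switch is not involved.
bridge_pair_verdict() {
    if bridge_nf_active "$1"; then
        echo "bridge-filtered"      # FORWARD chain sees it; lan->lan rules work
    else
        echo "bridge-unfiltered"    # plain bridging; iptables is never consulted
    fi
}

# Demo on the constructed samples.
echo "ports 1,2: $(eth_pair_verdict "$SWCONFIG_SAMPLE" 1 2)"   # hardware-switched
echo "ports 1,4: $(eth_pair_verdict "$SWCONFIG_SAMPLE" 1 4)"   # routed
echo "wifi, nf on:  $(bridge_pair_verdict "$SYSCTL_ON")"       # bridge-filtered
echo "wifi, nf off: $(bridge_pair_verdict "$SYSCTL_OFF")"      # bridge-unfiltered
```

Read the verdicts together with the thread: "hardware-switched" is exactly the case where the lan zone REJECT policy above has no effect and the VLAN split is the only fix, while "bridge-unfiltered" is what you get on a stock image before kmod-br-netfilter is installed.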

Can you elaborate on the VLAN case? Can 2 VLANs in different subnets talk to each other with the traffic being routed through the OpenWRT firewall?

# Rename for convenience
uci rename network.@switch[0]="switch"
uci rename network.@switch_vlan[0]="vlan1"
uci rename network.@switch_vlan[1]="vlan2"

# Show switch config
swconfig list
swconfig dev switch0 show

# The VLAN device and new VLAN ID
VLAN_DEV="$(uci get network.switch.name)"
VLAN_ID="3"
# The untagged port becomes up when connected to the host via ethernet
PORT_ID="0"
# The tagged port
TAGPORT_ID="6t"

uci get network.vlan1.ports
# Exclude the port PORT_ID from the list of LAN ports
uci set network.vlan1.ports="1 2 3 5 ${TAGPORT_ID}"

# Add a new VLAN uniting the excluded port PORT_ID with the tagged one
uci set network.vlan${VLAN_ID}="switch_vlan"
uci set network.vlan${VLAN_ID}.device="${VLAN_DEV}"
uci set network.vlan${VLAN_ID}.vlan="${VLAN_ID}"
uci set network.vlan${VLAN_ID}.ports="${PORT_ID} ${TAGPORT_ID}"

# Configure the new VLAN interface
uci set network.lan${PORT_ID}="interface"
uci set network.lan${PORT_ID}.type="bridge"
uci set network.lan${PORT_ID}.ifname="eth0.${VLAN_ID}"
uci set network.lan${PORT_ID}.proto="static"
uci set network.lan${PORT_ID}.ipaddr="192.168.2.1"
uci set network.lan${PORT_ID}.netmask="255.255.255.0"
uci set network.lan${PORT_ID}.ip6assign="60"
uci set network.lan${PORT_ID}_dev="device"
uci set network.lan${PORT_ID}_dev.name="eth0.${VLAN_ID}"

# Specify a new MAC address different from LAN and WAN interface
uci set network.lan${PORT_ID}_dev.macaddr="xx:xx:xx:xx:xx:xx"
service network restart

# Configure DHCP server
PORT_ID="0"
uci set dhcp.lan${PORT_ID}="dhcp"
uci set dhcp.lan${PORT_ID}.interface="lan${PORT_ID}"
uci set dhcp.lan${PORT_ID}.start="100"
uci set dhcp.lan${PORT_ID}.limit="150"
uci set dhcp.lan${PORT_ID}.leasetime="12h"
uci set dhcp.lan${PORT_ID}.dhcpv6="server"
uci set dhcp.lan${PORT_ID}.ra="server"
service dnsmasq restart
service odhcpd restart

# Configure firewall
PORT_ID="0"
uci set firewall.lan${PORT_ID}="zone"
uci set firewall.lan${PORT_ID}.name="lan${PORT_ID}"
uci set firewall.lan${PORT_ID}.network="lan${PORT_ID}"
uci set firewall.lan${PORT_ID}.output="ACCEPT"
uci set firewall.lan${PORT_ID}.forward="ACCEPT"
uci set firewall.lan${PORT_ID}.input="ACCEPT"
uci set firewall.lan${PORT_ID}_wan="forwarding"
uci set firewall.lan${PORT_ID}_wan.src="lan${PORT_ID}"
uci set firewall.lan${PORT_ID}_wan.dest="wan"
service firewall restart

# Reconnect and test, then save the configs
uci commit network
uci commit dhcp
uci commit firewall

1 Like

I'll give it a try. Thank you.