Using release 19.07.2 on a ZyXEL NBG6716.
This router (LAN-range 192.168.2.0/24) is behind an ISP's router (Experiabox v10, LAN-range 192.168.1.0/24). The guest-WLAN has a LAN-range of 192.168.42.0/24. Wireless client-isolation is active for the guest-interface and this works as expected.
The guests cannot see each other (as intended per client-isolation), cannot see the devices in the normal LAN, but can see/reach/attack the devices in the ISP router's range.
Can this somehow be prevented? Can the upstream router (and the devices in its LAN) be shielded from the guests?
Thanks in advance,
Ummmm, your device is downstream, but you want to block access to its upstream network???
Yes, you firewall to all IPs in the subnet...above that rule, you allow the OpenWrt's WAN to reach the gateway (if you need things like DNS lookup from it).
This is expected behavior. You can add a firewall rule to drop all packets with a destination of the 192.168.1.0/24 network.
Thank you very much for this very quick response.
Case solved - as soon as I construct the correct rule(s) for doing so.
Edit: done. This is the firewall rule that does exactly what I think I need.
config rule
	option name 'Drop-Guest-to-Upstream'
	option family 'ipv4'
	option src 'guest'
	option proto 'tcp udp'
	option dest 'wan'
	list dest_ip '192.168.1.0/24'
	option target 'REJECT'
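
A small check of which protocols the rule posted above actually covers, as an added example that is not part of the original thread. It models fw3 rule matching in simplified form (first matching rule wins, then the zone's forwarding policy); the `ALL_PROTO_RULE` variant, the function names and the assumption that guest-to-wan forwarding is otherwise accepted are assumptions of this example.

```python
import ipaddress

# The rule as posted in the thread, expressed as a dict of its UCI options.
POSTED_RULE = {
    "name": "Drop-Guest-to-Upstream", "family": "ipv4", "src": "guest",
    "proto": "tcp udp", "dest": "wan",
    "dest_ip": ["192.168.1.0/24"], "target": "REJECT",
}
# Constructed variant (not from the thread): same rule, every protocol.
ALL_PROTO_RULE = dict(POSTED_RULE, proto="all")


def rule_matches(rule, pkt):
    """True if a forwarded packet matches the rule's zones, proto and dest_ip."""
    if (rule["src"], rule["dest"]) != (pkt["src_zone"], pkt["dest_zone"]):
        return False
    # fw3 treats a rule without 'proto' as 'tcp udp'.
    protos = rule.get("proto", "tcp udp").split()
    if "all" not in protos and pkt["proto"] not in protos:
        return False
    dst = ipaddress.ip_address(pkt["dest_ip"])
    nets = rule.get("dest_ip", [])
    return not nets or any(dst in ipaddress.ip_network(n) for n in nets)


def verdict(rules, pkt, zone_forward="ACCEPT"):
    """First matching rule wins; otherwise the guest->wan forwarding applies.

    zone_forward="ACCEPT" is an assumption: guests are allowed out to wan.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return zone_forward


def leaks(rules, subnet="192.168.1.0/24", protos=("tcp", "udp", "icmp")):
    """Protocols a guest can still use towards the upstream subnet."""
    host = str(next(iter(ipaddress.ip_network(subnet).hosts())))
    return [p for p in protos
            if verdict(rules, {"src_zone": "guest", "dest_zone": "wan",
                               "proto": p, "dest_ip": host}) == "ACCEPT"]


if __name__ == "__main__":
    print("posted rule leaks:", leaks([POSTED_RULE]))      # ['icmp']
    print("proto 'all' leaks:", leaks([ALL_PROTO_RULE]))   # []
```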