OpenWrt guests can see hosts in upstream LAN

Hello,

Using release 19.07.2 on a ZyXEL NBG6716.

This router (LAN-range 192.168.2.0/24) is behind an ISP's router (Experiabox v10, LAN-range 192.168.1.0/24). The guest-WLAN has a LAN-range of 192.168.42.0/24. Wireless client-isolation is active for the guest-interface and this works as expected.

The guests cannot see each other (as intended per client-isolation), cannot see the devices in the normal LAN, but can see/reach/attack the devices in the ISP router's range.

Can this somehow be prevented? Can the upstream router (and the devices in its LAN) be shielded from the guests?

Thanks in advance,
Frans-Willem

Ummmm, your device is downstream, but you want to block access to its upstream network???

:thinking:

Yes, you firewall to all IPs in the subnet...above that rule, you allow the OpenWrt's WAN to reach the gateway (if you need things like DNS lookup from it).

4 Likes

This is expected behavior. You can add a firewall rule to drop all packets with a destination of the 192.168.1.0/24 network.

3 Likes

Thank you very much for this very quick response.
Case solved - as soon as I construct the correct rule(s) for doing so.
Edit: done. This is the firewall rule that does exactly what I think I need.

config rule
        option name 'Drop-Guest-to-Upstream'
        option family 'ipv4'
        option src 'guest'
        option proto 'tcp udp'
        option dest 'wan'
        list dest_ip '192.168.1.0/24'
        option target 'REJECT'

Kind regards,
Frans-Willem

Might wanna use 'all'

2 Likes
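
Added example, not part of any post in this thread: the posted rule with the `'all'` suggestion applied, preceded by the optional allow rule for the gateway mentioned in the first reply. The gateway address 192.168.1.1 and the rule name 'Allow-Guest-DNS-Upstream' are assumptions; the zone names and subnet are the ones from the thread.

```uci
# /etc/config/firewall (fragment). Added example, not from the thread.
# Rules that set both src and dest are forwarding rules; they are
# evaluated top to bottom, so the ACCEPT must sit above the REJECT.

# Optional: only needed if guest clients query the upstream router's DNS
# directly. Traffic originated by the OpenWrt router itself is not
# forwarded traffic and is not matched by these rules.
# 192.168.1.1 is an ASSUMED gateway address; substitute your own.
config rule
        option name 'Allow-Guest-DNS-Upstream'
        option family 'ipv4'
        option src 'guest'
        option dest 'wan'
        list dest_ip '192.168.1.1'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# Weak form, as posted: with proto 'tcp udp' only TCP and UDP match,
# so ICMP (ping) and any other IP protocol from the guest zone is
# still forwarded to 192.168.1.0/24.
#       option proto 'tcp udp'

# Corrected form: proto 'all' matches every protocol.
config rule
        option name 'Drop-Guest-to-Upstream'
        option family 'ipv4'
        option src 'guest'
        option dest 'wan'
        list dest_ip '192.168.1.0/24'
        option proto 'all'
        option target 'REJECT'
```

After reloading the firewall, a ping from a guest client to an address in 192.168.1.0/24 should fail, while hosts beyond the upstream router stay reachable.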
