Please help me set up a firewall for an access point that drops requests to the main router and the access point configuration pages

I'm trying to set up a firewall for an access point that does something like the "isolate clients" option in the wireless configuration page, plus some firewall rules that block access to both the access point and the main router configuration page.
This is the network configuration:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr 'static ip'
	option gateway 'main router ip'

config interface 'wireless'
	option proto 'none'
	option auto '1'
	option ifname 'br-lan'

This is how I would set up the firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wireless'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'wireless'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'wireless'

config rule
	option target 'ACCEPT'
	option src 'wireless'
	option name 'AcceptDNS'
	option proto 'udp'
	option src_port '67-68'
	option enabled '0'
	option dest 'lan'
	option dest_ip '192.168.1.1'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'AcceptDNSLAN'
	option proto 'udp'
	option src_port '67-68'
	option enabled '0'
	option dest 'lan'
	option dest_ip '192.168.1.1'

config rule
	option target 'ACCEPT'
	option src 'wireless'
	option name 'AcceptDHCPWireless'
	option src_port '53'
	option enabled '0'
	option dest 'lan'
	option dest_ip '192.168.1.1'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'AcceptDHCPLan'
	option src_port '53'
	option enabled '0'
	option dest_ip '192.168.1.1'
	option dest 'lan'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'AcceptInputIP'
	option enabled '0'
	option src_ip 'mycomputerip'
	option src_mac 'mycomputermac'
	option dest 'lan'
	option dest_ip 'accesspointip'

When I set the input rule to drop requests for the lan interface

	option name 'lan'
	option input 'REJECT'

I can't access anything. What do I have to do to make the access point work like I explained in the beginning of the thread?

  1. Is this part of the configuration on the access point or the router?
  2. Which device is running OpenWrt?
  3. What devices are they?
  4. Have you noticed that all your firewall rules are not enabled?
  5. I can see only LAN and wireless interfaces, but there is also a WAN zone in firewall. Is that used?
  6. Which device is DHCP and DNS? DHCP packets cannot cross the broadcast domain without special configuration.

FYI: DNS -> UDP/53, DHCP server -> UDP/67

  1. Access point
  2. Access point is running OpenWrt, main router is running stock firmware
  3. Does it matter?
  4. Yes, I left them like that because once I enable them and set the lan interface to drop input requests I can't access both the main router and the access point configuration page
  5. No, the device running openwrt is an access point so it only has those interfaces
  6. The main router has DHCP server enabled

If you don't bridge LAN and WiFi, you'll have to enable the DHCP server on the OpenWrt device and subsequently add an IP/mask address on the WiFi interface.
Decide how you want to proceed with that and we can see the rest of the configuration.
It helps to troubleshoot if we know the model of the router and the OpenWrt version installed.

In an AP configuration, traffic from the wireless clients goes straight to the wired interface (and the main router) and does not traverse the firewall.

Either you configure the AP as a router, as @trendy suggested, or you (manually) configure ebtables to filter the traffic at the bridge level.
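
One way to do the bridge-level filtering suggested above, as an added example that is not from any poster in the thread: it prints ebtables rules that drop wireless clients' TCP connections to the configuration pages of the AP and the main router, leaving DHCP and DNS untouched. The port name `wlan0`, the AP address 192.168.1.2 and ports 80/443 are assumptions, and 192.168.1.1 is assumed to be the main router.

```shell
#!/bin/sh
# Added example: prints ebtables rules for review; nothing is applied here.
# Assumed values (not from the thread): wlan0, ports 80/443, sample addresses.
# IPv4 only: IPv6 access to the same pages needs matching IPv6 rules.

WLAN_IF="${WLAN_IF:-wlan0}"         # wireless port of br-lan (assumed name)
MGMT_PORTS="${MGMT_PORTS:-80 443}"  # web UI ports (assumed)

valid_ip() {
    # Digits and dots only, then dotted-quad shape, so nothing else
    # can end up inside the generated rule text.
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

valid_mac() {
    case "$1" in ""|*[!0-9A-Fa-f:]*) return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# gen_rules AP_IP ROUTER_IP [ADMIN_MAC]
gen_rules() {
    ap_ip="$1"; router_ip="$2"; admin_mac="$3"
    valid_ip "$ap_ip" && valid_ip "$router_ip" || { echo "bad IP" >&2; return 1; }
    if [ -n "$admin_mac" ]; then
        valid_mac "$admin_mac" || { echo "bad MAC" >&2; return 1; }
        # Admin station is accepted before any DROP is evaluated.
        # A MAC can be spoofed: this is a convenience, not authentication.
        echo "ebtables -A INPUT -i $WLAN_IF -s $admin_mac -j ACCEPT"
        echo "ebtables -A FORWARD -i $WLAN_IF -s $admin_mac -j ACCEPT"
    fi
    for port in $MGMT_PORTS; do
        # INPUT: frames from wireless clients addressed to the AP itself.
        echo "ebtables -A INPUT -i $WLAN_IF -p IPv4 --ip-dst $ap_ip --ip-proto tcp --ip-dport $port -j DROP"
        # FORWARD: frames bridged from wireless on to the main router.
        echo "ebtables -A FORWARD -i $WLAN_IF -p IPv4 --ip-dst $router_ip --ip-proto tcp --ip-dport $port -j DROP"
    done
}

# Stand-alone use: ./gen.sh 192.168.1.2 192.168.1.1 [admin-mac]
if [ "$#" -ge 2 ]; then
    gen_rules "$@"
fi
```

Review the printed rules, then pipe them to `sh` on the AP. Wired clients are unaffected because every rule matches only frames arriving on the wireless port.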