I'm trying to set up a firewall on an access point that does something like the "isolate clients" option on the wireless configuration page, plus firewall rules that block clients from reaching the configuration pages of both the access point and the main router.
This is the network configuration:
# Loopback interface, standard static 127.0.0.1/8.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
# 'lan' is a bridge (device br-lan) over eth0 with a static address.
# 'static ip' and 'main router ip' are placeholders for the real values.
config interface 'lan'
option type 'bridge'
option ifname 'eth0'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr 'static ip'
option gateway 'main router ip'
# 'wireless' has no protocol of its own and is bound to br-lan, i.e. the
# same bridge device that 'lan' creates.
# NOTE(review): because both 'lan' and 'wireless' resolve to br-lan, the
# 'lan' and 'wireless' firewall zones overlap on one device -- confirm this
# is intended. The wifi-iface that attaches wireless clients to a network
# is not shown here, so which zone the clients actually land in cannot be
# told from this snippet.
config interface 'wireless'
option proto 'none'
option auto '1'
option ifname 'br-lan'
This is how I would set up the firewall:
# Global policies: traffic to and from the access point itself is accepted
# by default; forwarding between zones is rejected unless a zone or a
# forwarding section allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
# 'lan' zone: everything accepted, including input to the access point.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
# 'wan' zone with masquerading.
# NOTE(review): 'wan' and 'wan6' are not defined in the network
# configuration shown above -- confirm they exist on this device.
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
# 'wireless' zone: input to the access point rejected, no forwarding by
# default (only the lan->wan and wireless->wan forwardings below).
config zone
option name 'wireless'
option forward 'REJECT'
option output 'ACCEPT'
option network 'wireless'
option input 'REJECT'
config forwarding
option dest 'wan'
option src 'wireless'
# All of the following rules carry "option enabled '0'", so none of them
# is active as written.
# NOTE(review): the rule names and ports look swapped -- 67-68 are the
# DHCP ports while 53 is the DNS port. The rules also match on src_port;
# client DNS queries are sent *to* port 53, so a src_port match would
# presumably catch replies rather than requests -- confirm src_port vs
# dest_port is what is intended.
config rule
option target 'ACCEPT'
option src 'wireless'
option name 'AcceptDNS'
option proto 'udp'
option src_port '67-68'
option enabled '0'
option dest 'lan'
option dest_ip '192.168.1.1'
config rule
option target 'ACCEPT'
option src 'lan'
option name 'AcceptDNSLAN'
option proto 'udp'
option src_port '67-68'
option enabled '0'
option dest 'lan'
option dest_ip '192.168.1.1'
# The two rules below have no "option proto" line, unlike the two above.
config rule
option target 'ACCEPT'
option src 'wireless'
option name 'AcceptDHCPWireless'
option src_port '53'
option enabled '0'
option dest 'lan'
option dest_ip '192.168.1.1'
config rule
option target 'ACCEPT'
option src 'lan'
option name 'AcceptDHCPLan'
option src_port '53'
option enabled '0'
option dest_ip '192.168.1.1'
option dest 'lan'
# Intended to allow one administrator host (matched on both IP and MAC)
# to reach the access point; 'mycomputerip', 'mycomputermac' and
# 'accesspointip' are placeholders. Disabled as written.
# NOTE(review): a rule with both src and dest is a forwarding rule; traffic
# addressed to the access point itself is the zone's input, so this rule
# presumably needs to omit "option dest" to exempt the admin host from a
# REJECT input policy -- confirm against the firewall documentation.
config rule
option target 'ACCEPT'
option src 'lan'
option name 'AcceptInputIP'
option enabled '0'
option src_ip 'mycomputerip'
option src_mac 'mycomputermac'
option dest 'lan'
option dest_ip 'accesspointip'
When I set the input policy of the lan zone to REJECT, like this:
# Fragment of the 'lan' zone section from above, with only the input
# policy changed from ACCEPT to REJECT.
option name 'lan'
option input 'REJECT'
I can no longer access anything. What do I have to do to make the access point behave the way I described at the beginning of the thread?