Please peer review my IoT and Guest configuration

Hello everyone,

I would be very thankful if somebody peer reviewed my current configuration as I have managed to enable both Guest WiFi and IoT networks but I have the feeling that I may have inadvertently generated backdoors due to my low networking skills.

This is the link to my current configuration. I have manually redacted my passwords just in case: https://pastebin.com/Rrn4fC2G

my setup looks like this:

  • main network
    -- interface: lan
    -- ssid: kitus
  • guest network
    -- interface: kitusguest
    -- ssid: kitus' guest
  • iot network
    -- interface: iot
    -- ssid: kitus24

What I'm looking for is:

  • iot devices (kitus24) should not be able to connect to devices located on my main network (kitus), except from my NAS (192.168.5.2) and my home automation platform (192.168.5.5)

Enhancements:

  • in general, I would like to limit the connection above by hardening the firewall rules so that unless the communication was initiated from within the main network, the communication between the iot network and the lan is not possible. I understand that using the "established" flag is what I'm looking for.
    -- there is an exception to this: if the communication is initiated by my projector (static dhcp) from the iot network, it should get through to the NAS
    -- at some point I will want to block communication from certain devices within the iot network to the cloud but not at this point

if you've read to this point, I'm already thankful for your time!!!

Remove the forwarding from the iot to the lan zone and the traffic rule becomes redundant.

uci delete firewall.@forwarding[3]
uci delete firewall.@rule[16]

You should add the following:

uci set firewall.@rule[15].family='ipv4'
uci set firewall.@rule[15].proto='all'
uci commit firewall
fw3 restart
uci add firewall rule
uci set firewall.@rule[-1].name='IOT-restricted-devices'
uci set firewall.@rule[-1].src='iotzone'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].proto='all'
uci add_list firewall.@rule[-1].src_ip='192.168.240.50'
uci add_list firewall.@rule[-1].src_ip='192.168.240.53'
uci set firewall.@rule[-1].target='REJECT'
2 Likes

Thanks a lot for your answer @pavelgl !!

Please allow me to process your answer just to make sure I understand all your contributions well enough prior to applying them

But will I still be able to access my NAS and Home automation from the iot network? I would swear that I needed to include the forwarding rule because otherwise I was unable to access these devices

May I ask what those commands add to the configuration?

With these commands above you indicate what devices are whitelisted to go to the cloud, right?

Also, what about the rest of my configuration? do you see anything fishy in it?

One last question: what should I add to my configuration in order to make sure it works the way I want:

in general, I would like to limit the connection above by hardening the firewall rules so that **unless the communication was initiated from within the main network**, the communication between the iot network and the lan is not possible.

Thanks a million @pavelgl !!!

No need to masquerade the lan
firewall.lan.masq='1'
@pavelgl has covered the rest you need to fix.

Adding a forwarding will allow all iot to access the lan. The rule is enough to let only a few devices access these 2 servers in the lan.

Adding the IPv4 will not trigger a warning when loading the IPv6 part of the firewall.
The proto='all' could be omitted I think and is the default.

Blacklisted, the action is to reject.

It's fine as you have it. Only open the access you need. Forwardings allow all devices in one zone to access another zone. If you need fine tuning you can create more specific rules.

2 Likes

If the protocol is omitted, fw3 creates by default separate iptables rules for tcp and udp, and there are no rules for icmp.

3 Likes

@pavelgl @trendy can I buy you guys a coffee ??

MANY THANKS FOR YOUR TIME and wisdom!

1 Like

You may donate to the project!

2 Likes

Your link and the donate section bring me here:

1 Like

Just in case you need it [OpenWrt Wiki] Donations

2 Likes

Thanks, I updated the link.

1 Like

hi again @pavelgl or @trendy, any idea how to implement this restriction that I mentioned in my earlier messages?
Is it possible to implement a global restriction for all the iot network but allow that just one of the hosts is able to initiate the communication?

thanks again!

Remove the IoT > lan forwarding in the Zone settings, then add an individual firewall traffic rule that accepts a specific IP within the IoT network to connect to the lan.

If you want the lan to be able to initiate connections to the IoT network, just make sure you have forwarding from lan > IoT (but not the other way, per my above comment). This way, IoT can respond, but not initiate (with the exception of the IP in the rule above).

1 Like
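A constructed model of the decision logic the two answers above describe (conntrack for replies, traffic rules evaluated before zone forwardings, the zone's default reject when neither matches), added here as an example; it is not OpenWrt's code or any poster's. Zone names and the NAS/home automation addresses are the ones from the thread; the projector address 192.168.240.50, the second restricted device 192.168.240.53 and the tcp/udp default for rules without a proto are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of how fw3 decides forwarded traffic for this thread's setup:
# conntrack first, then traffic rules in order, then zone forwardings, then the
# zone's default REJECT. The projector (192.168.240.50) is an assumed IoT host.
ZONE_NETS = {"lan": "192.168.5.0/24", "iotzone": "192.168.240.0/24"}
# Zone forwardings: lan -> iot (so the lan can initiate) and iot -> wan.
# The iot -> lan forwarding is deliberately absent, as the answers recommend.
FORWARDINGS = {("lan", "iotzone"), ("iotzone", "wan")}
# Traffic rules. A rule without 'proto' is modelled as matching only tcp and
# udp (the fw3 default mentioned in the thread), so icmp would fall through.
RULES = [
    {"name": "IOT-servers", "src": "iotzone", "dest": "lan", "proto": {"all"},
     "src_ip": {"192.168.240.50"}, "dest_ip": {"192.168.5.2", "192.168.5.5"},
     "target": "ACCEPT"},
    {"name": "IOT-restricted-devices", "src": "iotzone", "dest": "wan",
     "proto": {"all"}, "src_ip": {"192.168.240.50", "192.168.240.53"},
     "dest_ip": set(), "target": "REJECT"},
]

def zone_of(ip):
    """Map an address to its zone; anything outside the lan/iot subnets is wan."""
    for zone, net in ZONE_NETS.items():
        if ip_address(ip) in ip_network(net):
            return zone
    return "wan"

def decide(src_ip, dest_ip, proto="tcp", established=False):
    """Return ACCEPT or REJECT for a forwarded packet between two hosts."""
    if established:          # conntrack: replies to an allowed flow always pass
        return "ACCEPT"
    src, dest = zone_of(src_ip), zone_of(dest_ip)
    for rule in RULES:       # traffic rules are checked before zone forwardings
        protos = rule.get("proto") or {"tcp", "udp"}
        if (rule["src"] == src and rule["dest"] == dest
                and (protos == {"all"} or proto in protos)
                and (not rule["src_ip"] or src_ip in rule["src_ip"])
                and (not rule["dest_ip"] or dest_ip in rule["dest_ip"])):
            return rule["target"]
    if (src, dest) in FORWARDINGS:
        return "ACCEPT"
    return "REJECT"          # zone default: no forwarding and no matching rule

if __name__ == "__main__":
    print(decide("192.168.240.50", "192.168.5.2"))    # projector -> NAS: ACCEPT
    print(decide("192.168.240.77", "192.168.5.2"))    # other IoT host: REJECT
    print(decide("192.168.5.20", "192.168.240.77"))   # lan initiates: ACCEPT
```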

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.