Preventing Ap clients from accessing WAN

Hello everyone. I have my main router running OpenMPTCProuter that is providing WAN access to my house; I have some devices in the garage connected to a separate AP (an old Netgear router running OpenWrt) for coverage reasons.
The AP has a static 192.168.188.208 ip, and it's providing 192.168.1.x ips to the clients (and I would like to keep it this way).
I tried to create some firewall rules in OMR to prevent this AP from accessing Wan interfaces (and the OMR vpn interface) but clients can still access the web. What am I missing?


Firewall rules created in OMR (main router with WAN access)

What do you want the devices on the ap to be able to access?

They should access only my lan (or more specifically only home assistant, but only lan access is fine)

You can create a set of firewall rules. One accepts traffic to the main lan (192.168.188.0/24) and the other drops all traffic.

So I should configure those rules on AP's openwrt, correct?

Yes.

Or, you can set up a rule on your main router that blocks all traffic from the AP's IP address (if masquerading is in use on the AP), or from the source network 192.168.1.0/24 (if you have masquerading disabled).

It sounds to me it's the same thing I've done in the screenshot above, or is there something to change?

No idea... that singular screenshot doesn't tell us enough. What's up with the VPN zone there (you haven't mentioned anything about that)?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

EDIT: that rule won't work anyway since it's not referencing the OpenWrt lan (192.168.1.0/24). But nonetheless, there seems to be more stuff going on if there is a VPN... we still need to see the complete config.

The main router is using OpenMPTCPRouter (a fork of Openwrt).
From my understanding, WAN1 and WAN2 are my two ISPs (DSL and LTE respectively), and the VPN refers to the VPS managing the multipath traffic.

root@omr:~# cat /etc/config/network

config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option multipath 'off'
        option macaddr '00:00:00:00:00:00'
        option metric '5'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fddb:d669:eb09::/48'
        option multipath 'enable'
        option mptcp_path_manager 'fullmesh'
        option mptcp_scheduler 'blest'
        option mptcp_checksum '0'
        option mptcp_debug '0'
        option mptcp_fullmesh_num_subflows '1'
        option mptcp_fullmesh_create_on_err '1'
        option mptcp_ndiffports_num_subflows '1'
        option mptcp_rr_cwnd_limited 'Y'
        option mptcp_rr_num_segments '1'
        option mptcp_subflows '3'
        option mptcp_add_addr_accepted '1'
        option mptcp_add_addr_timeout '120'
        option mptcp_version '0'
        option congestion 'bbr'
        option mptcp_syn_retries '2'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipv6 '0'
        option delegate '0'
        option multipath 'off'
        option ip4table 'lan'
        option metric '6'
        option addlatency '0'
        option defaultroute '0'
        option peerdns '0'
        option macaddr '6c:4b:90:1c:82:70'
        option ipaddr '192.168.188.2'
        option device 'eth0'

config rule 'lan_rule'
        option lookup 'lan'
        option priority '100'

config interface 'wan1'
        option proto 'static'
        option ip4table 'wan'
        option defaultroute '0'
        option type 'macvlan'
        option masterintf 'eth0'
        option macaddr '62:04:d8:02:07:e5'
        option ipv6 '0'
        option metric '3'
        option peerdns '0'
        option addlatency '0'
        option netmask '255.255.255.0'
        option gateway '192.168.188.1'
        option ipaddr '192.168.188.69'
        option device 'wan1'
        option multipath 'master'
        option uploadspeed '20000'
        option downloadspeed '32000'

config device 'wan1_dev'
        option name 'wan1'
        option type 'macvlan'
        option ifname 'eth0'
        option macaddr '62:04:d8:02:07:e5'
        option mode 'vepa'

config interface 'omrvpn'
        option ifname 'tun0'
        option ip4table 'vpn'
        option multipath 'off'
        option leasetime '12h'
        option type 'tunnel'
        option txqueuelen '100'
        option metric '1200'
        option proto 'none'
        option device 'tun0'

config interface 'omr6in4'
        option proto '6in4'
        option ip4table 'vpn'
        option multipath 'off'
        option ipaddr '10.255.255.2'
        option peeraddr '10.255.255.1'
        option auto '0'
        option metric '1201'
        option ip6addr 'fe80::a00:2/126'
        option gateway 'fe80::a00:1/126'

config interface 'wan2'
        option proto 'static'
        option type 'macvlan'
        option masterintf 'eth0'
        option addlatency '0'
        option netmask '255.255.255.0'
        option defaultroute '0'
        option metric '8'
        option ipaddr '192.168.188.70'
        option macaddr '0a:77:fa:48:b6:fc'
        option ipv6 '0'
        option peerdns '0'
        option gateway '192.168.188.3'
        option device 'wan2'
        option multipath 'on'

config device 'wan2_dev'
        option name 'wan2'
        option type 'macvlan'
        option ifname 'eth0'
        option macaddr '0a:77:fa:48:b6:fc'
        option mode 'vepa'

config interface 'iPhone'
        option proto 'dhcp'
        option addlatency '0'
        option macaddr 'f2:99:b6:00:0e:8f'
        option metric '10'
        option ipv6 '0'
        option multipath 'on'
        option defaultroute '0'
        option peerdns '0'
        option device 'eth1'

config device 'iPhone_dev'
        option name 'eth1'

config device 'lan_dev'
        option name 'eth0'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'
        option multipath 'off'
        option metric '12'

config device
        option type 'bridge'
        option name 'docker0'

root@omr:~# cat /etc/config/wireless
cat: can't open '/etc/config/wireless': No such file or directory
root@omr:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option dnssec '1'
        option noresolv '1'
        option nonegcache '1'
        option sequential_ip '1'
        option port '53'
        list server '192.168.188.2#5353'
        list server '/lan/'
        list ipset '/googlevideo.com/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/s3.ll.dash.row.aiv-cdn.net/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/d25xi40x97liuc.cloudfront.net/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/aiv-delivery.net/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/vevo.com/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/audio-fa.scdn.com/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/deezer.com/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/sndcdn.com/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/last.fm/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/v.redd.it/omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/ttvnw.net/omr_dscp-cs4,omr_dscp6-cs4,omr_dscp-cs4,omr_dscp6-cs4'
        list ipset '/googletagmanager.com/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/googleusercontent.com/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/google.com/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/fbcdn.net/omr_dscp-cs4,omr_dscp6-cs4,omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/akamaihd.net/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/whatsapp.net/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/whatsapp.com/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/zoom.us/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/googleapis.com/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/1e100.net/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/hwcdn.net/omr_dscp-cs2,omr_dscp6-cs2'
        list ipset '/download.qq.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/steamcontent.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/gs2.ww.prod.dl.playstation.net/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/dropbox.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/dropboxstatic.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/dropbox-dns.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/log.getdropbox.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/drive.google.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/drive-thirdparty.googleusercontent.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/docs.google.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/docs.googleusercontent.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/gvt1.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/mmg-fna.whatsapp.net/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/upload.youtube.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/upload.video.google.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/windowsupdate.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/update.microsoft.com/omr_dscp-cs1,omr_dscp6-cs1'
        list ipset '/selfservicerepair.eu/omr_dst_bypass_all,omr6_dst_bypass_all'
        list ipset '/moovitapp.com/omr_dst_bypass_wan1,omr6_dst_bypass_wan1'
        list ipset '/ebay.it/omr_dst_bypass_all,omr6_dst_bypass_all'
        list ipset '/ipinfo.io/omr_dst_bypass_wan2,omr6_dst_bypass_wan2'
        list ipset '/netflix.com/omr_dst_bypass_all,omr6_dst_bypass_all'
        list ipset '/nflxso.net/omr_dst_bypass_all,omr6_dst_bypass_all'
        list ipset '/nflxext.com/omr_dst_bypass_all,omr6_dst_bypass_all'
        list ipset '/nflxvideo.net/omr_dst_bypass_all,omr6_dst_bypass_all'
        list ipset '/cookielaw.org/omr_dst_bypass_all,omr6_dst_bypass_all'

config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        option limit '200'
        option force '1'
        option start '10'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'WAN2'
        option interface 'WAN2'
        option start '100'
        option limit '150'
        option leasetime '12h'

config host
        option name 'apiot'
        option dns '1'
        option mac '04:A1:51:9B:56:34'
        option ip '192.168.188.208'
        option leasetime 'infinite'

root@omr:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option forward 'REJECT'
        option input 'REJECT'
        option output 'REJECT'

config zone 'zone_lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option mtu_fix '1'
        list network 'lan'
        option auto_helper '1'

config zone 'zone_wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option auto_helper '1'
        list network 'wan1'
        list network 'wan2'
        list network 'iPhone'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'
        option reload '1'

config rule
        option target 'ACCEPT'
        option name 'Allow-All-LAN-to-VPN'
        option dest 'vpn'
        option src 'lan'

config rule
        option target 'ACCEPT'
        option name 'Allow-All-Ping'
        option proto 'icmp'
        option dest '*'
        option src '*'
        option icmp_type 'echo-request'

config rule
        option target 'ACCEPT'
        option name 'Allow-VPN-ICMP'
        option proto 'icmp'
        option src 'vpn'

config rule
        option target 'ACCEPT'
        option name 'Allow-Lan-to-Wan'
        option dest 'wan'
        option src 'lan'

config rule
        option target 'ACCEPT'
        option name 'ICMPv6-Lan-to-OMR'
        option src 'lan'
        option family 'ipv6'
        option proto 'icmp'
        option limit '1000/sec'
        option icmp_type 'echo-reply destination-unreachable echo-request router-advertisement router-solicitation time-exceeded'

config include 'omr_server'
        option path '/etc/firewall.omr-server'
        option reload '1'

config include 'gre_tunnel'
        option path '/etc/firewall.gre-tunnel'
        option reload '0'

config forwarding 'fwlantovpn'
        option src 'lan'
        option dest 'vpn'

config rule 'blockquicproxy'
        option name 'Block QUIC Proxy'
        option proto 'udp'
        option dest_port '443'
        option target 'DROP'
        option src 'lan'

config rule 'blockquicall'
        option name 'Block QUIC All'
        option proto 'udp'
        option src '*'
        option dest '*'
        option dest_port '443'
        option target 'DROP'

config rule 'allowicmpipv6'
        option proto 'icmp'
        option target 'ACCEPT'
        option src 'wan'
        option name 'Allow IPv6 ICMP'
        option family 'ipv6'
        option icmp_type 'neighbour-advertisement neighbour-solicitation router-advertisement router-solicitation'

config rule 'allowdhcpv6546'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '547'
        option name 'Allow DHCPv6 (546-to-547)'
        option family 'ipv6'
        option src_port '546'

config rule 'allowdhcpv6547'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option name 'Allow DHCPv6 (547-to-546)'
        option family 'ipv6'
        option src_port '547'

config rule 'allow_dhcp_request_vpn'
        option name 'Allow-DHCP-Request-VPN'
        option src 'vpn'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'
        option family 'ipv4'

config include 'v2ray'
        option path '/etc/firewall.v2ray-rules'
        option reload '0'

config include 'omr_bypass'
        option path '/etc/firewall.omr-bypass'
        option reload '0'

config include 'ss_rules'
        option path '/etc/firewall.ss-rules'
        option reload '1'

config zone 'zone_vpn'
        option name 'vpn'
        option masq '1'
        option input 'REJECT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        list network 'omrvpn'
        list network 'omr6in4'
        option mtu_fix '1'
        option auto_helper '1'

config include 'ttl'
        option path '/etc/firewall.ttl'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

config rule
        option name 'test'
        list proto 'all'
        option src 'lan'
        list src_ip '192.168.1.0/24'
        option dest 'vpn'
        option target 'REJECT'

config rule
        option name 'test2'
        list proto 'all'
        option src 'lan'
        list src_ip '192.168.1.0/24'
        option dest 'wan'
        option target 'REJECT'

root@omr:~#

I'm confused.... where was that firewall rule screenshot? Main router or AP?

Did you want to implement the rule on the main router or the AP?

If you're trying to create the rule on the OpenMPTCPRouter device, you need to ask them for help.

We can help you here for all things official OpenWrt, of course. Is the AP running OpenWrt obtained from the official project? If so, we can help you implement a firewall rule on that device.

It's from the Main Router.

The best way to implement it would be on the main router in my opinion, but I guess on the AP would also be OK.

Yes, the AP is running the "original" Openwrt

Feel free to post the configs from the AP and we can help you out.

I generally agree with this, but you'll have to ask the OpenMPTCPRouter community for help if that is what you want to do.

It sounds like the garage router is doing NAT. The clients connected to the garage AP will appear at the main router with the IP of the garage router's WAN (192.168.188.208), not their original 192.168.1.0 IPs.

There are a few approaches to this:

  • Use 192.168.188.208 as the IP to block. This will have the side effect that the garage router itself is also treated as a garage client, and blocked from the Internet.
  • Set up symmetric routing, by adding a route in the main router 192.168.1.0/24 via 192.168.188.208. Then turn off NAT in the garage router. To the main router's firewall, the garage clients will keep their original 192.168.1.0 IPs.
  • If it's a wired connection from the main router to the garage, put the whole garage network in an isolated VLAN at the main router. There will be the same side effect as the first case.

That is my assumption, too. Even if NAT Masquerading isn't being used, it should be possible to craft the right firewall rules on the AP to block traffic. But we obviously need to see the config, first.

AP Config:

{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "Atheros AR7241 rev 1",
        "model": "Netgear WNR2200 (8M)",
        "board_name": "netgear,wnr2200-8m",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbb:b93c:cb40::/48'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config interface 'wwan'
        option proto 'dhcp'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan'
        option ssid 'redacted'
        option encryption 'psk2'
        option key 'redacted'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

That's why I thought the best approach was to block the AP's WAN access directly from the main router, using its IP address (192.168.188.208).

You may want to upgrade to 23.05.3 which is the most current.

The firewall file is missing.... can you post that, please.

Oh, sorry. Here it is

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

Add these two rules to your OpenWrt AP's firewall:

# The firewall evaluates rules in configuration order: the ACCEPT for the
# upstream LAN must stay above the catch-all REJECT, or it never matches.
config rule
	option name 'AllowLocalLanToUpstreamLan'
	list proto 'all'
	option src 'lan'
	option dest 'wan'
	# Whole upstream LAN (including the main router's own management
	# interface). Narrow this to the Home Assistant host if only that
	# service is meant to be reachable, as stated earlier in the thread.
	list dest_ip '192.168.188.0/24'
	option target 'ACCEPT'

# Catch-all: every other packet forwarded from the lan zone to the wan zone
# is rejected. No 'family' is set, so this covers IPv4 and IPv6 alike.
# Only forwarded traffic is affected; the AP's own outbound traffic (zone
# output) is not, so its dnsmasq presumably still resolves names for
# clients even though their connections are blocked — confirm on the device.
config rule
	option name 'BlockAllElse'
	list proto 'all'
	option src 'lan'
	option dest 'wan'
	option target 'REJECT'

I don't know if it worked before, but I cannot access AP's Luci (192.168.188.208) from my main network 192.192.188.x. Disabling the rules does not help

That is expected based on your firewall.

When the upstream is trusted (and only in this situation; NEVER when the upstream is connected to an untrusted network/internet), you can change the input rule on the wan firewall zone to ACCEPT like this:

# The input policy applies to every network attached to this zone (wan,
# wan6 and wwan), so it is only safe when all of them connect to the
# trusted home LAN.
config zone
        option name 'wan'
        # ACCEPT exposes the AP's own services (LuCI, SSH) to the whole
        # upstream segment. A traffic rule accepting only the needed ports
        # from 192.168.188.0/24 would be the narrower alternative.
        option input 'ACCEPT'
        option output 'ACCEPT'
        # Forwarding from the wan zone into lan stays rejected; only traffic
        # addressed to the AP itself is affected by the change above.
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

This will allow you to access the router itself from the upstream (wan side of the OpenWrt device).
