Preventing devices on a separate vlan from accessing OpenWrt's login page

Hello,

I am still fairly new to OpenWrt and have limited networking knowledge, so please forgive me if this is a dumb question.

I have a guest network set up on VLAN 120 with an interface IP of 172.168.x.x. Devices that connect to this network receive IPs from the correct IP range and access the internet without any issues. I have firewall zones set up so that devices on VLAN 120 CANNOT talk to devices that are on my LAN. This works as expected.

However, devices connected to VLAN 120 are still able to reach OpenWrt's login page by its IP 10.10.x.x. I am assuming this is working as it should, since devices on VLAN 120 would need to talk to the router for DHCP etc.

My question is this: is there a way to prevent devices on VLAN 120 from being able to access the router's login page via its IP address?

Thanks in advance!

Allow access to the router from that VLAN only for ports 67-68 (DHCP) and 53 (DNS). Default actions on the zone are:
input = reject
output = accept
forward = reject

Like this:

excerpt from /etc/config/firewall:
config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'dhcp-guest'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'dns-guest'
	option src 'guest'

This does not allow any device in the guest zone (in my example) to interact with any other zone (other than the WAN) or the router itself, except for ports 53 and 67-68.

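As an added illustration of the approach in the reply above (this is not from the original thread), here is a small Python script that parses an /etc/config/firewall excerpt and reports anything that lets hosts in a given zone reach the router itself beyond DHCP and DNS. Rules with a `src` zone and no `dest` are the ones that apply to traffic addressed to the router (the INPUT path), so those are the only rules that matter for the login page question. The UCI parser, the function names and both sample configs are constructed for this example; the second sample adds a hypothetical `luci-guest` rule opening tcp/80 from guest, which is exactly the exposure the question is about.

```python
import shlex

# Sample /etc/config/firewall excerpt, constructed to match the posted config:
# guest zone with input REJECT, forwarding only to wan, DHCP and DNS opened to the router.
GUEST_FIREWALL = """
config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option name 'dhcp-guest'
	option src 'guest'

config rule
	option enabled '1'
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option name 'dns-guest'
	option src 'guest'
"""

# Same config plus a hypothetical rule that would expose LuCI (tcp/80) to guests again.
GUEST_FIREWALL_LEAKY = GUEST_FIREWALL + """
config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '80'
	option name 'luci-guest'
	option src 'guest'
"""

# What guest hosts legitimately need from the router itself: DNS and DHCP.
ALLOWED_INPUT = {"udp": {53, 67, 68}, "tcp": {53}}


def parse_uci(text):
    """Minimal UCI parser: a list of sections, each a dict of option -> value
    ('list' entries become Python lists) with the section type under '.type'."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *rest = shlex.split(line)  # handles 'single' and "double" quoted values
        if keyword == "config":
            sections.append({".type": rest[0], **({".name": rest[1]} if len(rest) > 1 else {})})
        elif keyword == "option" and sections:
            sections[-1][rest[0]] = rest[1] if len(rest) > 1 else ""
        elif keyword == "list" and sections:
            sections[-1].setdefault(rest[0], []).append(rest[1] if len(rest) > 1 else "")
    return sections


def expand_ports(spec):
    """'53' -> {53}; '67-68' -> {67, 68}; '22 80 443' -> {22, 80, 443}."""
    ports = set()
    for token in spec.split():
        low, _, high = token.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


def audit_zone_input(config_text, zone):
    """Report how hosts in `zone` can reach the router itself (the INPUT path).
    An empty list means only DHCP (udp 67-68) and DNS (tcp/udp 53) get through."""
    findings = []
    sections = parse_uci(config_text)
    zones = [s for s in sections if s[".type"] == "zone" and s.get("name") == zone]
    if not zones:
        return [f"zone '{zone}' is not defined"]
    if zones[0].get("input", "DROP").upper() == "ACCEPT":  # fw3/fw4 default policy is DROP
        findings.append(f"zone '{zone}' has input ACCEPT: every router service, LuCI included, is reachable")
    for rule in sections:
        # Only rules with src=zone and no dest land in the INPUT chain (traffic to the router)
        if rule[".type"] != "rule" or rule.get("src") != zone or "dest" in rule:
            continue
        if rule.get("enabled", "1") == "0" or rule.get("target", "DROP").upper() != "ACCEPT":
            continue
        name, protos = rule.get("name", "<unnamed>"), rule.get("proto", "tcp udp").split()
        if "all" in protos or "dest_port" not in rule:
            findings.append(f"rule '{name}' accepts {' '.join(protos)} from {zone} with no port restriction")
            continue
        for proto in protos:
            extra = expand_ports(rule["dest_port"]) - ALLOWED_INPUT.get(proto, set())
            if extra:
                findings.append(f"rule '{name}' opens {proto} {sorted(extra)} from {zone} to the router")
    return findings
```

`audit_zone_input(GUEST_FIREWALL, "guest")` returns an empty list for the posted config, while the leaky variant yields one finding naming the `luci-guest` rule and tcp port 80. Running it against the live file (`cat /etc/config/firewall`) is a quick way to confirm nothing was left accepting from the guest zone after editing in LuCI, where a stray "Allow input" rule is easy to leave behind.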

Restricting listening exposure will make firewall rulesets a lot easier.

> ssh ROUTERIP
> vi /etc/config/uhttpd

adjust your listen directives as below:

	# HTTP listen addresses, multiple allowed
	list listen_http	10.2.3.1:80
#	list listen_http	[::]:80

For dropbear: /etc/config/dropbear

root@c5v2-2019:~# cat /etc/config/dropbear 

config dropbear
	option PasswordAuth 'on'
	option Port '22'
	option Interface 'lan'   # or br-lan etc...

You can verify with: netstat -lnp

root@c5v2-2019:~# netstat -lnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 10.2.3.1:80             0.0.0.0:*               LISTEN      1308/uhttpd
tcp        0      0 10.2.3.1:22             0.0.0.0:*               LISTEN      1248/dropbear
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING        514 725/ubusd           /var/run/ubus.so
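To make the "verify with netstat -lnp" step above mechanical, here is an added Python example (not from the thread) that parses `netstat -lnp` output and lists the listeners a host on the guest VLAN could still connect to: anything bound to a wildcard address (0.0.0.0 or ::) and anything bound to the router's own guest-side address. One caveat worth keeping in mind: binding uhttpd to 10.2.3.1 only closes the LAN-IPv4 path; a wildcard-bound socket answers on the router's guest-side address as well, and an enabled `[::]:80` line would keep it reachable over IPv6, so the firewall input rules from the earlier reply remain the actual enforcement and this script is a check on top of them. The two netstat captures, the guest-side address 10.120.0.1 and the function names are all constructed for this example.

```python
# netstat -lnp output in the shape shown above, but with uhttpd and dropbear still on the
# OpenWrt default wildcard binds. Constructed sample, not a real capture.
NETSTAT_DEFAULT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1308/uhttpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1248/dropbear
tcp        0      0 :::80                   :::*                    LISTEN      1308/uhttpd
tcp        0      0 :::22                   :::*                    LISTEN      1248/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1103/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1103/dnsmasq
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ACC ]     STREAM     LISTENING        514 725/ubusd           /var/run/ubus.sock
"""

# After the listen_http and dropbear Interface changes from the reply. Constructed sample.
NETSTAT_RESTRICTED = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.2.3.1:80             0.0.0.0:*               LISTEN      1308/uhttpd
tcp        0      0 10.2.3.1:22             0.0.0.0:*               LISTEN      1248/dropbear
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1103/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1103/dnsmasq
"""

WILDCARDS = {"0.0.0.0", "::"}  # a socket bound here answers on every interface address


def parse_netstat(text):
    """Return the TCP/UDP listeners from `netstat -lnp` output as dicts.
    Header, 'Active ...' and unix-socket lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        # ':::22' -> ('::', '22'); '10.2.3.1:80' -> ('10.2.3.1', '80')
        host, port = parts[3].rsplit(":", 1)
        sockets.append({
            "proto": parts[0],
            "host": host,
            "port": int(port),
            # last column is PID/Program name; udp lines have no State column, so index from the end
            "program": parts[-1].split("/", 1)[-1],
        })
    return sockets


def reachable_from(text, iface_addrs, ignore_ports=frozenset()):
    """Listeners a host behind an untrusted interface can connect to: anything bound to a
    wildcard address or to one of that interface's own router addresses (`iface_addrs`).
    `ignore_ports` drops services the zone is meant to reach anyway (e.g. DNS 53, DHCP 67)."""
    return [
        s for s in parse_netstat(text)
        if s["port"] not in ignore_ports and (s["host"] in WILDCARDS or s["host"] in iface_addrs)
    ]


if __name__ == "__main__":
    guest_ip = {"10.120.0.1"}  # made-up address of the router on the guest VLAN
    for label, output in (("default binds", NETSTAT_DEFAULT), ("restricted binds", NETSTAT_RESTRICTED)):
        hits = reachable_from(output, guest_ip, ignore_ports={53, 67})
        print(label, "->", [f"{s['proto']} {s['host']}:{s['port']} {s['program']}" for s in hits])
```

On the router itself you would feed it the live output (`netstat -lnp`) instead of the constants; DNS and DHCP are excluded via `ignore_ports` because guests are supposed to reach those, so anything else that comes back is a service the guest VLAN can still talk to.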

Thanks for the replies guys!

I will give this a shot when I get a chance to work on it some more.
