I am still fairly new to OpenWrt and have limited networking knowledge, so please forgive me if this is a dumb question.
I have a guest network set up on VLAN 120 with an interface IP of 172.168.x.x. Devices that connect to this network receive IPs from the correct IP range and access the internet without any issues. I have firewall zones set up so that devices on VLAN 120 CANNOT talk to devices that are on my LAN. This works as expected.
However, devices connected to VLAN 120 are still able to reach OpenWrt's login by its IP 10.10.x.x. I am assuming this is working as it should since devices on VLAN 120 would need to talk to the router for DHCP etc.
My question is this: is there a way to prevent devices on VLAN 120 from being able to access the router's login page via its IP address?
Allow access to the router from that VLAN only for ports 67-68 (DHCP) and 53 (DNS). Default actions on the zone are:
input = reject
output = accept
forward = reject
Like this:
Excerpt from /etc/config/firewall:

```
# Guest zone: traffic to the router (input) and to other zones (forward) is rejected by default
config zone
    option name 'guest'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'guest'
    option input 'REJECT'

# Guest clients may reach the WAN
config forwarding
    option dest 'wan'
    option src 'guest'

# Allow DHCP from guest clients to the router
config rule
    option target 'ACCEPT'
    option proto 'udp'
    option dest_port '67-68'
    option name 'dhcp-guest'
    option src 'guest'

# Allow DNS from guest clients to the router
config rule
    option enabled '1'
    option target 'ACCEPT'
    option proto 'tcp udp'
    option dest_port '53'
    option name 'dns-guest'
    option src 'guest'
```
This will not allow any device in the guest zone (in my example) to interact with any other zone (other than the WAN) or the router itself, except for ports 53 and 67-68.
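
An added example, not part of the original posts and not OpenWrt's own code: a simplified Python model of how the guest-zone configuration above decides traffic addressed to the router itself, so the effect on the login page (TCP 80/443) and SSH (TCP 22) can be checked against the allowed DHCP and DNS ports. The function names are hypothetical, the sample config is constructed from the answer's excerpt, and the model assumes each rule lists a single port or one range.

```python
import shlex

# Constructed sample: the guest zone and the two rules from the answer above.
SAMPLE = """
config zone
    option name 'guest'
    option input 'REJECT'
    option network 'guest'

config rule
    option name 'dhcp-guest'
    option src 'guest'
    option proto 'udp'
    option dest_port '67-68'
    option target 'ACCEPT'

config rule
    option name 'dns-guest'
    option src 'guest'
    option proto 'tcp udp'
    option dest_port '53'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, options) pairs."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)  # strips quotes and '#' comments
        if tok[:1] == ["config"]:
            sections.append((tok[1], {}))
        elif tok[:1] == ["option"] and sections:
            sections[-1][1][tok[1]] = tok[2]
    return sections

def router_input(sections, zone, proto, port):
    """Simplified verdict for a packet from `zone` addressed to the router."""
    for kind, o in sections:
        if kind != "rule" or o.get("src") != zone or "dest" in o:
            continue  # a rule with a dest zone governs forwarding, not router input
        if o.get("enabled", "1") == "0" or proto not in o.get("proto", "tcp udp").split():
            continue  # assumption: a rule without 'proto' matches both tcp and udp
        lo, _, hi = o.get("dest_port", "1-65535").partition("-")
        if int(lo) <= port <= int(hi or lo):
            return o["target"]
    for kind, o in sections:
        if kind == "zone" and o.get("name") == zone:
            return o["input"]  # no rule matched: the zone's input policy applies
    raise ValueError("unknown zone: " + zone)
```

Run against the real `/etc/config/firewall` text, a verdict of `ACCEPT` for TCP 80, 443 or 22 from the guest zone means the router's management services are still reachable from that VLAN.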