Preventing machines in a subdomain from reaching OpenWrt via ssh or LuCI

I have a subdomain for IoT. The OpenWrt router IP on this subdomain is 192.168.20.1. I do not want any machine with IP 192.168.20.* to be able to reach OpenWrt via ssh or the web UI.

With the option forward 'REJECT', I thought machines could not communicate in the same subdomain:

config zone
	option name 'iotzone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iotlan'
config forwarding
	option src 'iotzone'
	option dest 'wan'

I added this, hoping it would stop the unwanted behavior, but it did not:

config rule 'iot_reject_private_ip'
	option src 'iotzone'
	option name 'Reject forward iotzone to private nets'
	option dest '*'
	option target 'REJECT'
	list dest_ip '192.168.0.0/16'
	list dest_ip '172.16.0.0/12'
	list dest_ip '10.0.0.0/8'
	list proto 'all'

It seems I did not understand something about the firewall :confused:

traffic to the router is in the "input" chain not "forward" ...

but I see your setting is "option input 'REJECT'"; how are you checking that your "iotlan" network has the ability to access "ssh" or "luci" on the router?

can you show your current configuration and attach an "nmap" scan of the router from your PC on the "iotlan" network? It should give something like this:

nmap 192.168.20.1
Starting Nmap 7.80 ( https://nmap.org ) at current_date
Nmap scan report for name_your_router (192.168.20.1)
Host is up (0.00100s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
53/tcp open  domain

should be able to steal stuff from https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface
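Since the thread turns on the difference between the "input" and "forward" chains, here is an added example (my own code, not from the thread and not OpenWrt's own tooling): a small Python model that parses UCI firewall text and reports which chain a packet from the IoT zone lands in and what verdict it gets. Everything except the 192.168.20.1 router address and the poster's quoted sections is constructed for the example: the "lan" subnet 192.168.1.0/24 with router address 192.168.1.1, the "as run" configuration with input 'ACCEPT' (reconstructed from the poster's later reply that input had in fact been ACCEPT), and the DHCP/DNS exception rules, which follow the pattern in the linked guest Wi-Fi guide. The model only knows the keywords used here and simplifies fw4 (no output chain, no masquerading, no src_ip selectors).

```python
import ipaddress

# Constructed network plan: the subnet each zone owns and the router's own address
# in each. Only 192.168.20.1 comes from the thread; the rest is assumed.
ZONES = {"iotzone": "192.168.20.0/24", "lan": "192.168.1.0/24"}
ROUTER_IPS = {"192.168.20.1", "192.168.1.1"}

# Reconstruction of what the poster says was actually running (input 'ACCEPT'),
# with the "reject private nets" rule appended.
AS_RUN = """
config zone
	option name 'iotzone'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iotlan'

config forwarding
	option src 'iotzone'
	option dest 'wan'

config rule 'iot_reject_private_ip'
	option src 'iotzone'
	option name 'Reject forward iotzone to private nets'
	option dest '*'
	option target 'REJECT'
	list dest_ip '192.168.0.0/16'
	list dest_ip '172.16.0.0/12'
	list dest_ip '10.0.0.0/8'
	list proto 'all'
"""

# Corrected zone: input REJECT, plus explicit DHCP and DNS exceptions (constructed,
# guest-Wi-Fi style) so the cameras still get leases and name resolution.
FIXED = AS_RUN.replace("option input 'ACCEPT'", "option input 'REJECT'") + """
config rule
	option name 'Allow DHCP iotzone'
	option src 'iotzone'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow DNS iotzone'
	option src 'iotzone'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Minimal UCI parser: 'config <type> [id]', 'option k v', 'list k v'."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({".type": parts[1]})
        elif parts[0] == "option":
            sections[-1][parts[1]] = parts[2].strip("'")
        elif parts[0] == "list":
            sections[-1].setdefault(parts[1], []).append(parts[2].strip("'"))
    return sections

def _matches(rule, dst_ip, port, proto):
    """Do the rule's proto / dest_port / dest_ip selectors match the packet?"""
    protos = rule.get("proto", "all")
    protos = protos if isinstance(protos, list) else protos.split()
    if "all" not in protos and proto not in protos:
        return False
    lo, _, hi = rule.get("dest_port", "1-65535").partition("-")
    if not int(lo) <= port <= int(hi or lo):
        return False
    cidrs = rule.get("dest_ip", [])
    cidrs = cidrs if isinstance(cidrs, list) else [cidrs]
    return not cidrs or any(ipaddress.ip_address(dst_ip) in ipaddress.ip_network(c) for c in cidrs)

def decide(config, src_zone, dst_ip, port, proto="tcp"):
    """Return (chain, verdict) for a packet from src_zone to dst_ip:port."""
    sections = parse_uci(config)
    zone = next(s for s in sections if s[".type"] == "zone" and s.get("name") == src_zone)
    rules = [s for s in sections if s[".type"] == "rule" and s.get("src") == src_zone]
    if dst_ip in ROUTER_IPS:
        # Addressed to the router itself: INPUT chain. Only rules without 'dest'
        # are consulted here, so a rule with dest '*' never applies to ssh/LuCI.
        for r in rules:
            if "dest" not in r and _matches(r, dst_ip, port, proto):
                return "input", r["target"]
        return "input", zone["input"]
    # Passing through the router: FORWARD chain, rules with 'dest', then zone policy.
    addr = ipaddress.ip_address(dst_ip)
    dst_zone = next((z for z, n in ZONES.items() if addr in ipaddress.ip_network(n)), "wan")
    for r in rules:
        if r.get("dest") in ("*", dst_zone) and _matches(r, dst_ip, port, proto):
            return "forward", r["target"]
    if dst_zone == src_zone:
        return "forward", zone["forward"]
    allowed = any(s[".type"] == "forwarding" and s.get("src") == src_zone
                  and s.get("dest") == dst_zone for s in sections)
    return "forward", "ACCEPT" if allowed else "REJECT"

if __name__ == "__main__":
    for name, cfg in (("AS_RUN", AS_RUN), ("FIXED", FIXED)):
        print(name, "ssh to router:", decide(cfg, "iotzone", "192.168.20.1", 22))
```

Running it shows the poster's symptom: with input 'ACCEPT', ssh to 192.168.20.1 is accepted no matter what the forward policy or the dest '*' rule says, because that rule is only consulted for forwarded traffic. With the corrected zone, ports 22 and 80 on the router are rejected while DHCP and DNS to the router, and forwarding to the WAN, still work.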

in what sense?
or maybe I missed something?

ps: hoping I don't make the mistake of assuming the configuration hasn't changed too much

that's why I kindly asked for the current configuration...

unless it has changed its previous configuration ...

separately adds a rule to prevent specific traffic from being forwarded:

Sorry, I messed up forward and input. Doing too much trial and error, I did not see the input option was 'ACCEPT'. Now it's working as it should.

I set up 3 subnets. "iotlan" for cameras, "serverlan" for a Nextcloud server and "trustedlan" for the computers. I wonder if I should also create a fourth one for the AndroidTV as, for now, I've been unable to make it work in the iot zone. More questions to come… :grin:


ok

You can create as many zones as you want (in case you want to further segment your networks)

As ncompact said, "want to...". But the question is why? What is it about Android TV that you want to shield from other IOT devices?


My guess is that he wants to shield his inside net from Android TV ... (I would)


Well, he already has IOT which I presume is shielded from the inside net. I have all my IOT (connected and offline) on a single network as I don't see a reason for shielding an Android TV from a light switch. Having said that, I don't treat cameras as IOT, just to make sure no one can see the feed if an IOT device is compromised :wink: They have a dedicated CCTV VLAN.

I genuinely ask for the reason, might learn something and could change the setup. Currently migrating from DD-WRT to OpenWRT and setting everything up fresh, so might as well change how the things are organised if there's a better approach.

I may be paranoid (might even be a good thing, wrt. security)
But I see Android boxes as high-risk devices.
Intelligent, capable, jumphost'able, and possibly snooping.

And I would never let anything untrusted access my IoT/HVAC VLAN.

I actually have a separate MMedia VLAN for ATV, Receivers & other MMedia devices.
And one for IoT/HVAC, one for Cams (Security), and one for Phones/Pads ... etc.

Have 14 VLANs in all here ... Maybe a bit on the "heavy side" (occupational hazard)

My philosophy
Divide & block/allow ...
VLANs are free, and if you have done the segmentation from the beginning, it's not that hard to maintain.

That said .. I use pfSense as my main router/firewall.
My oWRT boxes are set up as "dumb" L2 APs.
