Preventing Wi-Fi clients from accessing the WAN from a specific zone

Hello,

I had a network with 2 VLANs ('LAN' id:99 and 'DMZ' id:1)

I added a third VLAN/Interface: 'OFFLINE' id:2 with dhcp server on 172.17.0.0/24.
I then deployed a Wireless Network with option "network: 'OFFLINE'" and created a Firewall zone for network 'OFFLINE'.

From there, I expected my connected clients to be unable to access the internet, as there were no forwarding rules set between OFFLINE and WAN. However, my clients still had access to the internet.

I then tried to add an explicit traffic rule with: from: OFFLINE, to: WAN => drop, but my clients can still access the internet!

Am I missing something obvious?

I'm trying from my phone, which gets the IP 172.17.0.168 from the DHCP server and I make sure it's not using 5G by browsing to http://ip.me to verify that it matches my home's public IP.

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd0d:56a4:b54e::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan.99'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option vendorid 'neufbox_NB6V-XXXXXXXXXX'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'

config interface 'dmz'
	option proto 'static'
	option ipaddr '172.16.0.1'
	option netmask '255.255.0.0'
	option device 'br-lan.1'

config interface 'offline'
	option proto 'static'
	option ipaddr '172.17.0.1'
	option netmask '255.255.0.0'
	option device 'br-lan.2'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '2'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '99'
	list ports 'lan1:t'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'dmz'
	option name 'dmz'
	option forward 'ACCEPT'

config zone
	option name 'offline'
	list network 'offline'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option src 'lan'
	list src_ip '192.168.1.23'
	option dest 'wan'
	option target 'DROP'
	option name 'Block Fan2'

config rule
	option name 'Block Vacuum2'
	option src 'lan'
	list src_ip '192.168.1.22'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Block cam2'
	option src 'lan'
	list src_ip '192.168.1.87'
	option dest 'wan'
	option target 'DROP'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option name 'http'
	option dest_ip '172.16.0.101'
	option dest 'dmz'

config redirect
	option target 'DNAT'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option name 'https'
	option dest_ip '172.16.0.101'
	option dest 'dmz'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'ssh-git'
	list proto 'tcp'
	option src 'wan'
	option src_dport '22'
	option dest_ip '172.16.0.104'

config forwarding
	option dest 'wan'

config forwarding
	option src 'wan'

config forwarding
	option src 'dmz'
	option dest 'wan'

config rule
	option name 'Allow-IPSec-ESP-DMZ'
	list proto 'esp'
	option src 'wan'
	option dest 'dmz'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP-DMZ'
	list proto 'udp'
	option src 'wan'
	option dest 'dmz'
	option dest_port '500'
	option target 'ACCEPT'

config rule
	option name 'external-samba-445'
	list proto 'tcp'
	option src 'dmz'
	list src_ip '172.16.0.101'
	option dest 'lan'
	list dest_ip '192.168.1.101'
	option dest_port '445'
	option target 'ACCEPT'

config rule
	option name 'external-samba-139'
	list proto 'tcp'
	option src 'dmz'
	list src_ip '172.16.0.101'
	option dest 'lan'
	list dest_ip '192.168.1.101'
	option dest_port '139'
	option target 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'dmz'

config redirect
	option name 'http-lan'
	option dest 'dmz'
	option target 'DNAT'
	list proto 'tcp'
	option src 'lan'
	option src_dport '80'
	option dest_ip '172.16.0.101'
	option src_dip 'wan'
	option reflection_src 'external'

config redirect
	option name 'https-lan'
	option dest 'dmz'
	option target 'DNAT'
	list proto 'tcp'
	option src 'lan'
	option src_dport '443'
	option dest_ip '172.16.0.101'
	option src_dip 'wan'
	option reflection_src 'external'

config forwarding
	option src 'lan'
	option dest 'offline'

config rule
	option name 'Offline-zone'
	option src 'offline'
	option dest 'wan'
	option target 'DROP'

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'offline'
	option isolate '1'
	option encryption 'psk2'
	option key 'redacted'
	option ssid 'Tichette'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'HelloYou!'
	option encryption 'psk2'
	option key 'redacted'
	option disabled '1'

Thanks

Your offline clients cannot even connect to the router for DHCP leases. Are things set with static IPs? If not, double-check the IP and network they are using - devices often disconnect and try another known network if they can't even get a DHCP lease. Also make sure there isn't a second active network interface on the hosts used for testing.

Delete these vestiges:

And delete this since it is not necessary.

I see your problem now. The subnet mask is too big.
Change it to 255.255.255.0 for both of these networks.

Your offline network will still not be able to issue dhcp addresses because of the firewall zone configuration (input must be accept or you must create a rule to accept dhcp).

This was a desperate attempt; it was all on accept at the beginning. I've switched back to accept (and removed the vestiges).

By changing the mask to 255.255.255.0 it works! Thanks!

But why am I not allowed to use a /16 mask? For 172.16.0.0 ranges the minimal allowed mask should be /12, shouldn't it?

You can, but you defined 2 networks that overlap as a result of the /16. Smaller networks (/24) make it easier to avoid overlap. There are rarely reasons to use networks larger than /24 - only necessary if you have more than 254 hosts. And if you do have that many hosts, you need to be very deliberate about how the networks are configured - large networks become inefficient.

The problem was not the size of the network, it was just that you had 2 of them and they conflicted.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I'm sorry I might be slow here, but how do they overlap?

172.16.0.0/16 goes from 172.16.0.0 up to 172.16.255.255 with the latter the broadcast address.
172.17.0.0/16 goes from 172.17.0.0 up to 172.17.255.255

And therefore there are no overlaps?

Am I missing something that obvious?

No, you’re not missing anything… that was my mistake (I somehow was thinking you were using the 3rd octet to differentiate the networks, but I now see you were using the 2nd).

So with that in mind, I'm not sure what made the difference here. You could experiment and set them back to /16 if you want. I think maybe it was the firewall and/or network reload that fixed the problem.
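Added example, not part of the thread and not OpenWrt's own code: a small linter for UCI firewall text that makes the zone logic discussed above checkable offline. It parses `config` / `option` / `list` lines, lists which zone pairs the `config forwarding` sections cover and flags any forwarding that has no `src` or no `dest` (the two sections the replies call vestiges), gives a verdict for forwarded traffic between two zones, and gives a verdict for traffic from a zone to the router itself, which is the DHCP point raised earlier. Assumptions are marked in the code: whether a forwarding with a missing zone is expanded to every zone is a switch rather than a claim (I believe fw4 requires both zones and skips such a section; I have not verified fw3), the rule-before-forwarding-before-defaults order is my understanding of the generated ruleset, and the `REJECT` fallbacks apply only when a config sets no policy. The sample config and the `Allow-DHCP-offline` rule are constructed, trimmed versions of what the thread shows.

```python
"""Added example, not from the thread: a linter for OpenWrt UCI firewall text
that checks which zone pairs may forward (and whether a 'config forwarding'
with a missing src or dest widens that), and whether the router accepts
DHCP from a zone whose input policy is REJECT.  Sample config is constructed."""
import re

_TOK = re.compile(r"'([^']*)'|(\S+)")  # quoted value or bare word

def parse_uci(text):
    """UCI text -> list of dicts ('.type', '.name', options; 'list' -> list)."""
    sections, cur = [], None
    for raw in text.splitlines():
        w = [q or b for q, b in _TOK.findall(raw.strip())]
        if w and w[0] == 'config':
            cur = {'.type': w[1], '.name': w[2] if len(w) > 2 else None}
            sections.append(cur)
        elif cur is not None and len(w) > 2 and w[0] == 'option':
            cur[w[1]] = w[2]
        elif cur is not None and len(w) > 2 and w[0] == 'list':
            cur.setdefault(w[1], []).append(w[2])
    return sections

def forwarding_pairs(sections, missing_zone_means_any):
    """(src, dest) pairs covered by 'config forwarding' sections, plus warnings
    for sections lacking src or dest.  Expanding those to every zone is an
    ASSUMPTION the caller opts into (I believe fw4 requires both and skips the
    section; fw3 not verified), so audit such sections rather than guess."""
    zones = [s['name'] for s in sections if s['.type'] == 'zone' and 'name' in s]
    pairs, warnings = set(), []
    for s in sections:
        if s['.type'] != 'forwarding' or s.get('enabled', '1') == '0':
            continue
        src, dest = s.get('src'), s.get('dest')
        if src is None or dest is None:
            warnings.append(f"forwarding src={src} dest={dest}: zone missing")
            if not missing_zone_means_any:
                continue
        pairs |= {(a, b) for a in (zones if src is None else [src])
                  for b in (zones if dest is None else [dest]) if a != b}
    return pairs, warnings

def forward_verdict(sections, src, dest, missing_zone_means_any=True):
    """Verdict for a new connection src -> dest (distinct zones), in the order
    I understand the generated ruleset uses: zone-pair 'config rule' with no
    narrower match, then a forwarding, then the 'config defaults' policy."""
    narrow = ('src_ip', 'dest_ip', 'proto', 'src_port', 'dest_port', 'family')
    for s in sections:
        if (s['.type'] == 'rule' and s.get('src') == src and s.get('dest') == dest
                and not any(k in s for k in narrow)):
            return s.get('target', 'DROP'), 'rule ' + s.get('name', '?')
    if (src, dest) in forwarding_pairs(sections, missing_zone_means_any)[0]:
        return 'ACCEPT', 'forwarding'
    dflt = next((s for s in sections if s['.type'] == 'defaults'), {})
    return dflt.get('forward', 'REJECT'), 'defaults'  # REJECT: assumed fallback

def input_verdict(sections, zone, proto, port):
    """Verdict for traffic from `zone` to the router itself (e.g. DHCP udp/67):
    first matching 'config rule' without a dest, else the zone's input policy.
    A rule with no 'proto' means tcp+udp, so such a rule never covers ICMP."""
    for s in sections:
        if s['.type'] != 'rule' or 'dest' in s or s.get('src') != zone:
            continue
        p = s.get('proto', 'tcp udp')
        protos = (' '.join(p) if isinstance(p, list) else p).replace('tcpudp', 'tcp udp')
        ports = str(s.get('dest_port', '')).split()
        if proto in protos.split() and (not ports or str(port) in ports):
            return s.get('target', 'DROP')
    z = next((s for s in sections if s['.type'] == 'zone' and s.get('name') == zone), {})
    return z.get('input', 'REJECT')  # REJECT: assumed fallback if unset

# Constructed sample mirroring the thread's firewall config, trimmed.
SAMPLE = """\
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'offline'
    option input 'REJECT'
config zone
    option name 'wan'
config forwarding
    option dest 'wan'
config forwarding
    option src 'wan'
config rule
    option name 'Offline-zone'
    option src 'offline'
    option dest 'wan'
    option target 'DROP'
"""
# Constructed rule of the kind the reply above asks for: DHCP into the router.
DHCP_FIX = """\
config rule
    option name 'Allow-DHCP-offline'
    option src 'offline'
    option proto 'udp'
    option dest_port '67'
    option target 'ACCEPT'
"""
```

Run it against a real `/etc/config/firewall` by passing the file contents to `parse_uci`. Two things the output makes visible that the thread argues about: with `missing_zone_means_any=True` the two one-sided forwardings alone grant `offline -> wan` (and `wan -> offline`), so whether the deployed firewall treats a missing zone as "any" decides the question; and the `Offline-zone` DROP rule wins over any forwarding in the modelled order, while the zone's `input 'REJECT'` still blocks DHCP until a rule like `DHCP_FIX` is added. Port 53 needs its own rule if the router is the DNS server. Confirm on the box with the actual generated ruleset (`fw4 print` or `nft list ruleset` on fw4, `iptables-save` on fw3) rather than trusting the model.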
