Provide internet access to OpenWRT but not on 'specific' connecting clients

I am very bad at 'title' generation, but if you have a good one and if the 'title' can be changed, please recommend one.

Anyway, this may really sound weird, or maybe it already is...

So I have a router running in AP mode with services like "dnsmasq", "firewall" and "odhcpd" disabled...; it also has a bunch of VLANs on it.

I have created multiple SSIDs and linked them to whatever VLANs I need, and so far everything is working wonderfully; I have internet access and no issues!

Please refer to the pics below for more info.

As you can see from the pic, I have made vlan404 the PVID (not sure if I sound right here...) so as to make the AP 'configurably' accessible via the 'wan' port.

My motive is to prevent and/or disable internet access for this 'non-vlan' group [which is vlan404 (ironic..., I know), and please forgive me for being a noob].

I consider vlan404 my 'management interface', and therefore it should not have internet access, since the other VLANs I have created already have proper internet access defined.

vlan404 also serves DHCP, as I sometimes need this functionality, but it should not serve DNS or pass a gateway (btw, I have configured dhcp/dnsmasq like below).
Note #1: hint: dhcp_option '3' and dhcp_option '6'.
Note #2: the vlan404 DHCP is located on my 'main' OpenWRT x86 router.

config dhcp 'core'
        option interface 'core'
        option start '100'
        option limit '149'
        option leasetime '12h'
        list dhcp_option '3'
        list dhcp_option '6'

And as expected..., it is showing neither DNS nor Gateway (issued 'ipconfig /all').

Now the 'fun' part..., I just realized that the AP itself does not have internet access...

How do I provide internet access to the AP, while preventing internet access for anything that connects to vlan404?

Assuming the AP gateway is 10.10.10.x,
change the configuration of your AP (gateway/DNS).

You should find something similar on your AP (/etc/config/network):

config interface 'core'
        option proto 'static'
        option device 'br-x.404'
        option ipaddr '10.10.10.252'
        option netmask '255.255.255.0'
        option gateway '10.10.10.x'
        list dns '10.10.10.x'

PS: since this is already the second time this has happened, kindly avoid posting images of your configuration; prefer the configuration files directly (they are easier to understand and to modify with the appropriate changes), even if images have their own visual effect.

In this case you need to make changes to the firewall on your "main OpenWRT x86 router": create rules that define what can forward packets.


Any data found in those images is not that critical..., but I'll take note of what you have advised.

Noted on the firewall rule(s) to be made..., so I need to find a way that would only allow the AP's IP to get internet access and block the rest...

Btw, do I have any other options for this aside from the firewall rule? And lastly..., I thank you for your insights! Much appreciated!

Reject forwarding,

and allow an IP list to forward.

Example /etc/config/firewall (for testing only):

config zone
        option name 'core'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'core'

config rule
        option src 'core'
        option dest 'wan'
        option target 'ACCEPT'
        option name 'Allow_only_ap_to_wan'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'
        list src_ip '10.10.10.252'
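Added example, not code from the thread or from OpenWrt itself: a small Python script that parses the two UCI fragments quoted in this thread (the 'dhcp' section from the first post and the 'zone'/'rule' sections from the post above) and evaluates what they do. It shows that a bare dhcp_option '3' and '6' remove the router and DNS options from the lease, and that the 'rule' with src_ip lets only 10.10.10.252 forward from 'core' to 'wan' while the zone's forward 'REJECT' covers every other vlan404 host. The parser (single-quoted UCI values only) and the forwarding model (first matching rule, else the zone's forward policy; no 'forwarding' sections, no global default) are simplifications assumed by this example, and the sample text is constructed from the thread's snippets.

```python
import ipaddress
import re

# Constructed sample for this example: the 'dhcp' section from the first post and the
# firewall 'zone'/'rule' sections from the post above, joined into one UCI-style text.
SAMPLE_UCI = """
config dhcp 'core'
        option interface 'core'
        option start '100'
        option limit '149'
        option leasetime '12h'
        list dhcp_option '3'
        list dhcp_option '6'
config zone
        option name 'core'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'core'
config rule
        option src 'core'
        option dest 'wan'
        option target 'ACCEPT'
        option name 'Allow_only_ap_to_wan'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'
        list src_ip '10.10.10.252'
"""

UCI_LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?\s*$")


def parse_uci(text):
    """Minimal UCI parser (single-quoted values only); returns
    [(section_type, section_name_or_None, {key: str | [str, ...]}), ...]."""
    sections = []
    for line in text.splitlines():
        m = UCI_LINE.match(line)
        if not m:
            continue  # blank lines, comments and unquoted forms are skipped
        kind, key, value = m.groups()
        if kind == "config":
            sections.append((key, value, {}))
        elif kind == "option":
            sections[-1][2][key] = value
        else:  # repeated 'list' lines accumulate, e.g. the two 'list proto' lines
            sections[-1][2].setdefault(key, []).append(value)
    return sections


def as_list(value):
    """A key may appear as one 'option' or several 'list' lines; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])


def dhcp_options_sent(sections, pool):
    """Router (3) and DNS (6) options a lease from this dnsmasq pool carries.
    dnsmasq rule: a bare option code in dhcp_option (no ',value') means 'do not send
    this option', so the thread's '3' and '6' leave clients with no gateway and no DNS."""
    for typ, name, opts in sections:
        if typ == "dhcp" and name == pool:
            sent = {3: "router (default: this host)", 6: "dns (default: this host)"}
            for entry in as_list(opts.get("dhcp_option")):
                code, _, value = entry.partition(",")
                if code.isdigit():  # named options such as 'router,...' are not modelled
                    if value == "":
                        sent.pop(int(code), None)  # bare code: option suppressed
                    else:
                        sent[int(code)] = value    # explicit value: default replaced
            return sent
    raise KeyError(f"no dhcp section named {pool!r}")


def forward_allowed(sections, src_zone, dst_zone, src_ip, proto):
    """Simplified OpenWrt forwarding decision: the first matching 'rule' (src, dest,
    family, proto, src_ip) decides; otherwise the source zone's 'forward' policy
    applies. Zone 'forwarding' sections and the global default are not modelled."""
    ip = ipaddress.ip_address(src_ip)
    for typ, _, rule in sections:
        if typ != "rule" or rule.get("src") != src_zone or rule.get("dest") != dst_zone:
            continue
        family = rule.get("family", "any")
        if (family == "ipv4" and ip.version != 4) or (family == "ipv6" and ip.version != 6):
            continue
        protos = as_list(rule.get("proto")) or ["all"]
        if "all" not in protos and proto not in protos:
            continue
        src_ips = as_list(rule.get("src_ip"))
        if src_ips and not any(ip in ipaddress.ip_network(s, strict=False) for s in src_ips):
            continue
        return rule.get("target", "DROP") == "ACCEPT"  # OpenWrt's default rule target is DROP
    for typ, _, zone in sections:
        if typ == "zone" and zone.get("name") == src_zone:
            return zone.get("forward", "REJECT") == "ACCEPT"
    return False


if __name__ == "__main__":
    cfg = parse_uci(SAMPLE_UCI)
    print("options sent to vlan404 clients:", dhcp_options_sent(cfg, "core"))
    for host, proto in [("10.10.10.252", "tcp"), ("10.10.10.150", "tcp"), ("10.10.10.252", "icmp")]:
        verdict = "ACCEPT" if forward_allowed(cfg, "core", "wan", host, proto) else "REJECT"
        print(f"{host} {proto} -> wan: {verdict}")
```

Running it reports an empty option set for vlan404 leases (no gateway, no DNS), ACCEPT for 10.10.10.252 over tcp/udp and REJECT for any other vlan404 address. It also makes one detail of the posted rule visible: with 'list proto' limited to tcp and udp, ICMP from the AP (a plain ping) still falls through to the zone's forward REJECT; add 'list proto icmp' or drop the proto lines if you want ping to work. The zone's input policy (traffic addressed to the router itself, such as the AP's DNS queries to 10.10.10.x) is outside this model; that is the part the final post in the thread changes to ACCEPT.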

As far as I know, no, but why would you want alternatives to firewall rules?


Just looking to see if there are any other options :slight_smile:

Anyway, here are some results, though I changed interface 'core' from 'Static address' to 'DHCP client' (in the AP), since I am testing mwan3 on my 'main' OpenWRT and I am not sure how to put static entries (I should be fine for now with this).

I have changed the zone rule for core (in the main OpenWRT) from input 'REJECT' to input 'ACCEPT':

config zone
        option name 'core'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'core'

Confirming that internet access now works on the AP side, and any other device connecting to vlan404 is prohibited.

Thank you for helping me!

