I have played with the setup of my router, trying to achieve the following diagram:
I duplicated what was working for the lan network through tun0:
I created a second interface, lan-guest, using a new bridge (br-lan-guest) attached to a new VLAN (VLAN 3) which tags only the CPU port eth1. I also added new firewall zones for lan-guest and the VPN tun1.
Using pbr, it seems to work fine.
On lan-guest, only radio1 is attached as an AP for clients to connect to.
I was wondering, in the lan-guest interface settings, what difference does it make whether I use the bridge (br-lan-guest) or select the wireless interface instead:
The firewall is set like this:
Because the zones are separate, I believe I don't need to add such rules; is that correct?
I am also trying to block access to LuCI from lan-guest; however, it has not worked when adding the two rules:
- to block access to the router IP
- to allow DHCP and DNS
Is a rule missing to make it work?
Many thanks in advance
Delete the first rule and remove port 68 from the second rule. Change input for lan_guest to reject (in the drop-downs shown in the second screenshot from LuCI).
Thanks for the reply.
I confirm the firewall blocks lan_guest to lan without specific rules.
Regarding Block-Guest-LuCI, I tried what you suggested by removing the rule and changing the zone setting to reject input, but it stopped all internet browsing from lan_guest.
Instead, I have reverted the lan_guest zone to ACCEPT input and specified in the firewall rule to drop input from lan_guest to the IP of LuCI as it was set up in my original post, but with destination ports 22, 80 and 443.
Internet works fine on lan_guest and LuCI is not accessible via a web browser. Is that enough to block access to LuCI, or should I add something else?
No, this should not happen. The Input rule refers to traffic that is destined for the router itself. It does not impact traffic that is destined for other zones (such as the wan). If you experienced a problem here, it is most likely related to DNS -- you can add a rule to accept port 53 from the guest network. Or you can advertise an alternate DNS server (such as a public DNS like Google or Cloudflare), using DHCP option 6.