Removing wan from lan to isolate management

@jeff @lleachii sorry guys I took a picture from the internet just for reference, I didn't mean to circle the forwarding part, I have edited my picture

Despite that, my previous response is still valid. @jeff's response also remains relevant:

If you want to stop the router's Management IP from reaching the Internet, you can also create an ACCEPT OUTPUT rule from the management's IP to the LAN's 192.168.xxx.0/24 IPs. THEN, immediately under this rule, OUTPUT DROP all traffic from this same IP to 0.0.0.0/0. You can then safely change the default OUTPUT TO DROP OR REJECT. BUT; I highly suggest you don't create these rules. Again, entering these rules erroneously will likely lock you out of your router, again!

@Tuxy, I honestly think you're not understanding the LuCI Firewall pages, iptables, etc. If you created and placed the rule to allow HTTP and SSH at the top of your firewall, and never delete them, you shouldn't have these lockout issues.

@jeff @lleachii sorry guys if I'm a pain in the ..... sometimes I think it would be easier to pay someone but at the same time teach me what I was to accomplish and how it works, but that is another story.
Yeah I agree, I think I got confused reading so many posts and not reading the wiki properly, but I just want to make sure I understand this properly, so after configuring the new vlan and firewall zone as per @lleachii comments and although I could ping google from the router (due to output=accept) it does not mean that the outside world has access to my management vlan, right?

The other part I don't understand is why did I need to create a new vlan when I had removed the bridging for vlan1 which removed the wifi and other lan ports from vlan1, the CPU was tagged, I had removed the wan forwarding, so wasn't that the same as creating a new vlan and firewall zone?

  • Your management VLAN shouldn't have a Public Global IP, so it can't be accessible from the outside world, unless you made a port forward.
  • It is highly suggested you understand iptables firewalling before proceeding, answers to your inquiry should be understood at this point.
  • By default, OpenWRT is configured so you cannot access internal networks from the WAN.

I don't actually understand what removing bridging does, except breaking the WiFi and LAN ports (unless you have no intention of plugging clients to the switch or connecting them to the WiFi of the router, then the device isn't being used for routing). Also, I'm not sure what you mean by "wasn't that the same..." but again, I noted that you don't do both. It seems you choose to anyways:

No, I only chose one and it was "make a separate management vlan" which I did by following exactly as above but for vlan1 for port 2 only, all I added was to remove the bridging to VLAN1 as I made 1 new separate VLAN that does wifi+lan on remaining ports but without having access to vlan1, so I have a total of 2 separate subnets, this is what I meant by "wasn't that the same" as making a new vlan8 as below?

Is this done by having the wan INPUT to REJECT (default config)? I've been binding my IP as per the secure your router wiki, is this step required then?
https://wiki.openwrt.org/doc/howto/secure.access

In a default config, the WAN doesn't allow access, **hence why the firewall exists.** Also, it now seems you're playing with the service ports and their listening interfaces at the same time as the firewall...I think you're making this extremely difficult, and you're still struggling with iptables.

  • I've never seen the Wiki you refer to, I'm not sure what steps you're following in this document anyways, so I'm not sure what step you're asking about

If you're accessing your router from WAN (I surmise this because you say you have to drive to the router if you lock yourself out), then obviously, you have to do one of 2 things to get your SSH and Web GUI working:

  • Set them to listen on WAN and make INPUT rules (I would suggest this if you continue to have difficulty); or
  • Make port forwards to their instance on LAN

Again, YOU DO NOT DO BOTH. I also should note again, I think you're not understanding the security paradigm of OpenWRT. The Wiki also appears to disable HTTP and enable HTTPS for LuCI, that would make the web port 443, not 80!

I'm so confused, I know my English is bad but it can't be that bad, so let me clear some stuff

  1. By IP I meant lan IP 192.168.x.x not ISP IP, search for webui or the wiki for uhttpd as it explained better
  2. I don't remember saying I have remote access to my router, I would never do that
  3. Why do you keep saying don't do both? I have only set one thing as you told me, everything else is the same from the default config
  4. No, I'm not mixing my http or s ports

@Tuxy

To clear up things, would you describe what you want to do, from where, as well as what you don't want to allow?

For example:

  • I want to access ssh and the LuCI interface from a wired computer connected to the router
    • I'm OK with configuring a VLAN on that wired computer or
    • I'm OK with using a single cable to directly plug the computer into a dedicated port on the back of the router
  • I don't want access to ssh or the LuCI interface by anyone on wireless
  • I don't want access to ssh or the LuCI interface by anyone else on the wired (LAN) network (within reason)
  • I don't want access to the LuCI interface by anyone "outside" (WAN side)
  • I want to be able to access ssh from the WAN side

@jeff you basically summarized it all :grin:
I want to access ssh and the LuCI interface from a wired computer connected to the router (absolutely, I currently do this, I don't need wifi hence why I removed bridging)
I'm OK with configuring a VLAN on that wired computer or (yes I can do this part)
I don't want access to ssh or the LuCI interface by anyone on wireless (absolutely)
I don't want access to ssh or the LuCI interface by anyone else on the wired (LAN) network (within reason) (yes I know it would be within reason because anyone could just plug into my defined LuCI port)
I don't want access to the LuCI interface by anyone "outside" (WAN side) (absolutely)
I want to be able to access ssh from the WAN side (no I don't need this)

Jeff I can copy my config later or tomorrow, I might already have it configured properly, but I could be wrong, thank you

Then, from a "stock" configuration, the steps I'd take would be:

  • Pick a VLAN number for your management VLAN, call it 15 for an example (you can pick any valid, otherwise unused VLAN number, but it requires more config if you pick a number that is higher than the number of VLANs your router's switch manages)
  • Create a VLAN sub-interface on your least-loaded interface. Hard to say if the WAN-side or LAN-side is more heavily loaded. It doesn't matter too much for most people. Say that you picked eth0. You should now have eth0.15
  • Pick an IP address for the new interface from any of the private address spaces that is on a different subnet than all the others. Call it 172.16.0.16 for example. Assign it to eth0.15
  • Add VLAN 15 to your switch config, tagged for all "LAN" ports and tagged for eth0 (assigning to all ports assumes that you don't believe anyone on your wired network would know/snoop the VLAN and IP addresses and configure their computer as a "rogue")
  • Plug your computer into any LAN port.
  • Configure your computer with an IP from the same subnet as eth0.15 and confirm that you can ping the router from your computer on 172.16.0.16
  • Confirm that you can access ssh and LuCI from your computer on 172.16.0.16
  • Set the firewall to block all FORWARD traffic between the ETH0.15 zone and all other zones.
  • Confirm that you can access ssh and LuCI from your computer on 172.16.0.16
  • Create "custom" rules to block ssh/http/https INPUT on the LAN zone

Check everything (can still access the outside world, can access ssh/LuCI from computer on 172.16.0.16, can't access ssh/LuCI from other machines on the wireless/wired LAN)
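The UCI stanzas that implement the steps above, as an added example and not jeff's or the OpenWrt project's own configuration. The switch port numbers (0t as the CPU port, 1t-4t as LAN ports), the /24 netmask and the zone name `mgmt` are assumptions; check `swconfig dev switch0 show` for your device's real port map before applying, and keep an existing allow rule for ssh/LuCI on the LAN zone until the mgmt access is confirmed working.

```uci
# /etc/config/network (fragment added here; port numbers are assumptions)
config switch_vlan
	option device 'switch0'
	option vlan '15'
	# CPU port and all LAN ports tagged, as in the step above
	option ports '0t 1t 2t 3t 4t'

config interface 'mgmt'
	option ifname 'eth0.15'
	option proto 'static'
	option ipaddr '172.16.0.16'
	option netmask '255.255.255.0'

# /etc/config/firewall (fragment added here)
# Zone for the management VLAN: the router answers on it (INPUT ACCEPT),
# may reply (OUTPUT ACCEPT), but nothing is routed through it (FORWARD REJECT).
# Deliberately no 'config forwarding' stanza names 'mgmt' as src or dest,
# so traffic cannot cross between mgmt and lan/wan.
config zone
	option name 'mgmt'
	option network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# "Custom" rule for the last step: refuse ssh/http/https arriving on the
# LAN zone, so only hosts on 172.16.0.0/24 reach the management services.
config rule
	option name 'Block-LAN-Management'
	option src 'lan'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'REJECT'
```

After `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, repeat jeff's checks from the 172.16.0.16 host before removing any temporary allow rule, since the `Block-LAN-Management` rule is exactly the one that locks you out if the mgmt VLAN was miswired.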
