"Sandboxing" a machine?

Not sure if "sandboxing" is the right term, but I'm thinking of building a Windows machine for a specific use. I don't use Windows otherwise and want it to have only limited access to the internet. This machine will be accessed remotely, probably using NoMachine.

What I want to do is pretty much deny access to pretty much everything on WAN except maybe allowing a couple of sites to be accessed for driver updates or something. I'm not a network guru so I can't really think of how to set this up. I generally set all machines to DHCP and in OpenWRT I assign a static IP based on MAC. Any tips on how to set this up, or if I have to do this outside of OpenWRT?

There are two ways to handle this:

  • If you are okay with the Windows machine existing on the same network as your other devices, just set one or more firewall rules that govern the allowed internet access from that device (by IP address).
  • If you want to isolate that machine entirely from your existing network and also control what can be accessed on the internet, you can create another network/VLAN for this purpose. Generally speaking, for this you'd follow the guest wifi tutorial... you can adapt this to include a wired port on your router (and/or to not set up wifi and make it wired only).

Thanks for the info. It's fine that it's on the local network; I need it on the network to access it remotely. I just want to keep it off the internet.

Looking at the firewall rules setup in LuCI, it's kind of confusing. I'm not sure exactly how this needs to be set up. Do I need to set up rules like:
To generally block everything....
Reject- Source LAN(windowsIP)->Destination WAN(NoIP)
Reject- Source WAN(NoIP)->Destination LAN(windowsIP)
To selectively allow for each domain...
Accept- Source LAN(windowsIP)->Destination WAN(SpecificDomain)
Accept- Source WAN(SpecificDomain)->Destination LAN(windowsIP)
and do this for every domain on the internet I want it to be able to access?

Yes, this is generally the process. The only thing that makes it complicated is that the firewall works with IP addresses, not domain names. As long as there is a (hopefully not extensive) list of IPs, it is fairly simple to make the firewall work. But as that list of IPs gets longer and/or if they are variable (due to dynamic IPs and such), it gets more complicated.

Another approach is to use a DNS based filtering solution... Pi-hole or Adblock or similar can be used to set up block lists and allow lists.

So I tried setting this up through LuCI pretty much just as I said. The first 2 rules seem to work to basically block everything in and out, but as I kind of figured, the 2nd set of rules is pretty much overridden by the first. I used a site to translate the domain name into an IP and that's what I used for the accept rules.

So basically I said:
Block everything coming in
Block everything going out
allow website in
allow website out

So unless there's some way to set up those first 2 rules with an exclude list, I don't think it will work to allow specific sites the way it is set up. I've used Pi-hole in the past but not for this purpose, and it was on a separate single board computer (like a Raspberry Pi). Is it wise to run Pi-hole on the same machine as OpenWRT? I'm using a small x86 PC for OpenWRT.

Actually, is there something I can do with the XOR rule? I know what the logic of XOR is, but I'm not sure how it works in the context of OpenWRT/networking.

Rules are dependent on the order. So you probably want the allow before the block rules.
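As an added example (not posted by anyone in this thread), here is what the ordering described above looks like in OpenWrt's own config files rather than in LuCI. It assumes the Windows box gets the lease 192.168.1.50 from a MAC-based static lease (as the original poster already does) and that the one host to allow is 203.0.113.10 on TCP 443; both addresses are placeholders to replace with your own. The MAC address is a placeholder too.

```uci
# /etc/config/dhcp -- pin the Windows box to a known address so the
# firewall rules below always match the right host. (MAC is a placeholder.)
config host
	option name 'winbox'
	option mac '00:11:22:33:44:55'
	option ip '192.168.1.50'

# /etc/config/firewall -- rules are evaluated top to bottom, first match
# wins, so the ACCEPT rules for the Windows box must come BEFORE the
# catch-all REJECT for that same box. Add one ACCEPT per allowed IP.
config rule
	option name 'winbox-allow-updates'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	list dest_ip '203.0.113.10'
	option proto 'tcp'
	option dest_port '443'
	option target 'ACCEPT'

# Everything else from the Windows box toward the internet is refused.
# This matches only lan->wan forwarding, so the box can still talk to the
# router itself (DHCP, DNS) and to other LAN hosts (NoMachine).
config rule
	option name 'winbox-block-wan'
	option src 'lan'
	option src_ip '192.168.1.50'
	option dest 'wan'
	option proto 'all'
	option target 'REJECT'

# Apply with: /etc/init.d/firewall restart  (and /etc/init.d/dnsmasq restart
# for the lease). Verify from the Windows box that only the allowed host answers.
```

Two things worth knowing before adding the matching "WAN -> LAN" rules from the earlier post: OpenWrt's firewall is stateful, so replies to a connection the Windows box was allowed to open come back through automatically, and the wan zone already rejects new inbound connections by default, so no separate inbound reject rule is needed for this host. The same top-to-bottom order is what LuCI shows on the Traffic Rules page; the rule position in that list is what counts, not the order you created them in. The caveat from above still applies: these rules match on the IP the name resolved to when you looked it up, so if that site moves to another address the ACCEPT silently stops matching and the REJECT takes over.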
