Soft-brick sanity check - LuCI on mgmt VLAN only

Hello,

Goal - Allow LuCI access only on the mgmt VLAN

My plan -
Set firewall zones input to 'reject' and add DNS/DHCP explicitly via rules.
Explicitly allow http/80 to the management vlan interface (x.x.30.0)
Explicitly allow ssh/22 to the management vlan interface (x.x.30.0)

ssh/dropbear is currently set up to listen on the mgmt VLAN, and I can connect.

Will any of this soft brick me?

Assuming you do this correctly, no, but I wouldn't recommend your approach.

Instead...

Do this only for the non-management networks. That is to say, guest, iot, and maybe even your regular lan don't need access to the router itself. But whatever network you use for management should be associated with a zone that has input = accept.

This becomes unnecessary if you do as I recommend above.

I don't recommend changing the listen-on address. It doesn't actually serve any security purpose, and may only cause issues later. Revert this so it listens at all addresses. (the firewall is what limits access).

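The zone layout recommended in the reply above, as an added example (this is not code from the thread or from the OpenWrt project): a POSIX shell script that prints a `uci batch` for a management zone with input=ACCEPT and guest/iot zones with input=REJECT plus the DHCP and DNS rules those zones still need to reach the router. The interface names mgmt, guest and iot, and the UCI section names (dhcp_*, dns_*, fwd_*_wan) are assumptions; rename them to match /etc/config/network. Run it without arguments to review the batch; on the router, `--apply` pipes it into `uci batch` and reloads the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: OpenWrt firewall zones where only the
# management VLAN zone has input=ACCEPT (so LuCI on 80/443 and dropbear on 22
# need no per-service rules there), while guest/iot get input=REJECT plus
# explicit DHCP/DNS rules. Assumed interface names: mgmt, guest, iot.
# The stock 'wan' zone is not touched; its input policy is already REJECT.

# One zone as a named UCI section (re-running the script just overwrites it).
# $1 = zone and interface name, $2 = input policy (ACCEPT or REJECT)
emit_zone() {
  cat <<EOF
set firewall.$1=zone
set firewall.$1.name='$1'
set firewall.$1.network='$1'
set firewall.$1.input='$2'
set firewall.$1.output='ACCEPT'
set firewall.$1.forward='REJECT'
EOF
}

# Rules a client zone with input=REJECT still needs against the router itself:
# DHCP (UDP 67) and DNS (TCP/UDP 53). A rule without 'dest' matches the input chain.
emit_router_services() {
  cat <<EOF
set firewall.dhcp_$1=rule
set firewall.dhcp_$1.name='Allow-DHCP-$1'
set firewall.dhcp_$1.src='$1'
set firewall.dhcp_$1.proto='udp'
set firewall.dhcp_$1.dest_port='67'
set firewall.dhcp_$1.target='ACCEPT'
set firewall.dns_$1=rule
set firewall.dns_$1.name='Allow-DNS-$1'
set firewall.dns_$1.src='$1'
set firewall.dns_$1.proto='tcp udp'
set firewall.dns_$1.dest_port='53'
set firewall.dns_$1.target='ACCEPT'
EOF
}

# Forwarding from a client zone to wan, so it still has internet access.
emit_forward_to_wan() {
  cat <<EOF
set firewall.fwd_${1}_wan=forwarding
set firewall.fwd_${1}_wan.src='$1'
set firewall.fwd_${1}_wan.dest='wan'
EOF
}

# The complete batch: mgmt accepts input, every other client zone rejects it.
# Add 'lan' to the loop if the regular LAN should not reach the router either.
mgmt_fw_batch() {
  emit_zone mgmt ACCEPT
  emit_forward_to_wan mgmt
  for z in guest iot; do
    emit_zone "$z" REJECT
    emit_router_services "$z"
    emit_forward_to_wan "$z"
  done
  echo 'commit firewall'
}

case "${1:-}" in
  --apply)
    # Only meaningful on the router; keep a second SSH session open while applying.
    mgmt_fw_batch | uci batch && /etc/init.d/firewall reload
    ;;
  *)
    mgmt_fw_batch
    ;;
esac
```

If something goes wrong before `commit firewall`, `uci revert firewall` discards the staged changes; after a reload, the open second session is what lets you undo a mistake without a serial console.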

This is good information, thanks as always

EDIT: The main reason I want to specify the interface is to prevent SSH from the WAN interface.

The firewall prevents access from the WAN in the default state.


Ah, that makes sense... doh
