[Solved] Access local server from LAN/GUEST via WAN

Also from guests.

ok... let's see the latest complete firewall file.

Also, from a host on the guest network, run a dns lookup on your domain name to make sure it's resolving as expected (to 192.168.3.15)

root@enrutador:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option flow_offloading '1'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'telecentro'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'invitados'
        option output 'ACCEPT'
        list network 'invitados'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'invitados'
        option dest 'wan'

config rule
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'
        option src 'invitados'
        list proto 'tcp'
        list proto 'udp'
        option name 'mDNS-Invitados'
        option family 'ipv4'

config rule
        option target 'ACCEPT'
        option src 'invitados'
        option dest 'lan'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'
        option dest_port '8008-8009 8443 32768-61000'
        option name 'Chromecast para Invitados'

config zone
        option name 'netbook'
        option output 'ACCEPT'
        list network 'netbook'
        option input 'REJECT'
        option forward 'REJECT'

config forwarding
        option src 'netbook'
        option dest 'wan'

config redirect
        option target 'DNAT'
        option name 'wireguard-netbook'
        list proto 'udp'
        option src 'wan'
        option src_dport '51820'
        option dest_port '51820'
        option dest_ip '192.168.3.11'
        option dest 'netbook'

config redirect
        option target 'DNAT'
        option name '80-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_port '80'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

config redirect
        option target 'DNAT'
        option name '443-nginx-netbook'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_port '443'
        option dest_ip '192.168.3.15'
        option dest 'netbook'

config redirect
        option dest 'netbook'
        option target 'DNAT'
        option src 'lan'
        option src_dport '53'
        option dest_port '53'
        option dest_ip '192.168.3.12'
        option name 'Reenviar DNS de lan a AdGuardHome'

config redirect
        option dest 'netbook'
        option target 'DNAT'
        option src 'invitados'
        option src_dport '53'
        option dest_port '53'
        option dest_ip '192.168.3.12'
        option name 'Reenviar DNS de invitados a AdGuardHome'

config rule
        option name 'Bloquear servidores DNS en netbook'
        option src 'netbook'
        option dest 'wan'
        option target 'DROP'
        option dest_port '53 853'
        list src_ip '!192.168.3.14'

config rule
        option name 'DNS y DHCP para invitados'
        option src 'invitados'
        option dest_port '53 67'
        option target 'ACCEPT'

config rule
        option name 'DNS para netbook'
        option src 'netbook'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Permitir entrada de WireGuard en netbook'
        option src 'netbook'
        list src_ip '192.168.3.11'
        option target 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'netbook'

config rule
        option name 'nginx-80'
        list proto 'tcp'
        option dest_port '80'
        option target 'ACCEPT'
        option src_port '80'
        option dest 'netbook'
        list dest_ip '192.168.3.15'
        option src '*'

config rule
        option name 'nginx-443'
        list proto 'tcp'
        option dest_port '443'
        option target 'ACCEPT'
        option src_port '443'
        option dest 'netbook'
        list dest_ip '192.168.3.15'
        option src '*'

From a guest I cannot access 192.168.3.15, either by IP or through the domains.

I think that the forwarding rule below is why you can access from your LAN. It seems that the two other rules below it are likely not doing anything.

try adding the following:

config forwarding
        option src 'invitados'
        option dest 'netbook'

If you later want to tighten this down, we can do that, too... but first thing is to prove that the connections can be made if you have a broad forwarding rule.

Yes, I can access netbook from lan with that rule. As I said, I want to be able to access, configure and use it. I configured forwarding from the guest zone to netbook and now I can access the servers via IP and domains, as from lan. I also deleted those two rules.

Good. Is this working the way you want, or do you need to change things (like making the firewall more restrictive)?

Yes, I would like them to only be able to access the services through the domain only.

You cannot control 'domain only' vs IP address -- the domain gets resolved to an IP and that is how the packets actually travel around. When you go to forum.openwrt.org, it gets transformed into an IP address (in the case of IPv4: 139.59.210.197).... you can use OpenWrt forums via the IP address alone, but you can't use it at all if you don't allow access via IP addressing.

What I was asking about before was regarding your server's VLAN -- if you want to restrict the forwarding to only allow certain types of traffic (i.e. web) from the lan & guest > netbook, or if you want only that single server host to be reachable from those networks, we can adjust your firewall... right now, the lan and guest networks can actually reach other hosts on the netbook network.
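As an added example (not the poster's config and not the helper's wording), this is what the tightened version described above would look like in /etc/config/firewall: the two broad `config forwarding` entries (lan -> netbook and invitados -> netbook) are removed and replaced by zone-to-zone rules that only admit TCP 80/443 to the single host 192.168.3.15. Zone names and addresses are the ones from the posted config; the rule names are my own. It also shows why the deleted nginx-80/nginx-443 rules never matched anything: `option src_port '80'` tests the client's source port, which is an ephemeral port, not 80.

```uci
# Added example, not from the original thread. Use this INSTEAD of
#   config forwarding / option src 'lan'       / option dest 'netbook'
#   config forwarding / option src 'invitados' / option dest 'netbook'
# Zone names and 192.168.3.15 come from the posted config; the rule
# names 'lan-to-nginx' and 'invitados-to-nginx' are assumptions.

# lan -> netbook: only HTTP/HTTPS, only to the nginx host.
# No src_port option here: the old 'nginx-80' rule had
# option src_port '80', which matches the client's (ephemeral)
# source port, so it could never match a normal web request.
config rule
        option name 'lan-to-nginx'
        option src 'lan'
        option dest 'netbook'
        list proto 'tcp'
        list dest_ip '192.168.3.15'
        option dest_port '80 443'
        option family 'ipv4'
        option target 'ACCEPT'

# invitados -> netbook: the same for the guest zone.
config rule
        option name 'invitados-to-nginx'
        option src 'invitados'
        option dest 'netbook'
        list proto 'tcp'
        list dest_ip '192.168.3.15'
        option dest_port '80 443'
        option family 'ipv4'
        option target 'ACCEPT'

# Anything else from lan/invitados into netbook (the WireGuard host
# 192.168.3.11, AdGuardHome on 192.168.3.12, other ports on .15) now
# falls through to the netbook zone's 'option forward REJECT'.
# DNS keeps working: the existing port-53 redirects DNAT to
# 192.168.3.12, and a DNAT redirect carries its own forward-accept
# for the redirected traffic, so no broad forwarding is needed.
```

After `/etc/init.d/firewall restart`, check from a guest host that the domain still resolves to 192.168.3.15 (`nslookup <your-domain>`), that `curl -I https://<your-domain>` succeeds, and that something outside the allowed set, for example a connection to 192.168.3.11:51820 or to port 22 on 192.168.3.15, is now rejected. One caveat if the domain resolves to the router's public address instead of 192.168.3.15: NAT reflection for a `config redirect` only applies to hosts in the redirect's destination zone (netbook here) unless you add `list reflection_zone 'lan'` and `list reflection_zone 'invitados'` to the 80/443 redirects; keeping the internal DNS answer at 192.168.3.15, as suggested earlier in the thread, sidesteps that entirely.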

For now I'm going to allow forwarding from guests as well. Thanks for your help!

Sounds good.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
