SOLVED: Dumb Access Point: How to secure luci @VLAN?

Dear all,

my OpenWrt Access Points all use the same SSID and password for all VLANs. The correct VLAN will then be assigned by a FreeRADIUS Server according to the MAC Address of the client.
One of my VLANs is my IOT VLAN.
Lately, I understood that the luci interface is visible on that VLAN to every member of the VLAN.
Using Dumb Access Points, the services firewall, dnsmasq and odhcpd are disabled.

How could I achieve the goal of hiding luci on the IOT interface on my Dumb Access Points?

Could anybody please give me a hint?

Kind regards,

You block input and permit input for DNS, DHCP and ping
(forward if permitted means internet)

Wow, that was quick!

How would I block the input when the firewall service is disabled?

What is your router diverging multiple networks?

Sorry, I don't quite understand your question. Could you please rephrase?

How does the isolated IoT subnet reach your LuCI?

Well... It's a VLAN, isn't it?
It has a VLAN tag, the main router is an OPNsense router.
Was that your question?

Answering my own question:

If the AP's LAN Interface is 192.168.1.2 and fd00::2 (IPv6), then one can restrict access to it with

uci -q delete uhttpd.main.listen_http
uci add_list uhttpd.main.listen_http="192.168.1.2:80"
uci add_list uhttpd.main.listen_http="[fd00::2]:80"

uci -q delete uhttpd.main.listen_https
uci add_list uhttpd.main.listen_https="192.168.1.2:443"
uci add_list uhttpd.main.listen_https="[fd00::2]:443"

uci commit uhttpd

/etc/init.d/uhttpd restart

No other interface will then respond any more.
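A way to check the result of the commands above, as an added example that is not part of the original post: the function flags any uhttpd listen value that still binds to every interface. The name wildcard_listeners and the DEFAULT sample values are constructed for illustration; the HARDENED values are the ones from the post.

```shell
#!/bin/sh
# Added example: flag uhttpd listen values that bind to all interfaces.
# Prints each offending value; returns 1 if any is found, 0 otherwise.
wildcard_listeners() {
    rc=0
    for v in "$@"; do
        case "$v" in
            "")                       # ignore empty arguments
                ;;
            0.0.0.0:*|\[::\]:*)       # explicit IPv4 / IPv6 wildcard address
                echo "$v"; rc=1 ;;
            *[!0-9]*)                 # has an address part: bound to one address
                ;;
            *)                        # bare port number: uhttpd listens on all addresses
                echo "$v"; rc=1 ;;
        esac
    done
    return $rc
}

# The values contain [ and ], so keep the shell from treating them as globs.
set -f

# Constructed sample: wildcard binds as they look before the change.
DEFAULT="0.0.0.0:80 [::]:80 0.0.0.0:443 [::]:443"
# Values set by the uci commands in the post.
HARDENED="192.168.1.2:80 [fd00::2]:80 192.168.1.2:443 [fd00::2]:443"

for name in DEFAULT HARDENED; do
    eval "vals=\$$name"
    if bad=$(wildcard_listeners $vals); then
        echo "$name: OK, every listener is bound to a specific address"
    else
        echo "$name: reachable on all interfaces via:" $bad
    fi
done

# On the access point itself, feed it the live configuration:
#   wildcard_listeners $(uci -q get uhttpd.main.listen_http) \
#                      $(uci -q get uhttpd.main.listen_https)
```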

Nice hack!