[Solved] How to isolate a machine on the LAN

I want to be able to set up a firewall rule to stop all traffic to and from one device. I know how to set up a rule to stop and start traffic from the LAN to the WAN, but I want to control traffic from the LAN to this one node on the LAN.
This particular machine is a virtual machine on my NAS and gets a DHCP (reserved) address when it boots so I know its address. I am guessing I need to set up a VLAN for it, but I am unsure of how to do it. The examples I've looked at all have static addresses. Do I need to set it up with a static address on a different subnet (192.168.3.x)? If it is a different subnet, how do I route traffic to/from it? My LAN is all 192.168.2.x. My guess is that I can set up a firewall rule to reject all packets from this vlan if I can set that up.

Thanks for the help.

This is a requirement similar to having a separate guest network. So you should follow the guide https://openwrt.org/docs/guide-user/network/wifi/guestwifi/configuration_webinterface and then adapt the config to your needs. I enhanced the guest network with additional wired ports, that is possible in addition, routing is identical.

3 Likes

As @Stefan1 has already said, you really need to do this as a separate network. In general, you cannot block traffic between hosts on the same network using your router because the traffic is switched (L2) and does not actually hit the router's routing engine/firewall to be filtered (L3). That is why it must be done on separate networks.

2 Likes

Installing kmod-br-netfilter should allow you to isolate a single device in a network. It requires the device to be connected separately to the OpenWrt bridge (e.g. with a dedicated port or via VLAN).

2 Likes

Ok, so I have read through it a number of times and read other sources. I only half get it.
I set up another network (I am trying to turn off access to the Minecraft server from the LAN at night).
network
Is this right that I want the 'Device' to be br-lan?
I was able to set the IP address on the Minecraft VM to 10.10.2.2
I can ping it and SSH into it from devices on my main LAN (192.168.2.x)
I think on the firewall is where I have screwed up a bit. I added a zone


I want to create a time based traffic rule to shut down traffic at night.

Is my screwup at the zones or in the rule? Or am I way off base?

Keith

If I understand correctly, I do not think I can do this in my case. The 'device' I am trying to isolate is actually a VM running on my nas, so a connection to a specific port on my router (r7800) is not really possible.

I have a few VMs running myself on a device I call host. I use openvswitch to connect to the VMs, as this, with KVM, allows assigning VLANs to the NIC of the VM.
I believe you need to do something similar. To isolate the VM from the rest of the network, use a VLAN. On the OpenWrt router you can then either use a separate network/interface for the VLAN with 'normal' routing, or use kmod-br-netfilter to isolate the VLAN in the bridge and use traffic rules to separate the VLAN from the rest.

2 Likes

I thought I had this correct, but did not. I reverted to my previous config until I can figure out how to have another private network address scheme set up and be able to route to it... I am on 192.168.2.x and want this particular VM to be on 10.10.2.2 with a static address. I set up a separate 'interface' and thought that was how you set up a VLAN. When I set it up everything was routed to it and both networks were accessible from each other. Once I deleted that 'interface' I can no longer reach that VM on 10.10.2.2. I do not know how to go forward from here as this is a bit over my head...

This is too vague for anyone to be able to help. Can we see your config files (specifically /etc/config/network and /etc/config/firewall) as well as a quick drawing of the physical topology of your network?

This is my network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option type 'bridge'
        option peerdns '0'
        list dns '192.168.2.3'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option type 'bridge'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns 'xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

I commented out the ipv6 addresses.
This is my firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config rule
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option start_time '00:01:00'
        option name 'Turn-off-internet'
        option stop_time '04:45:00'
        option weekdays 'Mon Tue Wed Thu Fri'

config rule
        option name 'Turn Off Internet W/E'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'
        option start_time '01:01:00'
        option stop_time '06:00:00'
        option weekdays 'Sun Sat'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'
        option family 'any'
        option reload '1'

config include 'bcp38'
        option type 'script'
        option path '/usr/lib/bcp38/run.sh'
        option family 'IPv4'
        option reload '1'

I removed the redirects and the MAC/time based rules

This is a basic install. I have a single device on my network (VM on the NAS) which I have set up with a static address of 10.10.2.2. The rest of my network is 192.168.2.x. I would like to allow devices on my 192.168.2.x network to access the device on 10.10.2.2 and also allow others outside my network to access that via a redirect.
Once I have that working, I would like to shut off LAN access to that single address on a time-based basis.
Once that works, I would like to, maybe, change other devices connected to this LAN to 10.10.2.x as well with static addresses.
My router is connected to the fiber modem on its WAN port and most of my LAN is connected via LAN1. LAN2 is my PiHole and LAN3 is a network TV tuner.


I would have to do a lot of re-configuring of the house to be able to specifically use a LAN port for certain devices. The router is on the 2nd floor and the modem is in the basement as well as an unmanaged switch to distribute wired ethernet to the house.

Since this is a VM on your NAS, you may need to change the configuration on your NAS's VM manager. Specifically, the VM manager must have NAT masquerading disabled and must allow routing from the NAS's main network connection to the VM's 10.10.2.0/24 network for virtual hosts.

You will probably need to add a static route on your OpenWrt router so that the router understands where to send the data. In theory, your NAS has an address on your main network in the 192.168.2.0/24 network. So the static route would be
10.10.2.2 via 192.168.2.x (where x is the address of the NAS on the LAN).
or it could look like this: 10.10.2.0/24 via 192.168.2.x if you have multiple virtual hosts on that NAS.

Once you have that, you can craft firewall rules to permit/prohibit connectivity as desired.

@psherman I am trying to do this, but am unsure of what to put where. I tried to add a route, but it does not allow any pings from 192.168.2.x.
image
I am pretty sure my FreeNAS allows access because at one time I had a config on my router and could route to it.

Where are you setting this (i.e. where is the screenshot from)? I assume this is coming from the OpenWrt router -- is that correct?

Some of the settings here are wrong:

  • interface is correct
  • route type is wrong: should be unicast
  • target is correct
  • gateway is wrong: must be the IP address of the NAS on the LAN.

@psherman Yes, that was from my router (R7800). I was able to get something working: I can ping from 192.168.2.x to 10.10.2.2
Tell me where I went wrong.
My NAS allows me to set up a full stack for each VM, so I can have it DHCP or set it statically, so it should be fine and no real changes are needed on it, I do not think. On my router, I did this.
Created an interface:
image
Created a route:


and now I can ping.

# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,DYNAMIC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether b8:27:eb:f0:6b:34 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.191/24 brd 192.168.2.255 scope global eth0
       valid_lft forever preferred_lft forever
...
# ping 10.10.2.2
PING 10.10.2.2 (10.10.2.2) 56(84) bytes of data.
64 bytes from 10.10.2.2: icmp_seq=1 ttl=63 time=1.18 ms
From 192.168.2.1 icmp_seq=2 Redirect Host(New nexthop: 10.10.2.2)
64 bytes from 10.10.2.2: icmp_seq=2 ttl=63 time=1.22 ms
From 192.168.2.1 icmp_seq=3 Redirect Host(New nexthop: 10.10.2.2)
64 bytes from 10.10.2.2: icmp_seq=3 ttl=63 time=1.13 ms
64 bytes from 10.10.2.2: icmp_seq=4 ttl=63 time=0.646 ms
64 bytes from 10.10.2.2: icmp_seq=5 ttl=63 time=0.824 ms
64 bytes from 10.10.2.2: icmp_seq=6 ttl=63 time=0.495 ms
^C
--- 10.10.2.2 ping statistics ---
6 packets transmitted, 6 received, +2 errors, 0% packet loss, time 5078ms
rtt min/avg/max/mdev = 0.495/0.915/1.223/0.278 ms

This does not use any sort of VLAN and everything is static on 10.10.2.x. So how would I stop traffic from my 192.168.2.x lan to this host on a time basis? I have tried to create a rule and I cannot stop a ping:
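An added example, not from any poster in this thread, of what psherman's static-route approach plus the time-based block Keith asks for would look like in /etc/config/network and /etc/config/firewall. It assumes the NAS's LAN address is 192.168.2.198 (the address given later in the thread), that the jail keeps 10.10.2.2 with NAT disabled on the NAS, and that the `sendredirects` interface option is available on this OpenWrt build. Note the `Redirect Host` lines in the ping output above: once a client accepts an ICMP redirect it sends its later packets straight to the new next hop, and the router's forwarding rules no longer see them, which is one reason a rule on the router fails to stop the ping. Disabling redirects on the lan interface keeps the hairpinned LAN-to-jail traffic on the router, where the rule can apply. The jail and the LAN still share one L2 segment (see the earlier reply about switched traffic), so a host that adds its own route towards the NAS bypasses the router entirely; a separate network on the NAS side is the only complete isolation.

```uci
# /etc/config/network (added example, not the poster's config)
# The lan interface as on the page, plus sendredirects '0' so that
# LAN -> 10.10.2.2 traffic keeps flowing through the router instead of
# clients being told to send directly to the next hop.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option sendredirects '0'

# Static route per psherman's advice: reach the jail network through the NAS.
# No 10.10.2.x address is configured on the router itself.
# 192.168.2.198 is assumed to be the NAS's LAN address (given later in the thread).
config route
        option interface 'lan'
        option target '10.10.2.0'
        option netmask '255.255.255.0'
        option gateway '192.168.2.198'

# /etc/config/firewall (added example)
# Time-based REJECT for forwarded traffic from the LAN to the jail.
# src and dest are both 'lan' because the packet enters and leaves the
# router on the same zone (hairpin). Traffic rules are evaluated before
# the zone's forward policy, so this wins over the lan zone's forward ACCEPT.
# The window is kept within a single day, like the existing rules on the page.
config rule
        option name 'Block-Minecraft-at-night'
        option src 'lan'
        option dest 'lan'
        option dest_ip '10.10.2.2'
        option proto 'all'
        option target 'REJECT'
        option start_time '00:01:00'
        option stop_time '06:00:00'
        option weekdays 'Mon Tue Wed Thu Fri Sat Sun'
        option family 'ipv4'
```

After editing, reload with `/etc/init.d/network reload` and `/etc/init.d/firewall reload`. To check that the rule is actually in the path, run `ip route get 10.10.2.2` on a LAN client: it should show the router (192.168.2.1) as the next hop, not the NAS; a client that already cached a redirect will keep bypassing the router until that cache entry expires or is flushed.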

The static route that you created is redundant and doesn't actually do anything because the router already knows about its own networks. But I really don't think your router should have the 10.10.2.0/24 network defined in its interface.

You do not appear to have followed my advice about the static route from earlier.

I think the key thing to understand is the configuration of the NAS. Can you show how the NAS is setting up the 10.10.2.0/24 network that it is assigning to the VM?

@psherman I appreciate the help.
I am really struggling to learn this. I deleted the route but when I do, I can no longer ping that VM on my network. The VM is actually a Jail on my FreeNAS server.
To set it up, I unselected DHCP Autoconfigure IPv4 and put in the IP address of 10.10.2.2 for it and 10.10.2.1 for the router.
With it set like this, I can access it and ping it but I do not know how I can turn off access to it from my LAN.

I apologize if this is 'not the right way', but with my hacking around, I was able to route packets to and from it. I tried to understand the VLAN stuff posted for OpenWrt, but I do not understand how I would be able to do what is outlined with my setup, since I cannot have the specific device plugged into a specific port on the router and almost all of my network is plugged through LAN1.

Keith

So let's start at the basics... please draw a diagram of your network, including the addresses and VLANs, and critically the network addresses and configuration of the NAS.

This is my network overview:


Most of my devices have reserved DHCP addresses.
The NAS is set up like this:
image
This is how my NAS jails are set up

The device I want to isolate is the one Jail on the NAS at 10.10.2.2.

I hope this makes it a bit more clear.

Your NAS is performing some sort of routing (likely NAT masquerading) to set up the 10.10.2.0/24 network. This means that the vast majority of the configuration will happen on the NAS. This has almost nothing to do with your OpenWrt router because the network does not exist on that device.

If you wish to make it possible for devices on the 192.168.2.0/24 network to connect to the MineOS jail (10.10.2.0/24), you need to set a static route on your OpenWrt router which would look like this:
10.10.2.0/24 via 192.168.2.198
or
10.10.2.2/32 via 192.168.2.198

You would then need to set the NAS to route appropriately from one network to the other (possibly by disabling NAT masquerading, if that is currently enabled on the NAS).

If you don't want to allow access from 192.168.2.0/24 > 10.10.2.2, then the route should not be installed on the OpenWrt router at all.

Beyond that, all of the remaining configuration in terms of allowances/restrictions of that VM need to be configured on the NAS itself. There is nothing that the OpenWrt router can do in terms of isolating that VM.

1 Like

I appreciate the help.
The NAS allows me to turn off NAT on a 'per jail' basis and I do this for all jails because I need to be able to 'see' the jails on my 192.168.2.x LAN.

When I set up this jail initially, I allowed DHCP to autoconfigure it and then looked on my router to get the spoofed MAC that the NAS generates so that I could give it an IP that I know.
When I set this jail's IP to 10.10.2.2, I turned off DHCP and set the IP manually and put in a 'router IP' of 10.10.2.1. When I did this plus the configuration on my router, I can connect to the 10.10.2.2 device from my 192.168.2.x LAN.

This is the 'Basic Setup' screen for my jail on TrueNAS.

I tried to create a rule to block it, but I can still reach it at least via ping.
image