Solved: Restrict client getting internet (vpn client connection)

Hi to all. I use openwrt-lede with davidc502 builds.
What I need help with is to restrict a connected client (TV) from going to the internet; the local network is just fine. How is that possible? CLI preferably.
Thanks a lot in advance.

In /etc/config/firewall:

config rule
	option enabled '1'
	option src 'lan'
	option dest 'wan'
	option name 'Drop_device'
	option family 'ipv4'
	option proto 'all'
	option src_ip '192.168.xxx.xxx'
	option target 'DROP'

Do not forget to assign a fixed IP address to that device in /etc/config/dhcp.


In /etc/config/dhcp:

config host
	option ip '192.168.xxx.xxx'
	option mac 'xx:xx:xx:xx:xx:xx'
	option name 'xxxx'

I don't know why, but it doesn't seem to work; the TV is still able to browse the internet. My config file is:

/etc/config/firewall

config rule
        option enabled '1'
        option src 'lan'
        option dest 'wan'
        option name 'Drop_device'
        option family 'ipv4'
        option proto 'all'
        option src_ip '192.168.144.100'
        option target 'DROP'

I ran /etc/init.d/firewall restart after editing the file.

config rule
        option name 'no internet for tv'
        option src 'lan'
        option src_mac 'BA:DC:00:FF:EE:00'   # MAC address of the TV
        option dest 'wan'
        option target 'DROP'
        option enabled '1'
        option proto 'all'

Still nothing. Maybe it matters that I use a client OpenVPN connection?

REJECT is usually a better strategy than DROP in most cases, avoiding lengthy timeouts.

How is your TV connected to the router, via WiFi or cable?
Did you make any changes to the OpenWrt config?

The TV is connected to the router via WiFi. The only changes I've made are for the OpenVPN:

config zone
	option name 'vpnfirewall'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'nordvpntun'

config forwarding
	option src 'lan'
	option dest 'vpnfirewall'

Do you have a separate network for the wifi or is it connected to lan?

It's the same LAN. Maybe there is a recipe for GUI settings?

That is the recipe I noted in post #2. All CLI/UCI rules for sections that have a corresponding LuCI app are identical. Therefore, it's the same in LuCI.

I'll write it as LuCI would read in Traffic Rules:

Discard forward IPv4-traffic From 192.168.144.100 in lan to any host in wan. (ENABLED)

It definitely does matter, as the interface you discard forwards to should be your VPN and not wan.

config rule
	option enabled '1'
	option src 'lan'
	option dest 'vpn'          # the name of your VPN firewall zone, not 'wan'
	option name 'Drop_device'
	option family 'ipv4'
	option proto 'all'
	option src_ip '192.168.144.100'
	option target 'DROP'

Discard forward IPv4-traffic From 192.168.144.100 in lan to any host in vpn. (ENABLED)
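
The mismatch described in this post (a rule aimed at the wan zone while LAN traffic actually leaves through the VPN zone) can be checked mechanically. What follows is an added example, not code from this thread or from OpenWrt: a minimal parser for the UCI text format plus a check that compares each DROP/REJECT rule's dest zone with the zone that owns the interface carrying the default route. The sample config, the zone and interface names and the function names are constructed for the example; on a real router you would feed it the contents of /etc/config/firewall and the logical interface name (as used in `list network`) of whatever interface holds the default route, which with an OpenVPN client up is the tun interface.

```python
"""Added example (not from the thread or OpenWrt): parse UCI-format
/etc/config/firewall text and flag DROP/REJECT rules whose 'dest' zone is not
the zone that LAN-to-Internet traffic really leaves through."""
import shlex


def parse_uci(text):
    """Parse the subset of UCI syntax used in /etc/config/*: 'config', 'option'
    and 'list' lines. Returns a list of {'type', 'name', 'options'} dicts;
    repeated 'list' keys accumulate into Python lists. Values containing '#'
    are not expected in this example."""
    sections = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # UCI files allow '#' comments
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == 'config':
            sections.append({'type': parts[1],
                             'name': parts[2] if len(parts) > 2 else None,
                             'options': {}})
        elif parts[0] == 'option':
            sections[-1]['options'][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list':
            sections[-1]['options'].setdefault(parts[1], []).append(parts[2])
    return sections


def zone_of_network(sections, network):
    """Name of the firewall zone whose 'list network' contains `network`."""
    for s in sections:
        if s['type'] == 'zone' and network in s['options'].get('network', []):
            return s['options'].get('name')
    return None


def check_block_rules(sections, default_route_network):
    """For every enabled DROP/REJECT rule, report whether its 'dest' is the
    zone that owns the default-route interface. A rule with any other dest
    never sees the client's Internet traffic, which is exactly the failure
    in this thread (dest 'wan' while the default route is over the VPN)."""
    egress = zone_of_network(sections, default_route_network)
    verdicts = {}
    for s in sections:
        o = s['options']
        if s['type'] != 'rule' or o.get('target') not in ('DROP', 'REJECT'):
            continue
        name = o.get('name', s['name'] or '<unnamed>')
        if o.get('enabled', '1') == '0':
            verdicts[name] = 'disabled'
        elif o.get('dest') == egress:
            verdicts[name] = 'ok'
        else:
            verdicts[name] = (f"ineffective: traffic leaves via zone {egress!r}, "
                              f"rule matches dest {o.get('dest')!r}")
    return verdicts


# Constructed sample mirroring the thread: default lan/wan zones, the
# 'vpnfirewall' zone holding the 'nordvpntun' interface, both forwardings,
# one rule aimed at wan (broken) and one aimed at the VPN zone (working).
SAMPLE_FIREWALL = """
config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'

config zone
    option name 'vpnfirewall'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'
    list network 'nordvpntun'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'lan'
    option dest 'vpnfirewall'

config rule
    option name 'Drop_device_wan'
    option src 'lan'
    option dest 'wan'
    option src_ip '192.168.144.100'
    option proto 'all'
    option target 'DROP'

config rule
    option name 'Drop_device_vpn'
    option src 'lan'
    option dest 'vpnfirewall'
    option src_ip '192.168.144.100'
    option proto 'all'
    option target 'REJECT'
"""

if __name__ == '__main__':
    secs = parse_uci(SAMPLE_FIREWALL)
    for rule, verdict in check_block_rules(secs, 'nordvpntun').items():
        print(f"{rule}: {verdict}")
```

Running it prints `Drop_device_wan: ineffective ...` and `Drop_device_vpn: ok`; passing `'wan'` as the default-route interface instead flips the verdicts, which is the no-VPN case where the original wan rule would have worked. On the router itself, `iptables -S | grep 192.168.144.100` (fw3-based builds such as the one in this thread) confirms the rule was actually installed after the restart.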

Alternatively, you can assign an invalid gateway to your TV, so that it can only access the local subnet.
In Network - Interfaces - LAN - DHCP Server - Advanced Settings - DHCP Options, enter

3,192.168.144.0,192.168.144.100

This option means assign 192.168.144.0 as the default gateway (which is invalid) to client 192.168.144.100.
Then click the + button, and save & apply.
Reboot your TV.


I had to set option dest to 'vpnfirewall'; it works fine. Thank you all.
@LGA1150 thank you also. Another thing I discovered is that in this way I can bypass the VPN for some clients.


This is how you would do so:

  • You make a route to that other interface, and place it on an unused second routing table (i.e. 2)
  • You then make a rule for each IP to use that route

In /etc/config/network:

config route
	option interface 'wan'
	option target '0.0.0.0'
	option netmask '0.0.0.0'
	option gateway '192.168.144.1'
	option table '2'

config rule
	option src '192.168.144.xxx'
	option dest '0.0.0.0/0'
	option priority '2'
	option lookup '2'
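
To see why the route/rule pair above sends only the selected client around the VPN, it helps to walk through the policy-routing lookup the kernel performs. The following is an added example, not code from this thread or from OpenWrt: a small simulation of `ip rule` and per-table route lookup. The table contents, device names (br-lan, tun0, eth0.2) and the bypass client 192.168.144.50 are constructed for the example and stand in for the `xxx` in the post.

```python
"""Added example (not from the thread): simulate Linux policy routing to show
how 'config route ... table 2' plus 'config rule ... lookup 2' in
/etc/config/network steer one LAN client out via WAN while everyone else
keeps the VPN default route in the main table."""
import ipaddress

# Routing tables, table id -> list of (prefix, egress device). Constructed:
# 'main' holds the LAN connected route and the VPN default route (what the
# OpenVPN client installs); table 2 holds only the WAN default route added
# by the 'config route' section.
TABLES = {
    'main': [('192.168.144.0/24', 'br-lan'), ('0.0.0.0/0', 'tun0')],
    2: [('0.0.0.0/0', 'eth0.2')],
}

# Policy rules as (priority, source selector, table), the equivalent of
# `ip rule show`: the 'config rule' section at priority 2, then the kernel's
# default 'from all lookup main' at 32766.
RULES = [
    (2, '192.168.144.50/32', 2),
    (32766, '0.0.0.0/0', 'main'),
]


def longest_prefix_match(table, dst):
    """Return the egress device of the most specific route in `table` that
    covers `dst`, or None when the table has no matching route."""
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress_device(src, dst, rules=RULES, tables=TABLES):
    """Walk the rules in priority order; the first rule whose selector matches
    the source and whose table yields a route decides the egress device. A
    table without a matching route falls through to the next rule, as the
    kernel does."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(rules, key=lambda r: r[0]):
        if src in ipaddress.ip_network(selector):
            dev = longest_prefix_match(tables[table], dst)
            if dev is not None:
                return dev
    return None


if __name__ == '__main__':
    for client in ('192.168.144.50', '192.168.144.100'):
        print(client, '-> 8.8.8.8 via', egress_device(client, '8.8.8.8'))
```

The bypass client reaches 8.8.8.8 via eth0.2 while the other client still goes via tun0. One thing the simulation also makes visible: table 2 holds only a default route, so a packet from the bypass client to any other router-attached subnet is matched by that default route as well. On a single flat LAN that traffic never reaches the router, but if you run several subnets, copy the connected routes into table 2 too. On the router, `ip rule show` and `ip route show table 2` show the live equivalents.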

Thank you so much for that hint.

