[SOLVED] Sorry to bug you for help... Firewall assistance needed

Afternoon techies!!

In my switch over from voxel firmware to openwrt hnyman build on my R7800 the thing I'm missing and can't get my noob head around is the "blocking services gui" tab in stock firmware as per the screenshot attached.

I want to replicate the function of this in openwrt, essentially blocking certain LAN devices by IP address to a range of ports on the WAN... On the stock firmware it's simple as shown, but on openwrt I'm stuck.

I've tried logging into the stock firmware and running this code to see the output, hoping I could see it and copy it over, but it's not there, so I'm guessing there's another config page with the ipset or netfilter rules listed, which I assume my requirements fit into...??

```
root@NetgearR7800:/$ uci show /etc/config/firewall
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='lan'
firewall.@zone[0].network='lan'
firewall.@zone[0].input='ACCEPT'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='REJECT'
firewall.@zone[1]=zone
firewall.@zone[1].name='wan'
firewall.@zone[1].network='wan'
firewall.@zone[1].input='REJECT'
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].forward='REJECT'
firewall.@zone[1].masq='1'
firewall.@zone[1].mtu_fix='1'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].src='lan'
firewall.@forwarding[0].dest='wan'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-DHCPv6'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='udp'
firewall.@rule[2].src_ip='fe80::/10'
firewall.@rule[2].src_port='547'
firewall.@rule[2].dest_ip='fe80::/10'
firewall.@rule[2].dest_port='546'
firewall.@rule[2].family='ipv6'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-ICMPv6-Input'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='icmp'
firewall.@rule[3].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[3].limit='1000/sec'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-ICMPv6-Forward'
firewall.@rule[4].src='wan'
firewall.@rule[4].dest='*'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[4].limit='1000/sec'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='igmp'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].src='wan'
firewall.@rule[6].proto='udp'
firewall.@rule[6].dest='lan'
firewall.@rule[6].dest_ip='224.0.0.0/4'
firewall.@rule[6].target='ACCEPT'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
```

Any one got a simple guide to achieve what I'm after??

network> firewall >> traffic rules >>> add ( non-v18 )

src zone: LAN
dest zone: WAN

the rest is fairly straight forward


Something like this?

Protocol TCP+UDP
Source zone LAN
Source address 192.168.1.16
Source port 444-65535
Destination zone WAN
Destination zone ANY (or do I need the 192.168.1.16)
Destination port any
Action Reject (or drop)

=

= source ip

no

@anon50098793

So in my original Netgear screenshot, I have for example, my phone set with static IP 192.168.1.16, and I have it blocked to all ports 444 - 65535.

So if I set up the luci traffic rule as...

Protocol TCP+UDP
Source zone LAN
Source address 192.168.1.16
Source port any
Destination zone WAN
Destination address ANY
Destination port 444 - 65535
Action Reject (or drop)

That would do the same thing??


Looks good... you can add some other rules ( i.e. 993 ALLOW ...or say game server during certain times ) then use the icon on the right that looks like 3 stacked books to slide them above that rule for anything that is specifically broken.
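The rule confirmed above (one LAN host, all WAN ports 444-65535, TCP+UDP, REJECT), written out as the uci batch you would paste on the router instead of filling in the LuCI form. This is an added example, not code from the thread or from OpenWrt itself; the function name and the generated rule name are my own, and it assumes the default `lan`/`wan` zone names seen in the uci output earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): emit the uci commands equivalent to
# the LuCI traffic rule discussed above, ready for `uci batch` on the router.
# Function name, rule name and input checks are assumptions of this example.

# usage: emit_block_rule <lan-ip> <first-port> <last-port> [rule-name]
emit_block_rule() {
    [ $# -ge 3 ] || { echo "usage: emit_block_rule ip lo hi [name]" >&2; return 1; }
    ip=$1; lo=$2; hi=$3; name=${4:-Block-$1-to-WAN-$2-$3}

    # refuse a malformed port range before anything reaches the firewall config
    case "$lo$hi" in *[!0-9]*|"") echo "ports must be numeric" >&2; return 1;; esac
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "port range $lo-$hi is out of order or outside 1-65535" >&2
        return 1
    fi

    # One anonymous rule section, matching the LuCI fields used in the thread.
    # REJECT answers the client immediately; DROP would leave it waiting for a
    # timeout instead. Rules are evaluated in config order and `add` appends at
    # the end, so an exception such as the 993 ALLOW rule mentioned above must
    # sit before this one (drag it up in LuCI, or use `uci reorder`).
    cat <<EOF
add firewall rule
set firewall.@rule[-1].name='$name'
set firewall.@rule[-1].src='lan'
set firewall.@rule[-1].src_ip='$ip'
set firewall.@rule[-1].dest='wan'
set firewall.@rule[-1].proto='tcp udp'
set firewall.@rule[-1].dest_port='$lo-$hi'
set firewall.@rule[-1].family='ipv4'
set firewall.@rule[-1].target='REJECT'
EOF
}

# On the router: emit_block_rule 192.168.1.16 444 65535 | uci batch
#                uci commit firewall && /etc/init.d/firewall reload
```

Afterwards `uci show firewall` should list the new rule section alongside the stock ones shown earlier in the thread.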

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.