[SOLVED] Which rules for DHCP? (making router almost invisible in LAN)

Hi All,

i'm at the end with all. With my knowledge, nerves and all of the rest >.> ... However.

What i want?
I will set the policys of the LAN Zone to drop/reject but with working DHCP.

What i need?
As far as i know some firewall rules with allow the DHCP ports.

What Rules are created for it:
forwarded traffic (as described in the Documentation) but its listed as input rule at luci
from LAN to Router at port 67
firewall.@rule[24].name='DHCP '

forwarding traffic (but should be an output rule as described in the documentation)
from router to LAN at port 68

What i think whats missing?
I think there is an output rule missing.
As the documentation describe. To create an output role only the dest. need to be set.
However, i dont know if i have it only wrong configured or i have thinking about this topic to long so that i oversee my failure.

Maybe some of you, without a tunnel vision and they not have thinking multiple times about this, can help me here to bring enlightenment :slight_smile:
That would be very great!
As for now thanks for your attentiveness.


can't say i understand your problem...
the default rules include dhcp-rules, maybe try a reset.

I get lost on your logic here. Both of those statements sound wrong. In neither rule both src and dest zones are defined so those are input/output rules. Those are not "forwarding" rules for passing traffic, but rules for incoming/outgoing traffic from the router's perspective. (dest_port is defined, but that is not the same thing as the source/destination zone).

[quote="Cinux, post:1, topic:3827"]
I will set the policys of the LAN Zone to drop/reject but with working DHCP.
[/quote]Setting "input" policy as reject/drop sounds somehow possible, but setting "output" policy to drop/reject sounds rather eccentric.

Similarly, if you set reject for LAN forwarding you should lose internet connectivity, I think.

What are you trying to accomplish? An almost invisible router also in LAN? Just remember to allow traffic from you admin PC before the change, or you may lose all connectivity to the router.

And how does the default config fail you?

Hi all,

thanks for your interesting at my issue.
I will try to answer your questions and to bring more details to unterstand it at all.

The first and only rule, except IPv6, is this one:
Because the source is wan this does not help me here.
I want to set the policy for LAN to drop/reject to and create rules only for specific ports.

I have looked into the luci and seen what action get triggered for which rule. An there i see for Rule 1 (LAN to Router at port 67) as action Input. So far so good. That should be right (i have done a mistake).

By the secound rule (router to LAN at port 68). I coincide with you that this should be an output rule. But its listed at luci as forwarding rule. I have no idea why. Maybe because of the dest_port. But this sounds not useful. Thats my first point where i get confused.
Because of this i have try to create an output role, however they is defined. I was not able to get an output rule which is listed at luci as action output. Maybe some one can help here go create one. I have no success :frowning:

Yes, you are right its eccentric but i want to controll which machine is communicat which an other also for an output. Easy example. Getting an new smart device (what ever it is) and i connect it to the network. I dont want that its start to send information to the vendor without my approval. And yes you are further right if you say that i lose the internet connection if the LAN forwarding is set to drop/reject. But for this i have create two roles (port 80 and 443) from LAN to WAN. Both are listed correct as forwarding action and i'm able to use the internet. The same for connection to the router, but thanks for the hint. :wink:

I think the last sections answer your last three questions. If not go on and ask again please :slight_smile:


how about setting up a new vlan and firewall zone for a specific port and connect your smart device to it? then deny all forwarding rules to the other vlans/firewallzones.

Hi rj-45,

with this scenario i can prevent that the smart device get an overview about my network and there connected components.
But i will prevent that the machine can call home. So its not help to put the device into a seperate vlan.

you should try it:

cat /etc/config/firewall: [...] config zone option name 'dummyzone' option input 'ACCEPT' option forward 'REJECT' option output 'ACCEPT' option network 'dummynet'

cat /etc/config/network: [code]
config interface 'dummynet'
option _orig_bridge 'false'
option ifname 'eth1.3'
option proto 'static'
option ipaddr ''
option netmask ''

config switch_vlan
option device 'switch0'
option vlan '3'
option vid '3'
option ports '0t 4' [/code]
cat /etc/config/dhcp: config dhcp 'dummynet' option start '100' option leasetime '12h' option limit '150' option interface 'dummynet'

example for a Archer C7

Hi rj-45,

i understand your example. Also how it should be help me.
But its not that what I want. I want to set the default policy for output and input to drop/reject. For some of you its sounds strange, however. I want it. And its possible.

The main issue is that its not possible to create an output rule from the luci. Furthermore no output rule get listed as output rule at the luci.

For this i have create an bug report: https://github.com/openwrt/luci/issues/1171

Because of this i will complete this thread.

Thanks for the help to everyone :slight_smile:

hmm, I dont understand your problem.

Every device in this vlan gets a ip from the router but they can't acces the internet or any other zone.