Tailscale, OpenWRT as client: how to set the firewall to allow only one machine to access?

I am setting up Tailscale on my OpenWrt router and I would like to ensure that only one machine on the LAN can reach the Tailscale network (tailnet) through the router.

I am thinking of creating a dedicated interface (separate subnet) for this specific machine and steering only that subnet to the Tailscale interface with policy-based routing (PBR).

Will this be enough? Can I also restrict it in the firewall, and what should that configuration look like? In every article I read, the Tailscale firewall zone is simply forwarded to and from the whole LAN zone, so I am afraid other LAN hosts could leak onto the tailnet (or the tailnet could reach them).

If you explicitly want to provide it for only one host, why not run Tailscale on that host itself?

Both ends are behind CGNAT, so I can't host a conventional VPN server that needs an inbound port.

I prefer running it on the router because it is simpler to manage later on (my dad is not very good with technology :)).

This is my current firewall config. I have two LANs: 192.168.2.0/24 (interface `intsw`, whose traffic goes out via WireGuard) and 192.168.1.0/24 (interface `lan`).

# Global chain policies. Traffic on any interface that is NOT a member of a
# zone below falls back to these. With input ACCEPT, an interface that is not
# yet zoned (e.g. tailscale0 once tailscaled is running -- confirm the actual
# interface name on this build) can reach every router service (LuCI, ssh,
# DNS). NOTE(review): give the Tailscale interface its own zone with
# input REJECT / forward REJECT before trusting the "only one host" setup.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Single trusted zone holding BOTH subnets (lan 192.168.1.0/24 and
# intsw 192.168.2.0/24). forward ACCEPT allows intra-zone forwarding between
# the two subnets unless a rule rejects it (FWSW1/FWSW3 below do that).
# input ACCEPT means every router service is reachable from both subnets,
# so the subnet split isolates hosts from each other, not from the router.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'intsw'
        list network 'lan'

# Untrusted zone: physical wan/wan6 plus any tun* (OpenVPN) and wg* (WireGuard)
# device via the wildcard device entries. input REJECT and masq apply to all
# of them. A Tailscale interface (tailscale0) matches neither wildcard, so it
# is NOT covered here -- it currently falls under the global defaults above.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list device 'wg0'
        list device 'tun+'
        list device 'wg+'

# The only zone forwarding: both LAN subnets may initiate traffic to the wan
# zone (and therefore into wg0). Nothing is forwarded back in. For Tailscale
# the equivalent would be a dedicated zone with NO zone forwarding from lan,
# and a single ACCEPT rule limited by src_ip (or better, by the dedicated
# interface's own zone) for the one permitted host.
config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt rules for the wan zone: DHCP renew, ping, IGMP, DHCPv6, MLD,
# rate-limited ICMPv6 (input and forward) and IPsec. They also apply to the
# tun*/wg* devices, since those are in the wan zone.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The two IPsec rules have src wan AND dest lan, i.e. they permit FORWARDING
# of ESP and IKE (udp/500) from the wan zone into the whole lan zone. They are
# OpenWrt defaults and only matter if a LAN host actually runs IPsec; remove
# them if nothing on the LAN does.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): empty rule section with no name, src, dest or target --
# presumably a leftover from the UI; delete it to keep the file clean.
config rule

# Inter-subnet isolation between 192.168.2.0/24 and 192.168.1.0/24 inside the
# shared lan zone. '192.168.2.1/24' is read as the network 192.168.2.0/24.
# FWSW1 and FWSW3 have src '*' and dest '*', so they match forwarded traffic
# in both directions and are what actually blocks the subnets from each other.
# FWSW2 and FWSW4 omit src: a rule with a dest but no src applies to
# router-originated (output) traffic, not forwarding, so they add nothing to
# the isolation and can be dropped. All four are IP-based only -- they do not
# stop a host that changes its address, and they do not restrict input to the
# router itself (lan zone input is ACCEPT).
config rule
        option name 'FWSW1'
        list src_ip '192.168.2.1/24'
        list dest_ip '192.168.1.1/24'
        option target 'REJECT'
        option dest '*'
        list proto 'all'
        option src '*'

config rule
        option dest '*'
        option target 'REJECT'
        option name 'FWSW2'
        list proto 'all'
        list src_ip '192.168.2.1/24'
        list dest_ip '192.168.1.1/24'

config rule
        option name 'FWSW3'
        list proto 'all'
        option src '*'
        list src_ip '192.168.1.1/24'
        option dest '*'
        list dest_ip '192.168.2.1/24'
        option target 'REJECT'

config rule
        option name 'FWSW4'
        list proto 'all'
        list src_ip '192.168.1.1/24'
        option dest '*'
        list dest_ip '192.168.2.1/24'
        option target 'REJECT'

Network config (`/etc/config/network`, keys and prefixes redacted as `EDIT`):

# Loopback and global settings; the IPv6 ULA prefix is redacted.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'EDIT'

# Main LAN: switch ports lan2-lan4 bridged as br-lan, 192.168.1.0/24, with a
# delegated IPv6 /60. This is the 'lan' member of the lan firewall zone.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

# Upstream: DHCP on 'wan' with the ISP's DNS ignored in favour of Cloudflare
# (plain UDP/53 -- not encrypted), plus DHCPv6 on the same device.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

# WireGuard client tunnel wg0 (keys, addresses and endpoint redacted).
# The single peer allows 0.0.0.0/0 and ::/0 but route_allowed_ips is 0, so no
# default route is installed -- traffic only enters wg0 via the PBR setup.
# A pre-shared key is set in addition to the public key. wg0 sits in the wan
# firewall zone through the zone's 'list device' entries, so it is masqueraded
# and inbound from the tunnel is rejected. persistent_keepalive 25 is the
# usual value for keeping a NAT/CGNAT mapping alive.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'EDIT'
        list addresses 'EDIT/32'
        list addresses 'EDIT/128'

config wireguard_wg0
        option description 'EDIT'
        option public_key 'EDIT'
        option preshared_key 'EDIT'
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option route_allowed_ips '0'
        option endpoint_host 'EDIT'
        option endpoint_port '7500'
        option persistent_keepalive '25'

# Second LAN 'intsw' (192.168.2.0/24): bridge of switch port lan1 AND the
# Wi-Fi radio interface wlan1-2. NOTE(review): because a wireless interface is
# a bridge member, every client that joins that SSID lands on this subnet, so
# "dedicate this interface to one machine" only holds if that SSID is removed
# from the bridge or the permitted host is additionally pinned (src_ip and/or
# src_mac in the firewall rule, static DHCP lease). Uses Cloudflare DNS
# directly rather than the router's resolver.
config device
        option type 'bridge'
        option name 'br-sw'
        list ports 'lan1'
        list ports 'wlan1-2'

config interface 'intsw'
        option proto 'static'
        option device 'br-sw'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'