Three accesses: full , guest with no LAN and LAN without internet

I've been using OpenWrt for a while, mainly via LuCI. However, I'm not as advanced as I'd like to be :slight_smile: I have a local network behind OpenWrt + Internet. There are a few devices. I don't want some of them to access the Internet. Also, I don't want guest users to access LAN devices. Usual users should have access to everything. The idea is to have three ways to access:

  • WI-FI (full) - full access (already got it working)
  • WI-FI (guest) - guest - Internet only, no LAN access
  • Ethernet port (local) - LAN access, no Internet access
    and ideally if it's possible
  • WI-FI (local) - LAN access, no Internet access (same as above)

Thanks for any advice


That's a very typical "guest network" setup, just repeated once over for an additional internet-restricted network. Did you try one of the guides to create a guest network yet?

(No, I have no idea what @brada4 wants to say.)

Don't do casual browsing near LuCI.

I got the guest network working. Thanks.

How can I make those work?

  • Ethernet port (local) - LAN access, no Internet access
    and ideally if it's possible
  • WI-FI (local) - LAN access, no Internet access (same as above)

That's just a variation of the guest network concept. You introduce a third network in the very same way you introduced the guest network, with its own SSID and that one LAN port attached (remove that one LAN port from the regular br-lan). And then in firewall forwardings you do the "opposite" of what you did with the guest network, you allow forwardings to LAN only instead of WAN only.

I ran the following (Ethernet only for now). Then I edited br-lanonly and assigned Ethernet ports 3 and 4. Similarly, for br-lan I removed ports 3 and 4.

uci -q delete network.lanonly_dev
uci set network.lanonly_dev="device"
uci set network.lanonly_dev.type="bridge"
uci set network.lanonly_dev.name="br-lanonly"
uci -q delete network.lanonly
uci set network.lanonly="interface"
uci set network.lanonly.proto="static"
uci set network.lanonly.device="br-lanonly"
uci set network.lanonly.ipaddr="192.168.7.1/24"
uci commit network
service network restart

uci -q delete dhcp.lanonly
uci set dhcp.lanonly="dhcp"
uci set dhcp.lanonly.interface="lanonly"
uci set dhcp.lanonly.start="100"
uci set dhcp.lanonly.limit="150"
uci set dhcp.lanonly.leasetime="1h"
uci commit dhcp
service dnsmasq restart

uci -q delete firewall.lanonly
uci set firewall.lanonly="zone"
uci set firewall.lanonly.name="lanonly"
uci set firewall.lanonly.network="lanonly"
uci set firewall.lanonly.input="REJECT"
uci set firewall.lanonly.output="ACCEPT"
uci set firewall.lanonly.forward="REJECT"
uci -q delete firewall.lanonly_lan
uci set firewall.lanonly_lan="forwarding"
uci set firewall.lanonly_lan.src="lanonly"
uci set firewall.lanonly_lan.dest="lan"
uci -q delete firewall.lanonly_dhcp
uci set firewall.lanonly_dhcp="rule"
uci set firewall.lanonly_dhcp.name="Allow-DHCP-lanonly"
uci set firewall.lanonly_dhcp.src="lanonly"
uci set firewall.lanonly_dhcp.dest_port="67"
uci set firewall.lanonly_dhcp.proto="udp"
uci set firewall.lanonly_dhcp.family="ipv4"
uci set firewall.lanonly_dhcp.target="ACCEPT"
uci commit firewall
service firewall restart

The full access network is 192.168.5.1/24. However, I can't see lanonly devices from it. When I ping them from there I'm getting

ping nsa
PING nsa.lan (192.168.7.220) 56(84) bytes of data.
From default.lan (192.168.5.1) icmp_seq=1 Destination Port Unreachable
From default.lan (192.168.5.1) icmp_seq=2 Destination Port Unreachable
From default.lan (192.168.5.1) icmp_seq=3 Destination Port Unreachable

You shouldn't need to open ports for DHCP and DNS from lanonly to lan; they are allowed to access it anyway.

For that you need to allow forwarding from lan to lanonly. At the moment you only allow forwarding from lanonly to lan.

I added the following but no luck

uci -q delete firewall.lan_lanonly
uci set firewall.lan_lanonly="forwarding"
uci set firewall.lan_lanonly.src="lan"
uci set firewall.lan_lanonly.dest="lanonly"
uci commit firewall
service firewall restart

PING nsa.lan (192.168.7.220) 56(84) bytes of data.
From default.lan (192.168.5.1) icmp_seq=1 Destination Host Unreachable
From default.lan (192.168.5.1) icmp_seq=2 Destination Host Unreachable

The settings look like this now (screenshots omitted).

Hmm. This all looks good to me now. lan devices should be able to access lanonly devices like this. The lanonly firewall zone covers the br-lanonly network, right? Did you try applying the settings with prejudice, i.e. a reboot?

Failing that, a more complete picture might be helpful. Can you copypaste the contents of /etc/config/network and /etc/config/firewall (redact personal information of course)?

It started working when I added the following. That's when lanonly devices picked up their IP addresses.

uci -q delete firewall.lanonly_dhcp
uci set firewall.lanonly_dhcp="rule"
uci set firewall.lanonly_dhcp.name="Allow-DHCP-lanonly"
uci set firewall.lanonly_dhcp.src="lanonly"
uci set firewall.lanonly_dhcp.dest_port="67"
uci set firewall.lanonly_dhcp.proto="udp"
uci set firewall.lanonly_dhcp.family="ipv4"
uci set firewall.lanonly_dhcp.target="ACCEPT"
uci commit firewall
service firewall restart

I may be completely wrong here, and my brain is mush today, but I think I see the problem: lanonly can access devices on lan, but DHCP is not coming from lan, it's coming from the router itself. For lanonly to access the router, its input chain must be set to "accept". Alternatively, your rule, if you don't want lanonly to access anything else on your router.

Anyhoo, I'm happy it works for you now.
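To make the two points in this thread checkable (the forwarding rules at the top, and the input-chain/DHCP issue explained just above), here is an added example that is not from the thread or from OpenWrt: a small audit of `uci show firewall` output against the intended three-network policy. SAMPLE is a constructed dump that mirrors the configuration posted above (lanonly has a DHCP rule but no DNS rule, guest has neither).

```python
# Added example, not from the thread. SAMPLE is a constructed `uci show firewall`
# dump; audit() reports where it departs from the intended three-network policy.
SAMPLE = """\
firewall.guest=zone
firewall.guest.name='guest'
firewall.guest.input='REJECT'
firewall.lanonly=zone
firewall.lanonly.name='lanonly'
firewall.lanonly.input='REJECT'
firewall.guest_wan=forwarding
firewall.guest_wan.src='guest'
firewall.guest_wan.dest='wan'
firewall.lanonly_lan=forwarding
firewall.lanonly_lan.src='lanonly'
firewall.lanonly_lan.dest='lan'
firewall.lanonly_dhcp=rule
firewall.lanonly_dhcp.src='lanonly'
firewall.lanonly_dhcp.dest_port='67'
firewall.lanonly_dhcp.target='ACCEPT'
"""
POLICY = {"guest": {"wan"}, "lanonly": {"lan"}}  # client zone -> only allowed dest zones

def parse_uci_show(text):
    secs = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition("=")
        parts = key.split(".")
        if len(parts) == 2:              # section line: firewall.<name>=<type>
            secs[parts[1]] = {".type": value}
        else:                            # option line: firewall.<name>.<opt>='v'
            secs[parts[1]][parts[2]] = value.strip("'")
    return secs

def audit(text):
    secs = parse_uci_show(text)
    of_type = lambda t: [s for s in secs.values() if s[".type"] == t]
    zones = {z["name"]: z for z in of_type("zone")}
    findings = []
    for zone, allowed in POLICY.items():
        dests = {f["dest"] for f in of_type("forwarding") if f["src"] == zone}
        findings += [f"{zone}: forwarding to {d} violates policy" for d in sorted(dests - allowed)]
        findings += [f"{zone}: missing forwarding to {d}" for d in sorted(allowed - dests)]
        inp = zones[zone].get("input", "REJECT")  # OpenWrt zone default is REJECT
        if inp != "ACCEPT":
            # Clients then reach dnsmasq on the router only via an INPUT rule
            # (src set, no dest): exactly what fixed DHCP in this thread.
            for port, svc in (("67", "DHCP"), ("53", "DNS")):
                if not any(r.get("src") == zone and "dest" not in r and r.get("dest_port") == port
                           and r.get("target") == "ACCEPT" for r in of_type("rule")):
                    findings.append(f"{zone}: input is {inp}, no rule allows {svc} (port {port}) to the router")
    return findings
```

Run it against a real dump with `audit(open("firewall.txt").read())` after saving `uci show firewall` to that file; an empty list means the forwardings and router-access rules match the policy.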

Thanks for your help :slight_smile: