Use of Wireguard for internet connections but not for private IPs

I have 2 routers: 1 is an ISP modem/router with a home network with printers and a Pi etc., and 1 is an OpenWRT router connected to a Wireguard VPN via the ISP modem/router.

Setting up Wireguard was easy thanks to this step-by-step guide. However, when a computer is connected to the OpenWRT router it can't access the ISP modem/router anymore. I want to allow 1 computer with the MAC address *************** to access IPs 192.178.1.1 -- 192.178.1.255. Would the following firewall rule do what I want without creating a security problem?

Zones:
lan = OpenWRT router
wan = ISP modem/router
WGZONE = Wireguard connection

How is the computer connected to the OpenWrt router? Ethernet/Wifi, or via Wireguard?

First, this is wrong -- it should be 192.168.1.1 - 192.168.1.254, or more generically, 192.168.1.0/24

It isn't clear to me if you are trying to allow a specific computer that is connected via WG to access the upstream modem+router, or if it is connected via ethernet/wifi locally. Over WG, the MAC address will not be an option, but you could limit via IP address. Locally, this can be done.

Please provide more detail.

Wifi

Thank you for the check! But the router, a FRITZ!Box, has the unusual IP 192.168.178.1

The specific computer, which is connected to the Wifi radio0 of the OpenWRT router, should be allowed to access the upstream modem+router.

Take another look at your rule -- you have 192.178.1.1 which is incorrect (maybe it is supposed to be 192.168.178.1, but you have a typo if that is the case).

What you'll want to do with the firewall is to create a rule that allows the computer with the permitted MAC address to access the 192.168.178.0/24 network, and then drop all others attempting to access that network.

Now I see. Thank you! I'll copy and paste from now on.

Would this allow only the permitted MAC address to access the 192.168.178.0/24 network?

If I understand it correctly then "drop" means that traffic is not allowed except when there is an explicit rule that allows it. Could I create a second "forward rule" where the "Source MAC address" is "any" instead of "***************" and where the "Action" is "drop" instead of "accept"?
Also, would a rule "drop" be necessary? Right now, a computer connected to the Wifi of the OpenWRT router can't access the 192.168.178.0/24 network.

The rule you showed should, in theory, allow the specific system to connect to the upstream network. A second rule with the action drop would be necessary (and the order matters).

If things aren't working, please post the following files (ssh into the router and use the cat command; copy and paste into a reformatted text block):
/etc/config/network
/etc/config/firewall

It worked, thanks! At first it didn't work because the 2 rules were in the wrong order but then I noticed that you had written that the order matters.

New rules in Network | Firewall | Traffic Rules:

This added the following to /etc/config/firewall

config rule
        option target 'ACCEPT'
        option src 'lan'
        option name 'computer --> upstream router'
        option src_mac '**:**:**:**:**:**'
        option dest 'wan'
        option dest_ip '192.168.178.0/24'

config rule
        option src 'lan'
        option name 'rule "drop" lan --> upstream router'
        option dest 'wan'
        option dest_ip '192.168.178.0/24'
        option target 'DROP'

Those rules look good! Glad it is working :slight_smile:
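The thread's point that "the order matters" can be checked offline. The following script is an added example, not code from the thread or from OpenWrt: it parses a constructed copy of the two `config rule` sections above (with a placeholder MAC instead of the masked one) and evaluates them the way OpenWrt's traffic rules are applied, in file order with the first match winning. The `zone_policy` placeholder stands in for the zone forwarding setting that decides packets no rule matches; that setting is not part of the quoted excerpt, so its value here is an assumption.

```python
import ipaddress
import re

# Constructed /etc/config/firewall excerpt in UCI syntax; the MAC is a placeholder, not a real device.
FIREWALL_CONFIG = """
config rule
        option target 'ACCEPT'
        option src 'lan'
        option name 'computer --> upstream router'
        option src_mac 'AA:BB:CC:DD:EE:FF'
        option dest 'wan'
        option dest_ip '192.168.178.0/24'

config rule
        option src 'lan'
        option name 'rule "drop" lan --> upstream router'
        option dest 'wan'
        option dest_ip '192.168.178.0/24'
        option target 'DROP'
"""

OPTION_RE = re.compile(r"^\s*option\s+(\w+)\s+'([^']*)'\s*$")


def parse_rules(text):
    """Return the 'config rule' sections as dicts, in file order (the order fw3/fw4 honour)."""
    rules = []
    current = None
    for line in text.splitlines():
        if line.strip().startswith("config rule"):
            current = {}
            rules.append(current)
            continue
        match = OPTION_RE.match(line)
        if match and current is not None:
            key, value = match.groups()
            current[key] = value
    return rules


def rule_matches(rule, src_zone, dest_zone, src_mac, dest_ip):
    """True when every selector present in the rule matches the packet."""
    if rule.get("src") != src_zone or rule.get("dest") != dest_zone:
        return False
    if "src_mac" in rule and rule["src_mac"].lower() != src_mac.lower():
        return False
    if "dest_ip" in rule:
        network = ipaddress.ip_network(rule["dest_ip"], strict=False)
        if ipaddress.ip_address(dest_ip) not in network:
            return False
    return True


def verdict(rules, src_zone, dest_zone, src_mac, dest_ip, zone_policy="ZONE_FORWARDING_POLICY"):
    """First matching rule wins; with no match, the zone forwarding setting decides
    (represented by the zone_policy placeholder, since that section is not in the excerpt)."""
    for rule in rules:
        if rule_matches(rule, src_zone, dest_zone, src_mac, dest_ip):
            return rule["target"]
    return zone_policy


PERMITTED_MAC = "AA:BB:CC:DD:EE:FF"  # placeholder for the thread's masked address
OTHER_MAC = "11:22:33:44:55:66"      # any other client on the OpenWrt Wi-Fi


def check_order(text):
    """What the rules do for the permitted and a non-permitted client, as written and
    with the two rules swapped (the misordering the thread ran into)."""
    rules = parse_rules(text)
    swapped = list(reversed(rules))
    upstream = "192.168.178.1"  # the FRITZ!Box address from the thread
    return {
        "as_written_permitted": verdict(rules, "lan", "wan", PERMITTED_MAC, upstream),
        "as_written_other": verdict(rules, "lan", "wan", OTHER_MAC, upstream),
        "swapped_permitted": verdict(swapped, "lan", "wan", PERMITTED_MAC, upstream),
        "outside_network": verdict(rules, "lan", "wan", PERMITTED_MAC, "10.0.0.1"),
    }


if __name__ == "__main__":
    for name, result in check_order(FIREWALL_CONFIG).items():
        print(f"{name}: {result}")
```

With the rules in the order shown, only the permitted MAC reaches 192.168.178.0/24 and every other lan client is dropped; with the DROP rule first, the permitted client is dropped too, which is the symptom described above. Destinations outside 192.168.178.0/24 are untouched by either rule and fall through to the zone forwarding setting.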
