Use "WAN" as an extra LAN port, with firewall limitations?

Hi!
I have a homehub5 with openwrt.
I don't use it as modem or router, I have a separate device for this.
I use it as dumb wifi AP & ethernet switch.
I don't use WAN ethernet port currently.
The device is next to my TV, which is connected by RJ45 to one of the LAN ports.

I wish to block my TV access to some LAN devices on some time frames.
I was thinking it may be possible using firewall & WAN port to make a "firewalled extra LAN port".

So I allow connection from WAN to LAN firewall zone (currently "input reject, output accept, forward reject").
I set my "WAN" interface to "unmanaged" (target is that devices on WAN port are considered as LAN, receive DHCP from LAN etc... but maybe it's not the right way to do it?)

Then for testing, I added a traffic rule to reject:
Any traffic
From any host in wan
To IP range 192.168.0.0/16 in any zone

But this is not sufficient to block access from my TV to other devices on LAN (for example NAS).

Did I miss something?

I'm a bit confused; how are you connecting this device to the upstream router? From your description, I presume that you are connecting it to one of the LAN ports.

If that's the case, then it makes more sense to connect the upstream port to the WAN port of HH5 (even if you are going to configure the switch to make this WAN port as an extra LAN port)--it just makes sense to have the port labelled as WAN connected to the upstream router.

Then for your TV, you would make a VLAN, assign one of the 4 "original" LAN ports to it, and configure the zones accordingly to allow access as you desire.

There are plenty of posts on the forum (and on the Wiki) about configuring VLANs.

Yes, your traffic never crosses the router or firewall, since you configured it as a switch.

So, you must run this device as a router to accomplish your goal (or bridge) - so the firewall will see and process your traffic.

Ok guys, here are a few answers:

@Hegabo
The internet is available on the LAN, provided by another router.
I would prefer to avoid VLAN: if I can do it by firewall rules, it's much easier for me to either add a schedule or even use an external way to toggle it on/off.
Also the TV has several connections to various services... I foresee troubles to come if I want to make VLANs work for all those.

@lleachii I have set up the zone forwarding on the firewall already and it works fine. My TV connected on the reconfigured WAN port receives an IP from DHCP on LAN, can see my NAS etc...
It's a pretty similar situation to my guest AP I set up on another port (where you answered too). Main difference is that I set my WAN interface as "unmanaged".
(here is the topic: Block access from wifi to LAN except gateway? I see now your answer was very similar, but @mk24's solution worked like a charm :slight_smile:)


There are two ways to use VLANs, tagged on a segment or untagged. For “normal” devices, untagged means that the device isn’t aware that elsewhere there’s a VLAN. You then use VLANs elsewhere to segregate and control that traffic and your TV is completely unaware. I find it helpful to think of VLANs as “wires”, within a switch, between devices, or for firewalls.


Hi! Yes, I have a VLAN already on 2 ports of the LAN for other purposes. It works fine.
But VLAN is not what I want to do here.

I think I may have found part of the issue this morning: I noticed that the wan port is still ticked in my LAN interface, so it's probably bridged with LAN, not what I wanted. I will modify when back home today.

You want to reject your TV's access to "any" device between those times?
Why don't you reject based on source MAC address?

How would you do this?

I have seen mac address filter on wifi, but not on ethernet?

If you go to firewall rules and click "edit" button for a "traffic rule" you can see that you can change it to deny access, define time range and also use "Source MAC address" to match packets.

If you do not want to use MAC address, you can still use the IP address of the TV. Normally DHCP gives IPs randomly from a pool, but if you go to DHCP Server settings, there are static leases at the bottom and you can give a fixed IP to your TV (DHCP will always serve this IP to the TV). Then deny that IP access to resources using normal firewall rules. Although, a smart/hacker person can open your TV and assign another IP manually and bypass this trick. But I am not sure if this is a problem for your home :slight_smile: If this is to stop your kids watching movies all day or something like that, it could be a good brain exercise for them to try to hack it :smiley:

There is one potential problem. If both devices are in the same network, they can communicate with each other without needing to pass through your OpenWRT box. (if at least one of them is not connected directly to OpenWRT box). But even if they are going through it, I am not sure exactly what OpenWRT firewalls rules do for bridged interface ports. Without actual routing requirements, packets may go through perhaps? If that is so, then the devices would have to be in different subnets so routing by OpenWRT must be required, so OpenWRT can intercept packets.

As I said I do not know exactly how OpenWRT applies the rules, as I never needed this functionality. Perhaps it should be enough that source zone is set to any zone...not sure... Let us know how it goes :slight_smile:
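To make the pieces discussed in this thread concrete (the TV port as its own routed interface so the firewall actually sees the traffic, a static lease, and a scheduled reject rule matched on source MAC), here is an added UCI configuration example. It is not from the original posts or from the OpenWrt project; the device name `eth0.2`, the `192.168.2.0/24` subnet, the MAC address and the time window are constructed placeholders to adapt to your own HH5.

```uci
# /etc/config/network (fragment): the former WAN port becomes its own
# routed interface instead of a member of the LAN bridge. The switch
# device name is an assumption; check how your HH5 exposes that port.
config interface 'tv'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

# /etc/config/dhcp (fragment): serve DHCP on the tv interface and pin
# the TV to one address so IP-based rules stay stable (placeholder MAC).
config dhcp 'tv'
        option interface 'tv'
        option start '100'
        option limit '50'
        option leasetime '12h'

config host
        option name 'tv'
        option mac '00:11:22:33:44:55'
        option ip '192.168.2.100'

# /etc/config/firewall (fragment): separate zone for the TV, forwarding
# to lan allowed in general, then a scheduled REJECT that wins because
# traffic rules are evaluated before zone forwarding.
config zone
        option name 'tv'
        list network 'tv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'tv'
        option dest 'lan'

config rule
        option name 'Allow-TV-DHCP-DNS'
        option src 'tv'
        option proto 'udp'
        option dest_port '53 67'
        option target 'ACCEPT'

config rule
        option name 'Block-TV-to-LAN-evenings'
        option src 'tv'
        option src_mac '00:11:22:33:44:55'
        option dest 'lan'
        option dest_ip '192.168.0.0/16'
        option proto 'all'
        option weekdays 'Mon Tue Wed Thu Fri'
        option start_time '20:00'
        option stop_time '23:59'
        option target 'REJECT'
```

Because the TV now sits on its own subnet, every packet to the NAS has to be routed by the HH5, which is what lets the firewall enforce the time window; with the port still bridged into LAN the switch forwards those frames directly and the rule never sees them. Toggling the rule from outside is then just enabling or disabling it with `uci` and reloading the firewall.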