I want to have two wifi SSIDs, a guest network G and a trusted host network H.
I want to ensure that my web configuration GUI is only accessible from H, and users of G can get no access.
I don't think I can use firewall rules for this, nor firewall zones. I suspect I have to write Lua code which checks which network a GUI user is connected to and then closes the connection. But I am hoping there is another way which allows me to filter without even accepting the GUI connection.
Firewall rules will work fine, along with ideally restricting the IP addresses on which LuCI listens. By default, OpenWrt configures uhttpd to listen on "all" addresses. Step one, for me, would be to change that to the address of the subnet which is permitted. (I'm assuming your guest network is already on a different subnet). Step 2 is to prevent forwarding from the guest network to the network on which your trusted hosts reside (a good idea, in general).
I will shift guest network users to their own subnet, and then do it with firewall rules. Sounds like a plan.
I have created a new TrustedZone firewall ZONE and TrustedWifi SSID attached to that. Firewall rules allow access to LuCI only from IP addresses in the new trusted IP address subnet range.
Q1: By this do you mean the manual iptables firewall rule I created? Or is there also something I can do directly from the Firewall Zones LuCI GUI?
Let's imagine somebody on my guest network does not use automatic guest DHCP and instead manually assigns themselves an IP address from the trusted subnet. Q2: What will prevent this traffic from the guest network from seeing the GUI?
Related question Q3: Does iptables see all the traffic which passes between my two on-router subnets?
Yes you can, just edit the new zone appearing on the Firewall page - it should already be disabled.
Yes, as long as they're passing through an interface, which it seems like you configured it to do by separate Interfaces/Zones.
Hope this helps.
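Putting the earlier reply (bind uhttpd to the trusted address, block guest-to-trusted forwarding) together with this one (do it with zones on the Firewall page), here is what the resulting /etc/config/uhttpd and /etc/config/firewall fragments can look like. This is an added example, not configuration posted by anyone in the thread; the interface names trusted and guest, and the addresses 192.168.1.1 and 192.168.2.1, are assumptions.

```uci
# /etc/config/uhttpd (assumed: trusted interface has 192.168.1.1)
config uhttpd 'main'
	# listen only on the trusted subnet address, not on 0.0.0.0
	list listen_http '192.168.1.1:80'
	list listen_https '192.168.1.1:443'
	option home '/www'
	option rfc1918_filter '1'

# /etc/config/firewall (assumed: interfaces named 'trusted' and 'guest')
config zone
	option name 'trusted'
	list network 'trusted'
	option input 'ACCEPT'      # router services (LuCI, SSH) reachable
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'      # no router services unless a rule opens them
	option output 'ACCEPT'
	option forward 'REJECT'

# guest may reach the internet; there is deliberately no guest->trusted forwarding
config forwarding
	option src 'guest'
	option dest 'wan'

# the only router services guest clients get: DHCP and DNS
config rule
	option name 'Guest-DHCP'
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Guest-DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'
```

Zone membership is decided by the interface a packet arrives on, not by its source address, so a guest client that hand-picks a trusted-subnet address is still in the guest zone and hits its REJECT input policy for ports 80/443; the uhttpd bind on 192.168.1.1 is a second, independent layer.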
I have confirmed that traffic between one subnet and another subnet on the same router does NOT go through iptables.
If it happens in the switch fabric, that is correct. For most people "that need to ask", this likely indicates improper configuration.
If it happens in the TCP/IP stack, then it should be visible to software.
You likely need to learn something about VLANs; you want your networks on separate VLANs. The guest network tutorials on the wiki will explain. See if that helps.
How will VLANs help in this case? There is just a single router which has two SSIDs defined. Can I use VLANs usefully to separate the two SSIDs?
Yes, one software bridge for each VLAN that associates the virtual interface for the SSID with the desired virtual interface for the VLAN, such as
Traffic from one SSID to another SSID does go through iptables, but wired traffic from one switch port to another switch port doesn't. If you separate switch ports into separate VLANs then it will go through the CPU in order to route.