OpenWrt Forum Archive

Topic: Firewall settings to block traffic from wifi to lan

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi guys and hello! I hope you can help me with my problem!

That's the situation: my uncle has a small lan at home with 2 desktops and printers, internet via a broadband modem with router/switch, no wifi.
Now he wants wifi added for his son.
Ok, no rocket science. I had an old unused Linksys WRT54GL. I flashed it with an OpenWrt image with LuCI, set LAN interface to static IP (same subnet as modem of course), gateway and DNS to IP of broadband router, disabled DHCP Server (because DHCP is enabled on broadband router), WIFI to AP and interface to DHCP.
Everything works fine, WIFI clients get IP from LAN and can access internet.
But here comes the problem: my uncle wants to block WIFI clients from accessing LAN, they should just use internet. I tried firewall settings and iptables, but nothing works. I'm not a newbie to OpenWrt but still a beginner.

Any ideas? Many thx!

Is the OpenWrt device configured as a "dumb access point"? In other words, are the interfaces bridged together?

Yes, the interfaces are bridged together.

I could be mistaken, but I do not think OpenWrt is ready to filter traffic in the context of bridged interfaces, so you will probably have to configure iptables yourself from scratch. After a quick search on Google, this page seems to have a nice explanation on how to do it: http://www.sjdjweis.com/linux/bridging/

Hope this helps!

The OP on this discussion thread seems to encounter a problem accessing his/her router from WiFi. Perhaps, this is what you are looking for?

VLANs would be the best way to do this, it's exactly what they're made for. You need the WRT54GL on a separate VLAN from the rest of the network, so that all it can see is the gateway router.

The problem is that this needs to be configured on the gateway router, not the access point. Does it, or can it run OpenWRT? If not, I guess you can check the features of whatever firmware it runs - but most home routers don't enable this functionality, unfortunately.

If you have no success with the VLANs on the gateway, I guess your other option would be to reset the WRT54GL to its default configuration, plug its WAN port into the LAN, and set up some firewall rules to drop traffic to IPs in the LAN subnet (except the gateway of course). It's icky because it's 2 layers of NAT, but it should work.

(Last edited by Degeneratescum on 2 Oct 2015, 21:04)

Unfortunately the gateway is locked by the provider. I can't access it.
I reset the Linksys to default, but when I use the WAN port it won't get access to the LAN and internet?

Hmmm.  With the default OpenWRT config, the WAN port should be configured as a DHCP client, so if you plug it into a LAN port on the gateway, it should get an IP assigned from your home network as the "ISP".

Maybe there's an IP range clash? Make sure the Linksys LAN ip range is set to a different subnet than the gateway gives out.

Edit: I originally said IP range, but to be clearer, it has to be a different subnet. So if the gateway is on 192.168.1.1, subnet mask 255.255.255.0, then the Linksys could use 192.168.2.1 and 255.255.255.0.

(Last edited by Degeneratescum on 2 Oct 2015, 21:59)

Ah, ok. Actually I set the protocol of LAN to a static IP within the same subnet as the gateway to reach it.
What protocol should I set for LAN then?

If the Linksys uses the same subnet as the gateway it can't route, see my edit above.

You want the standard LAN configuration of static IP and DHCP server, but if the IP of the gateway was, say 192.168.1.1, then make the Linksys LAN 192.168.2.1.

What we're aiming for here is a situation where you can set firewall rules to drop all traffic to and from the gateway's subnet, except the gateway itself. Then you will have achieved the isolation of networks that you desire. Without VLANs, it wasn't possible to do it at the mac level with the networks bridged, so instead we're doing it with separated networks at the IP level. Hence the need for different IP subnets.

BTW, just thinking aloud here, I think eduperez's suggestion above about manual configuration of iptables is also a valid solution, probably too complicated for a beginner, but maybe the best from a technical standpoint if you have the time to figure it out. I also think there might be another solution using relayd, but I suspect this will perform worse than 2 layers of NAT.

(Last edited by Degeneratescum on 2 Oct 2015, 22:35)

Ok. I set the static IP of LAN to 192.168.2.1 and enabled dhcp. Now I get a 192.168.2.x for my devices via WIFI and they can connect to internet.
Great, many thx so far!!!

But I still can reach my devices on 192.168.1.x. How exactly do I have to config the firewall now?

OK, we've got to a point where you can use the firewall to block the traffic. Unfortunately I haven't a lot of experience with firewall configuration, so maybe this is where someone else can help you, or you can study the firewall docs and figure it out.

What I do know is that the order of the firewall rules is important. Your custom rules will need to go first.

1. Rules to allow traffic to and from the gateway.
2. Rules to block traffic to the subnet 192.168.1.* (won't affect the gateway traffic as it has already been accepted at 1.)
3. The standard rules that will already be configured for all other traffic (won't affect the LAN blocking as the packets have already been blocked at 2.)

Ok. Thx again for your big help, Degeneratescum!!

Can anyone please help me with the correct firewall configuration?

I tried it by myself last night, but I didn't find it out. Doesn't matter what I do, I still can access the clients on 192.168.1.x. I tried firewall rules in LuCI and I tried iptables. But I failed.
Thx!!

(Last edited by webjunkie on 3 Oct 2015, 10:15)

This might help a bit:

https://forum.openwrt.org/viewtopic.php?id=31865

Also, remember it's outbound traffic to that subnet that you want to filter. Most firewall rules are concerned with incoming traffic, so that might be where you're going wrong.

(Last edited by Degeneratescum on 3 Oct 2015, 10:43)

Sorry, I didn't get it. I tried:

iptables -I INPUT -i wan -s 192.168.1.0/24 -j DROP
iptables -I FORWARD -i wan -s 192.168.1.0/24 -j DROP

in the custom rules, but nothing happened.

Also
iptables -I INPUT -i lan -s 192.168.1.0/24 -j DROP
iptables -I FORWARD -i lan -s 192.168.1.0/24 -j DROP
didn't do anything?!?

Sorry, it took me some nights to realize what you meant...

Then I tried

#1. Rules to allow traffic to and from the gateway.
iptables -I INPUT -s 192.168.1.1 -j ACCEPT
iptables -I FORWARD -s 192.168.1.1 -j ACCEPT

#2. Rules to block traffic to the subnet 192.168.1.*
iptables -I INPUT -s 192.168.1.0/24 -j REJECT
iptables -I FORWARD -s 192.168.1.0/24 -j REJECT

But it didn't work...

After a few hours again I changed the order:
1. Rules to block traffic to the subnet 192.168.1.*
2. Rules to allow traffic to and from the gateway.

And guess what, it works!!!!!:

iptables -I INPUT -s 192.168.1.0/24 -j REJECT
iptables -I FORWARD -s 192.168.1.0/24 -j REJECT

iptables -I INPUT -s 192.168.1.1 -j ACCEPT
iptables -I FORWARD -s 192.168.1.1 -j ACCEPT

Thx!!
Topic can be closed.
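Why the second ordering worked and the first did not: `iptables -I` with no index inserts at the head of the chain, so the command typed last ends up evaluated first, and the chain stops at the first match. The following simulation of that first-match behaviour is an added example, not code from the thread or from OpenWrt; the chain model, the `Rule`/`Chain` names and the sample source addresses (192.168.1.50 as a wired LAN host, 8.8.8.8 as an internet host) are constructed for illustration.

```python
"""Toy model of one iptables filter chain: first matching rule wins,
``-I`` prepends.  Only the -s (source) match from the thread is modelled."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    src: str      # source network, as given to iptables -s
    target: str   # ACCEPT or REJECT


@dataclass
class Chain:
    policy: str = "ACCEPT"          # verdict when no rule matches
    rules: list = field(default_factory=list)

    def insert(self, rule):
        """iptables -I without an index puts the rule at position 1."""
        self.rules.insert(0, rule)

    def verdict(self, src_ip):
        """Walk the chain top to bottom; the first match decides."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if ip in ipaddress.ip_network(r.src, strict=False):
                return r.target
        return self.policy


def build(commands):
    """Apply (src, target) inserts in the order the commands were typed."""
    chain = Chain()
    for src, target in commands:
        chain.insert(Rule(src, target))
    return chain


# Each tuple stands for "iptables -I FORWARD -s <src> -j <target>",
# listed in the order the thread typed them.
FIRST_ATTEMPT = [("192.168.1.1", "ACCEPT"), ("192.168.1.0/24", "REJECT")]
WORKING_ORDER = [("192.168.1.0/24", "REJECT"), ("192.168.1.1", "ACCEPT")]

# Constructed sample sources: the gateway, a wired LAN host, an internet host.
SAMPLE_SOURCES = ("192.168.1.1", "192.168.1.50", "8.8.8.8")


def verdicts(commands):
    chain = build(commands)
    return {ip: chain.verdict(ip) for ip in SAMPLE_SOURCES}


if __name__ == "__main__":
    for name, cmds in (("first attempt", FIRST_ATTEMPT), ("working order", WORKING_ORDER)):
        order = [f"-s {r.src} -j {r.target}" for r in build(cmds).rules]
        print(f"{name}: chain = {order}; verdicts = {verdicts(cmds)}")
```

In the first attempt the /24 REJECT lands above the gateway ACCEPT, so traffic from the gateway is rejected as well; the reversed command order puts the ACCEPT on top and only the rest of 192.168.1.0/24 is rejected.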

What is the difference between your "guest wlan" solution stated above vs setting up the OpenWrt router's wifi as "lan" and the ethernet as "wan" interface?
I used this setup a year ago with a WR703 and if I recall correctly, from the devices in my wifi environment I could not access the other devices in the (wired) home network nor the main router.

@webjunkie
In which file did you write the iptables commands? Or did you use LuCI?

(Last edited by halfdome on 3 Nov 2015, 00:03)

Hi halfdome,

I used LuCI.

Just to verify:

In Network --> Firewall -->
1) "Custom Rules": you placed your "iptables -I ..." commands?
2) "General Settings" / "Port forwards" / "Traffic Rules": in these sections you changed / added nothing?

ad 1): yes
ad 2): no

2) so what did you change in these sections?

Nothing.
I meant "no, I didn't change/add nothing". Sorry! ;-)

The discussion might have continued from here.