bolvan wrote:You have to split LAN to LAN1 and LAN2. To do that you need to create additional logical network interface, additional firewall zone for it and configure switch with 2 vlans
Thanks to you, bolvan, and mk24, the great contributing members of OpenWRT community, I was able to achieve what I wanted. Kudos to you! Below are my changes to the default config of TP-LINK TL-WR841ND router running OpenWRT. Hopefully it will be helpful to the people who are in the same situation as me:
1) have a suspicious device with closed source firmware, which they must to use for a while and be able to access it through the local network
2) can't use the MAC address whitelists because of a big amount of the not-permanent users of WiFi network (e.g. our Internet cafe)
3) want to block its' Internet access by the Ethernet port it is connected to - a stronger block than just by the MAC address, because a firmware of "hacked device" could change its' MAC address when it notices that it is unable to leak the information to Internet's remote server, and bypass a MAC address block --> but will not be able to get around the "Ethernet port block"
NOTE: this is also related to this thread ID 69079 on this forum, where mk24 helped me...
So here are the changed configs: (don't just copy paste, you will have to change a few lines)
/etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'XXXX:XXXX:XXXX::/XX'
# ^^^^^ YOUR GLOBALS ULA_PREFIX HERE
# <=== THIS LAN HAS THE INTERNET ACCESS (PORTS 1, 2, 3, AND ALSO WIFI USERS)
config interface 'lan'
option ifname 'eth0.1'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
# <=== THIS LAN DOESN'T HAVE THE INTERNET ACCESS (ETHERNET PORT 4)
config interface 'lan2'
option ifname 'eth0.2'
option force_link '1'
option type 'bridge'
option proto 'static'
option ipaddr '192.168.11.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
option macaddr 'XX:XX:XX:XX:XX:XX'
# ^^^^^ OVERRIDE WAN MAC ADDRESS HERE IF YOU WANT
config interface 'wan6'
option ifname 'eth1'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# <=== ETHERNET PORTS 1, 2, 3 - PART OF LAN WITH THE INTERNET
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0t 1 2 3'
# <=== ETHERNET PORT 4 - PART OF LAN WITHOUT THE INTERNET
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 4'
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.auto'
option localservice '1'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
# <=== ADDED LAN2 HERE - A COPY PASTE OF LAN WITH CHANGED NAMES
config dhcp 'lan2'
option interface 'lan2'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv6 'server'
option ra 'server'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
/etc/config/firewall
config defaults
option syn_flood 1
option input ACCEPT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
# <=== ADDED NEW LAN2 ZONE
config zone
option name lan2
list network 'lan2'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
# <=== UNCOMMENT TO CANCEL THE LAN2 INTERNET BLOCK
##
## config forwarding
## option src lan2
## option dest wan
##
# <=== CONNECTION FROM LAN TO LAN2
config forwarding
option src lan
option dest lan2
# <=== CONNECTION FROM LAN2 TO LAN
config forwarding
option src lan2
option dest lan
# We need to accept udp packets on port 68,
# see # <=== REMOVED A LINK HERE, DOESN'T ALLOW TO POST THIS MESSAGE
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see # <=== REMOVED A LINK HERE, DOESN'T ALLOW TO POST THIS MESSAGE
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option src_ip fe80::/10
option src_port 547
option dest_ip fe80::/10
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
# include a file with users custom iptables rules
config include
option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
#
# <=== DONT WANT THAT PASSTHROUGH ! :P
#
# allow IPsec/ESP and ISAKMP passthrough
### config rule
### option src wan
### option dest lan
### option proto esp
### option target ACCEPT
###
### config rule
### option src wan
### option dest lan
### option dest_port 500
### option proto udp
### option target ACCEPT
###
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
Output of "swconfig dev switch0 show" command
swconfig dev switch0 show
Global attributes:
enable_vlan: 1
Port 0:
pvid: 0
link: port:0 link:up speed:1000baseT full-duplex txflow rxflow
Port 1:
pvid: 1
link: port:1 link:up speed:100baseT full-duplex auto
Port 2:
pvid: 1
link: port:2 link:up speed:100baseT full-duplex auto
Port 3:
pvid: 1
link: port:3 link:up speed:100baseT full-duplex auto
Port 4:
pvid: 2
link: port:4 link:up speed:100baseT full-duplex auto
VLAN 0:
vid: 0
ports: 0t
VLAN 1:
vid: 1
ports: 0t 1 2 3
VLAN 2:
vid: 2
ports: 0t 4
(Last edited by mward15 on 24 Dec 2016, 22:50)