
Topic: [V] How to ban the Internet WAN traffic for a specific Ethernet port?

The content of this topic has been archived on 13 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

A potentially malicious networking device with a closed-source firmware is attached to one Ethernet port of the OpenWRT WiFi router. I can't get rid of this device until next February, so meanwhile I want to block its WAN traffic to disable its Internet access.

The problem is that this device could easily change its MAC address by itself (I have observed it twice) --> it cannot be banned by MAC address; and MAC whitelists are also not an option in my case. The only solution seems to be blocking the WAN traffic for the specific Ethernet port to which this device is connected... but how?

(Last edited by mward15 on 25 Dec 2016, 11:17)

You have to split LAN to LAN1 and LAN2. To do that you need to create additional logical network interface, additional firewall zone for it and configure switch with 2 vlans

bolvan wrote:

You have to split LAN to LAN1 and LAN2. To do that you need to create additional logical network interface, additional firewall zone for it and configure switch with 2 vlans

Thanks to you, bolvan, and mk24, the great contributing members of OpenWRT community, I was able to achieve what I wanted. Kudos to you! smile Below are my changes to the default config of TP-LINK TL-WR841ND router running OpenWRT. Hopefully it will be helpful to the people who are in the same situation as me:
1) have a suspicious device with closed-source firmware, which they must use for a while and be able to access through the local network
2) can't use the MAC address whitelists because of a big amount of the not-permanent users of WiFi network (e.g. our Internet cafe)
3) want to block its Internet access by the Ethernet port it is connected to - a stronger block than just by the MAC address, because the firmware of a "hacked device" could change its MAC address when it notices that it is unable to leak information to a remote server on the Internet, and so bypass a MAC address block --> but it will not be able to get around the "Ethernet port block"

NOTE: this is also related to this thread ID 69079 on this forum, where mk24 helped me...

So here are the changed configs: (don't just copy paste, you will have to change a few lines)

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'XXXX:XXXX:XXXX::/XX'
# ^^^^^ YOUR GLOBALS ULA_PREFIX HERE

# <=== THIS LAN HAS THE INTERNET ACCESS (PORTS 1, 2, 3, AND ALSO WIFI USERS)
config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
# <=== THIS LAN DOESN'T HAVE THE INTERNET ACCESS (ETHERNET PORT 4)
config interface 'lan2'
        option ifname 'eth0.2'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option ifname 'eth1'
        option proto 'dhcp'
        option macaddr 'XX:XX:XX:XX:XX:XX'
# ^^^^^ OVERRIDE WAN MAC ADDRESS HERE IF YOU WANT

config interface 'wan6'
        option ifname 'eth1'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
# <=== ETHERNET PORTS 1, 2, 3 - PART OF LAN WITH THE INTERNET
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3'

# <=== ETHERNET PORT 4 - PART OF LAN WITHOUT THE INTERNET
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 4'

/etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
# <=== ADDED LAN2 HERE - A COPY PASTE OF LAN WITH CHANGED NAMES
config dhcp 'lan2'                                
        option interface 'lan2'                   
        option start '100'                       
        option limit '150'                       
        option leasetime '12h'                   
        option dhcpv6 'server'                   
        option ra 'server' 

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'

/etc/config/firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT
 # <=== ADDED NEW LAN2 ZONE
# NOTE(review): input ACCEPT means a host on the untrusted port can reach every
# service the router itself listens on, not just DHCP and DNS. If those two are all
# lan2 needs, consider input REJECT plus explicit ACCEPT rules for them.
# NOTE(review): the router's DNS forwarder (dnsmasq in /etc/config/dhcp above, with
# resolvfile pointing at the upstream resolvers) still answers lan2 clients, so name
# lookups from the blocked port do leave the network indirectly - confirm that this
# residual path is acceptable.
config zone
        option name             lan2
        list   network          'lan2'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan
# <=== UNCOMMENT TO CANCEL THE LAN2 INTERNET BLOCK
##
## config forwarding
##      option src              lan2
##      option dest             wan
##
# <=== CONNECTION FROM LAN TO LAN2
config forwarding
        option src              lan
        option dest             lan2
# <=== CONNECTION FROM LAN2 TO LAN
# NOTE(review): this lets the device on lan2 initiate connections to any host on
# lan, which is exactly the lateral-movement concern raised later in the thread.
# The lan -> lan2 forwarding above already lets lan hosts reach the device (reply
# traffic is matched by connection tracking), so this section is only needed if the
# device itself must open connections into lan - confirm, and drop it otherwise.
config forwarding
        option src              lan2
        option dest             lan

# We need to accept udp packets on port 68,
# see # <=== REMOVED A LINK HERE, DOESN'T ALLOW TO POST THIS MESSAGE
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4
# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT
# Allow DHCPv6 replies
# see # <=== REMOVED A LINK HERE, DOESN'T ALLOW TO POST THIS MESSAGE
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fe80::/10
        option src_port         547
        option dest_ip          fe80::/10
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP
# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp
#
# <=== DONT WANT THAT PASSTHROUGH ! :P
#
# allow IPsec/ESP and ISAKMP passthrough
### config rule
###     option src              wan
###     option dest             lan
###     option proto            esp
###     option target           ACCEPT
###
### config rule
###     option src              wan
###     option dest             lan
###     option dest_port        500
###     option proto            udp
###     option target           ACCEPT
###
### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

Output of "swconfig dev switch0 show" command

swconfig dev switch0 show
Global attributes:
        enable_vlan: 1
Port 0:
        pvid: 0
        link: port:0 link:up speed:1000baseT full-duplex txflow rxflow 
Port 1:
        pvid: 1
        link: port:1 link:up speed:100baseT full-duplex auto
Port 2:
        pvid: 1
        link: port:2 link:up speed:100baseT full-duplex auto
Port 3:
        pvid: 1
        link: port:3 link:up speed:100baseT full-duplex auto
Port 4:
        pvid: 2
        link: port:4 link:up speed:100baseT full-duplex auto
VLAN 0:
        vid: 0
        ports: 0t 
VLAN 1:
        vid: 1
        ports: 0t 1 2 3 
VLAN 2:
        vid: 2
        ports: 0t 4 

(Last edited by mward15 on 24 Dec 2016, 22:50)

It must be a very evil device if it tries to change its MAC address to bypass legitimate blocking.
Most IoTs or TVs will not do this if not infected with specially targeted malware or implanted with NSA-level crap.
But I agree if you want it blocked absolutely your solution is good.
Although, if infected with a very evil payload, the device can scan the available hosts and try to exploit their vulnerabilities.
