Topic: Firewall:allow connection Wifi -> LAN only for selected clients

Hello,

I was able to allow LAN->WIFI connections only for certain wifi clients, but I am struggling to make it work in the other direction. Could someone see the error in my config?

network

config interface 'lan'
    option ifname 'eth0 eth2'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '10.0.5.1'
    option ip6assign '64'

config interface 'wifi'
    option proto 'static'
    option ipaddr '10.0.6.1'
    option netmask '255.255.255.0'
    option delegate '0'

dhcp

config dhcp 'lan'
    option interface 'lan'
    option start '100'
    option limit '150'
    option leasetime '24h'
    option dhcpv6 'server'
    option ra 'server'
    option ignore '0'
    list dhcp_option '6,10.0.5.1'
    
config dhcp 'wifi'
    option interface 'wifi'
    option start '100'
    option limit '150'
    option leasetime '2h'
    list dhcp_option '6,10.0.6.1'
    

firewall

config zone
    option name 'lan'
    list network 'lan'
    list network 'vpn0'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wifi'
    option network 'wifi'
    option forward 'REJECT'
    option output 'ACCEPT'
    option input 'REJECT'

Working rule:

config rule
    option name 'LAN -> Wifi client'
    option src 'lan'
    option dest 'wifi'
    option dest_ip '10.0.6.xxx'
    option target 'ACCEPT'
    option family 'ipv4'

Not working rule:

config rule
    option name 'Wifi client -> LAN'
    option src 'wifi'
    option dest 'lan'
    option src_ip '10.0.6.xxx'
    option target 'ACCEPT'
    option family 'ipv4'

Thanks in advance

Re: Firewall:allow connection Wifi -> LAN only for selected clients

Have you configured forwarding options between LAN and WIFI?

Re: Firewall:allow connection Wifi -> LAN only for selected clients

ulmwind wrote:

Have you configured forwarding options between LAN and WIFI?

If you mean

config forwarding
    option src 'lan'
    option dest 'wifi'

config forwarding
    option src 'wifi'
    option dest 'lan'

Then no, because when I set it up that way, all wifi clients can access the LAN.

Re: Firewall:allow connection Wifi -> LAN only for selected clients

As far as I've understood, you want to enable but to restrict forwarding between zones. You should enable it like you've written and after that configure firewall rules to reject forwarding for specific clients.

Re: Firewall:allow connection Wifi -> LAN only for selected clients

ulmwind wrote:

As far as I've understood, you want to enable but to restrict forwarding between zones. You should enable it like you've written and after that configure firewall rules to reject forwarding for specific clients.

But the connection from LAN to Wifi, enabled only for 1 client, works even without specific forwarding rules (lan to wifi).

I can't reject specific clients, as it could be practically anyone on Wifi... I need to allow only a few devices to be able to access the LAN.

6 (edited by ulmwind 2017-03-21 22:16:50)

Re: Firewall:allow connection Wifi -> LAN only for selected clients

We can't see any answer, as you can see.
To my mind, you should use negation rules for IPs with !:

        option src_ip           '!192.168.1.100'

You can also define different zones:

        option subnet           '10.21.0.0/16'
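The approach ulmwind describes, written out as a complete firewall fragment. This is an added example, not config from the thread: it enables the wifi -> lan forwarding the OP tried and then adds a REJECT rule with a negated src_ip so that only one client gets through. 10.0.6.50 is an assumed address standing in for the 10.0.6.xxx placeholder; the zone definitions are the OP's.

```uci
# /etc/config/firewall fragment (added example, assumes the OP's zones above)
#
# In OpenWrt's firewall, 'config rule' entries are inserted into the zone's
# forward chain ahead of the 'config forwarding' accept, so a REJECT rule is
# evaluated before the blanket wifi -> lan forwarding below lets traffic pass.

# 1. Open forwarding from wifi to lan (this alone would admit every wifi client).
config forwarding
    option src 'wifi'
    option dest 'lan'

# 2. Reject forwarding for every wifi source EXCEPT the allowed client.
#    The value must be quoted so the leading '!' reaches the firewall intact.
#    'proto all' matters: a rule without it defaults to tcp+udp only, which
#    would leave ICMP and other protocols forwarded for the unwanted clients.
config rule
    option name 'Block wifi -> LAN except allowed client'
    option src 'wifi'
    option dest 'lan'
    option src_ip '!10.0.6.50'   # assumed client address
    option proto 'all'
    option family 'ipv4'
    option target 'REJECT'
```

Reload with /etc/init.d/firewall restart and check the resulting chain with iptables -L zone_wifi_forward -n to confirm the REJECT line precedes the forwarding ACCEPT. Because the match is on a source IP, the allowed device should hold a static DHCP lease so its address does not change.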