DD-WRT :: View topic - Restrict access to web gui to devices on lan

Restrict access to web gui to devices on lan

DD-WRT Forum Index -> Advanced Networking

Author

Message

Dd_Novice1
DD-WRT Novice

Joined: 04 Dec 2020
Posts: 3

Posted: Fri Dec 04, 2020 6:44 Post subject: Restrict access to web gui to devices on lan
I'm trying to prevent access to the DDWRT portal over wifi. And make it only accessible through a wired connection. I'm stuck and have no idea how to do it. Also, how would i set it up to only be accessible by a particular port?

Sponsor

egc
DD-WRT Guru

Joined: 18 Mar 2014
Posts: 12905
Location: Netherlands

Posted: Fri Dec 04, 2020 7:52 Post subject:

Welcome to the forum

To get the best out of DDWRT and the forum, read and follow the forum guidelines:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

We cannot answer your question without knowing the router model and build number, that is why the forum guidelines state to always include router model and build number Smile

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

eibgrad
DD-WRT Guru

Joined: 18 Sep 2010
Posts: 9157

Posted: Fri Dec 04, 2020 7:58 Post subject:

Disabling wireless GUI access is pretty simple. Look under Wireless->Advanced Wireless Settings. The tricky part is limiting the wired access to a single port, because by default, all the ports are part of a common VLAN, usually vlan1. To isolate a single port would require creating a new VLAN (e.g., vlan3) for the remaining ports, which then necessitates moving the wireless network interfaces of the default bridge (br0) over to a new bridge (e.g., br1) along w/ the new VLAN, then finally assigning br1 its own IP network, DHCP server, DNS servers, etc. IOW, br1 effectively replaces br0 as the default network. Throw in some firewall rules to limit access by 192.168.2.0/24 to 192.168.1.0/24 and the GUI specifically, and you've got something close to what you want. But this all assumes you can reconfigure the VLANs, which isn't always the case, given they are proprietary, and typically only supported on dd-wrt w/ Broadcom chipsets.

In short, the denial of wireless access is trivial, but limiting wired access to a single port is a whoooooole 'nother ballgame. And unless you're prepared to deal w/ all that complexity, perhaps not worth the trouble. A good compromise might be to limit access to the GUI by specific LAN IPs and/or MAC addresses. That's pretty simple to do.

egc
DD-WRT Guru

Joined: 18 Mar 2014
Posts: 12905
Location: Netherlands

Posted: Fri Dec 04, 2020 8:24 Post subject:

Disabling wireless access in the GUI is dependant on router model only a subset of routers have that functionality, that is why we need to know the router model Smile

Dd_Novice1
DD-WRT Novice

Joined: 04 Dec 2020
Posts: 3

Posted: Fri Dec 04, 2020 11:56 Post subject:
I have an archer a7 v5.

egc
DD-WRT Guru

Joined: 18 Mar 2014
Posts: 12905
Location: Netherlands

Posted: Fri Dec 04, 2020 12:06 Post subject:

I think those will not have that feature Sad

Alozaros
DD-WRT Guru

Joined: 16 Nov 2015
Posts: 6445
Location: UK, London, just across the river..

Posted: Fri Dec 04, 2020 14:45 Post subject: Re: Restrict access to web gui to devices on lan

Dd_Novice1 wrote:

I'm trying to prevent access to the DDWRT portal over wifi. And make it only accessible through a wired connection. I'm stuck and have no idea how to do it.

Also, how would i set it up to only be accessible by a particular port?

If got you correctly, you'd like to disable DDWRT GUI for a WiFi and leave it on only for the LAN ports (switch)...

I can offer you a simple solution more robust than your need...
Instead you can disable general access to GUI and allow it only to a specific hosts, selected/permitted either bu MAC address or an IP...

for m mac you may need to add those to your start up script ---- insmod ipt_mac and insmod xt_mac

iptables -I INPUT 1 -i br0 -p tcp --dport 443 -j REJECT
iptables -I INPUT 2 -i br0 -p tcp --dport 80 -j REJECT
iptables -I INPUT 3 -i br0 -p tcp --dport 443 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
iptables -I INPUT 4 -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT

or via IP (its presumed you've given static IP to those hosts)
iptables -I INPUT -i br0 -p tcp -s 192.168.1.101 --dport 80 -j ACCEPT
iptables -I INPUT -i br0 -p tcp -s 192.168.1.101 --dport 443 -j ACCEPT
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913

Display posts from previous:

Page 1 of 1

DD-WRT Forum Index -> Advanced Networking

All times are GMT

Navigation

Jump to:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum

Log in

Restrict access to web gui to devices on lan

Quick Links

Log in