Posted: Fri Dec 04, 2020 6:44 Post subject: Restrict access to web gui to devices on lan
I'm trying to prevent access to the DDWRT portal over wifi. And make it only accessible through a wired connection. I'm stuck and have no idea how to do it.
Also, how would I set it up to only be accessible by a particular port?
Disabling wireless GUI access is pretty simple. Look under Wireless->Advanced Wireless Settings. The tricky part is limiting the wired access to a single port, because by default, all the ports are part of a common VLAN, usually vlan1. To isolate a single port would require creating a new VLAN (e.g., vlan3) for the remaining ports, which then necessitates moving the wireless network interfaces of the default bridge (br0) over to a new bridge (e.g., br1) along w/ the new VLAN, then finally assigning br1 its own IP network, DHCP server, DNS servers, etc. IOW, br1 effectively replaces br0 as the default network. Throw in some firewall rules to limit access by 192.168.2.0/24 to 192.168.1.0/24 and the GUI specifically, and you've got something close to what you want. But this all assumes you can reconfigure the VLANs, which isn't always the case, given they are proprietary, and typically only supported on dd-wrt w/ Broadcom chipsets.
In short, the denial of wireless access is trivial, but limiting wired access to a single port is a whoooooole 'nother ballgame. And unless you're prepared to deal w/ all that complexity, perhaps not worth the trouble. A good compromise might be to limit access to the GUI by specific LAN IPs and/or MAC addresses. That's pretty simple to do.
Posted: Fri Dec 04, 2020 14:45 Post subject: Re: Restrict access to web gui to devices on lan
Dd_Novice1 wrote:
I'm trying to prevent access to the DDWRT portal over wifi. And make it only accessible through a wired connection. I'm stuck and have no idea how to do it.
Also, how would I set it up to only be accessible by a particular port?
If I got you correctly, you'd like to disable the DDWRT GUI for WiFi and leave it on only for the LAN ports (switch)...
I can offer you a simple solution, more robust than what you need...
Instead you can disable general access to the GUI and allow it only to specific hosts, selected/permitted either by MAC address or by IP...
For MAC you may need to add these to your startup script: insmod ipt_mac and insmod xt_mac
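The host-based restriction suggested in the replies above, as an added example that is not from the thread: a shell function that prints iptables rules allowing the GUI only from listed LAN IPs or MAC addresses. Assumed here: the GUI listens on TCP 80 and 443 and the LAN bridge is br0; the function name and the sample hosts are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Prints iptables rules that limit the
# router's web GUI to listed hosts; nothing is applied by this script.
GUI_PORTS="80 443"   # assumption: GUI on HTTP, plus HTTPS if enabled
LAN_IF="br0"         # default LAN bridge, as named in the thread

# gui_allow_rules HOST...   HOST is an IPv4 address or a MAC address.
# Emits the rules on stdout. A malformed entry returns 1 and prints no rules,
# so a typo cannot leave a half-built rule set (format check only).
gui_allow_rules() {
    out=""
    for port in $GUI_PORTS; do
        # -I inserts at the top of INPUT, so the DROP is emitted first and
        # every ACCEPT emitted after it ends up above it in the chain.
        out="${out}iptables -I INPUT -i $LAN_IF -p tcp --dport $port -j DROP
"
        for host in "$@"; do
            if printf '%s\n' "$host" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'; then
                match="-m mac --mac-source $host"
            elif printf '%s\n' "$host" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                match="-s $host"
            else
                echo "invalid host entry: $host" >&2
                return 1
            fi
            out="${out}iptables -I INPUT -i $LAN_IF $match -p tcp --dport $port -j ACCEPT
"
        done
    done
    printf '%s' "$out"
}

# Constructed sample hosts: one admin PC by IP, one laptop by MAC.
gui_allow_rules 192.168.1.10 AA:BB:CC:DD:EE:FF
```

The printed rules are meant to be reviewed and then saved as the router's firewall commands, with the MAC modules named in the reply above loaded first. IP and MAC addresses can be changed by any LAN host, so this narrows who can reach the login page and does not replace the GUI password.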