Restrict access to web gui to devices on lan

Dd_Novice1
DD-WRT Novice


Joined: 04 Dec 2020
Posts: 3

Posted: Fri Dec 04, 2020 6:44    Post subject: Restrict access to web gui to devices on lan
I'm trying to prevent access to the DDWRT portal over wifi. And make it only accessible through a wired connection. I'm stuck and have no idea how to do it.

Also, how would I set it up to only be accessible by a particular port?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7449
Location: Netherlands

Posted: Fri Dec 04, 2020 7:52    Post subject:
Welcome to the forum

To get the best out of DDWRT and the forum, read and follow the forum guidelines:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

We cannot answer your question without knowing the router model and build number; that is why the forum guidelines state to always include router model and build number :)

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8687

Posted: Fri Dec 04, 2020 7:58    Post subject:
Disabling wireless GUI access is pretty simple. Look under Wireless->Advanced Wireless Settings. The tricky part is limiting the wired access to a single port, because by default, all the ports are part of a common VLAN, usually vlan1. To isolate a single port would require creating a new VLAN (e.g., vlan3) for the remaining ports, which then necessitates moving the wireless network interfaces of the default bridge (br0) over to a new bridge (e.g., br1) along w/ the new VLAN, then finally assigning br1 its own IP network, DHCP server, DNS servers, etc. IOW, br1 effectively replaces br0 as the default network. Throw in some firewall rules to limit access by 192.168.2.0/24 to 192.168.1.0/24 and the GUI specifically, and you've got something close to what you want. But this all assumes you can reconfigure the VLANs, which isn't always the case, given they are proprietary, and typically only supported on dd-wrt w/ Broadcom chipsets.

In short, the denial of wireless access is trivial, but limiting wired access to a single port is a whoooooole 'nother ballgame. And unless you're prepared to deal w/ all that complexity, perhaps not worth the trouble. A good compromise might be to limit access to the GUI by specific LAN IPs and/or MAC addresses. That's pretty simple to do.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7449
Location: Netherlands

Posted: Fri Dec 04, 2020 8:24    Post subject:
Disabling wireless access in the GUI is dependent on router model; only a subset of routers have that functionality, that is why we need to know the router model :)
Dd_Novice1
DD-WRT Novice


Joined: 04 Dec 2020
Posts: 3

Posted: Fri Dec 04, 2020 11:56    Post subject:
I have an Archer A7 v5.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7449
Location: Netherlands

Posted: Fri Dec 04, 2020 12:06    Post subject:
I think those will not have that feature :(
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4237
Location: UK, London, just across the river..

Posted: Fri Dec 04, 2020 14:45    Post subject: Re: Restrict access to web gui to devices on lan
Dd_Novice1 wrote:
I'm trying to prevent access to the DDWRT portal over wifi. And make it only accessible through a wired connection. I'm stuck and have no idea how to do it.

Also, how would I set it up to only be accessible by a particular port?


If I got you correctly, you'd like to disable the DDWRT GUI for WiFi and leave it on only for the LAN ports (switch)...

I can offer you a simple solution more robust than your need...
Instead you can disable general access to the GUI and allow it only to specific hosts, selected/permitted either by MAC address or by IP...

For MAC you may need to add these to your startup script: insmod ipt_mac and insmod xt_mac

# ACCEPT rules sit above the REJECT rules: iptables stops at the first matching rule
iptables -I INPUT 1 -i br0 -p tcp --dport 443 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
iptables -I INPUT 2 -i br0 -p tcp --dport 80 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
iptables -I INPUT 3 -i br0 -p tcp --dport 443 -j REJECT
iptables -I INPUT 4 -i br0 -p tcp --dport 80 -j REJECT

or via IP (it's presumed you've given static IP to those hosts)
iptables -I INPUT -i br0 -p tcp -s 192.168.1.101 --dport 80 -j ACCEPT
iptables -I INPUT -i br0 -p tcp -s 192.168.1.101 --dport 443 -j ACCEPT

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 45993 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 46329 BS AP,NAT,AP Isolation,Ad-Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 46166 BS AP,NAT,AD/Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 46259 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 46259 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,VLAN's,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
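
The allowlist approach from the last reply, as an added example that is not code from the thread: it validates each MAC or IPv4 entry, prints the ACCEPT rules at explicit positions above the REJECT rules, and refuses an empty allowlist. The br0 interface and ports 80/443 come from the post; the sample hosts are constructed, and gui_rules, is_mac, is_ipv4 and order_ok are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: LAN bridge br0, GUI on tcp/80 and tcp/443.
LAN_IF="br0"
GUI_PORTS="80 443"

is_mac() {   # six colon-separated hex octets
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

is_ipv4() {  # dotted quad with every octet <= 255
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Print iptables commands: one ACCEPT per allowed host and port, then the
# catch-all REJECTs. Explicit positions keep every ACCEPT above the REJECTs.
gui_rules() {
    n=1; out=""
    for host in "$@"; do
        if is_mac "$host"; then match="-m mac --mac-source $host"
        elif is_ipv4 "$host"; then match="-s $host"
        else echo "invalid host: $host" >&2; return 1
        fi
        for port in $GUI_PORTS; do
            out="${out}iptables -I INPUT $n -i $LAN_IF -p tcp --dport $port $match -j ACCEPT
"
            n=$((n + 1))
        done
    done
    # An empty allowlist would leave only REJECT rules and lock out the admin.
    [ "$n" -gt 1 ] || { echo "empty allowlist, refusing" >&2; return 1; }
    for port in $GUI_PORTS; do
        out="${out}iptables -I INPUT $n -i $LAN_IF -p tcp --dport $port -j REJECT
"
        n=$((n + 1))
    done
    printf '%s' "$out"
}

# Succeeds only if no ACCEPT follows a REJECT; iptables stops at the first
# matching rule, so an ACCEPT below the REJECT is never reached.
order_ok() {
    printf '%s\n' "$1" | awk '/-j REJECT/ {r=1} /-j ACCEPT/ && r {bad=1} END {exit bad}'
}

# Constructed sample hosts: one MAC and one static LAN IP.
gui_rules "aa:bb:cc:dd:ee:ff" "192.168.1.101"
```

The printed lines can be placed in the router's firewall script. MAC and source-IP matches identify a host only as long as no other LAN device uses the same address.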