BassT DD-WRT Novice Joined: 01 Sep 2020 Posts: 36
Posted: Mon Aug 29, 2022 7:39 Post subject:
Per Yngve Berg wrote: Add the allow rules to the printer etc. before the deny rule to the subnet.
It only works if the allow rule is AFTER the deny rule.
Code:
#Replace with the appropriate interface of your VAP, e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wl0.1"
#Net Isolation does not work on a WAP so keep it disabled, add for isolating VAP/Bridge from main network.
#Note: -I inserts each rule at the TOP of the chain, so the ACCEPT rules added below end up ahead of these REJECT rules:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 192.168.10.0/24 -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 192.168.20.0/24 -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 192.168.30.0/24 -m state --state NEW -j REJECT
#Allow single hosts (printer etc.); inserted last, so evaluated first:
iptables -I FORWARD -i $GUEST_IF -d 192.168.10.10 -j ACCEPT
iptables -I FORWARD -i $GUEST_IF -d 192.168.20.20 -j ACCEPT
#For isolating the WAP itself from the VAP (deny new connections, then allow DHCP and DNS in front of the deny):
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
BassT DD-WRT Novice Joined: 01 Sep 2020 Posts: 36
Posted: Mon Aug 29, 2022 19:49 Post subject:
And another question:
How do I disable internet access on some devices? Only LAN should work.
The problem: I can't read out the WAN IP, because the DD-WRT gets the Internet over LAN from the Fritzbox.
Or is there another method to read out the WAN IP?
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6855 Location: Romerike, Norway
Posted: Mon Aug 29, 2022 20:22 Post subject:
BassT wrote: Does only work, if the allow rule is AFTER the deny rule
The rule must be before, otherwise the deny will be executed first.
However when you insert, the last inserted rule will be the first in the chain.
BassT DD-WRT Novice Joined: 01 Sep 2020 Posts: 36
Posted: Tue Aug 30, 2022 7:05 Post subject:
Per Yngve Berg wrote: The rule must be before, otherwise the deny will be executed first.
However when you insert, the last inserted rule will be the first in the chain.
You are right, the chain looks like this:
Code:
Chain FORWARD (policy ACCEPT 49M packets, 30G bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- wl0.1 * 0.0.0.0/0 192.168.20.20
0 0 ACCEPT all -- wl0.1 * 0.0.0.0/0 192.168.10.20
656 46185 ACCEPT all -- wl0.1 * 0.0.0.0/0 192.168.10.10
9098 543K REJECT all -- wl0.1 * 0.0.0.0/0 192.168.30.0/24 state NEW reject-with icmp-port-unreachable
91 5460 REJECT all -- wl0.1 * 0.0.0.0/0 192.168.20.0/24 state NEW reject-with icmp-port-unreachable
152 9120 REJECT all -- wl0.1 * 0.0.0.0/0 192.168.10.0/24 state NEW reject-with icmp-port-unreachable
8045 488K REJECT all -- wl0.1 * 0.0.0.0/0 192.168.21.0/24 state NEW reject-with icmp-port-unreachable
Do you also have an idea how to deny internet access to some devices?
How do I find the WAN IP if WAN comes over a LAN port?
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6855 Location: Romerike, Norway
Posted: Tue Aug 30, 2022 15:26 Post subject:
The WAN: -o `get_wanface`
BassT DD-WRT Novice Joined: 01 Sep 2020 Posts: 36
Posted: Tue Aug 30, 2022 16:34 Post subject:
Per Yngve Berg wrote: The WAN: -o `get_wanface`
The output is "br0", but blocking br0 will not work, because I have a static route in the main router (FritzBox).
Also wan_ipaddr gives only 0.0.0.0 because WAN comes via LAN, ...
So, how do I block the WAN IP for some specific devices?
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6855 Location: Romerike, Norway
Posted: Tue Aug 30, 2022 19:07 Post subject:
Use the not operator "!"
iptables -I FORWARD -s 192.168.10.10 ! -d 192.168.0.0/16 -m state --state NEW -j REJECT
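The two points of this thread, that `-I` puts every new rule at the top of the chain (so rules typed last are evaluated first) and that `! -d` matches everything outside the given prefix, are easy to check without touching a router. The following is an added example, not code from the thread or from DD-WRT: a small model of iptables first-match evaluation. The chain is replayed from the script above once with insert (`-I`) and once with append (`-A`) semantics, and Per Yngve Berg's negation rule is added on top. All addresses (the 192.168.1.0/24 LAN, the 192.168.40.5 guest client, 8.8.8.8 as "the internet") and the interface names are constructed sample values.

```python
# Added example (not from the forum thread): a tiny model of iptables
# first-match semantics, used to show why rules inserted with -I end up
# in reverse order and how a "! -d" negation behaves.
# All addresses and interface names are constructed sample values.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    in_if: str          # interface the packet arrived on (-i)
    src: str
    dst: str
    new: bool = True    # True models a packet in conntrack state NEW


@dataclass
class Rule:
    target: str                    # ACCEPT or REJECT
    in_if: Optional[str] = None    # -i
    src: Optional[str] = None      # -s (CIDR)
    dst: Optional[str] = None      # -d (CIDR)
    dst_negated: bool = False      # "! -d": match when dst is OUTSIDE the prefix
    state_new: bool = False        # -m state --state NEW

    def matches(self, p: Packet) -> bool:
        if self.in_if is not None and p.in_if != self.in_if:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None:
            in_dst = ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
            if in_dst == self.dst_negated:   # plain -d needs a hit, "! -d" needs a miss
                return False
        if self.state_new and not p.new:
            return False
        return True


class Chain:
    """A chain with a default policy; the first matching rule decides."""

    def __init__(self, policy: str = "ACCEPT"):
        self.policy = policy
        self.rules: List[Rule] = []

    def add(self, rule: Rule, mode: str) -> None:
        if mode == "insert":           # iptables -I: rule goes to the top
            self.rules.insert(0, rule)
        else:                          # iptables -A: rule goes to the bottom
            self.rules.append(rule)

    def verdict(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.target
        return self.policy


def build_forward(mode: str = "insert", guest_if: str = "wl0.1") -> Chain:
    """Replays the thread's FORWARD rules in the order they were typed."""
    fw = Chain("ACCEPT")
    # deny rules first, as in the script (192.168.1.0/24 stands in for the LAN subnet)
    for net in ("192.168.1.0/24", "192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"):
        fw.add(Rule("REJECT", in_if=guest_if, dst=net, state_new=True), mode)
    # allow rules for single hosts, typed after the deny rules
    for host in ("192.168.10.10/32", "192.168.20.20/32"):
        fw.add(Rule("ACCEPT", in_if=guest_if, dst=host), mode)
    # LAN-only host: reject new connections from it to anything outside 192.168.0.0/16
    fw.add(Rule("REJECT", src="192.168.10.10/32", dst="192.168.0.0/16",
                dst_negated=True, state_new=True), mode)
    return fw


def chain_order(fw: Chain) -> List[str]:
    """Targets in evaluation order, like the target column of `iptables -L FORWARD`."""
    return [r.target for r in fw.rules]


if __name__ == "__main__":
    for mode in ("insert", "append"):
        fw = build_forward(mode)
        guest_to_printer = Packet("wl0.1", "192.168.40.5", "192.168.10.10")
        print(mode, chain_order(fw), fw.verdict(guest_to_printer))
```

With `insert` the chain reads REJECT (negation), ACCEPT, ACCEPT, REJECT x4, which is the order shown in the `iptables -L` output above, and a guest client reaching the printer at 192.168.10.10 gets ACCEPT; with `append` the same rules in the same typed order leave the ACCEPT rules behind the subnet REJECTs and the printer becomes unreachable. The negation rule rejects a new connection from 192.168.10.10 to 8.8.8.8 but leaves LAN traffic and already-established flows alone. One caveat the model cannot show: FORWARD only sees traffic the box actually forwards, and on an access point where client and gateway sit in the same bridge the frames are switched, not routed, so they traverse iptables only if bridge-nf-call-iptables is enabled in the kernel.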
BassT DD-WRT Novice Joined: 01 Sep 2020 Posts: 36
Posted: Tue Aug 30, 2022 21:25 Post subject:
Per Yngve Berg wrote: Use the not operator "!"
iptables -I FORWARD -s 192.168.10.10 ! -d 192.168.0.0/16 -m state --state NEW -j REJECT
Doesn't work.