I’m using a Flint 2 router. I have a device - a printer - that I want accessible by all devices on my LAN, but I want to block all access to/from the WAN. In addition, it would be nice if devices in my guest network could access the printer (and nothing else on the LAN), but that’s not critical.
I started by adding a new firewall zone to the OpenWRT firewall definitions with LuCI but I have no idea how to get the printer into that new zone. If this is the right direction, what do I do next? If this is the wrong direction, what should I do?
I saw a suggestion of using Parental Control, but I would have to turn off Network Acceleration, and it would do nothing for the guest network access.
Best is to not use a firewall zone; zones only work per network interface, which means you would put the printer on a whole different network (which is overkill).
Here is what you can do:
Find the MAC address of the printer. Once you have obtained it, do not share it, because it needs to be unique and some devices derive their IPv6 address on the internet from the MAC address. Don't worry, for IPv6 there is still a firewall involved; people often misunderstand this because there is no NAT, but a NAT is not the same as a firewall.
Navigate in LuCI to where you found the firewall zones, click on the tab Traffic Rules, scroll down, click add rule and configure it like:
Name: the name you want
Source zone: lan
Destination zone: wan
Action: reject
--
Now click on the tab Advanced Settings; here you fill in Source MAC, and here you put in the MAC of the printer.
Also you do not need to create a separate rule for inbound; firewalls work like this:
If the device initiated a packet first, the other side is allowed to respond on the same line, but if your device didn't initiate the first packet and the remote device did, it gets blocked. Basically all unsolicited packets get blocked by the firewall, so blocking outgoing is more than fine.
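To make the rule and the "solicited versus unsolicited" behaviour concrete, here is an added Python model of what the traffic rule does once it is in place. This is example code written for this thread, not OpenWrt's firewall4 or LuCI code. It assumes a default setup where br-lan belongs to the lan zone and eth1 to the wan zone; the MAC and IP addresses, ports and the rule name are constructed. The docstring shows the equivalent /etc/config/firewall rule section that the LuCI dialog writes (the option names src, dest, src_mac and target are the real ones; the values are assumed).

```python
"""Toy model of an OpenWrt traffic rule that blocks one MAC from reaching the WAN.

Added example, not OpenWrt/firewall4 code. The UCI form of the LuCI rule
described above looks like this (option names are real, values constructed):

    config rule
        option name 'printer-no-wan'
        option src 'lan'
        option dest 'wan'
        option src_mac '02:00:00:00:00:01'
        option target 'REJECT'
"""
from dataclasses import dataclass
from typing import Optional

PRINTER_MAC = "02:00:00:00:00:01"   # constructed, locally administered MAC
PC_MAC = "02:00:00:00:00:02"        # constructed
WAN_GW_MAC = "02:00:00:00:00:ff"    # constructed upstream gateway MAC
PRINTER_IP, PC_IP = "192.168.8.50", "192.168.8.20"   # constructed LAN addresses
CLOUD = "203.0.113.10"              # constructed internet host (TEST-NET-3)

# Interface -> zone mapping and allowed zone forwardings (default OpenWrt layout).
ZONE_OF_IFACE = {"br-lan": "lan", "eth1": "wan"}
FORWARDINGS = {("lan", "wan")}      # lan may reach wan; wan may not initiate to lan


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src_mac: str
    src: str        # "ip:port"
    dst: str        # "ip:port"
    out_iface: str


@dataclass
class Rule:
    name: str
    src: str                      # source zone
    dest: str                     # destination zone
    target: str                   # ACCEPT / REJECT / DROP
    src_mac: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if ZONE_OF_IFACE[pkt.in_iface] != self.src:
            return False
        if ZONE_OF_IFACE[pkt.out_iface] != self.dest:
            return False
        return not self.src_mac or pkt.src_mac.lower() == self.src_mac.lower()


RULES = [Rule("printer-no-wan", "lan", "wan", "REJECT", src_mac=PRINTER_MAC)]


class StatefulFirewall:
    """Connection tracking: a flow accepted in one direction lets replies back in."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = set()    # (initiator "ip:port", responder "ip:port")

    def decide(self, pkt: Packet) -> str:
        # 1. A reply to a flow this firewall already accepted is allowed.
        if (pkt.dst, pkt.src) in self.conntrack:
            return "ACCEPT"
        in_zone, out_zone = ZONE_OF_IFACE[pkt.in_iface], ZONE_OF_IFACE[pkt.out_iface]
        # 2. Traffic inside one zone (PC <-> printer on br-lan) is switched on the
        #    bridge and never hits the zone rules, so the printer stays reachable.
        if in_zone == out_zone:
            self.conntrack.add((pkt.src, pkt.dst))
            return "ACCEPT"
        # 3. Explicit traffic rules are evaluated before the zone forwarding policy.
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.target
        # 4. Zone forwarding policy; any other cross-zone packet is unsolicited.
        if (in_zone, out_zone) in FORWARDINGS:
            self.conntrack.add((pkt.src, pkt.dst))
            return "ACCEPT"
        return "REJECT"


def run_scenario() -> dict:
    """Feed constructed packets through the model and collect the verdicts."""
    fw = StatefulFirewall(RULES)
    return {
        # Printer tries to phone home: matched by the MAC rule.
        "printer_to_wan": fw.decide(Packet("br-lan", PRINTER_MAC, f"{PRINTER_IP}:40000", f"{CLOUD}:443", "eth1")),
        # PC prints: same zone, unaffected by the rule.
        "pc_to_printer": fw.decide(Packet("br-lan", PC_MAC, f"{PC_IP}:50000", f"{PRINTER_IP}:9100", "br-lan")),
        # PC browses: default lan -> wan forwarding, flow recorded in conntrack.
        "pc_to_wan": fw.decide(Packet("br-lan", PC_MAC, f"{PC_IP}:50001", f"{CLOUD}:443", "eth1")),
        # Server answers the PC: allowed only because the PC initiated the flow.
        "wan_reply_to_pc": fw.decide(Packet("eth1", WAN_GW_MAC, f"{CLOUD}:443", f"{PC_IP}:50001", "br-lan")),
        # Unsolicited connection from the internet to the printer: no flow, no forwarding.
        "wan_to_printer": fw.decide(Packet("eth1", WAN_GW_MAC, f"{CLOUD}:12345", f"{PRINTER_IP}:9100", "br-lan")),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:16} {verdict}")
```

The model shows why a single lan-to-wan REJECT rule is enough: the printer's outbound attempts never create a conntrack entry, so no reply can come back, and unsolicited inbound packets from the WAN already fall through to the default wan-to-lan policy.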
That’s certainly easier than what I was trying. However, I can’t put in the MAC address. The device doesn’t appear in the drop-down list of MAC addresses (even though it appears in the Admin Panel’s Clients list). And when I try to manually enter the MAC address in the –custom– line it stays greyed out so I can’t select it.
I believe when you have the dropdown of the field, if you scroll down you have an option to put in a MAC address manually.
If that doesn't work, like pressing Enter in the dropdown's text field, it is a mobile bug; it will 100% work on a PC browser.
It may not show the MAC address there because the device has a static IP? Fixed IPs don't use ARP, which LuCI relies on for discovery (along with the DHCP leases file) more than GL-iNet's UI does.
I went back into the firewall definition and the device showed up so I’ve set up the definition. I don’t know of any way to test this except to wait for the printer to try to “phone home”.
You could in theory temporarily add a mobile phone to the MAC list if you have access to LuCI with another device.
Or, for advanced users, install the tcpdump plugin, install an SSH client like PuTTY on a PC and connect to the router; the credentials are the same as for the web UI. It will first ask to accept the public key, then click yes.
From there you have access to a CLI prompt and you can use this command:
tcpdump -i eth1 host ip-of-printer
eth1 is the WAN device, but this can be different per router model; in LuCI you can check what device holds the WAN interface under Network -> Interfaces, or via the CLI command in SSH: ip r (the default route often is the WAN route).
My “main” computer is an Ethernet-attached PC. I could temporarily add my laptop to the MAC list and see if its internet connection is blocked. I should still be able to get a Remote Desktop connection to the laptop and access a NAS on the LAN from the laptop. I may try that when I have time.
I just checked; I already have it installed. I don’t think I’ve used it on this router, though.