Most of the untrusted devices connect via wifi using the AP, but I also have some other wired devices to improve performance.
Currently the devices in the 10.0.0.x network can talk to devices in the 192.168.8.x network. I don’t want that to happen.
I am reading a bit more about iptables so I can add a few rules (or rule) to block all the packets that go to any host in the 192.168.8.x network (other than .1 which is the router).
Anyway, I wanted to know if you have any thoughts or anyone has a similar setup. If so, what rules have you added to openwrt to block traffic?
You can make a VLAN and put all devices on another, different IP range by adding another network interface in LuCI… it will pass over the same LAN cable: make it tagged and assign it to that network interface.
Search the net, there are a lot of easy tutorials on YT on how to make a VLAN on OpenWrt.
I was trying to do this for testing: dropping all icmp packets coming from the 10.0.0.x network and going to any machine in the 192.168.8.x network other than 192.168.8.1.
From a machine within the IOT network (10.0.0.x) I ping a machine on the 192.168.8.x network. I keep the ping running.
I had a couple of port forwarding entries set up to give access to the http openwrt server and also ssh to a machine within the IOT network (10.0.0.0/24). Those two entries will not work if you only add those two iptables rules I sent earlier. We need to add one more rule to fix this. Here are the new commands:
Notice the first entry. That’s what does the trick.
I think the reason why that rule fixes the issue is because we are telling iptables to load the connection tracker. Then, let’s say I open a socket from a machine in the 192.168.8.0/24 network to port 8080 on the little mango. Rule #2 will kick in and let the packet pass. At that point, iptables tracks the connection. Incoming packets on that connection will now go through because of rule #1 (since the packets belong to an ESTABLISHED connection); before that, rule #3 was kicking in and dropping all packets on that type of connection.
# cat >> /etc/firewall.user
# Only let traffic to the router from the IOT network
# But let established connections from the 192 network to the IOT network
iptables -I FORWARD 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -d 192.168.8.1 -j ACCEPT
iptables -I FORWARD 3 -d 192.168.8.0/24 -j DROP
<Ctrl-c>
I like /etc/firewall.user better than using /etc/config/firewall because /etc/config/firewall does not use iptables cmds but abstractions of them (check the file and you’ll see what I mean).
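To make the rule-ordering argument above concrete, here is an added toy model of the three FORWARD rules (my own example, not the poster's code and not how netfilter is implemented): conntrack is a set of 5-tuples, the chain's final policy is assumed to be ACCEPT, and the hosts 10.0.0.20 and 192.168.8.50 are made-up sample addresses.

```python
import ipaddress

# A packet is modelled as (proto, src, sport, dst, dport); constructed sample data only.
Packet = tuple


def _reverse(pkt):
    proto, src, sport, dst, dport = pkt
    return (proto, dst, dport, src, sport)


class Conntrack:
    """Minimal stand-in for the kernel connection tracker."""

    def __init__(self):
        self.table = set()

    def state(self, pkt):
        # A packet whose flow (either direction) was already accepted is ESTABLISHED.
        if pkt in self.table or _reverse(pkt) in self.table:
            return "ESTABLISHED"
        return "NEW"

    def note(self, pkt):
        self.table.add(pkt)


def forward(pkt, ct, with_conntrack_rule=True):
    """Walk the FORWARD chain in the order the posted rules use and return the verdict."""
    dst = ipaddress.ip_address(pkt[3])
    router = ipaddress.ip_address("192.168.8.1")
    trusted = ipaddress.ip_network("192.168.8.0/24")

    chain = []
    if with_conntrack_rule:  # rule #1: -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        chain.append(lambda p: "ACCEPT" if ct.state(p) == "ESTABLISHED" else None)
    chain.append(lambda p: "ACCEPT" if dst == router else None)   # rule #2: -d 192.168.8.1 -j ACCEPT
    chain.append(lambda p: "DROP" if dst in trusted else None)    # rule #3: -d 192.168.8.0/24 -j DROP

    verdict = "ACCEPT"  # assumed: nothing later in the chain drops the packet
    for rule in chain:
        result = rule(pkt)
        if result is not None:
            verdict = result
            break
    if verdict == "ACCEPT":
        ct.note(pkt)  # the tracker only learns flows that were allowed through
    return verdict
```

Running the port-forward scenario through `forward()` twice, once with and once without rule #1, shows that the reply from 10.0.0.20:8080 back to 192.168.8.50 is accepted only when the ESTABLISHED rule is present; otherwise rule #3 drops it.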