Hi all.
I loaded FW 2.2 and it works fine.
Now I'd like to set up firewall rules so that WiFi users aren't allowed to access the router configuration mask (available at http://192.168.1.1).
I configured ethernet ports in LAN group 1 (192.168.1.x) and WiFi access in LAN group 2 (192.168.2.x) and made several different attempts:
1. I enabled LAN separation, to stop traffic to and from LAN group 1 and LAN group 2
2. I turned on Custom IP Filters, both on LAN group 1 and 2, with the following rule: block traffic from 192.168.2.0/255.255.255.0 to 192.168.1.1/255.255.255.255 port 80
3. I enabled Bridge Filters, both on LAN group 1 and 2, with the following rule: deny traffic from 00-00-00-00-00-00/WLAN to router_MAC/ANY protocol ANY
None of these rules seems to work: web access to the router is always available to WiFi users.
Any idea?
The output of the Gateway System Information window follows:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
213.205.xxx.xxx 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
239.0.0.0 0.0.0.0 255.0.0.0 U 1 0 0 br0
0.0.0.0 213.205.16.100 0.0.0.0 UG 0 0 0 ppp0
Address HWtype HWaddress Flags Mask Iface
192.168.1.2 ether 00:xx:xx:xx:xx:xx C br0
Chain PREROUTING (policy ACCEPT 1793 packets, 130K bytes)
pkts bytes target prot opt in out source destination
13 624 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.2:443
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:26934 to:192.168.1.2:26934
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23411 to:192.168.1.2:23411
0 0 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:32459 to:192.168.1.2:32459
0 0 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32459 to:192.168.1.2:32459
Chain POSTROUTING (policy ACCEPT 21 packets, 1153 bytes)
pkts bytes target prot opt in out source destination
306 15861 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 25 packets, 1620 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 5365 packets, 435K bytes)
pkts bytes target prot opt in out source destination
23 3165 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
1167 98399 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 13823 packets, 4618K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- br1 * 192.168.2.0/24 192.168.1.1 tcp dpt:80
14342 13M ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
13 624 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.2 tcp dpt:443
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 192.168.1.2 udp dpt:26934
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.2 tcp dpt:23411
0 0 ACCEPT udp -- ppp0 * 0.0.0.0/0 192.168.1.2 udp dpt:32459
0 0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.2 tcp dpt:32459
0 0 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- br0 br1 0.0.0.0/0 0.0.0.0/0
5 300 DROP all -- br1 br0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 8971 packets, 7244K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 DROP icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 state INVALID
Bye
Arturo
Blocking access to the router web management console
I guess that using Access Control I block web traffic from br1 (WiFi access) both to the router and to all WAN web servers, don't I? (see rule below)
Chain INPUT (policy ACCEPT 12218 packets, 888K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP tcp -- br1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
Arturo
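An added illustration, not from the thread or from the RouterTech firmware: a small Python model of how netfilter chooses a chain. It shows why the FORWARD rule for 192.168.1.1 port 80 from the first post never counted a packet (traffic addressed to the router itself goes through INPUT, not FORWARD), and why the later INPUT rule on br1 port 80 drops only web traffic to the router while web traffic to WAN servers, which is forwarded, is untouched. It assumes 192.168.2.1 as the router's br1-side address (not shown in the thread) and uses constructed client and WAN addresses.

```python
import ipaddress

# Assumed router-owned addresses: 192.168.1.1 is from the thread; the br1-side
# address is not shown there, so 192.168.2.1 is a constructed guess.
ROUTER_ADDRS = {"192.168.1.1", "192.168.2.1"}


def rule(chain, target, proto="all", in_if="*", src="0.0.0.0/0",
         dst="0.0.0.0/0", dport=None):
    """One iptables rule, in the fields the posted listing shows."""
    return {"chain": chain, "target": target, "proto": proto, "in_if": in_if,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": dport}


def matches(r, pkt):
    return (r["proto"] in ("all", pkt["proto"])
            and r["in_if"] in ("*", pkt["in_if"])
            and ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and (r["dport"] is None or r["dport"] == pkt.get("dport")))


def verdict(rules, pkt, policy="ACCEPT"):
    """Pick the chain the way netfilter does (INPUT for the router's own
    addresses, FORWARD for routed traffic), then walk that chain in order.
    The chain policy in the posted listing is ACCEPT."""
    chain = "INPUT" if pkt["dst"] in ROUTER_ADDRS else "FORWARD"
    for r in rules:
        if r["chain"] == chain and matches(r, pkt):
            return chain, r["target"]
    return chain, policy


# The two attempts from the thread, as rule lists.
FORWARD_ATTEMPT = [rule("FORWARD", "DROP", "tcp", "br1", "192.168.2.0/24",
                        "192.168.1.1/32", 80)]
INPUT_ATTEMPT = [rule("INPUT", "DROP", "tcp", "br1", dport=80)]

# Constructed sample packets from a WiFi client on br1.
TO_ROUTER_UI = {"in_if": "br1", "proto": "tcp", "src": "192.168.2.10",
                "dst": "192.168.1.1", "dport": 80}
TO_WAN_WEB = {"in_if": "br1", "proto": "tcp", "src": "192.168.2.10",
              "dst": "203.0.113.10", "dport": 80}  # TEST-NET-3 address

if __name__ == "__main__":
    for name, rules in (("FORWARD rule", FORWARD_ATTEMPT),
                        ("INPUT rule", INPUT_ATTEMPT)):
        for pkt in (TO_ROUTER_UI, TO_WAN_WEB):
            print(name, "->", pkt["dst"], verdict(rules, pkt))
```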
thechief
Well, all volunteer efforts to produce better documentation will be welcome.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
You're right.
Just some further consideration about Access control: I enabled Access control, inhibiting WLAN access to the router. I left LAN1 to LAN2 isolation enabled. But strangely enough the two rules related to LAN isolation
DROP all -- br0 br1 0.0.0.0/0 0.0.0.0/0
DROP all -- br1 br0 0.0.0.0/0 0.0.0.0/0
disappeared in the Gateway System Information output!
So I un-flagged and then flagged again LAN isolation and the two rules came back again. But it seems like I can't save such a configuration ...
Bye