Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
S
S
Sergey Evstifeev2015-09-03 21:46:35
System administration
Sergey Evstifeev, 2015-09-03 21:46:35

Access point behind nat Prohibition of access to the local network from wifi how?

Good day
There is a local area network with stupid switches.
There is a task to set up wifi with Internet access but without access to the local network (to which the point is connected by a WAN port. There is a TPLink
WA701 available. because it is impossible to organize this using standard firmware;
does not work.via wifi from the access point you can get into the local
network.Settings:

[email protected]:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'



config interface 'WLAN'
         option ifname 'wlan0'
        option proto 'static'
        option ipaddr '192.168.88.1'
        option netmask '255.255.255.0'
        option dns '208.67.222.222'

config interface 'WAN'
         option ifname 'eth0'
        option proto 'dhcp'

[email protected]:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'WLAN'
        option forward 'REJECT'

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'WAN'
        option input 'ACCEPT'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option src 'lan'
        option name 'BLOCK LAN'
        option dest_ip '10.38.14.0/24'
        option target 'DROP'
        option dest '*'

It seems that everything was done correctly and the addresses 10.38.14.0/24 from wifi are still available.
Can someone show me where my mistake is?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
D
DastiX, 2015-09-04
@DastiX

VLAN+Routes+Firewall

Report
S
Sergey Evstifeev, 2015-09-04
@eserDEN

After reading about opernWRT, I learned that you can use iptables.
Removed all contents of /etc/config/firewall except for lines

config include
        option path '/etc/firewall.user'

in /etc/firewall.user wrote
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i wlan0 -d 10.38.14.0/24 -j DROP

And everything worked as it should, but why it didn’t work out with the firewal configuration with zones, the question remained open

Similar questions
A
Alexey Kostyukhin2017-10-16 10:20:04
Why does a group of computers with the same configuration lose connection to the gateway at the same time? 2Reply
V
vlarkanov2017-10-16 14:49:23
CEPH: how to mount CephFS on a machine with an old (3.16) kernel? 2Reply
D
DVoropaev2017-10-17 15:50:10
How to reconfigure postfix on centos? 2Reply
N
Novichok Admin2017-10-23 16:09:19
Is the default gateway not available on the local network? 1Reply
D
Dmitry2017-10-24 12:03:46
How does Windows check Internet access? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question