Cannot disable internet access (RUTX12)

I’m trying to configure Guest and IOT VLANs where the IOT VLAN is not supposed to have internet access. However, something is wrong, and the firewall rules never seem to apply properly. So now I tried to completely disable internet access also for the main LAN and I’m still able to access the internet. What could be wrong? Shouldn’t the firewall setup below disable all internet access on the network? (the zerotier service is disabled for now)

Good day

I have an example for you to work through below where there is no internet access.
This was done via a WiFi test SSID.

Please see below images to help with a guide
Also note, the heads give descriptions for you to understand them better, if you hover your mouse over the Zones heading “Forward” for example,

Hi! Thanks! Seems like the difference is that you have set Output to “Reject” for the zone and Forward to Accept. But if there is only one network in the zone, the forward rule shouldn’t matter right? But setting output to reject seems unwise, no? Isn’t traffic from the router to the device blocked then? Anyways, I changed Output to Reject and Forward to Accept but I still have internet access. I am also able to access devices on the LAN network, even though I have not allowed forwarding from the IOT zone to the lan zone.

I use the following rule to enable DHCP and DNS even when Input is set to reject. But it actually also does not matter. The clients get an IP address even when the rule is disabled (the address is in the right range 10.99.103.X, which is the IOT interface and not the main interface (10.99.1.X for me)).

Could there be something wrong with how the interfaces are set up?

Edit: after some more probing I realized that when I’m on the IOT network (with IP 10.99.103.X) I cannot reach the router with ping or http, but I am still assigned an IP address…

My connection is only over mobile by the way, if that matters.

Think perhaps I fixed it. There were two strange rules in my /etc/config/firewall:

I removed them and now it’s working as expected. So the invalid rules with no “src” must have allowed all forward traffic to the lan and wan zones.
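
For anyone auditing their own router for the same kind of leftover, here is an added example (not from the thread, and not the poster's actual rules, which are not shown above) that lists every `config rule` section in a UCI firewall file that has no `option src`, so each hit can be reviewed by hand. The function names `rules_without_src` and `sample_config` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag 'config rule' sections that have no 'option src'.
# Prints one line per hit: <line of section start> TAB <rule name> TAB <target>

rules_without_src() {
    awk -v q="'" '
    function unquote(s,   c) {       # strip one pair of matching quotes
        c = substr(s, 1, 1)
        if ((c == "\"" || c == q) && substr(s, length(s)) == c)
            s = substr(s, 2, length(s) - 2)
        return s
    }
    function report() {
        if (in_rule && !has_src)
            printf "%d\t%s\t%s\n", start, (name == "" ? "(unnamed)" : name), (target == "" ? "(none)" : target)
    }
    /^[ \t]*config[ \t]/ {           # a new section closes the previous one
        report()
        in_rule = (unquote($2) == "rule")
        has_src = 0; name = ""; target = ""; start = NR
        next
    }
    in_rule && /^[ \t]*option[ \t]/ {
        key = unquote($2)
        val = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        sub(/[ \t\r]+$/, "", val)
        val = unquote(val)
        if (key == "src" && val != "") has_src = 1
        else if (key == "name") name = val
        else if (key == "target") target = val
    }
    END { report() }
    ' "$@"
}

# Constructed sample config (not the poster's file): the second rule has no src.
sample_config() {
    cat <<'EOF'
config rule
    option name 'Allow-IOT-DHCP-DNS'
    option src 'iot'
    option target 'ACCEPT'

config rule
    option dest 'wan'
    option target 'ACCEPT'
EOF
}

sample_config | rules_without_src
```

On the router itself, call it as `rules_without_src /etc/config/firewall`; with no argument it reads the config from standard input.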