Hello everyone,
the configuration should be done exclusively through IP addresses to ensure that only specific Internet connections are used through the router, rather than employing the less restrictive method of ‘Web Filtering’.
I have a Teltonika RUT241 router and want to configure it using the firewall file (/etc/config/firewall from the backup) with OpenWRT. The router should block all unnecessary internet connections. This means that only truly necessary internet connections should be allowed through the router. For this, I need the firewall configuration file (/etc/config/firewall) described in OpenWRT.
The router has set up three network segments:
- WAN,
- LAN, and
- GUEST.
The WAN has the internet connection and, for example, has the address 20.13.53.2.
In the LAN network with the address range 192.168.1.1/24, our IoT devices are located. An IoT device, for instance, has the IP address 192.168.1.201. And through this LAN network, one should be able to access the local web GUI of the router. When I connect to the network with a PC, I get, for example, the IP address 192.168.1.79 and can then access the local web GUI of the router via http://192.168.1.1/login in the browser.
The GUEST network has the address range 10.10.1.1/16. This network is provided to users via a free WiFi named “FREE_WLAN” and should allow users to use my website. This means GUEST needs access to the WAN for specific IP addresses to establish internet connections.
How could such a firewall file basically look like? Could someone please help me out here, because I’m not really making any progress.
I am aware that configuring via “Web Filtering” using white-domain lists is much simpler. However, I want a configuration without “Web Filtering” and only with firewall rules and IP addresses to ensure that only these specific internet connections are used through the router. Web Filtering, for example, allows the use of apps like Telegram, WhatsApp, etc.
config defaults '1'
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '0'
option auto_helper '1'
option flow_offloading '0'
config zone '2'
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option network 'wan wan6 mob1s1a1'
option log '0'
option conntrack '0'
option masq '0'
option mtu_fix '0'
config zone '3'
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option masq '1'
option mtu_fix '1'
config zone '4'
option name 'guest'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'guest'
option masq '1'
option mtu_fix '1'
config include '5'
option path '/etc/firewall.user'
config include '6'
option path '/etc/add-rs-rule.sh'
option reload '1'
config include 'pscan'
option port_scan '0'
option type 'script'
option reload '1'
option path '/usr/bin/port-scan-prevention'
config rule '9'
option src 'guest'
option name 'ALLOW_IPs'
option target 'ACCEPT'
option dest 'wan'
option enabled '1'
option proto 'all'
list dest_ip '12.34.56.78'
list dest_ip '12.34.56.91'
option utc_time '0'
option priority '1'
With Rule9 it should be possible to connect from GUEST network to both IP-Adresses: ‘12.34.56.78’ and ‘12.34.56.91’, but i get a timeout.
Many Thanks and BR