FS#3577 - Traffic allowed by guest zones to other routers in the wan zone #8610

Closed
openwrt-bot opened this issue Jan 17, 2021 · 2 comments
@openwrt-bot

ncompact:

As per the title, no additional rules are allowed for traffic from guest zone to wan but no restrictions have been implemented if there are other routers after the wan interface.

Please implement an additional rule to the documentation
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/start
keep in mind to limit outgoing traffic from the guest zone to only internet traffic and which cannot send packets to other routers present in the wan

Personally, I have created a new rule that blocks traffic to private networks (perhaps there are valid alternatives to this, but I am not aware of them).

Attached is a standard rule to add (if considered optimal and functional to the needs).

uci -q delete firewall.guest_private
uci set firewall.guest_private="rule"
uci set firewall.guest_private.name="Drop forward guest zone to private nets"
uci set firewall.guest_private.src="guest"
uci set firewall.guest_private.target="DROP"
uci set firewall.guest_private.family="ipv4"
uci set firewall.guest_private.dest_ip="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
uci set firewall.guest_private.dest="*"
uci set firewall.guest_private.proto="tcp udp icmp"
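
To check which upstream addresses the rule above actually matches, this added example (not part of the original issue or the OpenWrt wiki) evaluates constructed sample destinations against the same `dest_ip` list; all function names are hypothetical. It shows that an upstream router addressed outside RFC 1918 space, for example in the 100.64.0.0/10 carrier-grade NAT range, is not matched by the rule.

```shell
#!/bin/sh
# CIDR list copied from dest_ip in the proposed guest_private rule.
GUEST_DROP_NETS="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"

# Convert a dotted-quad IPv4 address to an integer; return 1 if malformed.
ip_to_int() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 if IPv4 address $1 lies inside CIDR $2 (assumed well-formed).
in_cidr() {
    addr=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print DROP if the rule's dest_ip list matches the destination, NOMATCH if
# the packet falls through to later rules, INVALID for malformed input.
guest_rule_verdict() {
    ip_to_int "$1" >/dev/null || { echo INVALID; return 0; }
    for cidr in $GUEST_DROP_NETS; do
        if in_cidr "$1" "$cidr"; then echo DROP; return 0; fi
    done
    echo NOMATCH
}

# Constructed sample destinations (not from the issue): private, CGNAT,
# link-local and documentation-range addresses an upstream device might use.
for ip in 192.168.1.1 172.31.255.254 172.32.0.1 100.64.0.1 169.254.1.1 192.0.2.1; do
    printf '%-16s %s\n' "$ip" "$(guest_rule_verdict "$ip")"
done
```

NOMATCH only means this rule does not apply; whether the packet is forwarded depends on the remaining guest zone configuration.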

@openwrt-bot
Author

jow-:

It is a wiki, feel free to add an appropriate example

@openwrt-bot
Author

ncompact:

thanks
