allow wifi only local network

I need to have only the Ethernet port connected to the web, and WiFi connected only to the local network.
When I start with the default configuration I have Ethernet and WLAN on the same bridge; I tried adding a rule to the firewall, but it blocked all connections, including Ethernet.

Can someone help me configure just this rule, please?

Okay, let's see if this makes sense.

You have a wired LAN.
You have WiFi.
a. Is the wifi on the same subnet as the LAN?
b. Do you want the wifi on a different subnet?
c. Should wifi be able to access the wired LAN?
d. Should wifi be able to access the internet?
e. Should the wired LAN be able to access the internet?
f. Is there a shared device on the wired LAN that wifi users need access to (printer)?

a. Is the wifi on the same subnet as the LAN?
The wifi is on the same subnet.
b. Do you want the wifi on a different subnet?
I want wifi to be on the same subnet.
c. Should wifi be able to access the wired LAN?
I want wifi access to the equipment connected on the wired LAN.
d. Should wifi be able to access the internet?
I want that when you are connected to wifi you do not have access to the internet.
e. Should the wired LAN be able to access the internet?
I want that when you are connected by LAN you have access to the internet.
f. Is there a shared device on the wired LAN that wifi users need access to (printer)?
Yes, that's right.

The easy answer is NOT to have the wifi on the same subnet.
It is very easy to put wifi on a VLAN or a different LAN, your choice.
Then via firewall filter rules you will only allow LAN(wired) to internet
and you will allow the VLAN or wifi LAN subnet to only access the single wired LAN IP.

By putting them on the same subnet you are in effect connecting them at layer 2, which
you cannot control at layer 3 by firewall rules, and thus it is simple and easy to
put them on different subnets. I have many VLANs at my house, one for guest wifi for example.

If you want to have wifi devices only as “local devices”, such as a printer etc., and not be able to connect to the internet,
you could simply assign those clients static IP addresses and then put them into an address list.
Then one of your first firewall forward rules would be to drop traffic from source address list = your_block_address_list and out-interface = WAN.

That way there is no need to do a VLAN (which I think is more complex compared to the above solution).
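The address-list approach described above, written out as RouterOS commands. This is an added example, not configuration posted in the thread; it assumes the stock RouterOS default configuration (bridge on 192.168.88.0/24, DHCP server named "defconf", interface list "WAN" containing the internet port), and the MAC addresses, client IPs and list name are constructed placeholders.

```routeros
# Added example (not from the thread): pin the "local only" WiFi clients to
# fixed addresses, collect them in an address list, and drop their traffic
# toward the WAN before the default forward rules would accept it.
# Assumptions: default RouterOS config (bridge on 192.168.88.0/24, DHCP
# server "defconf", interface list "WAN"); all MAC/IP values are constructed.

# 1. Static DHCP leases so the listed clients always get the same address.
/ip dhcp-server lease
add server=defconf mac-address=AA:BB:CC:00:00:01 address=192.168.88.201 comment="wifi tablet (local only)"
add server=defconf mac-address=AA:BB:CC:00:00:02 address=192.168.88.202 comment="wifi scanner (local only)"

# 2. Address list holding every client that must not reach the internet.
/ip firewall address-list
add list=wifi-local-only address=192.168.88.201 comment="wifi tablet"
add list=wifi-local-only address=192.168.88.202 comment="wifi scanner"

# 3. Drop list members heading out any WAN interface. place-before=0 puts
#    the rule at the top of the forward chain, ahead of the default
#    "accept established,related" and "accept from LAN" rules, so a listed
#    client is blocked for new and existing internet connections alike.
#    Traffic between listed clients and the rest of 192.168.88.0/24 never
#    traverses the forward chain toward WAN and is untouched.
/ip firewall filter
add chain=forward action=drop src-address-list=wifi-local-only out-interface-list=WAN place-before=0 comment="wifi local-only clients: no internet"
```

Check with `/ip firewall filter print` that the drop rule sits at index 0, and with `/ip firewall filter print stats` that its packet counter climbs when a listed client tries to reach the internet. The rule matches on source IP, so it only holds while those clients keep their leased addresses; a client that changes its own address on the flat bridge is no longer in the list, which is the layer-2 limitation the other reply points out.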

Well that depends…
From a security router admin standpoint, no access is granted unless required.
Meaning if the wifi users ONLY need access to the LAN for the shared printer that also means there is no requirement for them to access the rest of the LAN.

Thus one only needs the following filter rule (when using a VLAN):
/ip firewall filter add action=accept chain=forward in-interface=vlan src-address=vlansubnet dst-address=IP_of_printer

Even further and better security would be to narrow down access to the IP and further limit that access to specific ports and protocols…
I think you should get the sense of what good security practices entail.

Security practices have a global effect that is positive. For example, in both cases the wifi connections cannot get to the net and are less likely to be hacked in that way.
However, the wifi devices can still get infected through USB or their own cellular email connections or browsing; in my scenario they cannot endanger the LAN devices, as they are not granted access, but in your setup they could be used by malware to hop to the LAN.
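The separate-subnet design from the earlier reply, carried through to the narrowed rule this last post asks for (printer IP plus specific ports). This is an added example, not configuration from the thread; it takes the "different LAN" variant (WiFi interface pulled out of the bridge) rather than an 802.1Q VLAN, and assumes the default RouterOS config with wlan1 in "bridge" on 192.168.88.0/24, a wired printer at 192.168.88.10 listening on TCP 9100 (raw print) and TCP 631 (IPP), and a constructed 192.168.20.0/24 WiFi subnet.

```routeros
# Added example (not from the thread): put WiFi on its own LAN and allow it
# to reach only the shared printer, on the printer's ports; everything else
# from WiFi (internet and the rest of the wired LAN) is dropped.
# Assumptions: default RouterOS config, wlan1 currently a bridge port,
# printer at 192.168.88.10 on TCP 9100/631; all values are constructed.

# 1. Take wlan1 out of the bridge so WiFi is no longer on the wired LAN at
#    layer 2, then give it its own subnet, DHCP server and DNS settings.
/interface bridge port
remove [find interface=wlan1]
/ip address
add address=192.168.20.1/24 interface=wlan1
/ip pool
add name=wifi-pool ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add name=wifi-dhcp interface=wlan1 address-pool=wifi-pool disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 2. Keep wlan1 in the "LAN" interface list so the default input-chain rule
#    still lets WiFi clients reach the router for DHCP and DNS.
/interface list member
add list=LAN interface=wlan1

# 3. Forward chain for WiFi, inserted ahead of the default rules: replies to
#    already-allowed connections, then the single printer exception, then a
#    drop. The drop is what stops an infected WiFi device from hopping to the
#    wired LAN or the internet.
/ip firewall filter
add chain=forward action=accept connection-state=established,related place-before=0 comment="replies to allowed connections"
add chain=forward action=accept in-interface=wlan1 src-address=192.168.20.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=9100,631 place-before=1 comment="wifi -> printer only"
add chain=forward action=drop in-interface=wlan1 place-before=2 comment="wifi: nothing else"
```

Verify from a WiFi client that printing works and that `ping 8.8.8.8` and connections to any other wired host fail, then watch the drop rule's counters in `/ip firewall filter print stats`. If the printer (or any wired host) should also be prevented from opening connections toward WiFi, add a matching drop for `out-interface=wlan1 connection-state=new` after the printer rule.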