One IP within this LAN is assigned to a Ubiquiti AP which serves Internet access to a small park. The IP is 192.168.88.254 via static DHCP. The AP has its own DHCP and subnet (10.10.10.0/24). I would like to block access to my 192.168.88.0/24 LAN for users connected to that AP, leaving them only with Internet access and that’s it. I know this isn’t the best setup and that I should use a dedicated port and network for that AP, but unfortunately I don’t have total control over the network.
I can’t figure out how to make the rules in the firewall. I’m thinking about dropping forwarding from 10.10.10.0/24 to 192.168.88.0/24 or…?
Since the AP is connected to a particular interface, it would be more fail-proof to make firewall rules based on interfaces:
First firewall filter rule: Accept forward from unifi to wan:
in-interface: your port where unifi is connected (I assume it is not bridged with anything else)
out-interface: your wan port
action: accept
Second firewall filter rule: Deny forward from unifi (Even though it is a safe approach, this second rule is not necessary if you follow the principle “accept specified, deny everything else” and your firewall is already set up that way. If you are unsure, better to use this rule.)
in-interface: your port where unifi is connected
action: drop
This way, only packets destined to WAN will be forwarded from your unifi. Anything else from unifi will be dropped. You won’t have to worry about spoofed IPs or exceptions, and you won’t need to update your rule any time you add another subnet, etc…
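The two interface-based rules from this answer written out in RouterOS CLI form, as an added example that is not part of the original post. It assumes ether5 is the port the AP is wired to and ether1 is the WAN port; replace those with your own interface names.

```routeros
# Added example, not from the forum posts. Assumed interface names:
#   ether5 = port the Ubiquiti AP is wired to (not a member of the LAN bridge)
#   ether1 = WAN port
# Replace them with your own before pasting.

/ip firewall filter
# Keep (or add) the usual stateful rule first, so replies to connections the
# trusted LAN opens towards the AP itself (e.g. AP management) still flow back.
add chain=forward connection-state=established,related action=accept \
    comment="allow established/related"

# Rule 1: traffic entering from the AP port may leave only via WAN
add chain=forward in-interface=ether5 out-interface=ether1 action=accept \
    comment="guest AP: forward to Internet only"

# Rule 2: anything else entering from the AP port (towards 192.168.88.0/24
# or any subnet you add later) is dropped; no IP match, so spoofed sources
# do not matter
add chain=forward in-interface=ether5 action=drop \
    comment="guest AP: drop forward to everything else"

# Both rules must sit above any broad "accept forward from LAN" rule;
# check the order and the hit counters after testing from a guest client:
/ip firewall filter print stats where comment~"guest AP"
```

Users behind the AP can still reach services on the router itself (input chain) through the AP's NAT; if that is unwanted, add input rules for in-interface=ether5 that accept only what the AP needs, DHCP (UDP 67/68) at least, and drop the rest.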
What I would do is turn all that traffic into a vlan.
So let’s say eth3 is a port that is directly wired to the AP.
create a guest-bridge (pvid=1) ingress filtering=yes
create vlanAP_30
associate the vlan to the guest bridge when identifying the vlan interface
add address with interface being vlanAP_30
add ip pool 192.168.30.2-192.168.30.3
etc…
Create a vlan DHCP-server services and DHCP-server network
add address with interface being vlanAP_30
192.168.30.0/24 etc
etc…
In other words you are going to give a VLAN LAN IP to the AP.
associate the vlan to the guest bridge when identifying the vlan interface
/interface bridge port
add bridge=guest-bridge interface=eth3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged