Firewall Priority and blocking rules

If I want to block Internet access (0.0.0.0/0) for a full /24 IP block BUT let specific IPs get Internet access, and
“force” someone (evil, sneak-peek, naughty person) to use a specific subnet to get online, what’s the proper way?

Let’s say we have 10.23.1.0/24, 10.23.50.0/24 and 10.23.40.0/24
On 10.23.40.0/24 there are some specific devices that I want to be online (one routerboard, 4 APs connecting 2 people, etc.).
On 10.23.50.0/24 there are PCs that wirelessly connect to 10.23.40.1 and get Internet from me.
10.23.1.0 is my own network.


Someone can get Internet using IP addresses on 10.23.40.x. So I want to block 10.23.40.0 off the Internet except for, for example, 2-3-4 IPs
which are the APs, and I want them to be online for updates. Let’s say they are 10.23.40.1-2-3-4.

I need to do that to “force” the other side of the wireless network to use 10.23.50.0/24 so I can throttle / queue it more easily.

What’s the proper way to do that?
First DROP anything from 10.23.40.0/24 and THEN allow only the 2-3 devices?

You should create an address list with the allowed IPs from the 10.23.40.0/24 subnet.
Then you should first allow access to the Internet for this address list and second disable access for the whole 10.23.40.0/24 subnet.

To force wireless clients to use another subnet you should primarily assign an address from 10.23.50.0/24 to an interface of the ROS device so it can receive and route packets, and:

  1. Set up a DHCP server on the AP so it assigns 10.23.50.0/24 addresses to wireless clients. In this case assign the address from 10.23.50.0/24 to the same interface that has the address from 10.23.40.0/24.
    or
  2. Configure a VLAN on the ROS device and AP and wrap the wireless clients' traffic in this VLAN. In this case assign the address from 10.23.50.0/24 to the VLAN interface.
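The address-list-then-drop ordering from the answer above, written out as RouterOS CLI. This is an added example, not the poster's configuration; it assumes the Internet-facing interface is called "ether1" and that 10.23.40.0/24 traffic passes through this router's forward chain.

```routeros
# Added example (not from the original post). Assumptions: WAN interface is
# "ether1"; the 10.23.40.0/24 hosts are routed through this device.

# 1. Address list of the few 10.23.40.x devices that may reach the Internet
#    (the routerboard and APs from the question).
/ip firewall address-list
add list=allowed-40 address=10.23.40.1 comment="routerboard"
add list=allowed-40 address=10.23.40.2 comment="AP 1"
add list=allowed-40 address=10.23.40.3 comment="AP 2"
add list=allowed-40 address=10.23.40.4 comment="AP 3"

# 2. Forward-chain rules. Order is what matters: the first matching rule
#    decides, so the accept for the list must sit ABOVE the drop for the
#    whole subnet (and above any general "accept forward" rule you already
#    have, otherwise the drop is never reached).
/ip firewall filter
add chain=forward src-address-list=allowed-40 out-interface=ether1 action=accept comment="listed 10.23.40.x devices may reach the Internet"
add chain=forward src-address=10.23.40.0/24 out-interface=ether1 action=drop comment="everything else from 10.23.40.0/24 is cut off"

# 3. Verify: packet counters on the drop rule should climb when an unlisted
#    10.23.40.x host tries to get out, while listed hosts hit the accept rule.
/ip firewall filter print stats where chain=forward
```

Matching on out-interface=ether1 rather than dst-address=0.0.0.0/0 keeps 10.23.40.x able to talk to the router and local subnets while only the Internet path is blocked; add a separate rule if local access should be cut too.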