I want to block from WiFi user to get to the router-how to?

David1234 · December 25, 2014, 11:47am

I want to be able to enter the router using HTTP only from the Ethernet connection
so if someone try to enter from the WiFi - he will get 404 error - or something

this is what I have done but it doesn’t work -

chain=forward action=drop src-address=0.0.0.0/0 dst-address=172.20.164.254

the Wlan IP is 172.20.164.254

I don’t want to change the port (80) - because this is not a solution for me

what am I missing or doing wrong?
this is doable I want to believe , no ?

what I do now it NAT to address I don’t use

chain=dstnat action=dst-nat to-addresses=172.20.164.5 
     dst-address=172.20.164.254 in-interface=wlan1

I can stay with this , but if I want to do NAT to an image inside the router - can it be done?

Thanks,

tinka · December 25, 2014, 11:37pm

i think that you have specify the input (not the forward) chain to block access to the router.

David1234 · December 28, 2014, 8:49am

have try this also -
still doesn’t block

tinka · December 30, 2014, 6:34pm

have you put the rules in the correct order?

i would suggest to make a log rule and use only src. place it on top of the rule list. Start accesing the router from the src address. Once you see packets hit the log rule you know it works. Now change the action to drop.

Be carefull because you can block yourself so make sure you can login with mac.

Now once this works try to change to your liking and check with each step if the rule gets triggered.

ShayanFiroozi · December 30, 2014, 8:00pm

Hi,
you can use In/Out interface in firewall rules , or IP addresses , chain is input , src address is you Wifi network subnet such as 192.168.200.0/24 or something like that , and your dest address is your router address action is drop or tarpit