I added a couple of new virtual APs and they all work well. They are all on their own subnets with firewall rules dropping traffic between them and all that, so I am pretty proud of myself. But there is something I am not sure of:
The virtual APs use wlan1 as the master interface, and all the new virtual APs have internet without my having to add NAT rules. Why is this? Is it because wlan1 is added under bridge -> ports and all the virtual APs use wlan1 as the master interface, so they all have internet automatically? The only NAT rule I have is the one for my ISP PPPoE connection.
I am not sure what config to extract for you to have a look at (maybe you will know without having to look at the config), so let me know what you need and I will extract it.
Every LAN that you create will have internet because of the masquerade rule; there you have set up just the exit interface, not the source subnets, so it gets all subnets.
Your firewall config features some rules which I guess you intended to prevent clients in different subnets from connecting to each other (the ones with src-address=subnet1/24 dst-address=subnet2/24). They are not doing that; they are preventing those clients from connecting to the router (note chain=input) if the destination address is not in the same subnet as the client. To block connections between clients from different subnets, these FW rules should be in chain=forward.
There are a few filters that would make the firewall better; it has been discussed a few times in this forum, I'm sure you can find them.
@ingdaka Thanks for the reply. I Googled a bit and it makes a lot of sense now, so thanks for pointing it out.
@mkx: Thanks for the input and helping out. I actually did have the rules as forward rules, but then I checked the following:
I had a forward rule preventing everyone on IP range 192.168.6.1/24 from connecting to 192.168.6.1 ports 80,8080,443,563, essentially so that they cannot get to the router interface. But then I was still able to get to the router web interface! Then I changed it to input, and then it worked correctly. Now the users on 192.168.6.1/24 cannot connect to 192.168.6.1 over those specified ports. I then figured that all these rules should be input rules... Was I wrong?
The way the rules are set currently (input rules) allows the clients in the subnets to have internet and see each other in the same subnet, but they cannot get to the web interface of the router. I haven't tested whether they can get to the other subnets using input rules rather than forward rules, but a network scan did not show the other IP addresses from the other subnets. Then again, I have not set up routing rules or NAT yet, so the rules are not really necessary, are they?
There are a few chains in the firewall; the most important two are input and forward:
chain=input rules govern connections to the router itself. So using chain=input to prevent LAN devices from connecting to the router's http service is correct.
chain=forward rules govern connections to other destinations where traffic flows through the router. So chain=forward is the correct one to block connections between devices in different subnets. It is the same chain that could forbid LAN devices from accessing the internet (despite having NAT masquerade).
So you are using the correct firewall rules for blocking access to the router's services, but you're using the wrong firewall rules to block connectivity between different subnets (e.g. between 192.168.6.13 and 192.168.7.42).
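Putting the explanation above into a concrete RouterOS configuration, as an added example that is not config posted by anyone in this thread: it shows the masquerade rule that matches only on the exit interface (why every new subnet gets internet), the input rule that blocks LAN clients from the router's management ports, and the forward rules that actually isolate two subnets from each other. The interface name pppoe-out1 is an assumption, and the subnets 192.168.6.0/24 and 192.168.7.0/24 are taken from the addresses mentioned in the thread, written in network notation.

```routeros
# Added example, not the original poster's configuration.
# Assumptions: the ISP link is pppoe-out1; the two virtual-AP subnets are
# 192.168.6.0/24 and 192.168.7.0/24 with the router at .1 in each.

# 1) srcnat/masquerade keyed only on out-interface: every LAN subnet that
#    routes out through pppoe-out1 is translated, no per-subnet rule needed.
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade \
    comment="NAT for everything leaving via the ISP link"

/ip firewall filter
# 2) Traffic addressed TO the router itself (e.g. 192.168.6.1:80) is
#    evaluated in chain=input.  A rule with dst-address=192.168.6.1 in
#    chain=forward never sees it, which is why the forward version of this
#    rule did not block the web interface.
add chain=input protocol=tcp dst-port=80,443,8080,563 \
    src-address=192.168.6.0/24 action=drop \
    comment="192.168.6.0/24 may not reach router management ports"
add chain=input protocol=tcp dst-port=80,443,8080,563 \
    src-address=192.168.7.0/24 action=drop \
    comment="192.168.7.0/24 may not reach router management ports"

# 3) Traffic passing THROUGH the router between two LAN subnets is
#    evaluated in chain=forward.  Inter-subnet isolation belongs here.
add chain=forward src-address=192.168.6.0/24 dst-address=192.168.7.0/24 \
    action=drop comment="isolate 192.168.6.0/24 from 192.168.7.0/24"
add chain=forward src-address=192.168.7.0/24 dst-address=192.168.6.0/24 \
    action=drop comment="isolate 192.168.7.0/24 from 192.168.6.0/24"
```

Rules are evaluated top to bottom within a chain, so these drops must sit above any broad accept rule in the same chain. To confirm a rule is actually matching, generate the traffic you want blocked (for example, ping 192.168.7.42 from a host in 192.168.6.0/24) and run `/ip firewall filter print stats`; the packet counter of the corresponding forward rule should increase. A counter that stays at zero while the traffic gets through means the rule is in the wrong chain or below a rule that accepts first. The port list above only covers the web interface mentioned in the thread; if the router also has WinBox (8291) or SSH (22) enabled, those ports need to be added to the input rules as well.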