OpenWRT IP Whitelisting

This is how to let a network segment on OpenWRT reach only a whitelist of destination IPs:

  • First decide where to restrict access. I created an extra vlan with one switch port.
  • Then create an “interface” with that vlan in it.
  • Assign a static ip and a netmask to the vlan interface.
  • Go to the “Firewall Settings” tab and create a new zone.
  • Enable Masquerading for the zone.
  • You could now “Allow forward to destination zone: wan” to allow all internet traffic.
  • But we will rather go to “Network->Firewall->Traffic Rules” and create rules from our zone to wan for some IPs.
  • Be aware that the default protocol for a traffic rule is tcp+udp, so ICMP (ping) and anything else is not matched unless you change the protocol to “all”.
  • Now set the destination address to the IP you want to whitelist (one rule per IP). If you leave it empty, the rule matches every destination and the zone gets full internet access.
  • And we are good to go.

That was complicated, wasn’t it? Well, let’s look at the config diff between our router and a fresh OpenWRT setup. Wow, that’s messy. Unfortunately a change made through LuCI leads to a complete reparse and rewrite of the default config. I went through the diff and these are the interesting bits:

diff --git a/config/firewall b/config/firewall
index 7be01d2..28391ab 100644
--- a/config/firewall
+++ b/config/firewall
@@ -183,6 +183,20 @@ config rule
 #	option dest_port	120
 #	option proto	tcp
 #	option target	REJECT
+config zone
+	option name 'limited'
+	option input 'ACCEPT'
+	option forward 'REJECT'
+	option output 'ACCEPT'
+	option network 'limited_lan'
+config rule
+	option target 'ACCEPT'
+	option src 'limited'
+	option dest 'wan'
+	option name 'berlin-ccc-dns'
+	option proto 'all'
+	option dest_ip ''
 #config redirect
 #	option src		lan
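Review bot: The new rule at `option dest_ip ''` carries an empty destination, which fw3 treats as unset, so as written this rule accepts all protocols from 'limited' to 'wan' instead of whitelisting a single address; if the blank is a redaction for the post it should say so, otherwise it needs the whitelisted address, e.g. `option dest_ip '<whitelisted-ip>'`. The zone stanza also sets `option input 'ACCEPT'`, which gives hosts on the restricted VLAN unrestricted access to the router itself (LuCI, SSH, and anything else listening); for a limited segment `option input 'REJECT'` with explicit accept rules for DHCP (udp 67-68) and DNS (53) is the safer default. The write-up says masquerading is enabled for this zone, but no `option masq '1'` is visible in the stanza; the hunk header counts one more added line than is shown, so it may simply have been dropped from the listing.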
diff --git a/config/network b/config/network
index e15871a..737cfb2 100644
--- a/config/network
+++ b/config/network
@@ -33,10 +33,21 @@ config switch
 config switch_vlan
 	option device 'switch0'
 	option vlan '1'
-	option ports '1 2 3 4 5t'
+	option ports '1 2 3 5t'
 config switch_vlan
 	option device 'switch0'
 	option vlan '2'
 	option ports '0 5t'
+config switch_vlan
+	option device 'switch0'
+	option ports '4 5t'
+	option vlan '42'
+config interface 'limited_lan'
+	option proto 'static'
+	option ifname 'eth0.42'
+	option ipaddr ''
+	option netmask ''