This is how to route only whitelisted IPs on OpenWrt:
- First decide where to restrict access. I created an extra VLAN with one switch port.
- Then create an “interface” with that VLAN in it.
- Assign a static IP and a netmask to the VLAN interface.
- Go to the “Firewall Settings” tab and create a new zone.
- Enable Masquerading for the zone.
- You could now “Allow forward to destination zone: wan” to allow all internet traffic.
- But we will rather go to “Network->Firewall->Traffic Rules” and create rules from our zone to wan for some IPs.
- Be aware that the default for traffic rules is to only allow tcp+udp.
- Now just set the destination address.
- And we are good to go.
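To check that the whitelist actually holds once the steps are done, here is a small audit of the firewall config, added as an example and not part of the original post. It parses UCI text and lists which destinations a zone may reach on wan, flagging a zone-wide forwarding or an ACCEPT rule without a dest_ip. The sample config, rule names and addresses are constructed, and only `option` lines are parsed (`list` entries are ignored).

```python
import shlex

# Constructed sample in UCI syntax. Zone names follow this page; the rule
# names and addresses (RFC 5737 documentation range) are made up.
SAMPLE = """
config forwarding
    option src 'lan'
    option dest 'wan'
config rule
    option name 'allowed-dns'
    option src 'limited'
    option dest 'wan'
    option proto 'all'
    option dest_ip '192.0.2.53'
    option target 'ACCEPT'
config rule
    option name 'too-broad'
    option src 'limited'
    option dest 'wan'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse UCI text into a list of (section_type, {option: value})."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)  # handles quotes and '#'
        if len(words) >= 2 and words[0] == "config":
            sections.append((words[1], {}))
        elif len(words) >= 3 and words[0] == "option" and sections:
            sections[-1][1][words[1]] = words[2]
    return sections

def audit(text, zone="limited", wan="wan"):
    """Return (whitelist, findings) for traffic forwarded from zone to wan."""
    whitelist, findings = [], []
    for kind, opt in parse_uci(text):
        if (opt.get("src"), opt.get("dest")) != (zone, wan):
            continue
        if kind == "forwarding":
            findings.append("forwarding %s->%s allows all traffic" % (zone, wan))
        elif kind == "rule" and opt.get("target") == "ACCEPT":
            proto = opt.get("proto", "tcp udp")  # default per the page: tcp+udp
            if "dest_ip" in opt:
                whitelist.append((opt["dest_ip"], proto))
            else:
                findings.append("rule %r has no dest_ip" % opt.get("name"))
    return whitelist, findings

print(audit(SAMPLE))
```

On the router, feed it the contents of /etc/config/firewall instead of SAMPLE.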
That was complicated, wasn’t it? Well, let’s look at the config diff between our router and a fresh OpenWrt setup. Wow, that’s messy. Unfortunately, changes in LuCI lead to a complete reparse and rewrite of the default config. I went through the diff and these are the interesting bits:
diff --git a/config/firewall b/config/firewall index 7be01d2..28391ab 100644 --- a/config/firewall +++ b/config/firewall @@ -183,6 +183,20 @@ config rule # option dest_port 120 # option proto tcp # option target REJECT +config zone + option name 'limited' + option input 'ACCEPT' + option forward 'REJECT' + option output 'ACCEPT' + option network 'limited_lan' + +config rule + option target 'ACCEPT' + option src 'limited' + option dest 'wan' + option name 'berlin-ccc-dns' + option proto 'all' + option dest_ip '126.96.36.199' #config redirect # option src lan diff --git a/config/network b/config/network index e15871a..737cfb2 100644 --- a/config/network +++ b/config/network @@ -33,10 +33,21 @@ config switch config switch_vlan option device 'switch0' option vlan '1' - option ports '1 2 3 4 5t' + option ports '1 2 3 5t' config switch_vlan option device 'switch0' option vlan '2' option ports '0 5t' +config switch_vlan + option device 'switch0' + option ports '4 5t' + option vlan '42' + +config interface 'limited_lan' + option proto 'static' + option ifname 'eth0.42' + option ipaddr '10.23.42.1' + option netmask '255.255.255.0' +
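Review bot: In the added config rule of config/firewall, option proto 'all' opens every protocol to the whitelisted address although the rule is named 'berlin-ccc-dns'; if only DNS is meant, narrow it to option proto 'tcp udp' with option dest_port '53'. The new zone also sets option input 'ACCEPT', so hosts on the restricted port can reach every service on the router itself; consider input 'REJECT' plus explicit rules for what those hosts need from the router.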
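Review bot: The config/network hunk moves switch port 4 from VLAN 1 to VLAN 42 without recording which physical socket that is; switch port numbers often differ from the labels on the case, so add a comment naming the socket above the new switch_vlan block. As a style point, the new block lists ports before vlan, the reverse of the two existing switch_vlan blocks.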