This is how to route only whitelisted IPs on OpenWrt:
- First decide where to restrict access. I created an extra VLAN with one switch port.
- Then create an “interface” with that VLAN in it.
- Assign a static IP address and a netmask to the VLAN interface.
- Go to the “Firewall Settings” tab and create a new zone.
- Enable Masquerading for the zone.
- You could now “Allow forward to destination zone: wan” to allow all internet traffic.
- But we will rather go to “Network->Firewall->Traffic Rules” and create rules from our zone to wan for some IPs.
- Be aware that the default protocol for a traffic rule is TCP+UDP only; set it to “all” if other protocols should pass.
- Now just set the destination address.
- And we are good to go.
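Before looking at the diff, here is an added check (my own example, not part of the original post or of OpenWrt) that audits the resulting config from a defender's point of view: it parses the plain-text UCI format of /etc/config/firewall, lists which destination IPs a whitelist zone may actually reach through wan, and flags anything that widens the whitelist (a zone-level forwarding, an ACCEPT rule without dest_ip, a missing masquerade). The sample config is constructed inline; it mirrors the zone and rule stanzas shown in the diff further down, adds a plain wan zone, and adds one deliberately over-broad rule so the audit has something to report. The zone name “limited” and the rule name “oops-everything” are assumptions of this example.

```python
"""Audit an OpenWrt UCI firewall config for a whitelist-only zone (added example)."""
import shlex
import sys

# Constructed sample: the 'limited' zone and DNS rule from the post, a plain
# wan zone that does the NAT, and an extra rule that forgets dest_ip.
SAMPLE_FIREWALL = """\
config zone
    option name 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option network 'wan'

config zone
    option name 'limited'
    option input 'ACCEPT'
    option forward 'REJECT'
    option output 'ACCEPT'
    option network 'limited_lan'

config rule
    option target 'ACCEPT'
    option src 'limited'
    option dest 'wan'
    option name 'berlin-ccc-dns'
    option proto 'all'
    option dest_ip '213.73.91.35'

config rule
    option target 'ACCEPT'
    option src 'limited'
    option dest 'wan'
    option name 'oops-everything'
"""


def parse_uci(text):
    """Parse UCI text into one dict per 'config' section.

    Each dict holds the option values plus '_type' and '_name'; values given
    with the 'list' keyword become Python lists. Comments and blank lines are
    skipped, so the commented-out lines of the default config are ignored.
    """
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single-quoted values
        keyword, args = parts[0], parts[1:]
        if keyword == "config":
            sections.append({"_type": args[0], "_name": args[1] if len(args) > 1 else None})
        elif keyword == "option" and sections and args:
            sections[-1][args[0]] = args[1] if len(args) > 1 else ""
        elif keyword == "list" and sections and args:
            sections[-1].setdefault(args[0], []).append(args[1] if len(args) > 1 else "")
    return sections


def audit_zone(text, zone_name, wan_zone="wan"):
    """Return {'allowed': [...], 'findings': [...]} for a whitelist zone.

    'allowed' lists (rule name, dest_ip, proto) for every ACCEPT rule from
    zone_name to wan_zone that pins a destination; 'findings' are the ways
    the whitelist could let through more than intended.
    """
    sections = parse_uci(text)
    zones = {s.get("name"): s for s in sections if s["_type"] == "zone"}
    allowed, findings = [], []
    zone = zones.get(zone_name)
    if zone is None:
        return {"allowed": allowed, "findings": [f"zone '{zone_name}' is not defined"]}
    # The zone default must be REJECT (or DROP); the rules then punch holes.
    if zone.get("forward", "DROP").upper() == "ACCEPT":
        findings.append(f"zone '{zone_name}' forwards everything by default (forward=ACCEPT)")
    # NAT must happen on this zone or on the wan zone, otherwise packets leave un-NATed.
    if zone.get("masq") != "1" and zones.get(wan_zone, {}).get("masq") != "1":
        findings.append(f"neither '{zone_name}' nor '{wan_zone}' has masq '1'")
    for s in sections:
        if s["_type"] == "forwarding" and s.get("src") == zone_name and s.get("dest") == wan_zone:
            findings.append(f"zone-level forwarding {zone_name}->{wan_zone} bypasses the whitelist")
        if s["_type"] != "rule" or s.get("src") != zone_name or s.get("dest") != wan_zone:
            continue
        if s.get("target", "").upper() != "ACCEPT":
            continue
        rule = s.get("name", "<unnamed>")
        if "dest_ip" not in s:
            findings.append(f"rule '{rule}' has no dest_ip and allows any destination")
            continue
        ip = s["dest_ip"]
        ip = " ".join(ip) if isinstance(ip, list) else ip
        # OpenWrt's default protocol for a rule is tcp+udp, as the walkthrough notes.
        allowed.append((rule, ip, s.get("proto", "tcp udp")))
    return {"allowed": allowed, "findings": findings}


if __name__ == "__main__":
    # Usage: audit.py [/path/to/firewall] [zone]; defaults to the built-in sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FIREWALL
    report = audit_zone(text, sys.argv[2] if len(sys.argv) > 2 else "limited")
    for rule, ip, proto in report["allowed"]:
        print(f"allowed: {rule} -> {ip} ({proto})")
    for finding in report["findings"]:
        print(f"FINDING: {finding}")
```

Copy /etc/config/firewall off the router and run the script against it on a workstation; a clean whitelist zone yields only “allowed” lines, and every “FINDING” line is a hole that the GUI may have opened without you noticing.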
That was complicated, wasn’t it? Well, let’s look at the config diff between our router and a fresh OpenWrt setup. Wow, that’s messy. Unfortunately any change made in LuCI leads to a complete reparse and rewrite of the default config. I went through the diff and these are the interesting bits:
diff --git a/config/firewall b/config/firewall
index 7be01d2..28391ab 100644
--- a/config/firewall
+++ b/config/firewall
@@ -183,6 +183,20 @@ config rule
# option dest_port 120
# option proto tcp
# option target REJECT
+config zone
+ option name 'limited'
+ option input 'ACCEPT'
+ option forward 'REJECT'
+ option output 'ACCEPT'
+ option network 'limited_lan'
+
+config rule
+ option target 'ACCEPT'
+ option src 'limited'
+ option dest 'wan'
+ option name 'berlin-ccc-dns'
+ option proto 'all'
+ option dest_ip '213.73.91.35'
#config redirect
# option src lan
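Review bot: the new `config zone` stanza for 'limited' carries no `option masq '1'` even though step 6 of the walkthrough enables masquerading; if NAT is done by the wan zone (the usual OpenWrt layout) this is harmless and that step is redundant, otherwise traffic from the limited zone would leave un-NATed, so the writeup should say which it is. Two further things worth noting in the rule: `option proto 'all'` with no `dest_port` opens every port and protocol on 213.73.91.35, which is wider than a rule named 'berlin-ccc-dns' needs (`option dest_port '53'` would do), and `option input 'ACCEPT'` on the zone lets limited hosts talk to the router itself, so the whitelist restricts forwarding only.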
diff --git a/config/network b/config/network
index e15871a..737cfb2 100644
--- a/config/network
+++ b/config/network
@@ -33,10 +33,21 @@ config switch
config switch_vlan
option device 'switch0'
option vlan '1'
- option ports '1 2 3 4 5t'
+ option ports '1 2 3 5t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0 5t'
+config switch_vlan
+ option device 'switch0'
+ option ports '4 5t'
+ option vlan '42'
+
+config interface 'limited_lan'
+ option proto 'static'
+ option ifname 'eth0.42'
+ option ipaddr '10.23.42.1'
+ option netmask '255.255.255.0'
+
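Review bot: port 4 moves from VLAN 1 into the new VLAN 42 and `limited_lan` gets a static address on eth0.42, but the diff touches only config/network and config/firewall, so nothing defines a DHCP pool for limited_lan; a client on port 4 needs a static address in 10.23.42.0/24 (or a matching stanza in config/dhcp) before any of this works, which the writeup should state. Minor style point: put `option vlan '42'` before `option ports '4 5t'` so the new switch_vlan stanza matches the order of the two existing ones.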