Posted: Wed Apr 18, 2018 14:31 Post subject: How to allow WAN GUI access ONLY (i.e. no LAN web GUI)?
I'm adding a new DD-WRT router to my *internal network* with wifi radios disabled. The goal is to isolate all traffic on the new subnet to be Internet-bound only.
I want to disable web admin GUI access from the LAN side and only allow GUI access from the WAN side. I've got the WAN side opened up via the appropriate admin options but now I want to close down the LAN side.
Joined: 16 Nov 2015 Posts: 6446 Location: UK, London, just across the river..
Posted: Wed Apr 18, 2018 20:40 Post subject:
Hmmm, I hope you know what you are doing... and that there will be a good set of firewall rules to protect it when you open the GUI on the WAN side....
Do expect a lot of attacks if you expose the GUI on the WAN side.
Make sure you change the default ports for telnet and SSH, and do key-lock it with a receipted key.
By default the local microserver listens on port 80, so closing down port 80 on the local side will restrict any access to it...
Add this to the firewall script:
iptables -I INPUT -i br0 -p tcp --dport 80 -j REJECT
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
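As an added example (not code from this thread or from the DD-WRT project), here is a firewall-script fragment that generalises the single iptables rule in the reply above to more than one GUI port and makes it safe to re-run. Assumed names: the LAN bridge is br0 (the DD-WRT default), the GUI ports are 80 and, if the HTTPS GUI is enabled, 443, and the router's iptables build supports the -C (check) option; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumptions: LAN bridge br0,
# web GUI on 80 (HTTP) and 443 (only relevant if the HTTPS GUI is enabled),
# and an iptables that understands -C so the script can be re-run safely.
# Override LAN_IF / GUI_PORTS / IPT from the environment if your setup differs.

LAN_IF="${LAN_IF:-br0}"
GUI_PORTS="${GUI_PORTS:-80 443}"
IPT="${IPT:-iptables}"

# One REJECT rule for a single GUI port on the LAN bridge, emitted as text.
# -I puts the rule at the top of INPUT, ahead of DD-WRT's own ACCEPT rules,
# which is what makes the original one-liner effective.
lan_gui_block_rule() {
  printf '%s -I INPUT -i %s -p tcp --dport %s -j REJECT\n' "$IPT" "$LAN_IF" "$1"
}

# The full rule set for every port in GUI_PORTS, for review before loading.
lan_gui_block_rules() {
  for p in $GUI_PORTS; do
    lan_gui_block_rule "$p"
  done
}

# Apply the rules. DD-WRT re-runs the firewall script on WAN up/down events,
# so check with -C first instead of stacking duplicate rules in INPUT.
apply_lan_gui_block() {
  for p in $GUI_PORTS; do
    if ! "$IPT" -C INPUT -i "$LAN_IF" -p tcp --dport "$p" -j REJECT 2>/dev/null; then
      "$IPT" -I INPUT -i "$LAN_IF" -p tcp --dport "$p" -j REJECT
    fi
  done
}

# Usage: "sh lan-gui-block.sh show" prints the rules, "... apply" loads them.
case "${1:-}" in
  show)  lan_gui_block_rules ;;
  apply) apply_lan_gui_block ;;
esac
```

Because the rules match only on br0, the WAN-side remote-management port is untouched, so the LAN (upstream) machines in the topology described in the thread can still reach the GUI through the second router's WAN interface. After applying, confirm with `iptables -vnL INPUT --line-numbers` that the REJECT entries sit above any ACCEPT for the same ports; note that this covers the web GUI only, not telnet or SSH on the LAN side.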
ISP -> DD-WRT router 1 (no open inbound ports) -> LAN -> DD-WRT router 2 (the one being set up) -> new isolated subnet
Only the LAN will have access to the WAN side of the second DD-WRT router. WLAN on router 1 can only head out to the Internet and has no access to the LAN. Only two machines exist on the LAN, both of which are strictly controlled. Unless you know something I don't, there shouldn't be any particular danger of attacks against the second router?
Thanks for the iptables rule. Exactly what I was hoping for.