added 161 characters in body
Source Link

I have an OpenWrt router in the default config plus these changes:

- LAN network: 192.168.1.0/24
- Admin network: 193.168.2.0/24
- WAN network: 192.168.0.0/24

iptables:

- Default forward: deny
- Admin + LAN:
  - Forward: deny
  - In/Out: allow
- LAN to WAN forward: allow
- WAN:
  - Input: deny
  - Output: allow
  - Masquerading

Dropbear:

- Listen only on the admin interface

EDIT: The switch is actually split into 3 segments with untagged VLANs: WAN, LAN, Admin. So the different interfaces are not all on the same Layer 2 device.

When I connect my laptop to the LAN interface I can't reach devices in the admin zone, as expected. But if it is an IP of the router itself, I can reach it in every subnet. So I can connect to services on all of the router IPs: 192.168.0.2, 192.167.1.1, 192.168.2.1.

If I do ssh [email protected] --> connection refused

If I do ssh [email protected] --> I get a working SSH connection.

I don't want the SSH service accessible from the LAN. Or, for that matter, any network service on another subnet than intended. What am I missing to make that zone distinction work even on the router's own IPs?

I used an iptables rule to block everything from LAN going to 192.168.2.1. This works, but I want a setting that prevents this for all future networks.
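The zone behaviour the question describes, with one interface-agnostic guard rule and an audit of an iptables-save dump, as an added shell example that is not part of the question or of OpenWrt's own firewall scripts. It assumes an fw3/iptables-based OpenWrt; the chain name input_own_iface_only and the helper function names are my own.

```shell
#!/bin/sh
# Added example, not from the question or from OpenWrt's firewall scripts.
# Assumes an fw3-era OpenWrt (iptables) with the xt_addrtype match present.
#
# OpenWrt zone "input" policies are keyed on the ingress zone only: a packet
# from the lan zone is accepted by lan's input policy whichever of the
# router's own addresses it targets, which is why 192.168.2.1 answers from
# the LAN. One interface-agnostic rule closes that: reject unicast traffic to
# a local address that is not configured on the interface it arrived on.
# addrtype's --limit-iface-in evaluates the address type relative to the
# ingress interface, so the rule needs no per-network edits later on.

GUARD_CHAIN=input_own_iface_only   # chain name is my choice

# Print the rules that build the guard chain and hook it in front of INPUT.
# Broadcast/multicast (DHCP discover, mDNS) and loopback stay untouched.
fw_guard_rules() {
    cat <<EOF
iptables -N $GUARD_CHAIN 2>/dev/null || iptables -F $GUARD_CHAIN
iptables -A $GUARD_CHAIN -i lo -j RETURN
iptables -A $GUARD_CHAIN -m addrtype ! --dst-type LOCAL,BROADCAST,MULTICAST --limit-iface-in -m limit --limit 10/min -j LOG --log-prefix "cross-iface-input: "
iptables -A $GUARD_CHAIN -m addrtype ! --dst-type LOCAL,BROADCAST,MULTICAST --limit-iface-in -j REJECT
iptables -C INPUT -j $GUARD_CHAIN 2>/dev/null || iptables -I INPUT 1 -j $GUARD_CHAIN
EOF
}

# Apply on the router; call it from /etc/firewall.user so fw3 re-adds the
# chain on every firewall reload. IPv6 needs the same rules via ip6tables.
fw_guard_apply() {
    command -v iptables >/dev/null 2>&1 || return 1
    fw_guard_rules | sh -e
}

# Audit an iptables-save dump read from stdin: succeed (0) only if INPUT
# jumps to the guard chain and the chain carries the REJECT rule.
fw_guard_audit() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q -- "^-A INPUT -j $GUARD_CHAIN" || return 1
    printf '%s\n' "$dump" | grep -q -- "^-A $GUARD_CHAIN .*--limit-iface-in -j REJECT" || return 1
    return 0
}
```

The LOG rule makes every cross-interface attempt visible in logread before it is rejected, so the audit and the log together show both that the guard is in place and whether anything is probing across zones.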


Source Link

OpenWrt - router IPs on different subnets accessible by default?

I have an OpenWrt router in the default config plus these changes:

- LAN network: 192.168.1.0/24
- Admin network: 193.168.2.0/24
- WAN network: 192.168.0.0/24

iptables:

- Default forward: deny
- Admin + LAN:
  - Forward: deny
  - In/Out: allow
- LAN to WAN forward: allow
- WAN:
  - Input: deny
  - Output: allow
  - Masquerading

Dropbear:

- Listen only on the admin interface

When I connect my laptop to the LAN interface I can't reach devices in the admin zone, as expected. But if it is an IP of the router itself, I can reach it in every subnet. So I can connect to services on all of the router IPs: 192.168.0.2, 192.167.1.1, 192.168.2.1.

If I do ssh [email protected] --> connection refused

If I do ssh [email protected] --> I get a working SSH connection.

I don't want the SSH service accessible from the LAN. Or, for that matter, any network service on another subnet than intended. What am I missing to make that zone distinction work even on the router's own IPs?

I used an iptables rule to block everything from LAN going to 192.168.2.1. This works, but I want a setting that prevents this for all future networks.