I have an OpenWrt router in default config plus those changes:

Lan Network   - 192.168.1.0/24
Admin Network - 193.168.2.0/24
Wan Network   - 192.168.0.0/24

Iptables
  Default Forward Deny
  Admin+Lan
    Forward Deny
    In/Out Allow
  Lan to Wan Forward Allow
  Wan
    Input Deny
    Output Allow
    Masquerading
Dropbear
  Listen only on admin interface
EDIT: The switch is actually split into 3 segments with untagged VLANs: Wan, Lan, Admin. So the different interfaces are not all on the same Layer 2 device.
When I connect my laptop to the Lan interface I can't reach devices in the admin zone, as expected. But if it is an IP of the router itself, I can reach it in every subnet. So I can connect to services on all of the router IPs: 192.168.0.2, 192.167.1.1, 192.168.2.1
If I do ssh [email protected] --> connection refused
If I do ssh [email protected] --> I get a working ssh connection.
I don't want the SSH service accessible from Lan, or for that matter any network service on a subnet other than the intended one. What do I miss to make that zone distinction work even on the router's own IPs?
I used an iptables rule to block everything from Lan going to 192.168.2.1. This works, but I want a setting that prevents this for all future networks.
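The behaviour described above comes from the way OpenWrt zone input policies are built: the lan zone's INPUT accept matches on the ingress interface only, so a packet from the LAN addressed to the router's admin-side IP is accepted as "input from lan", regardless of which interface that address belongs to. One generic way to enforce "an interface only serves its own address", rather than adding a rule per foreign address, is to reject, per interface, every packet whose destination is a local address other than that interface's own one. The script below is an added example, not the asker's configuration; the interface names `br-lan` and `br-admin` and the address table are constructed to mirror the question. It only prints the rules, so you can review them before applying. Broadcast and multicast destinations (DHCP discover, mDNS) are not of addrtype `LOCAL` and are therefore unaffected.

```shell
#!/bin/sh
# Added example: generate per-interface INPUT rules so that traffic arriving on
# an interface can only reach the router address bound to THAT interface.
# Interface names and addresses are constructed for illustration.
IFACE_TABLE='br-lan 192.168.1.1
br-admin 192.168.2.1'

# self_only_rules "<iface addr lines>"
# Prints one iptables rule per interface and applies nothing.
# -m addrtype --dst-type LOCAL limits the match to the router's own unicast
# addresses, so broadcast/multicast (DHCP, mDNS) keep working.
self_only_rules() {
    printf '%s\n' "$1" | while read -r iface addr; do
        [ -n "$iface" ] || continue
        printf 'iptables -I INPUT -i %s -m addrtype --dst-type LOCAL ! -d %s -j REJECT --reject-with icmp-port-unreachable\n' \
            "$iface" "$addr"
    done
}

# Optional: build the table from the live system instead of the constant
# above, so newly added networks are covered without editing this file.
live_iface_table() {
    ip -4 -o addr show | awk '{print $2, $4}' | cut -d/ -f1
}

# Dry run: show what would be inserted for the constructed table.
self_only_rules "$IFACE_TABLE"
```

On an iptables-based (fw3) OpenWrt the generated lines can be applied from `/etc/firewall.user` so they are re-inserted on every firewall reload; on nftables-based (fw4) builds the same intent is expressed with an `iifname`/`fib daddr type local` rule in a custom include. Whichever hook you use, the rule for the WAN interface is harmless because the wan zone already rejects input, and the rule for the admin interface still lets Dropbear be reached on 192.168.2.1 from the admin segment only.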