How to restrict router's services to a specific subnet/interface?

Currently, my Omnia is exposing Samba shares meant for the interface lan (192.168.1.1) on work-lan (192.168.2.1).

I’ve modified smb.conf.template to make it listen only on 192.168.1.1 but that doesn’t help, since someone like 192.168.2.100 can still access 192.168.1.1 and all its ports.

Is there a way to wall off everything except the necessary minimum on work-lan? Perhaps a custom firewall rule?

Cheers
Michal

hosts allow = 192.168.1.0/24 in smb.conf may do what you want (untested). I put /24, but adjust it to whatever your network configuration is.

You can also use hosts deny to do the opposite, to explicitly disallow access from work-lan. Both can accept multiple addresses, space separated.

Reference: https://bbs.archlinux.org/viewtopic.php?pid=854090#p854090

Thanks. While that’ll work for samba, I’m really looking for a more general mechanism that bars access to 192.168.1.1 from 192.168.2/24. Then I can stop relying on the security mechanisms of each service.

Check your firewall zones in LuCI. You need a zone for each subnet, then you can restrict access as needed. Everything can be done via the GUI.

Take this howto for a guest wifi as an example (no copy & paste solution!)

https://wiki.openwrt.org/doc/recipes/guest-wlan-webinterface

Ask when you need further assistance

The link helped massively. I was missing ‘reject’ for the input chain. Doh!
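
The zone setup this thread arrives at, shown as an added example that is not from any of the posters: an /etc/config/firewall fragment in OpenWrt syntax. The zone and network name work_lan, the forwarding to wan, and the choice of DHCP and DNS as the "necessary minimum" are assumptions to adapt to the actual setup.

```conf
# Added example, not from the thread. Names marked "assumed" must match
# the interface names in /etc/config/network on the router.

# Dedicated zone for the work subnet (192.168.2.0/24 in the thread).
# input REJECT is the setting the original poster was missing: traffic
# addressed to the router itself is matched on the zone it arrives from,
# so this also covers connections to 192.168.1.1 coming from 192.168.2.x.
config zone
	option name 'work_lan'        # assumed zone name
	list network 'work_lan'       # assumed network name
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Let work-lan clients reach the internet, but not the lan zone
# (there is deliberately no forwarding from work_lan to lan).
config forwarding
	option src 'work_lan'
	option dest 'wan'

# Exceptions to input REJECT: only what clients need from the router.
config rule
	option name 'Allow-DHCP-work_lan'
	option src 'work_lan'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-work_lan'
	option src 'work_lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

After reloading the firewall (/etc/init.d/firewall reload), a client on work-lan should still get a DHCP lease and resolve names, while connections to the Samba ports on either router address are rejected.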