Restrict access in VLAN to single IP and Port

Redyellow · March 29, 2020, 10:28am

I am new to openWrt but have previously worked with dd-wrt and now trying to replicate my settings from my old router on my mox running TurrisOS 4.05.

I have setup a VLAN in which:

(1) only one special MAC should have full internet access
(2) other clients should be only able to communicate with a specific port an a specific IP

In order to enable this I have added the following traffic rules.
My understanding from dd-wrt was that in iptables the rules are being applied from top to bottom until a matching rule is found.

With these rules applied the special MAC has full internet access but all others cannot reach that one special IP on the defined port.

Does anyone have an idea what I am doing wrong?

Redyellow · March 30, 2020, 7:36pm

It seems to be working now. Although I have not changed the rules.

Redyellow · March 31, 2020, 9:21pm

I have investigated a little more and I have found out that the rules are correct.

The problem was cause by an active OpenVPN connection which I was not aware of. That got me lost in tracking down the problem.

Just for reference if anyone has a similar problem.

Redyellow · April 4, 2020, 8:15pm

Investigating more revealed that I had not taken into account that machines trying to reach the specific machine were trying to reach it via the domain name.

As the VLAN had 8.8.8.8 and 8.8.4.4 as DNS servers the IP address could not be resolved which lead to my observed problems. Changing the DNS to the router finally solved it.

Pepe · April 5, 2020, 7:32pm

Cross-reference: