[FS#3577] Traffic allowed by guest zones to other routers in the wan zone

Sun Jan 17 16:21:09 EST 2021

THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - ncompact (ncompact) 

Attached to Project - OpenWrt/LEDE Project
Summary - Traffic allowed by guest zones to other routers in the wan zone
Task Type - Bug Report
Category - Documentation
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Medium
Priority - Very Low
Reported Version - openwrt-19.07
Due in Version - Undecided
Due Date - Undecided
Details - As per the title, no additional rules are allowed for traffic from guest zone to wan but no restrictions have been implemented if there are other routers after the wan interface.

Please implement an additional rule to the documentation
https://openwrt.org/docs/guide-user/network/wifi/guestwifi/start
keep in mind to limit outgoing traffic from the guest zone to
only internet traffic and which cannot send packets to others
router present in the wan

Personally I have created a new rule that blocks traffic to private networks (but perhaps there are valid alternatives to this but I ignore it).

Attached is a standard rule to add (if considered optimal and functional to the needs).

uci -q delete firewall.guest_private
uci set firewall.guest_private = "rule"
uci set firewall.guest_private.name = "Drop forward guest zone to private nets"
uci set firewall.guest_private.src = "guest"
uci set firewall.guest_private.target = "DROP"
uci set firewall.guest_private.family = "ipv4"
uci set firewall.guest_private.dest_ip = "192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"
uci set firewall.guest_private.dest = "*"
uci set firewall.guest_private.proto = "tcp udp icmp"

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=3577

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.