A while ago Second Street Brewery asked for a good, stable public wireless internet connection. Of course, the solution was obvious: OpenWrt! In this case a Linksys WRT54GL. The office, point-of-sale and public networks all share the same gateway, so the problem was segregating the public wireless network from the private office LAN. Sam (http://thepromisedlan.org) and I set out to build a firewall to protect them. This is what we came up with:
"secured office wifi" / ISP <-fw-> office LAN 10.1.10.0/24 <-fw-> (linksys) "open public wifi" (clients on public wifi cannot reach 10.1.10.0/24 or any other private subnet)
Check that the following is in /etc/config/firewall; if it is not, add it:
config include
    option path '/etc/firewall.user'
And in /etc/firewall.user we put:
# Insert this at the top of the chain so that 10.1.10.0/24 (office) can connect
# to the public 192.168.10.0/24: replies to connections the office opened are
# accepted before the DROP rules below are reached.
# This rule duplicates one that the setup script /etc/init.d/firewall adds.
iptables -I FORWARD 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Block all forwarded traffic to any possible private (RFC 1918) address:
# 10.0.0.0/8, 172.16.0.0/12 (172.16.x.x through 172.31.x.x) and 192.168.0.0/16.
# Each "-I FORWARD 2" lands directly after the ESTABLISHED rule, ahead of
# OpenWrt's own zone rules, so new connections from the public wifi to these
# ranges are dropped no matter what the zone configuration says.
iptables -I FORWARD 2 -d 192.168.0.0/16 -j DROP
iptables -I FORWARD 2 -d 172.16.0.0/12 -j DROP
iptables -I FORWARD 2 -d 10.0.0.0/8 -j DROP
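To check the rule order and the exact RFC 1918 boundaries without touching a live router, here is an added example (not part of the original post) that models the FORWARD chain built by the firewall.user rules above in plain POSIX shell. The sample destinations and conntrack states at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a pure-shell model of the FORWARD chain that /etc/firewall.user
# builds above. Nothing here calls iptables; it only reproduces the verdict the
# four inserted rules would give, so the ranges can be checked offline.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR block $2 (e.g. 172.16.0.0/12).
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Evaluate the FORWARD chain for one packet: $1 = destination IP,
# $2 = conntrack state (NEW, RELATED or ESTABLISHED). Prints ACCEPT or DROP
# when one of the firewall.user rules matches, or POLICY when the packet
# falls through to the rules OpenWrt's /etc/init.d/firewall installs later.
forward_verdict() {
    dst=$1; state=$2
    # Rule 1: -m state --state RELATED,ESTABLISHED -j ACCEPT
    case $state in RELATED|ESTABLISHED) echo ACCEPT; return ;; esac
    # Rules 2-4: the three "-I FORWARD 2" inserts end up as 10/8, 172.16/12,
    # 192.168/16; their relative order does not change the outcome.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        if in_cidr "$dst" "$net"; then echo DROP; return; fi
    done
    echo POLICY
}

# Constructed sample packets: "destination state".
for pkt in "10.1.10.5 NEW" "10.1.10.5 ESTABLISHED" "172.31.255.255 NEW" \
           "172.32.0.1 NEW" "203.0.113.10 NEW"; do
    set -- $pkt
    echo "$1 ($2) -> $(forward_verdict "$1" "$2")"
done
```

The 172.31.255.255 and 172.32.0.1 cases show where the /12 block really ends, which is what the comment in firewall.user needs to get right.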
If you would like remote administration of the OpenWrt box, so you can reach the LuCI web interface and SSH from the WAN side of the router, you can change the wan zone in /etc/config/firewall to allow it. !!WARNING!! If the router is directly connected to the internet, this exposes your open ports to the world. Secure those services before changing this firewall rule.
config 'zone'
    option 'name' 'wan'
    option 'input' 'REJECT'   # the default; set to 'ACCEPT' to allow access from the WAN side
Or, if you just want to allow remote SSH access:
config rule
    option name 'ssh'
    option src 'wan'
    option proto 'tcp'
    option dest_port '22'
    option target 'ACCEPT'