On Thursday 23 June 2016 16:08:07 Amuza wrote:
Hey Ilario!
1. Thanks for your reply! It made me understand that I might need to
configure a transparent (Layer 2) firewall if I keep wanting to solve it
just by configuring my private home router. I am not sure though. If
anyone could confirm... And I do not know how to configure that, I guess
I would have to face once and for all the scary world of iptables -if
that's how OpenWRT filters packets, I'm not even sure : /
2. Another solution -easier- I've just thought of would be to
configure the firewall in the LiMe router (the one directly connected to
my home router). But then I would need to know what is applied first
when traffic originated from a host in the LiMe network has the Internet
as destination: NAT or Packet Filtering. I need to know if NAT is
applied before packet filtering or the other way around so that I can
properly define the firewall rules. Does anybody know the order?
3. By the way, am I too paranoid? Am I the only one worried about
protecting my home LAN? Or maybe you guys do not use this double NAT
architecture? How do you do it? Maybe through VLANs?
I just try to make sure everything can ping everything, "mesh all the things".
Security doesn't pertain to the lower layers of the networking stack; moreover, you are
supposed to run a community network, not a walled garden :p
Ciao!
On Thu, 2016-06-23 at 00:38 +0200, Ilario Gelmetti wrote:
> On 06/21/2016 08:59 PM, Amuza wrote:
> > Hi,
>
> Hi Amuza!
>
> > I have my private home network connected to the Internet and then the
> > LiMe network I am deploying. In order to let the LiMe network access
> > the Internet, I connect the WAN port of a LiMe router to a switch port
> > (LAN) of my private home router. And it just rocks, double NAT works,
> > and routers spread the Internet all around the mesh.
>
> Yeah!
>
> > But now I am trying to deny any traffic from LiMe hosts (10.x.x.x) to
> > my private home network (192.168.x.x).
>
> Have you verified that this doesn't already happen?
> For example trying to ping a 192... machine while connected with a 10...
> IP?
>
> > I have been playing with the LuCI web interface of my private home
> > router but somehow I do not manage to restrict the undesired traffic.
> > This is what I've tried:
> >
> > 1. I assign a static IPv4 address to the LiMe router (I did not manage
> > to do it with IPv6).
>
> Mmh... So, are you setting this directly in LiMe or in your main router
> DHCP server?
> I have no experience with the LiMe web interface, but from the terminal
> interface you can specify the IPv6 address (as well as the IPv4) in the
> /etc/config/lime (taking inspiration from /etc/config/lime.example).
>
> > 2. I create a traffic rule which DROPS ANY traffic coming from the
> > statically assigned IPv4 address (192.168.A.A) of the connected LiMe
> > router (which is in the LAN zone and with a defined source MAC
> > address) with destination ANY LAN zone -so that they can access only
> > the Internet (WAN).
> >
> > 3. I enable the rule and put it up to the top of the list
> >
> > Why can I still reach my home private router from the LiMe network?
>
> "reach the router"?
> If I got it correctly the router is your gateway, so it's good if you
> can reach it... The problem comes with other devices on the LAN side.
> Did I get it correctly?
>
> > Is this "zone" thing working?
> > How should I configure it?
>
> I'm not experienced with OpenWrt firewall configuration, sorry :/
>
> > Please let me know. Either through the LuCI web interface or the
> > command line -step by step, please.
> >
> > Thank you!
>
> Bye!!
> Ilario
>
> _______________________________________________
> users mailing list
> users(a)lists.libre-mesh.org
> https://lists.libre-mesh.org/mailman/listinfo/users
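As an added example, not from anyone in this thread, here is the "option 2" rule placed on the LiMe router as an OpenWrt fw3 stanza: in netfilter, forwarded packets are filtered in FORWARD before masquerading happens in POSTROUTING, so the rule sees the original 10.x source and can match the 192.168 destination. The zone names 'lan' (mesh side) and 'wan' (port facing the home router) are assumptions taken from a default OpenWrt firewall config; check /etc/config/firewall on the LiMe router.

```shell
#!/bin/sh
# Added example (not from the thread): an OpenWrt/fw3 rule for the LiMe router
# plugged into the home LAN. It drops forwarded traffic from the mesh
# (10.0.0.0/8) towards the home LAN (192.168.0.0/16) and leaves Internet
# traffic alone. Filtering runs in FORWARD, before masquerading in
# POSTROUTING, so the 10.x source address is still visible to the rule.
# Assumed zone names: 'lan' = mesh side, 'wan' = port facing the home router.

# Emit the UCI stanza for /etc/config/firewall.
lime_block_home_lan_rule() {
  cat <<'EOF'
config rule
	option name 'lime-no-home-lan'
	option family 'ipv4'
	option src 'lan'
	option src_ip '10.0.0.0/8'
	option dest 'wan'
	option dest_ip '192.168.0.0/16'
	option proto 'all'
	option target 'DROP'
EOF
}

# Append the rule to a firewall config file unless it is already present,
# so re-running the script never duplicates the stanza.
install_rule() {
  cfg="$1"
  if grep -q "option name 'lime-no-home-lan'" "$cfg" 2>/dev/null; then
    return 0
  fi
  { printf '\n'; lime_block_home_lan_rule; } >> "$cfg"
}

# Count copies of the rule in a config file (0 when the file is missing).
rule_count() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c "option name 'lime-no-home-lan'" "$1" || true
}

# On the router: install_rule /etc/config/firewall && /etc/init.d/firewall reload
# Check: from a 10.x host, ping a 192.168.x host (should fail) while
# 'iptables -nvL' on the LiMe router shows the DROP rule's counters rising.
```

Traffic from the LiMe router's own WAN address to other hosts on the same 192.168 segment is switched, not routed, so the home router's traffic rules never see it; that is why the rule has to live on the LiMe router (or in a Layer 2 firewall).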