I have a dd-wrt router with two Wi-Fi interfaces (ath0 and ath1). I want everything that's on ath0 to not have any kind of WAN access. Only LAN (to and from the device).
How would I do this in the easiest and most robust manner?
Before, I tried this using ath1 as well, by adding a virtual AP, a new bridge for the AP and some advanced routing and firewall settings. This was overly complicated though, and I figured it should be a lot easier to just use my (unused anyway) ath0 (5GHz) interface for this purpose.
I am using OpenVPN as a client, which makes things a bit more complicated. When using the iptables firewall with the old approach I would always have to manually re-set the firewall settings, because a file in /etc/ is overwriting my rules (-I at the top) because of the VPN, allowing everything WAN access as long as it's over the VPN. Because of SquashFS I couldn't find a way to prevent that, and always having to manually overwrite it after saving settings/rebooting the router isn't so nice. Also, I'm not sure it won't overwrite it again later.
I don't want ath0 to have VPN access either. I can't use iptables with a source IP because it should be for all clients on that SSID/interface, and as soon as they connect, so I won't really know an IP in advance.
I've tried looking this up, but I couldn't find anything that would work for my case except for the overly advanced virtual AP/bridge solution.
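An added example, not part of the original post and not dd-wrt's own code: a firewall script that matches on the Wi-Fi interface the client is attached to instead of on client IP addresses, which is the usual answer to "I won't know an IP in advance". It assumes the dd-wrt default layout where ath0 is a port of the LAN bridge br0 (so routed packets reach the FORWARD chain as `-i br0` and the physical port has to be matched with iptables' physdev match, which needs xt_physdev and br_netfilter in the kernel; `iptables -m physdev -h` prints the match's options when it is available), that the WAN interface is eth0 and the OpenVPN client tunnel is tun1. All interface names are assumptions and set at the top; `dry_run` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: a dd-wrt "firewall" script that denies WAN and VPN egress
# to every client attached to ath0, matching on the Wi-Fi port rather than
# on client IPs. Interface names below are assumptions for this example.
LAN_BR="${LAN_BR:-br0}"          # LAN bridge that ath0 is a port of
GUEST_PORT="${GUEST_PORT:-ath0}" # Wi-Fi interface that must stay LAN-only
WAN_IFS="${WAN_IFS:-eth0 tun1}"  # WAN uplink and the OpenVPN client tunnel
IPT="${IPT:-iptables}"           # override with a printing function for a dry run
CHAIN="GUEST_NOWAN"

# Match: routed packets that entered the bridge through ath0.
guest_match() {
    printf '%s' "-i $LAN_BR -m physdev --physdev-in $GUEST_PORT"
}

# Remove any earlier copy so the script can be re-run at any time
# (boot, saving the firewall, or after the VPN start-up file has
# prepended its own ACCEPT rules with -I).
flush_guest_chain() {
    # shellcheck disable=SC2046
    $IPT -D FORWARD $(guest_match) -j "$CHAIN" 2>/dev/null || true
    $IPT -F "$CHAIN" 2>/dev/null || true
    $IPT -X "$CHAIN" 2>/dev/null || true
}

# Build the chain: traffic that stays on the LAN bridge goes back to the
# normal ruleset, anything leaving via a WAN or tunnel interface is dropped,
# and an explicit catch-all drops whatever else is not LAN.
apply_guest_rules() {
    flush_guest_chain
    $IPT -N "$CHAIN"
    $IPT -A "$CHAIN" -o "$LAN_BR" -j RETURN
    for wan in $WAN_IFS; do
        $IPT -A "$CHAIN" -o "$wan" -j DROP
    done
    $IPT -A "$CHAIN" -j DROP
    # Position 1: the jump must sit above every ACCEPT that dd-wrt or the
    # VPN client inserts, so re-run this after the tunnel comes up.
    # shellcheck disable=SC2046
    $IPT -I FORWARD 1 $(guest_match) -j "$CHAIN"
}

# Dry run: print the iptables invocations instead of executing them.
say() { printf '%s\n' "$*"; }
dry_run() (
    IPT=say
    apply_guest_rules
)

# On the router, run with APPLY=1 (or append a bare "apply_guest_rules").
if [ "${APPLY:-0}" = 1 ]; then
    apply_guest_rules
fi
```

Traffic to the router itself (DHCP, DNS, the web UI) goes through INPUT, not FORWARD, so ath0 clients keep "to and from the device" access untouched. The chain only controls where packets may be forwarded, which is why a second subnet or bridge is not needed. Since the VPN file prepends its own rules with `-I`, the jump at position 1 is only guaranteed to stay on top if `apply_guest_rules` is run again once the tunnel is up (OpenVPN's `route-up` directive is the natural hook, if the client configuration lets you add one); `iptables -L FORWARD -v -n` shows whether the GUEST_NOWAN jump is still first and whether its counters move.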