Block access from GUEST wireless to DD-WRT web admin GUI?



  • Am trying to figure out how to block access from captive portal guest wireless access point to the router's web admin UI.  For example, my guest wireless access point is running DD-WRT and its IP is 192.168.1.2.

    I was able to set up a firewall rule to block access from my GUEST (OPT1) wireless access point (192.168.0.2) network to my PFSENSE router (192.168.0.1).  However, if you're connected to the guest wireless AP and authenticate on the captive portal login screen, you can then browse to http://192.168.1.2 and are prompted for the DD-WRT admin login.  I've been unable to figure out how to prevent a user connected to the guest wireless AP from even accessing 192.168.1.2 (HTTP 80).

    Also, for convenience I have the DD-WRT router set without any encryption (open, broadcasting SSID) but protected by the captive portal user account.  Has everyone found that this is safe enough?  My intent is not to encrypt the traffic but rather to 1.) make it simple for guests to find and connect to the AP without having to configure WPA/WPA2, etc. and 2.) ensure that no one can access the internet on the GUESTS network without authenticating via the captive portal.

    Thanks in advance.



  • My guess would be that pfSense doesn't even see the access attempt you are trying to prevent and consequently can't do anything about it.

    I don't know DD-WRT but I would be surprised if it didn't have some means of blocking access to the administration interface.



  • Sorry, just dropped in here, and saw the question.

    I have myself several APs using DD-WRT on an OPT1 interface, captive portal enabled on OPT1.
    Of course, I wouldn't like it that my 'clients' could hammer on my APs.

    Can I presume that the IP of your AP = 192.168.1.2 ?

    Open the web interface of your DD-WRT.
    Go to Administration => Shell.
    Paste this code into the "fire wall" block.
    Save.

    #!/bin/sh
    # create (or reset) a chain that logs the packet and then drops it
    /usr/sbin/iptables -N logdrop
    /usr/sbin/iptables -F logdrop
    /usr/sbin/iptables -A logdrop -j LOG
    /usr/sbin/iptables -A logdrop -j DROP
    # send guest-subnet traffic aimed at the AP's HTTP, SSH and telnet ports to that chain
    /usr/sbin/iptables -I INPUT -i br0 -s 192.168.1.0/24 -p tcp --dport 80 -j logdrop
    /usr/sbin/iptables -I INPUT -i br0 -s 192.168.1.0/24 -p tcp --dport 22 -j logdrop
    /usr/sbin/iptables -I INPUT -i br0 -s 192.168.1.0/24 -p tcp --dport 23 -j logdrop
    ## end


    With this code, YOU can administer your AP from the LAN interface (192.168.0.0/24) - [DO NOT forget to ADD to Services => Captive Portal => Allowed IP addresses => Direction = Both IP = 192.168.1.2 and hit Save. - This way the AP itself can now communicate with the net to play games, update the time, have a chat, and answer to YOU when you want to login from anywhere except 192.168.1.0/24 ]
    No one coming from the subnet 192.168.1.0/24 can access the DD-WRT interfaces.
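The rule set above, reworked as an added example (this is not the poster's script and not part of DD-WRT itself). It keeps the guest subnet 192.168.1.0/24, the bridge interface br0 and the logdrop chain from the post, and adds three things a practitioner usually wants: HTTPS (443) is blocked alongside 80/22/23, because DD-WRT can serve its admin GUI over HTTPS too; the LOG rule is rate-limited so a port scan from a guest cannot flood the router's small syslog buffer; and the guest rules live in their own chain (guest_admin, an assumed name) so that re-running the script on every boot or firewall reload never leaves duplicate rules in INPUT. The rules are generated as text first so they can be reviewed with --dry-run before being applied.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Assumptions (override via environment): guest subnet and bridge interface as in
# the post; 443 added to the blocked ports; chain name guest_admin is made up here.
GUEST_NET="${GUEST_NET:-192.168.1.0/24}"
GUEST_IF="${GUEST_IF:-br0}"
ADMIN_PORTS="${ADMIN_PORTS:-80 443 22 23}"
IPT="${IPT:-/usr/sbin/iptables}"

# Print the rule set, one iptables invocation per line. Separating generation
# from execution lets you inspect exactly what will be installed.
build_rules() {
    # logdrop: log (rate-limited) then drop. -F makes re-runs idempotent.
    echo "$IPT -N logdrop 2>/dev/null"
    echo "$IPT -F logdrop"
    echo "$IPT -A logdrop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"GUEST-ADMIN-DROP: \""
    echo "$IPT -A logdrop -j DROP"

    # guest_admin: one rule per management port, all from the guest subnet on br0
    echo "$IPT -N guest_admin 2>/dev/null"
    echo "$IPT -F guest_admin"
    for port in $ADMIN_PORTS; do
        echo "$IPT -A guest_admin -i $GUEST_IF -s $GUEST_NET -p tcp --dport $port -j logdrop"
    done

    # Remove any earlier jump (ignore failure if none), then put it first in INPUT
    # so it is evaluated before any ACCEPT rule the firmware adds for the bridge.
    echo "$IPT -D INPUT -j guest_admin 2>/dev/null"
    echo "$IPT -I INPUT 1 -j guest_admin"
}

# Execute the generated rules on the router.
apply_rules() {
    build_rules | sh
}

# Number of per-port block rules generated (handy for a sanity check).
rule_count() {
    build_rules | grep -c -- '-A guest_admin'
}

case "${1:-}" in
    --dry-run) build_rules ;;
    --apply)   apply_rules ;;
esac
```

Run it once with `--dry-run` to review the commands, then with `--apply`. Because every chain is flushed and the INPUT jump is deleted before being re-inserted, the same script can be pasted into DD-WRT's startup firewall script and executed on every reboot without accumulating copies of the rules. The log lines carry the prefix GUEST-ADMIN-DROP: so they can be picked out of the router's syslog, which is how you confirm a guest actually tried to reach the admin interface rather than just assuming the rule works.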

