fwbuilder? or something better?

[this cannot be changed]

I'm looking to build a bunch of rules for my network. Probably 50 devices (phones, TVs, Sky+ box etc. The usual junk we all have at home), most rules will be 'this device can only go to the internet', others will be 'only these ports'.

Is there a recommended tool & guidance on how to use? I've played around with fwbuilder but it's not particularly intuitive, and the scripts it's generating have a lot of extra config in them other than just the rules I was expecting.

Example here: https://github.com/RMerl/asuswrt-merlin/wiki/Iptables-tips only has NAT rules, no firewall rules.

This page: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts mentions firewall-start, but it's not clear to me what stage the filewall is at, and hence what rules I should be applying.

Should I be using ipset? https://github.com/RMerl/asuswrt-merlin/wiki/Using-ipset

Happy to spend hours playing, but piecing together bits and bobs probably isn't the best way forward.

 

[ColinTaylor]

What's wrong with using the features built into the router, Network Services Filter or Parental Control?

 

[this cannot be changed]

One example:
I want my Samsung TV to only talk to my DNS server, my Plex server (on a single port), and the internet (since it's going to do that to get to Samsung). No need for my TV to be able to ping, for example, my phone.
A Kindle: Just want that to go to the internet, no local services (other than the DNS server).

NSF reads that it only blocks LAN->WAN, whereas I'm wanting to control LAN traffic.
Parental control? Thats one of those services under the Trend bit that I won't enable since I don't agree with the data collection policy, but I suspect it won't be flexible enough anyway.

 

[ColinTaylor]

NSF reads that it only blocks LAN->WAN, whereas I'm wanting to control LAN traffic.
Parental control? Thats one of those services under the Trend bit that I won't enable since I don't agree with the data collection policy, but I suspect it won't be flexible enough anyway.

Firewall rules will only effect WAN to LAN traffic (and vice versa) whether you do it via the GUI, from the command line or with fwbuilder. LAN to LAN traffic is switched so it doesn't hit the firewall.

DNS Filter (under Parental Control) is not part of the Trend stuff it's something that Merlin created. Basically it's just a front end for creating firewall rules that intercept client DNS requests and redirects them to a different DNS server. You can use it to force a particular client to go to OpenDNS for example.

 

[this cannot be changed]

Aha, thank you, didn't realise the lan<->lan was ignored since things like QoS can look at them (and disable cut-through). Looks like I'll need to look at vlans to segregate the clients and route between them then.

 

[Vexira]

Firewall rules will only effect WAN to LAN traffic (and vice versa) whether you do it via the GUI, from the command line or with fwbuilder. LAN to LAN traffic is switched so it doesn't hit the firewall.

DNS Filter (under Parental Control) is not part of the Trend stuff it's something that Merlin created. Basically it's just a front end for creating firewall rules that intercept client DNS requests and redirects them to a different DNS server. You can use it to force a particular client to go to OpenDNS for example.

yes but oddly that seems to stop working if you change nat loop back to merlin.

 

[Denna]

@this cannot be changed,

FWBuilder was abandoned years ago.

I started out using FWBuilder to get an idea of what rules look like.

In the end, I just had to learn how to use iptables.

Creating rules with a GUI on a PC isn't really available on a router.

You could try using FireHOL, but that doesn't have a GUI either.​