Restrict wireless access to LAN on Actiontec router
Posted on 2014-03-27
I've got an Actiontec MI424-WR router and would like to configure it such that the wireless access point in it only allows access to the internet (through the WAN port) and NOT to the LAN ports. A complicating factor is that DHCP and DNS are done from a Windows Server on the LAN and the wireless clients need to be serviced by that. I may be able to work around the DNS issue if necessary.
I tried one approach, but it didn't work. Under Firewall Settings, Advanced Filtering I tried to configure a rule. I used an Outbound Rule Set, Wireless Access Point Rules, Source Address of Any, Destination Address range of all LAN addresses except for the router, and set Operation to drop. I had also set up DHCP forwarding.
My presumption (the manual is of no real help here) was that the Wireless Access Point Rules applied to the Wireless Access Point only and that my configuration would allow traffic from wireless clients only to the excluded destination address (the router).
With those settings, a device can connect to the wireless, can get an IP address from the DHCP server, but can't access anything. I tried pinging the router and several devices on the LAN and got no responses. Obviously, I'm missing something here.
The Security Log showed the following:
fw/policy/0/chain/fw_ath0_out/rule/0: ICMP type 0 code 0 192.168.50.1->192.168.50.21 on ath0
The .1 address is the router and the .21 address is the wireless client. It appears to me that the rule that I set up is blocking the reply packets from getting back to the client.
Is it possible with this router to do the limiting that I want? If so, how would it be done?
I have considered DD-WRT, but that is not an option. I need to duplicate this scenario at a client's site and that change won't be allowed.
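A way to check the Security Log entry above against the drop rule, added here as an example and not part of the original post. The log line is the one quoted in the post. The destination range 192.168.50.2 to 192.168.50.254 is an assumption, since the post only says "all LAN addresses except for the router". The function and field names are hypothetical.

```python
import ipaddress
import re

# Log line copied from the Security Log excerpt in the post.
LOG_LINE = ("fw/policy/0/chain/fw_ath0_out/rule/0: ICMP type 0 code 0 "
            "192.168.50.1->192.168.50.21 on ath0")

# Pattern derived from that single line; other entry formats are not covered.
LOG_RE = re.compile(
    r"chain/(?P<chain>\w+)/rule/(?P<rule>\d+): (?P<proto>\w+)"
    r"(?: type (?P<type>\d+) code (?P<code>\d+))? "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+) on (?P<iface>\w+)"
)

# ASSUMED drop range: every LAN address except the router at .1.
DROP_FIRST = ipaddress.ip_address("192.168.50.2")
DROP_LAST = ipaddress.ip_address("192.168.50.254")


def parse(line):
    """Split a Security Log entry into chain, rule, protocol and addresses."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("unrecognised log line")
    return m.groupdict()


def explain(line):
    """Report which rule matched and whether the destination is in the drop range."""
    e = parse(line)
    dst = ipaddress.ip_address(e["dst"])
    return {
        "chain": e["chain"],
        "rule": int(e["rule"]),
        "iface": e["iface"],
        "src": e["src"],
        "dst": e["dst"],
        # ICMP type 0 is an echo reply (the answer to a ping).
        "is_echo_reply": e["proto"] == "ICMP" and e["type"] == "0",
        "dst_in_drop_range": DROP_FIRST <= dst <= DROP_LAST,
    }


if __name__ == "__main__":
    r = explain(LOG_LINE)
    print(r)
    if r["is_echo_reply"] and r["dst_in_drop_range"]:
        print(f"rule {r['rule']} in {r['chain']} matched an echo reply to {r['dst']}, "
              "an address inside the assumed destination range")
```

Under the assumed range, the wireless client's own address (.21) is a matching destination, so the router's echo reply to it matches the drop rule in the chain the log names.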