disable_access_to_admin_access_ssh:gui_for_guest_v:wlan [FreshTomato Wiki]


Disable admin access (SSH/GUI) for guest VLAN/WLAN

By default, Tomato's administration ports (e.g. SSH and HTTP/HTTPS) are reachable from every VLAN/WLAN configured on the router.

The credentials must be known to access the router, of course, but if this communication is unwanted, as a starting point you can filter out access using the following script in the Administration/Scripts/Firewall page:

iptables -t filter -I INPUT 1 -p tcp -m multiport -i br1 --dport 22,80,443 -j REJECT

Adjust the ports above (22,80,443) if you're using non-standard ones. If you have multiple bridges/guest VLANs, add additional lines, changing br1 accordingly.

NOTE: Take care not to lock yourself out; you most likely do not want to filter on br0.

NOTE2: This takes effect the next time the firewall script is called. You can force this manually by either running service firewall restart or rebooting the device.
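
As an added example (not part of the original wiki page), the script below generates the rule above for several guest bridges at once, validates the port list, and refuses to emit a rule for the management bridge. The bridge names br1/br2, the variable and function names, and the APPLY switch are assumptions; it only prints the commands unless APPLY=1 is set.

```sh
#!/bin/sh
# Added example, not from the FreshTomato wiki. All values below are assumptions.
GUEST_BRIDGES="br1 br2"   # guest bridges to filter (assumed names)
ADMIN_PORTS="22,80,443"   # SSH, HTTP, HTTPS admin ports from the page
MGMT_BRIDGE="br0"         # bridge you administer from; never filtered

# valid_ports: succeed only for a comma-separated list of ports in 1..65535.
valid_ports() {
    case "$1" in
        ''|*[!0-9,]*|,*|*,|*,,*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=,
    for p in $1; do
        IFS=$old_ifs
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    IFS=$old_ifs
}

# guest_admin_rules PORTS BRIDGE...: print one REJECT rule per guest bridge.
guest_admin_rules() {
    ports=$1
    shift
    valid_ports "$ports" || { echo "bad port list: $ports" >&2; return 2; }
    for br in "$@"; do
        case "$br" in
            ''|*[!A-Za-z0-9._-]*) echo "bad interface: $br" >&2; return 2 ;;
        esac
        if [ "$br" = "$MGMT_BRIDGE" ]; then
            echo "skipping $br: management bridge" >&2
            continue
        fi
        echo "iptables -t filter -I INPUT 1 -p tcp -m multiport -i $br --dport $ports -j REJECT"
    done
}

# Print the rules for review; set APPLY=1 to execute them (root required).
if [ "${APPLY:-0}" = 1 ]; then
    guest_admin_rules "$ADMIN_PORTS" $GUEST_BRIDGES | sh
else
    guest_admin_rules "$ADMIN_PORTS" $GUEST_BRIDGES
fi
```

Review the printed rules before applying them, and keep MGMT_BRIDGE set to the bridge you administer the router from.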

disable_access_to_admin_access_ssh/gui_for_guest_v/wlan.txt · Last modified: 2020/09/16 08:52 by rs232