How to set up a kind of reverse access point (allowing access from the outside only)

[mjmeans]

Okay, so I'd like the LAN side to be handled by eth0 and the WAN side to be handled by wlan. So the LAN hosts all the untrusted devices and on are put into a network sandbox.

I have a secondary building that I don't want to run outdoor certified ethernet cable to. So, the connection from the main network to the building is via WiFi. The devices inside the building are all untrusted, meaning they are allowed to talk to each other but are not allowed to connect to the internet, by default. But some will be accessible from the WAN side through the RaspAP. Management of which devices can do what through the AP must be accomplished solely from the WAN side.

Can RaspAP be set up like this:

• The eth0 interface manages the 'untrusted network' (the LAN side of the router).

• Devices on the untrusted network will have their IP addresses managed through the DHCP service provided by RaspAP.

• Devices on the untrusted network will not be able to open connections to any devices through the RaspAP.

• Devices on the untrusted network will NOT be able to access the RaspAP SHH terminal or web-based management, even if they have the passwords.

• Devices on the untrusted network will perceive the RaspAP to be like any ordinary router, except without an internet connection.

• The wlan interface is on 'trusted network' (the WAN side of the router).

• It will get its IP address from the trusted networks DHCP server just like a normal router would get its IP address from an ISP.

• Devices on the trusted network will be able to access the RaspAP SHH terminal or web-based management.

• Devices on the trusted network will be able to open connections to devices in the untrusted network through a routing table that exposes addresses and ports on the untrusted network. Like you would do when opening a server port for an internal device on a normal router.

So, the untrusted network is air gapped to the trusted network which can implement its own firewall. And no device connected to the untrusted network has any hope of 'escaping' to the internet through the RaspAP.

Of course, this all requires the host network WiFi be highly secure so that untrusted network devices that happen to have undisclosed or hidden WiFi chipsets and malware (possibly built into their firmware) can't escape through various spoofing techniques to bypass the RaspAP sandbox they were placed in.

[billz]

You can set up RaspAP to achieve the configuration you described, where eth0 manages the untrusted LAN and the wlan interface connects to the trusted WAN. Broadly speaking, you'll want to do the following:

1. Configure the eth0 interface with a static IP address (eg. 192.168.50.1/24) and connect your untrusted devices to it.
2. Set up wlan0 as the trusted network: make sure wlan0 gets its IP address from the trusted network's DHCP server.
3. Firewall rules: RaspAP's optional firewall can be used as a base for this, although your implementation requires some custom rules not included in the default package. For example, at a minimum you'll probably want to prevent clients on the untrusted network from accessing RaspAP's management interface:

sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP
sudo iptables -A INPUT -i eth0 -p tcp --dport 80 -j DROP
sudo iptables -A INPUT -i eth0 -p tcp --dport 443 -j DROP

(Optional) add forwarding rules to allow the trusted network to access untrusted devices:

sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT

RaspAP installs Debian's iptables-persistent package so these rules will be autosaved.

4. Connect devices to the eth0 interface and verify that they receive IP addresses from RaspAP's DHCP service. Check that devices on the untrusted network cannot access the internet or RaspAP's UI. Verify that devices on the trusted network can manage RaspAP and access devices on the untrusted network.

The above should be considered a rough outline only. Adjust as necessary.