Wan to Lan filter



libeccio
17-02-2006, 14:14
Hello,
I have an Asus WL500G with firmware 19.5.0 (original Asus).
My need is to restrict access to a web server on my LAN. I would like to choose which public IP addresses can access the server.
My idea was to use the WAN to LAN filter. I read the documentation and searched in this forum. I tried different configurations with no success. Does someone have an example of a config running with Asus firmware which answers my needs?
Regards.

TheEagle
17-02-2006, 17:14
This has nothing to do with ASUS or Oleg firmware; it's the same on both.

First you have to set up a "Virtual Server" in NAT -> Virtual Server.

Port Range | Local IP | Local Port | Protocol | Protocol No. | Description
80 | <IP of Webserver> | <leave empty> | TCP | <leave empty> | Webserver
443 | <IP of Webserver> | <leave empty> | TCP | <leave empty> | Webserver

The entry with port 443 is only necessary if you plan to use HTTPS.

Then you have to set "Enable WAN to LAN Filter" to yes, set "Packets not specified will be" to "DROP", and then you will need several rules.

Source IP | Port Range | Destination IP | Port Range | Protocol
<external IP that may access the webserver> | <leave empty> | <IP of webserver> | 80 | TCP

If the webserver PC should still be able to communicate with the internet without any further restrictions, you need these rules additionally:
<leave empty> | <leave empty> | <IP of webserver> | 1:79 | TCP
<leave empty> | <leave empty> | <IP of webserver> | 81:65535 | TCP
<leave empty> | <leave empty> | <IP of webserver> | <leave empty> | UDP

And so that every other PC (that is not the webserver) is not totally blocked from internet access, you need these 2 entries for every PC, for example:

<leave empty> | <leave empty> | <IP of other PC> | <leave empty> | TCP
<leave empty> | <leave empty> | <IP of other PC> | <leave empty> | UDP

This doesn't mean the whole internet has direct access to this PC, but the PC may receive data from the net (data that it asked for).


This is only one example, that many people would make more restrictive, but I don't know your whole LAN setup and this is a basic config that should do what you wanted without causing trouble on any other machine.
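For anyone who wants the same setup as a post-firewall script instead of through the web interface, here is the iptables equivalent of the Virtual Server plus WAN to LAN filter configuration above. This is an added example, not TheEagle's configuration and not code from either firmware. The interface names (vlan1 for WAN, br0 for LAN), the web server address 192.168.1.10 and the permitted public address 203.0.113.5 are assumed placeholders to replace with your own values; on the router, `nvram get wan_ifname` shows the real WAN interface.

```shell
#!/bin/sh
# Added example: iptables equivalent of "Virtual Server" + "WAN to LAN filter"
# (default DROP) for a single permitted public address. Not the firmware's own
# rules; all values below are assumed placeholders.

WAN_IF="${WAN_IF:-vlan1}"                 # assumed WAN interface; check with: nvram get wan_ifname
LAN_IF="${LAN_IF:-br0}"                   # assumed LAN bridge
WEB_IP="${WEB_IP:-192.168.1.10}"          # assumed web server on the LAN
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.5}" # assumed permitted public address (TEST-NET-3)
IPT="${IPT:-iptables}"                    # set IPT=echo to print instead of apply

# Every rule goes through $IPT, so the same function serves dry run and real run.
apply_rules() {
    # 1. "Virtual Server": DNAT WAN port 80 to the web server, but only when the
    #    packet comes from the permitted address. Anyone else is never forwarded.
    $IPT -t nat -I PREROUTING -i "$WAN_IF" -p tcp -s "$ALLOWED_SRC" --dport 80 \
        -j DNAT --to-destination "$WEB_IP:80"

    # 2. "WAN to LAN filter" with "packets not specified will be: DROP".
    #    Inserted at the top of FORWARD (positions 1-4) so these rules are
    #    matched before any ACCEPT the firmware may have added for the virtual
    #    server; iptables stops at the first matching rule.
    #    2a. Replies to connections the LAN started ("data that it asked for").
    $IPT -I FORWARD 1 -i "$WAN_IF" -o "$LAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    #    2b. The one permitted client, to the web server, port 80, new connections.
    $IPT -I FORWARD 2 -i "$WAN_IF" -o "$LAN_IF" -p tcp -s "$ALLOWED_SRC" \
        -d "$WEB_IP" --dport 80 -m state --state NEW -j ACCEPT
    #    2c. Log, then drop, everything else coming from the WAN into the LAN,
    #        so rejected attempts show up in the router's syslog.
    $IPT -I FORWARD 3 -i "$WAN_IF" -o "$LAN_IF" \
        -j LOG --log-prefix "WAN2LAN DROP: " --log-level 4
    $IPT -I FORWARD 4 -i "$WAN_IF" -o "$LAN_IF" -j DROP
    # LAN to WAN traffic is not touched here; the firmware's own rules decide that.
}

# Print the rules as text without touching the running firewall.
dry_run() {
    ( IPT=echo; apply_rules )
}

# "sh wan2lan.sh apply" applies the rules; anything else just prints them.
case "${1:-}" in
    apply) apply_rules ;;
    *)     dry_run ;;
esac
```

Run it without an argument first to print the rules, then with `apply` on the router. To confirm the order on a live box, `iptables -L FORWARD -nv --line-numbers` should list the ESTABLISHED rule, the single ACCEPT for the permitted source and the DROP above anything the firmware added for the virtual server; since iptables stops at the first match, a broader ACCEPT sitting above them would let forwarded port 80 traffic through before the filter rules are ever consulted.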

libeccio
17-02-2006, 20:54
Thank you for your quick and detailed response.
I tried the config you proposed and I still have the same problem:
I still have access to the server from another web access.
Source IP | Port Range | Destination IP | Port Range | Protocol
<leave empty> | <leave empty> | <IP of webserver> | 1:79 | TCP
<leave empty> | <leave empty> | <IP of webserver> | 81:65535 | TCP
<leave empty> | <leave empty> | <IP of webserver> | <leave empty> | UDP
<external IP (not mine)> | <leave empty> | <IP of webserver> | 80 | TCP
With this config, I continue to have access on HTTP (80). I looked in the log. The ping is rejected (ICMP) but not port 80.
Thank you for your help.

TheEagle
17-02-2006, 22:51
OK, a few questions to be really sure everything is set:

"Internet Firewall" -> "Basic Config": "Enable Firewall" is set to "yes"? (I'm not even sure that's needed but just in case :) )

"Internet Firewall" -> "WAN & LAN Filter" [Wan to Lan Filter Section]: "Enable Wan to Lan Filter" is "yes"?

"Internet Firewall" -> "WAN & LAN Filter" [Wan to Lan Filter Section]: "Packets(WAN to LAN) not specified will be: " is set to DROP?

You could also post a screenshot of the WAN to LAN Filter settings. I'm pretty sure this should work as I described it. You could also additionally try to set the "mirror rules" of the ones I posted in the LAN to WAN filter.

Like

Source IP | Port Range | Destination IP | Port Range | Protocol
<IP of webserver> | 1:79 | <leave empty> | <leave empty> | TCP
<IP of webserver> | 81:65535 | <leave empty> | <leave empty> | TCP
<IP of webserver> | <leave empty> | <leave empty> | <leave empty> | UDP
<IP of webserver> | 80 | <external IP (not mine)> | <leave empty> | TCP

libeccio
19-02-2006, 10:18
"Internet Firewall" -> "Basic Config": "Enable Firewall" is set to "yes"? (I'm not even sure that's needed but just in case )
"Enable Firewall" is set to "yes".

"Internet Firewall" -> "WAN & LAN Filter" [Wan to Lan Filter Section]: "Enable Wan to Lan Filter" is "yes"?
"Enable Wan to Lan Filter" is "yes"

"Internet Firewall" -> "WAN & LAN Filter" [Wan to Lan Filter Section]: "Packets(WAN to LAN) not specified will be: " is set to DROP?
"Packets (WAN to LAN) not specified will be:" is set to DROP.

TheEagle
19-02-2006, 11:24
Your config looks good ... one more question (sounds dumb, but you never know ...): did you reboot after setting the rules? :)

I'll try to set up something here with my router (later today or tomorrow) to check if I missed something.

libeccio
21-02-2006, 15:36
Yes, I rebooted after setting the rules.
I moved to Oleg firmware (very good work) and I have the same result. I used the web interface to set up the rules. I can try with a post-firewall script, but before that I would like to know if someone has succeeded in configuring the WAN to LAN filter through the web interface.

libeccio
24-02-2006, 17:55
As I moved to Oleg firmware, I can run iptables to get more information. You will find the result attached. My question is still the same: is it possible to give HTTP access to one public address? I tried with the WAN to LAN filter without success.
Any help?
Regards.