Just to clarify, if I have 2 VLANs filtered on the br-lan bridge, what happens if they’re both in the same firewall zone? Is there still segregation?
No, all interfaces within the same zone are treated the same / can talk to each other.
Though if the forward option on the zone is not ACCEPT, then two interfaces will be blocked from each other; but this has some unexpected consequences, such as WireGuard clients, though on the same interface, also not being able to reach each other.
For fine control you really need the interfaces in separate zones.
I would say that the value or liability of having two or more networks in the same firewall zone entirely depends on the goals of your networks.
Specifically, consider the following:
- You can control the (broad) ability for the networks to talk to each other via the zone `forward` rule. If set to `ACCEPT` they have essentially unfiltered access to each other. But if set to `REJECT` or `DROP`, they can't talk to each other.
- All other firewall forward statements and rules that use the zone as either a source or destination will (generally) apply to all networks in the zone.
- You can add granular rules to allow/prohibit individual hosts, netblocks, and/or ports/protocols in ways that are different from the overall zone setup and rulesets.
So, the way I would approach the question is to ask the following:
- Are the goals of each of the networks similar enough such that the same set of rules (in general) should be applied to them? You still may add some additional rules to apply to individual networks.
- Would it be easier/faster to use the same or different zones to define the policies on each network? In some cases a single zone can actually make your firewall file a bit more comprehensible in the sense of fewer zones and rulesets to read/track, but this efficiency can be undermined if it leads to a large number of granular rules to treat them differently. Sometimes the reverse is true, in that it's easier to follow when the networks are in different zones. (FWIW, the "efficiency" here is not typically significant at a machine level, just a human readability angle.)
At L2, yes, there is still segregation. It will still maintain separation of the two (or more) subnets which can be beneficial in terms of reducing the traffic caused by broadcast/multicast traffic (at least assuming you don't re-enable those things with mdns repeater/reflectors across the VLANs and/or other similar methods).
Thanks for that very helpful reply
On my network, I have IoT and CCTV VLANs which are both similar in terms of firewall.
I also have Audio and Video VLANs, which again are similar in terms of firewall.
My thinking had been to have an AV firewall zone for Audio and Video and an IoT firewall zone for IoT and CCTV. Some traffic from CCTV should make it to IoT and there should likely be some bi-directional traffic from Audio and Video. I’m also using a routing table for the Video VLAN to a VPN
If there is still segregation at L2 (presumably because of the VLAN tagging), then L3 won’t work anyway will it (between the VLANs I mean, despite them being in the same zone), as L3 is higher up the stack?
I suppose I can play around with this and see what happens. I wanted to get the update to 25.12 first, which I've now done. (Seems like my NanoPi R5S has iffy eMMC though.)
L3 is routing. The flows are kept separate at L2 (switching) and will only route between the subnets if:
- inter-vlan/inter-subnet routing is allowed for the networks in question.
- A host on one network wants to connect to a host on another network.
Absent scanning and the like (and FWIW, scanning would also be subject to the firewall allowances/prohibitions), the two (or more) networks will not be aware of each other. That is to say that your CCTV devices won't know that there's another network with IoT stuff unless it either tries to scan for other subnets that it can reach and/or you manually provide the other network or host addresses (for example, you might have an NVR send a command to an IoT device based on some criteria; you'd provide the address of the IoT device to the NVR so that it can send that message).
OK, so the VLAN tagging isn't actually preventing communication in this scenario?
The VLANs (separate subnets) are one layer to prevent connections between hosts. They cannot connect to each other at L2. However, they might be able to connect using L3 (routing), depending on the config of the firewall.
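To make the zone mechanics discussed above concrete for the IoT/CCTV and Audio/Video layout described in this thread, here is an added `/etc/config/firewall` fragment (example configuration, not taken from any post or from OpenWrt's defaults). It assumes network interfaces named `iot`, `cctv`, `audio` and `video`, subnets 192.168.10.0/24 (IoT) and 192.168.20.0/24 (CCTV), an existing `wan` zone, and RTSP on TCP/554 as the one CCTV-to-IoT flow that should be allowed.

```uci
# Added example for fw4 (OpenWrt 23.05 and later). Interface names,
# subnets and the port are assumptions for illustration only.

# IoT and CCTV share one zone. 'forward REJECT' means the two networks
# are still separate at L3 by default: the router refuses to route
# between them even though they sit in the same zone. Note this also
# blocks hairpin traffic between hosts of one network that the router
# would route back (the WireGuard peer case mentioned above).
config zone
	option name 'iot'
	list network 'iot'
	list network 'cctv'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Granular exception: CCTV hosts may open RTSP to the IoT subnet only.
# src and dest are the same zone; the rule is evaluated before the
# zone's intra-zone forward policy, so it carves one hole in the REJECT.
config rule
	option name 'cctv-to-iot-rtsp'
	option src 'iot'
	option src_ip '192.168.20.0/24'
	option dest 'iot'
	option dest_ip '192.168.10.0/24'
	option proto 'tcp'
	option dest_port '554'
	option target 'ACCEPT'

# Audio and Video want bi-directional traffic, so this zone uses
# 'forward ACCEPT': its two networks route to each other freely and no
# per-host rules are needed.
config zone
	option name 'av'
	list network 'audio'
	list network 'video'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Traffic between zones needs an explicit forwarding section. Only
# av -> wan is allowed here; with no iot <-> av forwarding, those two
# zones remain isolated from each other regardless of their own
# forward policy.
config forwarding
	option src 'av'
	option dest 'wan'
```

After editing, `fw4 check` validates the file and `fw4 print` shows the generated nftables ruleset, so you can confirm the RTSP exception lands in the iot zone's forward chain ahead of the reject.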