*added firewall file* Firewall rule to allow traffic from vlan10 to vlan20

I have my home LAN on vlan10. I'd like to put all the Roku devices and IoT devices on vlan20; however, a lot of these apps require you to be on the same network. I wonder if a pair of firewall rules would allow my phone on vlan10 wifi to talk to the devices on vlan20 wifi, while the devices on vlan20 have no access to vlan10.

x86 i350-t4(openwrt 23.05) - gs308t(stock) - wax214v2(stock)

here is a copy of my current firewall set,

this allows the lan access to everything.
this allows the iso and iot networks to access the wan, but not each other or the lan
this allows ipv6 to all devices
dns hijacking in place on all networks

in theory do i have it right? i should be able to access any device from any vlan while connected to vlan 10

root@OpenWrt:~# cat /etc/config/firewall

# Global policy for traffic that is not matched by any zone or rule below:
# reject inbound and forwarded packets, allow router-originated output.
# synflood_protect enables SYN-flood rate limiting; drop_invalid drops
# packets that connection tracking classifies as invalid.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

# Trusted zone (vlan10). input ACCEPT lets these clients reach every service
# on the router itself (admin UI, SSH, DNS, DHCP). The zone-level
# forward ACCEPT only covers traffic between networks inside this zone;
# traffic to other zones is governed by the 'config forwarding' sections.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan10'

# Isolated zone (vlan30). input REJECT means clients cannot reach router
# services unless an explicit rule allows it (see Allow-DHCP-DNS-iso and
# Allow-ICMPv6-Input-iso). forward REJECT blocks forwarding unless a
# 'config forwarding' section with src 'iso' permits it.
config zone
        option name 'iso'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan30'

# IoT zone (vlan20). Same posture as 'iso': the router's own services are
# closed to these devices except for what explicit rules open
# (Allow-DHCP-DNS-iot, Allow-ICMPv6-Input-iot), and forwarding out of the
# zone is rejected unless a 'config forwarding' section allows it.
config zone
        option name 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan20'

# Upstream zone covering both the IPv4 (wan) and IPv6 (wan6) interfaces.
# Unsolicited inbound and forwarded traffic is rejected; masq enables
# masquerading (source NAT) for traffic leaving through this zone and
# mtu_fix enables TCP MSS clamping.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Inter-zone forwarding matrix. Each section permits NEW connections in one
# direction only (src -> dest):
#   lan -> wan, iso -> wan, iot -> wan   (internet access for every VLAN)
#   lan -> iso, lan -> iot               (lan may open connections to the others)
# There is deliberately no section with dest 'lan' and none between iso and
# iot, so those zones cannot initiate connections to lan or to each other.
# The firewall is stateful: reply packets for connections that lan opened
# are accepted as established traffic, so no reverse forwarding is needed
# for lan to talk to iot/iso devices.
# Caveat: multicast discovery (e.g. mDNS) is link-local and is not carried
# across VLANs by these forwardings; they only provide the unicast path
# once a device's address is known.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'iso'
        option dest 'wan'

config forwarding
        option src 'iot'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'iso'

config forwarding
        option src 'lan'
        option dest 'iot'

# Input exceptions for the wan zone. None of these rules sets 'dest', so they
# apply to traffic addressed to the router itself, not to forwarded traffic.

# Accept DHCPv4 replies from the upstream server (UDP to client port 68).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 echo-request from the wan side. This makes the
# router pingable from upstream; drop the rule if that is not wanted.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept IGMP (IPv4 multicast group management) from upstream.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Accept DHCPv6 replies from upstream (UDP to client port 546).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept Multicast Listener Discovery messages (ICMPv6 types 130, 131, 132
# and 143), restricted to link-local sources (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# Accept the ICMPv6 types listed below from the wan side (error reporting,
# echo, and neighbour/router discovery), rate limited to 1000 packets/sec.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 input exceptions for the iso and iot zones. Both zones have
# input 'REJECT', so without these rules clients could not perform neighbour
# discovery or router solicitation against the router. The type list mirrors
# the wan rule Allow-ICMPv6-Input.
# NOTE(review): 'router-advertisement' and 'echo-reply' are accepted FROM
# client devices here. The router is normally the one sending RAs on these
# networks; confirm whether accepting them from untrusted devices is needed
# and trim the list to what the clients actually require.

# Accept the listed ICMPv6 types from vlan30 clients, limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input-iso'
        option src 'iso'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

# Accept the listed ICMPv6 types from vlan20 clients, limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Input-iot'
        option src 'iot'
        option proto 'icmp'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        list icmp_type 'bad-header'
        list icmp_type 'destination-unreachable'
        list icmp_type 'echo-reply'
        list icmp_type 'echo-request'
        list icmp_type 'neighbour-advertisement'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'packet-too-big'
        list icmp_type 'router-advertisement'
        list icmp_type 'router-solicitation'
        list icmp_type 'time-exceeded'
        list icmp_type 'unknown-header-type'

# Forward rules (src 'wan', dest 'lan'): these permit unsolicited IPsec
# traffic from the internet to hosts in the lan zone. No 'family' is set, so
# they are not restricted to one address family.
# NOTE(review): if no host on vlan10 terminates IPsec, these two rules only
# widen the inbound surface of the trusted network; consider disabling them.

# Allow ESP (IPsec payload protocol) from wan to lan hosts.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Allow IKE/ISAKMP key exchange (UDP port 500) from wan to lan hosts.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Input exceptions that let iso and iot clients use the router's DNS (53) and
# DHCPv4 server (67) despite the zones' input 'REJECT'. No 'dest' is set, so
# the rules apply to the router itself; no 'proto' is set, so the firewall's
# default protocol match (TCP and UDP) is used.
# NOTE(review): DHCPv6 (UDP 547) is not opened here, so these clients would
# rely on router advertisements for IPv6 addressing; confirm that is intended.

# DNS and DHCP to the router from vlan30.
config rule
        option name 'Allow-DHCP-DNS-iso'
        option src 'iso'
        option dest_port '53 67'
        option target 'ACCEPT'

# DNS and DHCP to the router from vlan20.
config rule
        option name 'Allow-DHCP-DNS-iot'
        option src 'iot'
        option dest_port '53 67'
        option target 'ACCEPT'

# DNS interception: DNAT redirects matching destination port 53 from each
# client zone. No dest_ip/dest_port is given, so matched traffic is
# redirected to the router itself rather than to another host.
# Limits of this control:
#  - Only port 53 is matched. DNS-over-TLS (853) and DNS-over-HTTPS (443)
#    are not intercepted, so a device using them still bypasses local DNS.
#  - NOTE(review): no 'family' option is set; confirm that IPv6 DNS queries
#    are intercepted as well, since all zones have IPv6 connectivity.

# Intercept DNS from vlan10.
config redirect
        option target 'DNAT'
        option name 'Intercept-DNS-lan'
        option src 'lan'
        option src_dport '53'

# Intercept DNS from vlan30.
config redirect
        option target 'DNAT'
        option name 'Intercept-DNS-iso'
        option src 'iso'
        option src_dport '53'

# Intercept DNS from vlan20.
config redirect
        option target 'DNAT'
        option name 'Intercept-DNS-iot'
        option src 'iot'
        option src_dport '53'

Discovery protocols (which are mostly mDNS now) don't go through layer 3 routes. Look into things like mDNS forwarding.

Of course once the IP of the device has been discovered, a layer 3 path needs to exist.

off to google i go. lol

im finding stuff about avahi? not sure this covers my use case

i want all of my roku devices, alexa, cameras etc on vlan20 but able to be controlled from vlan 10 devices

Example: I open the Roku app and try to connect to my bedroom Roku, but the app won't connect if I'm not on the same wifi network. I believe I need vlan 10 to see vlan 20's multicast packets and respond to them?