Allowing select traffic across VLANs

In addition to the default WAN/LAN setup, I have configured one of the physical ethernet ports on my router to be on a separate VLAN, with a second wifi AP on this VLAN. So I have my normal home LAN (with the default name lan) with my PCs and homeserver on it, and a second VLAN (named dirty_lan) for the household's dodgy android devices.

I wish to make one exception to the separation of these VLANs for an HTTP server on lan. I've tried to set up a port-forwarding firewall rule, but I can't make a connection from dirty_lan to the host on lan with my setup.

# OpenWrt firewall configuration (UCI syntax).
# Two LAN-side zones are defined below: 'lan' (trusted: PCs and homeserver)
# and 'dirty_lan' (a separate VLAN for untrusted devices). The intent is to
# keep them isolated except for a single HTTP service on lan (TCP 8000).

# Chain-wide default policies; the per-zone settings below refine them.
# Forwarding is rejected unless a 'config forwarding' or an accepting rule
# allows it.
config defaults
  option syn_flood  1
  option input    ACCEPT
  option output   ACCEPT
  option forward    REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1

# Trusted zone. 'forward ACCEPT' here covers traffic between networks that
# belong to this zone; traffic to another zone still needs a forwarding section.
config zone
  option name   lan
  list   network    'lan'
  option input    ACCEPT
  option output   ACCEPT
  option forward    ACCEPT

# Internet-facing zone: nothing unsolicited reaches the router (input REJECT),
# outbound traffic is masqueraded (NAT) and MSS-clamped.
config zone
  option name   wan
  list   network    'wan'
  # Commented out because our ISP does not support IPv6.
  #list   network   'wan6'
  option input    REJECT
  option output   ACCEPT
  option forward    REJECT
  option masq   1
  option mtu_fix    1

# lan -> Internet.
config forwarding
  option src    lan
  option dest   wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
  option name   Allow-DHCP-Renew
  option src    wan
  option proto    udp
  option dest_port  68
  option target   ACCEPT
  option family   ipv4

# Allow IPv4 ping
config rule
  option name   Allow-Ping
  option src    wan
  option proto    icmp
  option icmp_type  echo-request
  option family   ipv4
  option target   ACCEPT

config rule
  option name   Allow-IGMP
  option src    wan
  option proto    igmp
  option family   ipv4
  option target   ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
  option name   Allow-DHCPv6
  option src    wan
  option proto    udp
  option src_ip   fc00::/6
  option dest_ip    fc00::/6
  option dest_port  546
  option family   ipv6
  option target   ACCEPT

config rule
  option name   Allow-MLD
  option src    wan
  option proto    icmp
  option src_ip   fe80::/10
  list icmp_type    '130/0'
  list icmp_type    '131/0'
  list icmp_type    '132/0'
  list icmp_type    '143/0'
  option family   ipv6
  option target   ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
  option name   Allow-ICMPv6-Input
  option src    wan
  option proto  icmp
  list icmp_type    echo-request
  list icmp_type    echo-reply
  list icmp_type    destination-unreachable
  list icmp_type    packet-too-big
  list icmp_type    time-exceeded
  list icmp_type    bad-header
  list icmp_type    unknown-header-type
  list icmp_type    router-solicitation
  list icmp_type    neighbour-solicitation
  list icmp_type    router-advertisement
  list icmp_type    neighbour-advertisement
  option limit    1000/sec
  option family   ipv6
  option target   ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
  option name   Allow-ICMPv6-Forward
  option src    wan
  option dest   *
  option proto    icmp
  list icmp_type    echo-request
  list icmp_type    echo-reply
  list icmp_type    destination-unreachable
  list icmp_type    packet-too-big
  list icmp_type    time-exceeded
  list icmp_type    bad-header
  list icmp_type    unknown-header-type
  option limit    1000/sec
  option family   ipv6
  option target   ACCEPT

# NOTE(review): these two rules open ESP and IKE (UDP 500) from the Internet
# into lan. They are only needed if a host on lan terminates IPsec; otherwise
# they are unnecessary exposure and can be removed.
config rule
  option name   Allow-IPSec-ESP
  option src    wan
  option dest   lan
  option proto    esp
  option target   ACCEPT

config rule
  option name   Allow-ISAKMP
  option src    wan
  option dest   lan
  option dest_port  500
  option proto    udp
  option target   ACCEPT

# include a file with users custom iptables rules
config include
  option path /etc/firewall.user

# Locked-down VLAN.
# input REJECT: only the explicitly allowed rules below (DNS, DHCP) may reach
# the router itself. forward REJECT: nothing leaves this zone without a
# forwarding section or an accepting rule.
config zone
  option name dirty_lan
  list   network  'dirty_lan'
  option input    REJECT
  option output   ACCEPT
  option forward  REJECT
  
# Allow Dirty LAN -> Internet
config forwarding
  option src  dirty_lan
  option dest wan

# We allow *some* traffic from the Dirty LAN to the LAN.
# NOTE(review): a zone forwarding is all-or-nothing — this admits *every*
# forwarded packet from dirty_lan to lan, not a subset. Limiting access to the
# single HTTP server needs a 'config rule' with src dirty_lan, dest lan,
# dest_ip/dest_port set and target ACCEPT, and no forwarding section at all.
config forwarding
  option src  dirty_lan
  option dest lan

# Prevent DNS lookups on dirty_lan bypassing us (on the standard port).
# Only plain DNS on port 53 is covered; DNS over TLS (853) or DNS over HTTPS
# (443) from these devices is not caught by this rule.
config rule
  option name   'Deny Dirty LAN->WAN DNS'
  option src    dirty_lan
  option dest   wan
  option dest_port  53
  option proto    tcpudp
  option target   REJECT

# Allow DNS dirty_lan -> Router
# Client DNS queries originate from dynamic UDP ports (>1023), so no src_port
# restriction is applied. With no 'dest' option this rule matches traffic
# addressed to the router itself.
config rule
  option name     'Allow DNS Queries'
  option src    dirty_lan
  option dest_port  53
  option proto    tcpudp
  option target   ACCEPT
  
# Allow DHCP Dirty LAN -> Router
# DHCP communication uses UDP ports 67-68
config rule
  option name   'Allow DHCP request'
  option src    dirty_lan
  option src_port   67-68
  option dest_port  67-68
  option proto    udp
  option target     ACCEPT

# Forward webfs port from dirty_lan to loungetv
# DNAT rewrites the destination of dirty_lan:8000 to 192.168.1.153:8000.
# NOTE(review): a redirect is the tool for traffic arriving from a NATed zone;
# between two routed VLANs a plain accepting 'config rule' with dest_ip and
# dest_port is the simpler and cheaper choice — confirm on the live chains.
config redirect
  option name   'Dirty LAN webfs -> LAN'
  option src    dirty_lan
  option src_dport  8000
  option dest   lan
  option dest_ip    192.168.1.153
  option dest_port  8000
  option proto    tcp
  option target   DNAT

# Isolate dirty_lan from LAN
# NOTE(review): this DROP and the 'dirty_lan -> lan' forwarding above pull in
# opposite directions; which one wins depends on how fw3 orders rules against
# forwardings in the generated chains — verify with the resulting iptables
# output. DROP (silent) rather than REJECT also means dirty_lan clients will
# time out instead of failing fast.
config rule
  option name   'Deny Dirty LAN -> LAN'
  option src    dirty_lan
  option dest   lan
  option proto    all
  option target   DROP

I have tried some tweaks that have made no difference:

  • Changing option forward REJECT to ACCEPT on the dirty_lan zone
  • Moving the config redirect block to after the 'Deny Dirty LAN -> LAN' rule.

What am I doing wrong here? Is forwarding the wrong way to do this, and I need to configure routing between the VLANs and use config rule instead of redirects?

Welp, thanks for being my rubber duck, OpenWrt forum. I tried this right after posting and it was the correct answer. :person_facepalming: At least this is now in the archives for any future person who gets stuck on the same problem.

# We allow *some* traffic from the Dirty LAN to the LAN.
config forwarding
  option src  dirty_lan
  option dest lan

This allows all traffic from dirty_lan to lan.

Redirect doesn't work in your case because you haven't enabled NAT on the dirty_lan interface.
You could have added the dirty_lan interface to the wan zone and it would have worked.


Ah, good to know. I removed that anyway after my last post.

Is there any advantage to this option over having them in separate zones and routing?

NAT is extra load for the router, so it is better avoided.
I just wanted to explain to you why it did not work.

