In addition to the default WAN/LAN setup, I have configured one of the physical ethernet ports on my router to be on a separate VLAN, with a second wifi AP on this VLAN. So I have my normal home LAN (with the default name lan) with my PCs and homeserver on it, and a second VLAN (named dirty_lan) for the household's dodgy android devices.
I wish to make one exception to the separation of these VLANs for an HTTP server on lan. I've tried to set up a port-forwarding firewall rule, but I can't make a connection from dirty_lan to the host on lan with my setup.
config defaults
	option syn_flood 1
	option input ACCEPT
	option output ACCEPT
	option forward REJECT
	# Uncomment this line to disable ipv6 rules
	# option disable_ipv6 1

config zone
	option name lan
	list network 'lan'
	option input ACCEPT
	option output ACCEPT
	option forward ACCEPT

config zone
	option name wan
	list network 'wan'
	# Commented out because our ISP does not support IPv6.
	#list network 'wan6'
	option input REJECT
	option output ACCEPT
	option forward REJECT
	option masq 1
	option mtu_fix 1

config forwarding
	option src lan
	option dest wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name Allow-DHCP-Renew
	option src wan
	option proto udp
	option dest_port 68
	option target ACCEPT
	option family ipv4

# Allow IPv4 ping
config rule
	option name Allow-Ping
	option src wan
	option proto icmp
	option icmp_type echo-request
	option family ipv4
	option target ACCEPT

config rule
	option name Allow-IGMP
	option src wan
	option proto igmp
	option family ipv4
	option target ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
	option name Allow-DHCPv6
	option src wan
	option proto udp
	option src_ip fc00::/6
	option dest_ip fc00::/6
	option dest_port 546
	option family ipv6
	option target ACCEPT

config rule
	option name Allow-MLD
	option src wan
	option proto icmp
	option src_ip fe80::/10
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family ipv6
	option target ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name Allow-ICMPv6-Input
	option src wan
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	list icmp_type router-solicitation
	list icmp_type neighbour-solicitation
	list icmp_type router-advertisement
	list icmp_type neighbour-advertisement
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name Allow-ICMPv6-Forward
	option src wan
	option dest *
	option proto icmp
	list icmp_type echo-request
	list icmp_type echo-reply
	list icmp_type destination-unreachable
	list icmp_type packet-too-big
	list icmp_type time-exceeded
	list icmp_type bad-header
	list icmp_type unknown-header-type
	option limit 1000/sec
	option family ipv6
	option target ACCEPT

config rule
	option name Allow-IPSec-ESP
	option src wan
	option dest lan
	option proto esp
	option target ACCEPT

config rule
	option name Allow-ISAKMP
	option src wan
	option dest lan
	option dest_port 500
	option proto udp
	option target ACCEPT

# include a file with users custom iptables rules
config include
	option path /etc/firewall.user

# Locked-down VLAN
config zone
	option name dirty_lan
	list network 'dirty_lan'
	option input REJECT
	option output ACCEPT
	option forward REJECT

# Allow Dirty LAN -> Internet
config forwarding
	option src dirty_lan
	option dest wan

# We allow *some* traffic from the Dirty LAN to the LAN.
config forwarding
	option src dirty_lan
	option dest lan

# Prevent DNS lookups on dirty_lan bypassing us (on the standard port).
config rule
	option name 'Deny Dirty LAN->WAN DNS'
	option src dirty_lan
	option dest wan
	option dest_port 53
	option proto tcpudp
	option target REJECT

# Allow DNS dirty_lan -> Router
# Client DNS queries originate from dynamic UDP ports (>1023)
config rule
	option name 'Allow DNS Queries'
	option src dirty_lan
	option dest_port 53
	option proto tcpudp
	option target ACCEPT

# Allow DHCP Dirty LAN -> Router
# DHCP communication uses UDP ports 67-68
config rule
	option name 'Allow DHCP request'
	option src dirty_lan
	option src_port 67-68
	option dest_port 67-68
	option proto udp
	option target ACCEPT

# Forward webfs port from dirty_lan to loungetv
config redirect
	option name 'Dirty LAN webfs -> LAN'
	option src dirty_lan
	option src_dport 8000
	option dest lan
	option dest_ip 192.168.1.153
	option dest_port 8000
	option proto tcp
	option target DNAT

# Isolate dirty_lan from LAN
config rule
	option name 'Deny Dirty LAN -> LAN'
	option src dirty_lan
	option dest lan
	option proto all
	option target DROP
I have tried some tweaks that have made no difference:
- Changing option forward REJECT to ACCEPT on the dirty_lan zone
- Moving the config redirect block to after the 'Deny Dirty LAN -> LAN' rule.
What am I doing wrong here? Is forwarding the wrong way to do this, and do I need to configure routing between the VLANs and use config rule instead of redirects?