Audit my settings/moved WAN port to managed switch

I moved my WAN port from eth0 on the physical mini PC router-firewall to my managed switch, putting it on its own VLAN. I think everything is right, but can others with more knowledge review my settings to make sure?

old: eth0 was on the WAN interface and it was direct connected to the cable modem/other ports were in br-lan

new: WAN interface is now on its own VLAN and the modem is connected to a managed switch/all ports on the mini PC are in br-lan

network

# Loopback interface (unaffected by the WAN move).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

# Global settings. NOTE(review): a ULA prefix is defined here, but every
# device section below sets ipv6 '0', so it presumably goes unused — confirm.
config globals 'globals'
option ula_prefix 'fd1a:184b:b879::/48'
option packet_steering '2'
option steering_flows '256'

# veth pair (both ends are untagged members of VLAN 10 below); IPv6 off.
config device
option type 'veth'
option name 'veth0'
option ipv6 '0'

config device
option type 'veth'
option name 'veth1'
option ipv6 '0'

# Separate container bridge, not VLAN-aware. bridge_empty presumably keeps
# the bridge up even when no container veth is attached.
config device
option type 'bridge'
option name 'lxcbr0'
option ipv6 '0'
option bridge_empty '1'
list ports 'vethxObYB1'

# Main VLAN-aware bridge. eth0 is now an ordinary bridge member instead of
# the dedicated WAN port; the WAN VLAN (999) is defined as a tagged member on
# it in the bridge-vlan sections, so eth0 is the trunk to the managed switch.
config device
option name 'br-lan'
option type 'bridge'
option ipv6 '0'
list ports 'eth0'
list ports 'eth1'
list ports 'eth2'
list ports 'eth3'
list ports 'veth0'
list ports 'veth1'

# VLAN 10 (lan): tagged on the eth0/eth1 trunks, untagged + PVID (u*) on the
# remaining physical ports and on the veth pair.
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'eth0:t'
list ports 'eth1:t'
list ports 'eth2:u*'
list ports 'eth3:u*'
list ports 'veth0:u*'
list ports 'veth1:u*'

# VLANs 11/12 (vpn, vpn2), 20 (guest), 30 (kids), 50 (iot): trunk-only —
# tagged on eth0 and eth1, carried untagged on no port.
config bridge-vlan
option device 'br-lan'
option vlan '11'
list ports 'eth0:t'
list ports 'eth1:t'

config bridge-vlan
option device 'br-lan'
option vlan '12'
list ports 'eth0:t'
list ports 'eth1:t'

config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'eth0:t'
list ports 'eth1:t'

config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'eth0:t'
list ports 'eth1:t'

config bridge-vlan
option device 'br-lan'
option vlan '50'
list ports 'eth0:t'
list ports 'eth1:t'

# VLAN 999 (wan): tagged on eth0 only, so the WAN VLAN exists on nothing but
# the trunk to the switch. eth0 has no untagged/PVID entry in any VLAN, so
# untagged frames arriving on the trunk have no VLAN to land in (dropped by
# bridge VLAN filtering, as I understand it) — keep it that way. On the switch,
# the port facing the modem should be an untagged member of 999 only and the
# trunk should carry 999 tagged; confirm on the switch side.
config bridge-vlan
option device 'br-lan'
option vlan '999'
list ports 'eth0:t'

# lan: VLAN 10, 10.0.2.0/24. delegate '0' on every interface below disables
# IPv6 prefix delegation for it.
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '10.0.2.1'
option netmask '255.255.255.0'
option delegate '0'

# lxc: container bridge, 10.0.3.0/24 (not a VLAN of br-lan).
config interface 'lxc'
option device 'lxcbr0'
option proto 'static'
option ipaddr '10.0.3.1'
option netmask '255.255.255.0'
option delegate '0'

# guest: VLAN 20, 10.0.4.0/24.
config interface 'guest'
option device 'br-lan.20'
option proto 'static'
option ipaddr '10.0.4.1'
option netmask '255.255.255.0'
option delegate '0'

# kids: VLAN 30, 10.0.5.0/24.
config interface 'kids'
option device 'br-lan.30'
option proto 'static'
option ipaddr '10.0.5.1'
option netmask '255.255.255.0'
option delegate '0'

# iot: VLAN 50, 10.0.6.0/24; multipath explicitly off for this interface.
config interface 'iot'
option device 'br-lan.50'
option proto 'static'
option ipaddr '10.0.6.1'
option netmask '255.255.255.0'
option delegate '0'
option multipath 'off'

# wan: tagged VLAN 999 on the trunk, static addressing (values redacted as
# 'x'). NOTE(review): with proto 'static' the Allow-DHCP-Renew firewall rule
# that opens udp/68 from wan is not needed for this interface. Upstream DNS is
# pinned to public resolvers rather than the ISP's.
config interface 'wan'
option device 'br-lan.999'
option proto 'static'
option ipaddr 'x'
option netmask 'x'
option gateway 'x'
option delegate '0'
list dns '1.1.1.1'
list dns '9.9.9.9'

# vpn: VLAN 11, 10.10.4.0/24.
config interface 'vpn'
option device 'br-lan.11'
option proto 'static'
option ipaddr '10.10.4.1'
option netmask '255.255.255.0'
option delegate '0'

# vpn2: VLAN 12, 10.10.3.0/24; auto '0' means it is not brought up at boot.
config interface 'vpn2'
option device 'br-lan.12'
option proto 'static'
option ipaddr '10.10.3.1'
option netmask '255.255.255.0'
option delegate '0'
option auto '0'

# WireGuard tunnels; keys/peers omitted from the post. Which of these are
# inbound (wg0) and which are egress tunnels (wg1/wg2) is visible only from
# the firewall zone membership, not here.
config interface 'wg0'
option proto 'wireguard'
.....

config interface 'wg1'
option proto 'wireguard'
.....

config interface 'wg2'
option proto 'wireguard'
.....

firewall

# Defaults: traffic to the router and transit traffic are rejected unless a
# zone or rule allows them; SYN-flood protection on.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'

# lan: full access to the router. Intra-zone forward is REJECT for every zone
# here; zone-to-zone reachability comes only from the forwarding sections.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lan'

# lxc: the container zone is also given unrestricted input to the router —
# the only zone besides lan with that. A narrower policy (REJECT plus a DNS
# rule if the container serves DNS) would limit what a compromised container
# can reach on the router.
config zone
option name 'lxc'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'lxc'

# wg0: inbound WireGuard peers; router input rejected except via rules.
config zone
option name 'wg0'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option mtu_fix '1'
list network 'wg0'

# guest / kids / iot: client VLANs; router input rejected by default, with
# DHCP/DNS opened per zone in the rules section.
config zone
option name 'guest'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'guest'

config zone
option name 'kids'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'kids'

config zone
option name 'iot'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'

# wan: drop everything inbound, masquerade outbound. wg1 and wg2 sit in this
# zone, so those tunnels are treated as untrusted egress paths and NATed the
# same way as the physical WAN.
config zone
option name 'wan'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wg1'
list network 'wg2'

# vpn: VLANs 11/12; drop inbound to the router except what the rules allow.
config zone
option name 'vpn'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option mtu_fix '1'
list network 'vpn'
list network 'vpn2'

# Zone-to-zone forwarding (return traffic is allowed by connection tracking).
# Summary: lan may reach wan and every other internal zone; guest, kids and
# lxc reach wan only; vpn reaches wan; wg0 reaches iot and wan. No client
# VLAN can initiate traffic into lan or lxc except via the explicit rules.
# NOTE(review): there is no forwarding with src 'iot' at all, so iot devices
# have no path to wan or anywhere else — presumably deliberate isolation;
# confirm that is intended.
config forwarding
option src 'vpn'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'wan'

config forwarding
option src 'lan'
option dest 'guest'

config forwarding
option src 'lan'
option dest 'kids'

config forwarding
option src 'lan'
option dest 'iot'

config forwarding
option src 'lan'
option dest 'lxc'

config forwarding
option src 'lxc'
option dest 'wan'

config forwarding
option src 'wg0'
option dest 'iot'

config forwarding
option src 'wg0'
option dest 'wan'

config forwarding
option src 'guest'
option dest 'wan'

config forwarding
option src 'kids'
option dest 'wan'

# Accept DHCP renewals from the ISP. NOTE(review): only useful when the wan
# interface uses proto 'dhcp'; it is proto 'static' in the network config
# above, so this opens udp/68 from wan for nothing.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# Inbound WireGuard on udp/51800 from wan, IPv4 only.
config rule 'wg'
option name 'allow-wireguard'
option proto 'udp'
option target 'ACCEPT'
option src 'wan'
option dest_port '51800'
option family 'ipv4'

# Per-zone DHCP/DNS to the router (no dest = router input). 67 is the DHCP
# server port; 68 in these lists is harmless but, as far as I can tell, not
# needed for router input. family 'ipv4' is set on the kids and iot rules
# only — inconsistent, though it only matters once IPv6 is enabled.
config rule
option src 'wg0'
option target 'ACCEPT'
option name 'wg dhcp and dns'
list proto 'tcp'
list proto 'udp'
option dest_port '53 67 68'

config rule
option src 'guest'
option target 'ACCEPT'
option name 'guest dhcp dns'
list proto 'tcp'
list proto 'udp'
option dest_port '53 67 68'

config rule
option src 'kids'
option target 'ACCEPT'
option name 'kids dhcp dns'
list proto 'tcp'
list proto 'udp'
option dest_port '53 67 68'
option family 'ipv4'

config rule
option src 'vpn'
option target 'ACCEPT'
option name 'vpn dhcp dns'
list proto 'tcp'
list proto 'udp'
option dest_port '53 67 68'

config rule
option src 'iot'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
option dest_port '53 67 68'
option name 'iot dhcp dns'
option family 'ipv4'

# Guest clients -> Pi-hole in the container, udp/53 only. NOTE(review): tcp/53
# is not allowed, so answers that fall back to TCP (truncated responses) will
# be blocked unless that is intended.
config rule
list proto 'udp'
option src 'guest'
option dest 'lxc'
option dest_port '53'
option target 'ACCEPT'
option name 'pihole guest to lxc'

# Same for WireGuard peers. NOTE(review): the name says 'guest' but src is
# 'wg0' — rename (e.g. 'pihole wg0 to lxc') so the rule list stays readable.
config rule
list proto 'udp'
option src 'wg0'
option dest 'lxc'
option dest_port '53'
option target 'ACCEPT'
option name 'pihole guest to wg'

Unless you have ultimate trust in your containers, why allow them access to the router?

config zone
option name 'lxc'
option input 'ACCEPT' <--- change it to REJECT and, if you are running pihole in the container, add a traffic rule allowing udp/53 to input
option output 'ACCEPT'
option forward 'REJECT'
list network 'lxc'

Beyond security, why limit your steering_flows to 256? Watch `cat /proc/sys/net/netfilter/nf_conntrack_count` at peak times of device usage to see how many flows you actually have, and adjust accordingly.

What managed switch are you using? What is the brand+model?

This is a netgear gs316ep

I think (but I'm not certain) that this is a poor choice of switch model for your use case. Specifically, some entry-level switches do not let you set the management VLAN. This can have two serious consequences:

  1. It can actually grab the IP from the upstream/ISP if set to DHCP. This can cause the wan connection to fail, since the ISP typically issues just one DHCP address and the switch can claim it instead of the router. (In your config you seem to have the wan set to a static address, so this may not be an issue for your specific setup.)
  2. If the switch doesn't specifically allow the user to set the management VLAN, it can actually be accessed by any/all VLANs on the network, provided that they physically pass through the switch. This happens before the traffic hits the firewall, and can thus become a security issue that is impossible to mitigate. In the case of an upstream wan connection running through such a switch, it could technically expose the switch to the untrusted/upstream network.

If the switch allows you to explicitly set the management VLAN, then the above is moot. However, I took a quick look at the user guide and I did not see anything referencing such a setting. You may want to further investigate and consider a different switch if the setting is not available.

It has a management VLAN. It forces one of the ports to be bound to it, so I think it's solid. I also blocked all WAN access to the switch's IP address.

Great. No worries about the switch based on your description. This should all be fine!