Best practices for running OpenWrt as a simple VLAN switch

I am running the latest stable OpenWrt (with DSA) on my switch, but I found no information about what the firewall settings should look like, when having multiple VLANs on DSA and running only a switch.

Let's take this example with three VLANs and two tagged trunk ports:

+---------+-------+------+------+------+------+
| VLAN ID | Local | lan1 | lan2 | lan3 | lan4 |
+---------+-------+------+------+------+------+
|    10   |   X   |   t  |   t  |  u|* |   -  |
+---------+-------+------+------+------+------+
|    20   |   X   |   t  |   t  |   -  |  u|* |
+---------+-------+------+------+------+------+
|    30   |   X   |   t  |   t  |   -  |   -  |
+---------+-------+------+------+------+------+

All three VLANs should be kept completely separate from each other without any layer 3 routing.

Let's say VLAN 10 is used to access LuCI or SSH. Then the default LAN interface can be used with the LAN zone, where Input and Output are accepted.

First question:

Should I create interfaces and firewall zones for the other two VLANs? The options would be:

  • Don't create any interfaces for the VLANs and disable the local flag
  • Don't create any interfaces for the VLANs and enable the local flag
  • Create separate interfaces for VLANs, but leave the firewall zone unspecified
  • Create separate interfaces for VLANs, with one firewall zone
  • Create separate interfaces for VLANs, with separate firewall zones

How should Input, Output and Forward be set in "Firewall -> Zone Settings -> General Settings"? And how should they be set for specific zones, if they are created?

The default firewall rules "Allow-IPSec-ESP" and "Allow-ISAKMP" can be safely deleted for a switch, right?

Second question:

There seem to be a lot of sources on the internet (like Wikipedia: https://en.wikipedia.org/wiki/VLAN_hopping#Double_tagging) saying it is best practice to make an unused VLAN native/untagged for all trunk ports. So should I change my setup to this, where VLAN 90 is not used anywhere else?

+---------+-------+------+------+------+------+
| VLAN ID | Local | lan1 | lan2 | lan3 | lan4 |
+---------+-------+------+------+------+------+
|    10   |   X   |   t  |   t  |  u|* |   -  |
+---------+-------+------+------+------+------+
|    20   |   X   |   t  |   t  |   -  |  u|* |
+---------+-------+------+------+------+------+
|    30   |   X   |   t  |   t  |   -  |   -  |
+---------+-------+------+------+------+------+
|    90   |       |  t|* |  t|* |   -  |   -  |
+---------+-------+------+------+------+------+

Or does OpenWrt automatically disregard all untagged traffic if no PVID is defined for that port, so that there is no difference between the two setups?

Also do the practices outlined here, https://en.wikipedia.org/wiki/VLAN_hopping#Switch_spoofing (disabling trunk negotiation), apply to OpenWrt, or are the default settings already secure?

Third question:

Are there any other settings recommended for an OpenWrt VLAN switch setup?

The firewall is not involved except for the ability to connect to the OpenWrt device itself for administration. Typically, you'll have one network that is used for management. For that network, OpenWrt will have an address (static or DHCP) on that interface. That interface must be associated with a firewall zone (or rules) to accept input for administrative purposes. The other networks will have proto none (unmanaged), and there will be no firewall association.

Since the networks are all being managed at L2 (switching), the firewall never gets involved aside from above.


Sorry... didn't answer all your questions...

Interfaces, yes -- use proto none (unmanaged). No firewall associations.

You can. It's not strictly necessary. But won't hurt.
But if you do it, it will be lan1:u* (not t*).

I'm not exactly sure what happens with untagged traffic ingress, but it will not interfere with or mix with the tagged networks.

I think you've got it. But once you've done your initial setup, post your config here and we'll review.


Just to spell it out more explicitly, the "no firewall zones needed" only applies to the proto=none case, as only in this case are the corresponding interfaces not connected to anything, just passed through blindly (which is everything needed for a VLAN-aware switch or an AP with multiple vAP interfaces).


Thanks a lot for the detailed answers! Just to be clear, here is the implemented config of the example above.

config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'REDACTED'

config device 'switch'
	option name 'switch'
	option type 'bridge'
	option macaddr 'REDACTED'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan 'lan_vlan'
	option device 'switch'
	option vlan '10'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:u*'

config interface 'lan'
	option proto 'dhcp'
	option device 'switch.10'

config bridge-vlan
	option device 'switch'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'switch'
	option vlan '30'
	list ports 'lan1:t'
	list ports 'lan2:t'

config bridge-vlan
	option device 'switch'
	option vlan '90'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	option local '0'

config interface 'iot'
	option proto 'none'
	option device 'switch.20'

config interface 'guest'
	option proto 'none'
	option device 'switch.30'

config/firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

It would probably be good to explicitly mention this in the wiki. Probably in https://openwrt.org/docs/guide-user/network/dsa/dsa-mini-tutorial because the whole VLAN wiki section seems to have outdated articles. I could write an edit tomorrow.
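A way to verify on the device that the native-VLAN advice from the thread actually took effect: the script below is an added example (not part of the original post or of OpenWrt itself) that parses `bridge vlan show` output and reports every trunk port (a port carrying more than one VLAN) whose PVID is one of the in-use VLANs, i.e. a trunk where untagged frames would land in a production VLAN instead of the unused VLAN 90. The sample output embedded in it is constructed, and lan2 is deliberately shown with PVID 10 so the check has something to report.

```shell
#!/bin/sh
# Constructed sample of `bridge vlan show` output (not captured from a real device).
# lan1 is a correct trunk (native VLAN 90), lan2 is a trunk whose PVID was left at 10,
# lan3/lan4 are access ports and are legitimately untagged.
SAMPLE_VLAN_SHOW='port              vlan-id
lan1              10
                  20
                  30
                  90 PVID Egress Untagged
lan2              10 PVID Egress Untagged
                  20
                  30
lan3              10 PVID Egress Untagged
lan4              20 PVID Egress Untagged'

# Reads `bridge vlan show` output on stdin. $1 is the space-separated list of VLAN ids
# that carry real traffic (10 20 30 in this thread). Prints "port pvid" for every
# port that is a member of more than one VLAN (a trunk) and whose PVID is in that list.
# Access ports (exactly one VLAN) are skipped, since they are meant to be untagged.
check_native_vlans() {
    awk -v used="$1" '
        BEGIN { n = split(used, u, " "); for (i = 1; i <= n; i++) inuse[u[i]] = 1 }
        NR == 1 { next }                                   # header line
        /^[^[:space:]]/ { port = $1; sub(/^[^[:space:]]+[[:space:]]+/, "") }  # new port
        $1 ~ /^[0-9]+$/ {
            count[port]++
            if ($0 ~ /PVID/) pvid[port] = $1               # untagged ingress VLAN
        }
        END {
            for (p in count)
                if (count[p] > 1 && (pvid[p] in inuse)) print p, pvid[p]
        }' | sort
}

# Runs the check against the constructed sample; on a real device you would use
#   bridge vlan show | check_native_vlans "10 20 30"
check_sample() {
    printf '%s\n' "$SAMPLE_VLAN_SHOW" | check_native_vlans "$1"
}

check_sample "10 20 30"
```

An empty result means every trunk port's untagged traffic goes to a VLAN that is not in the in-use list; the example prints `lan2 10`.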

Looks good!
