Hi everyone!
I have a WRT3200ACM with 6 VLANs, and while everything works fine, I've recently noticed that a device on any VLAN can reach the router's interface on every other VLAN.
In other words, with a VLAN1 (subnet = 192.168.1.0/24 and OpenWRT IP = 192.168.1.254) and a VLAN2 (subnet = 192.168.2.0/24 and OpenWRT IP = 192.168.2.254), a device, say with IP 192.168.1.10, can reach 192.168.2.254 (ping, DNS, HTTP...).
It's a problem for me as one of my VLANs is for all admin stuff, including OpenWRT itself (ssh+https), and I don't want other people to be able to reach it. To be clear, none of them can reach the entire admin subnet, just OpenWRT's IP address on it.
I would like to avoid creating specific firewall rules for each VLAN (basically DNS+DHCP). I've searched the wiki and the forum for a relevant option, but nothing came up, so if someone has a magic parameter to avoid that, I would be grateful.
Here's my current configuration (I can also provide my dhcp config but I don't think it's relevant):
/etc/config/firewall
# /etc/config/firewall as posted (ports and addresses redacted by the author as XXX).
# File order: WAN->router input rules (all disabled except DHCP-Renew, DHCPv6 and the
# four WireGuard ports), two cell->main forwards, guest rules, global defaults, zones,
# per-zone forwardings to wan, and a late 'mirroring' zone.
#
# NOTE(review): in fw3 a 'config rule' with a 'src' zone and no 'dest' is an INPUT rule
# (traffic addressed to the router itself); a rule with both 'src' and 'dest' is a
# FORWARD rule between zones. The rule names below do not always reflect that.
config rule
# Disabled (enabled '0'): no SSH from WAN.
option name 'WAN -> DEVICE | Allow SSH'
option src 'wan'
option proto 'tcp'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv4'
option enabled '0'
config rule
# Disabled: WAN cannot ping the router.
option name 'WAN -> DEVICE | Allow Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
# Disabled: the usual ICMPv6 types needed for IPv6 to work, rate-limited, to the router.
option name 'WAN -> DEVICE | Allow ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
# Disabled: same ICMPv6 set forwarded from wan to any zone (dest '*' makes it a forward rule).
option name 'WAN -> ANY ZONE | Allow ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
# Disabled.
option name 'WAN -> DEVICE | Allow IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
option enabled '0'
config rule
# Disabled: MLD from link-local sources only (src_ip fe80::/10).
option name 'WAN -> DEVICE | Allow MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
# Disabled: IPsec ESP forwarded from wan into the main zone.
option name 'WAN -> MAIN | Allow IPSec-ESP'
option src 'wan'
option dest 'main'
option proto 'esp'
option target 'ACCEPT'
option enabled '0'
config rule
# Disabled: IKE (udp/500) forwarded from wan into the main zone.
option name 'WAN -> MAIN | Allow ISAKMP'
option src 'wan'
option dest 'main'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option enabled '0'
config rule
# Enabled: DHCP replies from the ISP to the router's own client (udp/68).
option name 'WAN -> DEVICE | Allow DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
# Enabled: DHCPv6 client traffic, restricted to ULA/link-local-style ranges on both ends.
option name 'WAN -> DEVICE | Allow DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Four WireGuard listeners, one per zone (see wg_main/wg_hack/wg_cell/wg_admin in
# /etc/config/network). Enabled; ports redacted as XXX.
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option name 'WAN -> DEVICE | Allow WireGuard Main'
option dest_port 'XXX'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option name 'WAN -> DEVICE | Allow WireGuard Hack'
option dest_port 'XXX'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option name 'WAN -> DEVICE | Allow WireGuard Cell'
option dest_port 'XXX'
config rule
option target 'ACCEPT'
option src 'wan'
option proto 'udp'
option name 'WAN -> DEVICE | Allow WireGuard Admin'
option dest_port 'XXX'
# The only LAN-to-LAN forwards in this file: one cell host (src_ip) to a fixed list of
# main hosts (dest_ip), tcp+udp on all ports (no dest_port). There is no 'config
# forwarding' between LAN zones, so everything else between zones hits the DROP default.
config rule
option src 'cell'
option dest 'main'
option target 'ACCEPT'
option name 'PHONE -> MOODE/KODI | Allow'
list proto 'tcp'
list proto 'udp'
list dest_ip 'XX.XX.XX.XX'
list dest_ip 'XX.XX.XX.XX'
list dest_ip 'XX.XX.XX.XX'
list dest_ip 'XX.XX.XX.XX'
list src_ip 'XX.XX.XX.XX'
config rule
option src 'cell'
option dest 'main'
option target 'ACCEPT'
option name 'TAB -> MOODE/KODI | Allow'
list proto 'tcp'
list proto 'udp'
list dest_ip 'XX.XX.XX.XX'
list dest_ip 'XX.XX.XX.XX'
list dest_ip 'XX.XX.XX.XX'
list dest_ip 'XX.XX.XX.XX'
list src_ip 'XX.XX.XX.XX'
# Guest zone rules. The guest zone has input 'DROP' (below), so the router only accepts
# what these two input rules allow: DHCP and DNS. This is the pattern that keeps a VLAN
# away from the router's other addresses while still serving it.
config rule
# Input rule (no 'dest'): DHCP to the router's own DHCP server.
option name 'GUEST -> DEVICE | Allow DHCP Request'
option src 'guest'
option src_port '67-68'
option dest_port '67-68'
option proto 'udp'
option target 'ACCEPT'
config rule
# NOTE(review): no 'dest' here, so despite the name this is an input rule — it lets
# guests query the router's own resolver on 53 (tcp+udp). It does not forward DNS to
# wan; the only guest->wan forward allowed is HTTP/HTTPS below.
option name 'GUEST -> WAN | Allow DNS Queries'
option src 'guest'
option dest_port '53'
option proto 'tcpudp'
option target 'ACCEPT'
config rule
# Forward rule: guest -> wan, tcp 80 and 443 only.
option name 'GUEST -> WAN | Allow HTTP/HTTPS'
option src 'guest'
option proto 'tcp'
option target 'ACCEPT'
option dest 'wan'
option dest_port '80 443'
config rule
# Catch-all DROP for guest->wan. Rules are applied in file order ahead of the zone
# forwarding policy, so this overrides the 'config forwarding' guest->wan entry below for
# everything except the HTTP/HTTPS rule above.
option name 'GUEST -> WAN | Deny'
option src 'guest'
option dest 'wan'
option proto 'all'
option target 'DROP'
config defaults
# Global policy: nothing is accepted in any direction unless a zone policy or a rule
# allows it. 'forward DROP' here governs only traffic forwarded between zones — it says
# nothing about traffic addressed to the router itself (that is the zones' 'input').
# NOTE(review): 'syn_flood_protect' and 'synflood_protect' both appear; 'synflood_protect'
# is the fw3 option name, the other looks like a stale duplicate — verify and drop one.
option syn_flood_protect '1'
option drop_invalid '1'
option input 'DROP'
option output 'DROP'
option forward 'DROP'
option synflood_protect '1'
# Zones.
# NOTE(review): in fw3 a zone's 'input' policy is selected by the interface a packet
# arrives on, not by the address it is sent to. 'input ACCEPT' on main, cell, hack and
# admin therefore lets hosts on those VLANs reach *every* local address of the router,
# including the admin VLAN gateway and the ssh/https listeners bound to it — which is the
# behaviour described in the post. Such packets are INPUT, never FORWARD, so an iptables
# FORWARD rule between the bridges (or 'forward DROP' in defaults) cannot affect them.
# I am not aware of a single global switch for this; the guest zone below shows the
# per-zone fix (input 'DROP' or 'REJECT' plus explicit DHCP/DNS input rules), or,
# equivalently, one input rule per zone that rejects everything whose dest_ip is not
# that zone's own gateway address.
config zone
# main LAN plus the wg_main WireGuard peers share this policy (input/forward ACCEPT).
option name 'main'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'main wg_main'
option forward 'ACCEPT'
config zone
# Same policy for cell; 'list network' is just the alternative spelling of 'option network'.
option name 'cell'
option output 'ACCEPT'
option input 'ACCEPT'
option forward 'ACCEPT'
list network 'cell'
list network 'wg_cell'
config zone
# NOTE(review): 'wg0' is listed here but no interface named wg0 appears in the
# /etc/config/network posted below (only wg_hack) — possibly a leftover; verify.
option input 'ACCEPT'
option name 'hack'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'hack wg0 wg_hack'
config zone
# The management VLAN. Its own input ACCEPT is fine; what exposes it is the input
# ACCEPT of the *other* zones (see the note above the zones).
option name 'admin'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'admin wg_admin'
config zone
# input 'DROP': guests reach the router only through the explicit guest input rules.
# forward 'ACCEPT' here covers traffic between networks of this zone (only 'guest').
option name 'guest'
option network 'guest'
option output 'ACCEPT'
option input 'DROP'
option forward 'ACCEPT'
config zone
# Upstream: NAT (masq) with TCP MSS clamping (mtu_fix); nothing unsolicited in or through.
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
option network 'wan wan6'
# Per-zone forwardings to wan (internet access). No LAN-to-LAN forwardings exist; the
# two cell->main rules above are the only cross-zone exceptions.
config forwarding
option src 'main'
option dest 'wan'
config include
# Custom iptables rules loaded after the generated ones; the file is not shown in the post.
option path '/etc/firewall.user'
config forwarding
option dest 'wan'
option src 'guest'
config forwarding
option dest 'wan'
option src 'cell'
config forwarding
option dest 'wan'
option src 'admin'
config forwarding
option dest 'wan'
option src 'hack'
config zone
# Port-mirror VLAN: the router may send to it (output ACCEPT) but accepts nothing from it
# and forwards nothing for it; it has no 'config forwarding' entry either. Position after
# the forwardings does not matter to fw3.
option name 'mirroring'
option input 'DROP'
option forward 'DROP'
option network 'mirroring'
option output 'ACCEPT'
/etc/config/network
# /etc/config/network as posted (addresses redacted as XX.XX.XX.XX, keys/ports as xxxx/XXXX).
# VLAN-tagged sub-interfaces of eth0 carry the LANs; eth1.2000 carries the WAN.
# 'delegate 0' on each interface turns off downstream IPv6 prefix delegation for it.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# ULA prefix for the site's IPv6 addressing.
option ula_prefix 'fd72:14a8:6d9d::/48'
config interface 'main'
# Main LAN: bridge over VLAN 1000 (switch entry vlan '3' below), /24, static.
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr 'XX.XX.XX.XX'
option broadcast 'XX.XX.XX.XX'
option delegate '0'
option ifname 'eth0.1000'
# WireGuard: one listener per LAN zone (main/hack/cell/admin), each with a single peer and
# each attached to the matching zone in /etc/config/firewall. Each peer is on its own /24.
config interface 'wg_main'
option proto 'wireguard'
option private_key 'xxxx'
list addresses 'XX.XX.XX.XX/24'
option delegate '0'
option listen_port 'XXXX'
config wireguard_wg_main
# NOTE(review): this is the only one of the four peers without route_allowed_ips '1',
# so no route to its allowed_ips is installed automatically — verify that is intended.
option public_key 'xxxx'
option description 'one'
option preshared_key 'xxxx'
list allowed_ips 'XX.XX.XX.XX/24'
option persistent_keepalive '25'
config interface 'wg_hack'
option proto 'wireguard'
option private_key 'xxxx'
option delegate '0'
list addresses 'XX.XX.XX.XX/24'
option listen_port 'XXXX'
config wireguard_wg_hack
option route_allowed_ips '1'
option persistent_keepalive '25'
option description 'two'
option preshared_key 'xxxx'
option public_key 'xxxx'
list allowed_ips 'XX.XX.XX.XX/24'
config interface 'wg_cell'
option proto 'wireguard'
list addresses 'XX.XX.XX.XX/24'
option private_key 'xxxx'
option delegate '0'
option listen_port 'XXXX'
config wireguard_wg_cell
option public_key 'xxxx'
option description 'three'
option preshared_key 'xxxx'
option route_allowed_ips '1'
list allowed_ips 'XX.XX.XX.XX/24'
option persistent_keepalive '25'
config interface 'wg_admin'
option proto 'wireguard'
option delegate '0'
option listen_port 'XXXX'
option private_key 'xxxx'
list addresses 'XX.XX.XX.XX/24'
config wireguard_wg_admin
option public_key 'xxxx'
option description 'four'
option persistent_keepalive '25'
list allowed_ips 'XX.XX.XX.XX/24'
option preshared_key 'xxxx'
option route_allowed_ips '1'
# Remaining LAN VLANs. Each is a static /24 gateway on one tagged sub-interface:
#   cell      -> eth0.1300 (bridge)
#   hack      -> eth0.1100 (bridge)
#   admin     -> eth0.1200 (no bridge)
#   guest     -> eth0.1400 (bridge)
#   mirroring -> eth0.1500 (no bridge, no broadcast set)
config interface 'cell'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr 'XX.XX.XX.XX'
option broadcast 'XX.XX.XX.XX'
option type 'bridge'
option ifname 'eth0.1300'
config interface 'hack'
option proto 'static'
option ifname 'eth0.1100'
option ipaddr 'XX.XX.XX.XX'
option netmask '255.255.255.0'
option delegate '0'
option broadcast 'XX.XX.XX.XX'
option type 'bridge'
config interface 'admin'
# NOTE(review): unlike main/cell/hack/guest there is no type 'bridge' here, so the
# admin device is eth0.1200 itself (there is no br-admin). Harmless for a single
# member, but it matters for any iptables rule written against a bridge name.
option ifname 'eth0.1200'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr 'XX.XX.XX.XX'
option broadcast 'XX.XX.XX.XX'
config interface 'guest'
option proto 'static'
option netmask '255.255.255.0'
option broadcast 'XX.XX.XX.XX'
option delegate '0'
option ipaddr 'XX.XX.XX.XX'
option type 'bridge'
option ifname 'eth0.1400'
config interface 'mirroring'
option ifname 'eth0.1500'
option delegate '0'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr 'XX.XX.XX.XX'
config interface 'wan'
# IPv4 WAN by DHCP on eth1 VLAN 2000. peerdns '0' plus dns 127.0.0.1: the ISP's
# resolvers are ignored and the router uses its own local resolver.
option ifname 'eth1.2000'
option proto 'dhcp'
option delegate '0'
list dns '127.0.0.1'
option peerdns '0'
config interface 'wan6'
# IPv6 WAN on the same VLAN: request an address and whatever prefix the ISP offers.
option proto 'dhcpv6'
option ifname 'eth1.2000'
option reqaddress 'try'
option reqprefix 'auto'
config switch
# switch0 with VLAN filtering. Index -> VID -> interface:
#   3 -> 1000 main, 4 -> 2000 wan/wan6, 5 -> 1100 hack, 6 -> 1200 admin,
#   7 -> 1500 mirroring, 8 -> 1300 cell, 9 -> 1400 guest.
# NOTE(review): ports 4t and 5t appear in every LAN VLAN and 4t 6t in the WAN VLAN.
# That looks like 5 and 6 being the CPU ports for eth0/eth1 and 4 a tagged trunk to a
# downstream switch — confirm against the WRT3200ACM port map. Port 1 is an untagged
# admin access port (vid 1200) and port 0 an untagged mirroring port (vid 1500).
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '1000'
option ports '3t 4t 5t'
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '2000'
option ports '4t 6t'
config switch_vlan
option device 'switch0'
option vlan '5'
option vid '1100'
option ports '2t 4t 5t'
config switch_vlan
option device 'switch0'
option vlan '6'
option vid '1200'
option ports '1 3t 4t 5t'
config switch_vlan
option device 'switch0'
option vlan '7'
option vid '1500'
option ports '0 5t'
config switch_vlan
option device 'switch0'
option vlan '8'
option vid '1300'
option ports '2t 4t 5t'
config switch_vlan
option device 'switch0'
option vlan '9'
option ports '4t 5t'
option vid '1400'
Thanks!
EDIT: BTW, isn't the purpose of the `option forward 'false'` option in the defaults section to avoid this? Or am I missing something? I also tried something like `iptables -I FORWARD -i br-main -o br-hack -j DROP`, but it doesn't work either...