Disable cross interface response

Hi everyone!

I have a WRT3200ACM with 6 VLANs, and while everything works fine, I've recently noticed that each device on each VLAN can reach every other VLAN's interface.
In other words, with a VLAN1 (subnet = 192.168.1.0/24 and OpenWRT IP = 192.168.1.254) and a VLAN2 (subnet = 192.168.2.0/24 and OpenWRT IP = 192.168.2.254), a device with, let's say, IP 192.168.1.10 can reach 192.168.2.254 (ping, DNS, HTTP...).

It's kind of problematic for me, as one of my VLANs is for all the admin stuff, including OpenWRT (ssh+https), and I don't want other people to be able to reach it. Obviously, none of them is able to reach the entire subnet, just OpenWRT's IP address.

I would like to avoid creating specific FW rules for each VLAN (basically DNS+DHCP). I've tried searching for any relevant option in the wiki and the forum, but nothing came up, so if someone has a magic parameter to avoid that, I would be grateful :slight_smile:

Here's my current configuration (I can also provide my dhcp config but I don't think it's relevant):

/etc/config/firewall

config rule
	option name 'WAN -> DEVICE | Allow SSH'
	option src 'wan'
	option proto 'tcp'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv4'
	option enabled '0'

config rule
	option name 'WAN -> DEVICE | Allow Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WAN -> DEVICE | Allow ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WAN -> ANY ZONE | Allow ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WAN -> DEVICE | Allow IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WAN -> DEVICE | Allow MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WAN -> MAIN | Allow IPSec-ESP'
	option src 'wan'
	option dest 'main'
	option proto 'esp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WAN -> MAIN | Allow ISAKMP'
	option src 'wan'
	option dest 'main'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'WAN -> DEVICE | Allow DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'WAN -> DEVICE | Allow DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option name 'WAN -> DEVICE | Allow WireGuard Main'
	option dest_port 'XXX'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option name 'WAN -> DEVICE | Allow WireGuard Hack'
	option dest_port 'XXX'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option name 'WAN -> DEVICE | Allow WireGuard Cell'
	option dest_port 'XXX'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option name 'WAN -> DEVICE | Allow WireGuard Admin'
	option dest_port 'XXX'

config rule
	option src 'cell'
	option dest 'main'
	option target 'ACCEPT'
	option name 'PHONE -> MOODE/KODI | Allow'
	list proto 'tcp'
	list proto 'udp'
	list dest_ip 'XX.XX.XX.XX'
	list dest_ip 'XX.XX.XX.XX'
	list dest_ip 'XX.XX.XX.XX'
	list dest_ip 'XX.XX.XX.XX'
	list src_ip 'XX.XX.XX.XX'

config rule
	option src 'cell'
	option dest 'main'
	option target 'ACCEPT'
	option name 'TAB -> MOODE/KODI | Allow'
	list proto 'tcp'
	list proto 'udp'
	list dest_ip 'XX.XX.XX.XX'
	list dest_ip 'XX.XX.XX.XX'
	list dest_ip 'XX.XX.XX.XX'
	list dest_ip 'XX.XX.XX.XX'
	list src_ip 'XX.XX.XX.XX'

config rule
	option name 'GUEST -> DEVICE | Allow DHCP Request'
	option src 'guest'
	option src_port '67-68'
	option dest_port '67-68'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'GUEST -> WAN | Allow DNS Queries'
	option src 'guest'
	option dest_port '53'
	option proto 'tcpudp'
	option target 'ACCEPT'

config rule
	option name 'GUEST -> WAN | Allow HTTP/HTTPS'
	option src 'guest'
	option proto 'tcp'
	option target 'ACCEPT'
	option dest 'wan'
	option dest_port '80 443'

config rule
	option name 'GUEST -> WAN | Deny'
	option src 'guest'
	option dest 'wan'
	option proto 'all'
	option target 'DROP'

config defaults
	option syn_flood_protect '1'
	option drop_invalid '1'
	option input 'DROP'
	option output 'DROP'
	option forward 'DROP'
	option synflood_protect '1'

config zone
	option name 'main'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'main wg_main'
	option forward 'ACCEPT'

config zone
	option name 'cell'
	option output 'ACCEPT'
	option input 'ACCEPT'
	option forward 'ACCEPT'
	list network 'cell'
	list network 'wg_cell'

config zone
	option input 'ACCEPT'
	option name 'hack'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'hack wg0 wg_hack'

config zone
	option name 'admin'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'admin wg_admin'

config zone
	option name 'guest'
	option network 'guest'
	option output 'ACCEPT'
	option input 'DROP'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'DROP'
	option forward 'DROP'
	option network 'wan wan6'

config forwarding
	option src 'main'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'cell'

config forwarding
	option dest 'wan'
	option src 'admin'

config forwarding
	option dest 'wan'
	option src 'hack'

config zone
	option name 'mirroring'
	option input 'DROP'
	option forward 'DROP'
	option network 'mirroring'
	option output 'ACCEPT'

/etc/config/network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd72:14a8:6d9d::/48'

config interface 'main'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr 'XX.XX.XX.XX'
	option broadcast 'XX.XX.XX.XX'
	option delegate '0'
	option ifname 'eth0.1000'

config interface 'wg_main'
	option proto 'wireguard'
	option private_key 'xxxx'
	list addresses 'XX.XX.XX.XX/24'
	option delegate '0'
	option listen_port 'XXXX'

config wireguard_wg_main
	option public_key 'xxxx'
	option description 'one'
	option preshared_key 'xxxx'
	list allowed_ips 'XX.XX.XX.XX/24'
	option persistent_keepalive '25'

config interface 'wg_hack'
	option proto 'wireguard'
	option private_key 'xxxx'
	option delegate '0'
	list addresses 'XX.XX.XX.XX/24'
	option listen_port 'XXXX'

config wireguard_wg_hack
	option route_allowed_ips '1'
	option persistent_keepalive '25'
	option description 'two'
	option preshared_key 'xxxx'
	option public_key 'xxxx'
	list allowed_ips 'XX.XX.XX.XX/24'

config interface 'wg_cell'
	option proto 'wireguard'
	list addresses 'XX.XX.XX.XX/24'
	option private_key 'xxxx'
	option delegate '0'
	option listen_port 'XXXX'

config wireguard_wg_cell
	option public_key 'xxxx'
	option description 'three'
	option preshared_key 'xxxx'
	option route_allowed_ips '1'
	list allowed_ips 'XX.XX.XX.XX/24'
	option persistent_keepalive '25'

config interface 'wg_admin'
	option proto 'wireguard'
	option delegate '0'
	option listen_port 'XXXX'
	option private_key 'xxxx'
	list addresses 'XX.XX.XX.XX/24'

config wireguard_wg_admin
	option public_key 'xxxx'
	option description 'four'
	option persistent_keepalive '25'
	list allowed_ips 'XX.XX.XX.XX/24'
	option preshared_key 'xxxx'
	option route_allowed_ips '1'

config interface 'cell'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr 'XX.XX.XX.XX'
	option broadcast 'XX.XX.XX.XX'
	option type 'bridge'
	option ifname 'eth0.1300'

config interface 'hack'
	option proto 'static'
	option ifname 'eth0.1100'
	option ipaddr 'XX.XX.XX.XX'
	option netmask '255.255.255.0'
	option delegate '0'
	option broadcast 'XX.XX.XX.XX'
	option type 'bridge'

config interface 'admin'
	option ifname 'eth0.1200'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr 'XX.XX.XX.XX'
	option broadcast 'XX.XX.XX.XX'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option broadcast 'XX.XX.XX.XX'
	option delegate '0'
	option ipaddr 'XX.XX.XX.XX'
	option type 'bridge'
	option ifname 'eth0.1400'

config interface 'mirroring'
	option ifname 'eth0.1500'
	option delegate '0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr 'XX.XX.XX.XX'

config interface 'wan'
	option ifname 'eth1.2000'
	option proto 'dhcp'
	option delegate '0'
	list dns '127.0.0.1'
	option peerdns '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth1.2000'
	option reqaddress 'try'
	option reqprefix 'auto'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '1000'
	option ports '3t 4t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '2000'
	option ports '4t 6t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '1100'
	option ports '2t 4t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '6'
	option vid '1200'
	option ports '1 3t 4t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '7'
	option vid '1500'
	option ports '0 5t'

config switch_vlan
	option device 'switch0'
	option vlan '8'
	option vid '1300'
	option ports '2t 4t 5t'

config switch_vlan
	option device 'switch0'
	option vlan '9'
	option ports '4t 5t'
	option vid '1400'

Thanks!

EDIT: BTW, isn't the purpose of the option forward 'false' option in the default section to avoid this? Or am I missing something? I also tried something like iptables -I FORWARD -i br-main -o br-hack -j DROP, but it doesn't work either...

Change input to 'DROP' on all the networks that should not be able to access the router itself. This will also block DHCP and DNS, so you can create firewall traffic rules that accept port 53 (DNS) and ports 67-68 (DHCP). If you set the source to "any zone" and the destination to "this device", that will ensure that all networks have the ability to use DHCP and DNS.

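As an added example (not the poster's config and not written by the replier), here is the fix described above in /etc/config/firewall syntax for one of the zones from the posted config; the zone name 'cell' and the rule names are taken from that config, everything else is the standard fw3 syntax:

```uci
# Every zone that must not reach the router itself gets input 'DROP'.
# The 'admin' zone keeps input 'ACCEPT' so ssh/https stay reachable from there only.
config zone
	option name 'cell'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'cell'
	list network 'wg_cell'

# src '*' means "any zone"; leaving out 'dest' means the router itself ("this device"),
# so these two rules are placed in the INPUT chain of every zone.
config rule
	option name 'ANY -> DEVICE | Allow DHCP'
	option src '*'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'ANY -> DEVICE | Allow DNS'
	option src '*'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply with /etc/init.d/firewall restart; the existing per-zone GUEST DHCP/DNS rules then become redundant. If any VLAN uses IPv6, DHCPv6 (udp 547) and the ICMPv6 types already listed in the posted config need the same any-zone treatment.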

That's what I wanted to avoid :slight_smile: but your option seems good, as I had forgotten about the any-zone option.

I won't mark your response as the solution yet, in case someone else has another "by-design" solution/explanation.

I would also like to know why it behaves like that. Is it expected behavior? Is it legit to reach any GW interface despite the FW restrictions?

Anyway, thanks for your prompt answer!

I'm not sure what you mean here?

  • "Input" is basically packets that are destined for the router itself. Dropping on "input" for the zones that you don't want accessing the router is the "by design" method of doing this.
  • Since your DHCP / DNS is running on the router, you need to allow this. You can specify by zone or allow all zones. Again, this is the "by design" method.
  • If you look at the guest network guide, it is exactly as I have outlined.

I totally agree with your solution, but what I'm trying to understand is why I can reach another VLAN interface. I mean, the FW should drop that, with forward set to drop between zones, right?

EDIT: maybe I should have avoided the "by-design" term, as I'm probably missing something obvious. Maybe I should go back to my college classes :slight_smile:

Can you give an example of what you mean by reaching another VLAN interface? If you're referring to accessing the router's address on another VLAN, it is actually the equivalent of an alternate address on the router (local).

So for example:

  • VLAN 1: 192.168.1.0/24, router at 192.168.1.1
  • VLAN 2: 192.168.2.0/24, router at 192.168.2.1
  • firewall does not allow forwarding from VLAN 2 to VLAN 1.

A computer on VLAN 2 (say 192.168.2.53) will be unable to connect to a host on VLAN 1 because the forwarding is not allowed. However, that same VLAN 2 host can reach the router at 192.168.2.1 or at 192.168.1.1 because both of those addresses are actually local to the router. They fall under the regime of the "Input" rather than the regime of "output" or "forward."

Does that help? If not, please provide examples of what you are confused about.

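To make the INPUT-versus-FORWARD distinction concrete, here is an added example (not from the thread) that models fw3's classification in Python: a destination that is one of the router's own addresses goes to INPUT, everything else goes to FORWARD, with the zone policy, forwarding-section and rule semantics of /etc/config/firewall. The topology follows the example in the reply above; zone names, the rule tuple format and the harden() step are constructed for the model.

```python
import ipaddress

# Constructed topology following the example in the reply above (not the poster's real
# addresses). The 'before' state: both zones accept INPUT, no forwarding between them.
ZONES = {
    "vlan1": dict(net=ipaddress.ip_network("192.168.1.0/24"),
                  router=ipaddress.ip_address("192.168.1.1"),
                  input="ACCEPT", forward="ACCEPT"),
    "vlan2": dict(net=ipaddress.ip_network("192.168.2.0/24"),
                  router=ipaddress.ip_address("192.168.2.1"),
                  input="ACCEPT", forward="ACCEPT"),
}
DEFAULT_FORWARD = "DROP"   # 'config defaults' forward policy
FORWARDINGS = set()        # no 'config forwarding' section between the two VLANs
RULES = []                 # 'config rule' entries: (src zone or '*', proto, dest_port, target)

def zone_of(ip):
    """Zone a host belongs to; fw3 really uses the ingress interface, which is the
    same thing as long as nobody spoofs a source address."""
    ip = ipaddress.ip_address(ip)
    return next(z for z, cfg in ZONES.items() if ip in cfg["net"])

def chain_for(dst):
    """INPUT if dst is any of the router's own addresses (they are all local), else FORWARD."""
    dst = ipaddress.ip_address(dst)
    return "INPUT" if any(dst == cfg["router"] for cfg in ZONES.values()) else "FORWARD"

def verdict(src, dst, proto="icmp", dport=None):
    """Return (chain, target) for a packet from src to dst."""
    szone, chain = zone_of(src), chain_for(dst)
    if chain == "INPUT":
        for rsrc, rproto, rport, target in RULES:      # explicit rules are checked first
            if rsrc in ("*", szone) and rproto == proto and rport == dport:
                return chain, target
        return chain, ZONES[szone]["input"]            # otherwise the zone's input policy
    dzone = zone_of(dst)
    if dzone == szone:
        return chain, ZONES[szone]["forward"]          # intra-zone: zone forward policy
    if (szone, dzone) in FORWARDINGS:
        return chain, "ACCEPT"                         # inter-zone with a forwarding section
    return chain, DEFAULT_FORWARD                      # inter-zone without one: defaults policy

def harden():
    """The fix from the first reply: INPUT 'DROP' on the zones that must not reach the
    router (an admin zone would keep ACCEPT), then re-allow DNS and DHCP from any zone."""
    for cfg in ZONES.values():
        cfg["input"] = "DROP"
    RULES.append(("*", "udp", 53, "ACCEPT"))
    RULES.append(("*", "udp", 67, "ACCEPT"))
```

Before harden(), a VLAN 2 host reaches 192.168.1.1 through INPUT even though forwarding to 192.168.1.10 is dropped; after it, only the DNS and DHCP rules let that host talk to the router.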

This is exactly what I tried to explain! Maybe it's the 1am that's messing up my mind...

And that's exactly the explanation I was looking for! Perfect.

Thanks a lot for your time and your explanation!

And now, time to sleep ^^

Glad I could help fix the issue and explain the principles at work. It can be confusing and difficult to communicate some of these concepts.
