DMZ with only two ETH ports + managed switch

Hi guys,

I run OpenWRT on mini-PC with only two eth ports (+WiFi). It is very quick and dependable...but only has two ports + WiFi :frowning: WiFi is used for Guest Network so it is separated from ordinary network (I have AP's for internal network).

Now, I have a device that only has Ethernet port, but for security reasons I would like to isolate it from the rest of the network just like my guest WiFi is (client isolation).

Device has always the same IP and MAC, and is to be plugged into managed switch (Netgear GS728TP), port 16. I assume I need to tag this port in the switch, and then somehow configure my router to isolate all traffic with that particular tagging? Is there any tutorial on this?

In worst case scenario, I could use some sort of WiFi-to-ETH bridge so I can re-use my Guest WiFi. But that is a cludge.

Thanks!

P.S.
sometimes, I miss my old Archer C7 which had built-in switch, this would be trivial then.

You can declare VLAN tagging with “standard Linux notation” such as eth0.100 and bridge over that interface. Coupled with switch configuration and firewall rules / listener config, the isolated VLANs can be trunked to a VLAN-aware switch or device.

See, for example

Ask for more details as you need.

1 Like

First set up your managed switch. As a general security and performance good practice, make sure its firmware is up to date. Then create an additional VLANs in it. Generally you leave the default VLAN 1 in place as part of the LAN since this is how to log into the switch. VLAN 2 could be the new one. Stay connected to one of the untagged VLAN 1 ports to configure.

By convention, the highest numbered port in the switch is usually used as the "uplink" to the router. Set this port as tagged in all of the VLANs. Set one or more of the ports as untagged in one of the new VLAN, this will be the unprivileged guest network.

Then go to your router and change the LAN physical setting from eth1 (for example) to eth1.1, and add eth1.2 to the guest network bridge. This makes all the packets leaving eth1 tagged with their VLAN. Move the ethernet cable to the uplink port you configured on the switch. You should now still have lan available on the ports that are untagged for VLAN1, and guest on the ports you set as untagged in VLAN2.

1 Like

@mk24 is spot on with a great approach.

One "gotcha" is that OpenWrt often uses VLAN 1 and VLAN 2 internally, so I avoid those as my own choices to save a few puzzles.

Setting up a dedicated "management VLAN" (and IP address) is something that I find useful before messing around with OpenWrt configuration, especially IP addresses and switch config.

3 Likes

On an X86 with bare CPU ports there should be no pre-defined VLANs.

Yes this is a good idea. Open a new WiFi AP for administration purposes. Create an "admin" network with a static IP and a DHCP server. You do not need to include this network in any firewall since it will only be used in an emergency to log into the router OS.

2 Likes

I'm a doosh with consistency, and despite knowing all the particulars... I just stuff up lots....

Another option to consider is "out of band management" .... which means for instance getting a ttl-usb adaptor.... ( $10 ) or usb-ethernet or even running luci mac / ip filtered on guest.....

If you already have a keyboard / monitor then that counts. :wink:

Some of the cheaper managed switches can be "particular" when it comes to vernacular / vlan number.... ( even type ) ... etc. and most don't have a console.... so really get that bit down pat... like Jeff says...

I'd rather go to the dentist than have to manually reset a switch and go through often laborious interfaces to apply what is essentially... some really basic stuff.... waste of 1-2 hours....

Little round colored stickers are your friend too.... whack them on the switch so you know which ports are trunks / XYZvlan .... switch ip .... etc.

1 Like

Oh my, this is gonna take some time. Last time I tried fiddling with my switch it stopped switching and I had to reset to default :grimacing: I really appreciate that you are trying to help me!

Done! It is on 6.0.1.24 now, latest.

OK. Now I have created two additional VLANS. Switch already had VLAN1 "",VLAN2 "voice" ,VLAN3 "audio video". I now added VLAN4 "DMZ" and VLAN5 "PoE". VLAN4 will be used for my DMZ stuff on port 1,2 (VLAN5 will act like stand-alone PoE injector for some additional stuff on port 3,4 but that I will do later):

Port 7 is my uplink to router. I will keep it that way for now for practical reasons. I hope I am doing this right. I went to VLAN membership, found my VLAN4 and flipped port 7 (router uplink) to "T" and ports 1,2 (my DMZ ports) to "U":

Everything still works, how am I doing so far? :slight_smile:

This is scary part. LAN port in my router is not "eth1" but "br-lan" (which I connect to to router through). I also have VPN interface (tun0) and Guest WiFi (wlan). Guest WiFi is in Firewall zone "guest", which I configured according to tutorials. Guest WiFi has it's own DHCP range (192.168.3.x) and cannot talk to LAN (192.168.0.x). I would love to set up something similar for DMZ: own isolated zone with own DHCP range (for example 192.168.4.x) where stuff can talk to Internet but not to each other or LAN. Should I still try to rename/change LAN interface "br-lan" to "br-lan1.1"?

No!

Create a new "interface" called DMZ and put it in its own firewall zone called DMZ. Set the physical port for DMZ to eth1.4

Thanks for helping me! :slight_smile:
This is what I have to chose from when I try to create new interface "DMZ":

Which Ethernet Adapter should I tie it to?

scroll down in that menu and in the other box put eth0.4 since eth0 is your LAN side adapter and 4 is the new vlan ID

1 Like

Done! Now I have "interface" DMZ tied to eth0.4:

I gave it IP 192.168.4.200 and configured a DHCP for 192.168.4.x range. (plan is to have DMZ on 192.168.4.x network as x.x.3.x is used by Guest WiFi and x.x.0.x is used by LAN).

What should be my next step? I assume I need to create it's own Firewall zone now?

P.S. OpenWRT is indeed fantastic. Stuff like this would be really hard pro/consumer router Firmware

yep, that'd be what I'd do. you can go into the DMZ interface and select its firewall settings, and then select to create a new one, name it DMZ.... by default make the DMZ forwarding turned off, input turned off, and allow forwarding specifically to WAN. that should do it. I'd recommend to statically allocate all your DMZ devices and don't even run DHCP on that network (click the check box "Ignore interface"). Also you can have devices on that network use a static DNS like 1.1.1.1 and 8.8.8.8, this way you don't even need to open up input for DHCP and DNS requests.

Also, by convention you put the router at .1 so 192.168.4.1 rather than 4.200 it's not required, but it might save confusion later.

1 Like

Some of devices I would be connecting (IoT stuff) are not really static configurable so DHCP is a must. I put the router at 4.200 and DHCP range between 4.100 and 4.150.

Forward: reject or drop?
Input: reject or drop?
Output: Accept?

So, this isn't too compatible with what I think of as a DMZ... for me a DMZ is a place you put devices that will be providing services to the internet and need port forwarding (or for ipv6 just need to be reachable from the internet via forwarding), and because of that you want them isolated from interior LAN devices because they are essentially "part of the internet".

So what exactly are you planning to do with this zone? giving some more info could help with how it should be set up, and whether it might be best to split it in two or whatever.

again, the router is usually .1 not something like .200, it's not required, but if you don't do it that way you may find it confusing later when someone else tries to help you or you read articles telling you to put .1 as your gateway etc.

Ah, sorry. Perhaps I used wrong name.

I just want "wired Guest WiFi". Where cabled devices can get IP's 192.168.4.x range and be NAT:ed to Internet without being able to communicate with 192.168.0.x (or each other, if possible). That's it.

And those cabled connections will be connected to router LAN port tagged as VLAN4...

Is there a reason this should be separate from the wireless guest wifi?

If not, then you should probably delete the DMZ interface, and the DMZ firewall zone, and just go into your existing guest interface and change its physical settings to a bridge over your SSID and eth0.4

No, not really. Guest WiFi does exactly what I want....except it is, you know, wireless. And I need to connect wired stuff :smiley:

1 Like

Ok, then definitely do as I suggested above in my edit... delete DMZ interface and zone, and just change the physical settings of existing guest to a bridge over the wlan and the eth0.4 interface.

1 Like

Yes if you just want wired users with the same access as the guests, add an Ethernet interface to the guest bridge.

If you were to make a new network, call it something like 'iot'. It's going to be basically a clone of the guest network, only for a different kind of untrusted users. As @dlakelan said, "DMZ" has a generally accepted meaning that is not a group of untrusted users.

Use only lowercase for network names. LuCI converts and shows them to the user in uppercase, which is confusing. If you enter new names in uppercase or mixed it is likely to break.

So instead of having guest zone tied to "wlan" only I will add "eth0.4" and then bridge it to "wlan"? I assume it means that both wlan (WiFi) and eth0.4 (ethernet traffic on eth0 tagged as VLAN4) will behave just like Guest WiFi did? That is elegant...I must say :ok_hand:

One last question: in my Guest WiFi I enabled "client isolation" so 192.168.3.152 cannot talk to 192.168.3.155. They can only talk to Internet.

Is this possible to achieve even for wired clients?

Many thanks! This is pure gold. I am learning a lot.