Do I Need VLAN for My Use Case?

Hello everyone, I have a Netgear WAX202 with OpenWRT 23.05.5. I would like to segregate my network into 3 zones:

Main - personal devices, access to WAN, cannot talk to each other
IoT - appliances and sensors, access to WAN, can talk to each other
Guest - visitor devices, access to WAN, cannot talk to each other

Main - 1x PC connected to lan2, multiple phones connected to AP1
IoT - 1x TV connected to lan3, multiple devices connected to AP2
Guest - multiple devices connected to AP3

Perhaps this diagram could better describe my network.

Could I achieve this using firewall zones and rules? I have read that VLANs are level 2 while firewall rules are level 3. From my understanding this means firewall cannot prevent communication within the same LAN zone? (Let's say, phones connected to AP1 talking to each other.)

Currently I separated lan2 and lan3 by creating 2 interfaces, and 3 SSIDs with their own interfaces. lan2, lan3 and the 3 SSIDs have their own firewall zones, so 5 total.

My question is, is separating lan2 and lan3 into 2 interfaces and firewall zones an effective way to segregate the 2 devices, or it has to be done with VLANs? For Wi-Fi, I enabled 'client isolation' option, is this enough to prevent clients from talking to each other?

I have limited knowledge so please bear with me, thanks in advance!

Yes you need one vlan per function, like clients, iot, server, etc.
Yes you need to create new firewall zones for each one. Yes you need to configure the firewall if traffic is able to cross zones.
And you may need in addition concrete firewall rules.

Client isolation is just a wireless feature. Ethernet clients are not affected.


In addition to what has been said already, a technicality that may be useful...

VLANs technically apply only to ethernet. The term is often loosely applied whenever someone is working with multiple subnets as the two often, but not always, go hand-in-hand.

In the drawing, you show AP1 - AP3 and your WAX 202. If the APs in the drawing represent physical devices, you'll need to use VLANs (over ethernet) to carry multiple networks over a single cable to each of the remote APs. Critically, those APs must be VLAN aware and capable of multiple SSIDs (if they're using OpenWrt, this capability is almost always available except maybe for some really old hardware).

If the APs in the drawing are really just illustrating multiple SSIDs from the WAX 202, you don't technically need VLANs unless you'll also be using multiple networks via ethernet.


Thank you for the reply. I have created firewall zones for each one, inter-zone traffic should be dealt with since I can't ping devices on another zone. Do I need VLAN on top of the separate interfaces? For example the PC on lan2 is the only device linked to the interface and the firewall zone.

For the wireless part, if I want to stop clients within the same SSID from talking to each other, is client isolation enough? (I have searched for VLAN for Wi-Fi but it seems not straightforward - one approach uses MAC address which is not reliable, other approaches involve using WPA and radius.)

Thank you for the reply.

Does this mean separating lan2 and lan3 and giving them their own interfaces and firewall zones is kind of a 'VLAN'?

Sorry if my wording and diagram are not clear, AP1 - AP3 is actually 3 SSIDs from the WAX 202.
For the wired devices, is it the right approach to separate each device by making each device the sole member of an interface and firewall zone? Or should I use VLAN?

See my above comment... VLANs (as a proper technical construct) apply to ethernet. But to expand, you may or may not need them, depending on the port-by-port network assignments.

Can you describe the specific goals for your physical network connectivity...

For example:

  • trusted network (vlan 1): ethernet ports 1-2, 4 + wifi
  • guest (vlan 2): wifi only
  • IoT (vlan 3): wifi + ethernet port 4
  • server (vlan 4): ethernet port 3 only

My goals for my network connectivity:

Main network: ethernet port 1 + 2 + Wi-Fi
IoT: ethernet port 3 + Wi-Fi
Guest: Wi-Fi only

(At this moment ethernet port 1 is unoccupied, but I plan to connect another PC to it.)

Ok... a few more follow-up things to ask.

  • Were the APs shown in the diagram supposed to represent external hardware, or just the SSIDs that you want to broadcast from your WAX 202?
  • If they are external hardware, how do those connect to the main router and what hardware (brand + model) are we talking about and what firmware do they run?

They are just the SSIDs I want to broadcast from my WAX 202.

ok... so I think that your device is DSA, which means you should set up bridge-vlans for the main and iot networks. The guest network can be on its own bridge since it doesn't need ethernet.

Do you need help doing this? If so, let's see your current configs:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Yes, I believe my device is DSA. Here are my configs:

ubus call system board

{
        "kernel": "5.15.167",
        "hostname": "host",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "Netgear WAX202",
        "board_name": "netgear,wax202",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.5",
                "revision": "r24106-10cc5fcd00",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05.5 r24106-10cc5fcd00"
        }
}


cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'redacted'

config device
        option name 'lan1'
        option macaddr 'redacted'

config device
        option name 'lan2'
        option macaddr 'redacted'

config device
        option name 'lan3'
        option macaddr 'redacted'

config device
        option name 'wan'
        option macaddr 'redacted'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'
        option hostname '*'
        option peerdns '0'
        list dns '1.1.1.2'
        list dns '1.0.0.2'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '2606:4700:4700::1112'
        list dns '2606:4700:4700::1002'

config interface 'IoT'
        option proto 'static'
        option ipaddr '192.168.2.22'
        option netmask '255.255.255.0'
        option device 'br-lan-iot'
        option type 'bridge'

config interface 'Main'
        option proto 'static'
        option device 'br-lan'
        option ipaddr '192.168.1.69'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'

config interface 'Guest'
        option proto 'static'
        option ipaddr '192.168.3.33'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-lan-iot'
        list ports 'lan3'

cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel 'auto'
        option band '2g'
        option htmode 'HE40'
        option cell_density '0'
        option country 'redacted'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'IoT'
        option encryption 'sae'
        option key 'redacted'
        option isolate '1'
        option network 'IoT'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'
        option country 'redacted'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Main'
        option encryption 'sae'
        option key 'redacted'
        option isolate '1'
        option network 'Main'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Guest'
        option encryption 'sae'
        option key 'redacted'
        option network 'Guest'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option ednspacket_max '1232'
        option confdir '/tmp/dnsmasq.d'
        list server '127.0.0.1#5054'
        list server '/mask.icloud.com/'
        list server '/mask-h2.icloud.com/'
        list server '/use-application-dns.net/'
        list server '127.0.0.1#5053'
        option doh_backup_noresolv '-1'
        option noresolv '1'
        list doh_backup_server '127.0.0.1#5054'
        list doh_backup_server '/mask.icloud.com/'
        list doh_backup_server '/mask-h2.icloud.com/'
        list doh_backup_server '/use-application-dns.net/'
        list doh_backup_server '127.0.0.1#5053'
        list doh_server '127.0.0.1#5053'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'IoT'
        option interface 'IoT'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'Main'
        option interface 'Main'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'Guest'
        option interface 'Guest'
        option start '100'
        option limit '150'
        option leasetime '12h'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'Main'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Main'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'Main'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name '(Dis)Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option family 'ipv4'
        option target 'DROP'
        list icmp_type 'echo-request'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'Main'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'Main'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'IoT'

config zone
        option name 'Guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'

config forwarding
        option src 'Guest'
        option dest 'wan'

config rule
        option name 'Main - DHCP'
        list proto 'udp'
        option src 'Main'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'IoT - DHCP'
        list proto 'udp'
        option src 'IoT'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Guest - DHCP'
        option src 'Guest'
        option dest_port '67'
        option target 'ACCEPT'
        list proto 'udp'

config forwarding
        option src 'IoT'
        option dest 'wan'

config rule
        option name 'Main - DNS'
        option src 'Main'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'IoT - DNS'
        option src 'IoT'
        option dest_port '53'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'Guest  - DNS'
        option src 'Guest'
        option dest_port '53'
        option target 'ACCEPT'

config redirect 'adblock_Guest53'
        option name 'Adblock DNS (Guest, 53)'
        option src 'Guest'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config redirect 'adblock_IoT53'
        option name 'Adblock DNS (IoT, 53)'
        option src 'IoT'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config redirect 'adblock_Main53'
        option name 'Adblock DNS (Main, 53)'
        option src 'Main'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

Edit: I have changed a few settings after the original post, so it might not match my description in post #1.

The config as shown probably doesn't work properly. Let's fix it.

First put lan3 back into br-lan like this:

config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

Now create two bridge-VLANs in the network config file:

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan3:u*'

Edit the main network interface to use br-lan.1:

config interface 'Main'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '192.168.1.69'
        option netmask '255.255.255.0'

And edit the IoT network to use br-lan.2. Also remove the bridge line entirely:

config interface 'IoT'
        option proto 'static'
        option ipaddr '192.168.2.22'
        option netmask '255.255.255.0'
        option device 'br-lan.2'

Delete this:

And add an empty bridge for the guest network:

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

Now, edit the guest network to use this device:

config interface 'Guest'
        option device 'br-guest'
        option proto 'static'
        option ipaddr '192.168.3.33'
        option netmask '255.255.255.0'

From the firewall file, this can be deleted (unnecessary):

And this, too:

Restart and test again.

Side note: it is common, but absolutely not required, to make the router's address on each network the .1 or .254 host address (when using a /24). If you want to do otherwise, that is fine, but having the address one end or the other of the range is often easiest to remember.
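As an added example (not tooling from the thread, from OpenWrt or from netifd), here is a minimal parser for the UCI config syntax used in /etc/config/network plus a few consistency checks that flag the problems the reply above corrects: an interface with no device (the posted Guest network), the legacy 'option type bridge' on an interface (the posted IoT network), bridge-vlan ports that are not members of their bridge, a port used as PVID in two VLANs, and an interface on br-lan.N with no matching bridge-vlan. The two embedded configs are constructed from the posted network file with addresses and unrelated sections trimmed; the function names are this example's own.

```python
# Added example, not tooling from the thread or from OpenWrt: a minimal UCI
# parser and consistency checks for the bridge-VLAN layout described above.
import re

TOKEN = re.compile(r"'([^']*)'|(\S+)")   # quoted values may contain spaces ('tcp udp')


def parse_uci(text):
    """Parse config/option/list lines into a list of section dicts."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = [q or bare for q, bare in TOKEN.findall(line)]
        if toks[0] == "config":
            sections.append({"type": toks[1], "name": toks[2] if len(toks) > 2 else None,
                             "options": {}, "lists": {}})
        elif toks[0] == "option":
            sections[-1]["options"][toks[1]] = toks[2]
        elif toks[0] == "list":
            sections[-1]["lists"].setdefault(toks[1], []).append(toks[2])
    return sections


def lint_network(sections):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    bridges = {s["options"]["name"]: s["lists"].get("ports", []) for s in sections
               if s["type"] == "device" and s["options"].get("type") == "bridge"}
    vlans, pvid = {}, {}   # (bridge, vid) -> port specs; (bridge, port) -> vid used as PVID
    for s in (s for s in sections if s["type"] == "bridge-vlan"):
        br, vid = s["options"].get("device"), s["options"].get("vlan")
        if br not in bridges:
            findings.append(f"bridge-vlan {vid}: device {br!r} is not a bridge")
            continue
        vlans[(br, vid)] = s["lists"].get("ports", [])
        for spec in vlans[(br, vid)]:
            port, _, flags = spec.partition(":")   # "lan3:u*" -> port lan3, untagged and PVID
            if port not in bridges[br]:
                findings.append(f"bridge {br} VLAN {vid}: port {port} is not a member of the bridge")
            if "*" in flags and pvid.setdefault((br, port), vid) != vid:
                findings.append(f"bridge {br}: port {port} is PVID in VLAN {pvid[(br, port)]} and VLAN {vid}")
    for s in (s for s in sections if s["type"] == "interface" and s["name"] != "loopback"):
        dev = s["options"].get("device")
        if dev is None:
            findings.append(f"interface {s['name']}: no 'option device', so nothing can join this network")
            continue
        if s["options"].get("type") == "bridge":
            findings.append(f"interface {s['name']}: legacy 'option type bridge'; bridges belong in a config device section")
        br, dot, vid = dev.rpartition(".")
        if dot and br in bridges and (br, vid) not in vlans:
            findings.append(f"interface {s['name']}: device {dev} has no matching bridge-vlan")
    return findings


# Constructed from the posted /etc/config/network, trimmed to the relevant sections.
POSTED_CONFIG = """
config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
config device
        option type 'bridge'
        option name 'br-lan-iot'
        list ports 'lan3'
config interface 'Main'
        option device 'br-lan'
config interface 'IoT'
        option device 'br-lan-iot'
        option type 'bridge'
config interface 'Guest'
        option proto 'static'
"""

# The same file after applying the reply's changes.
FIXED_CONFIG = """
config device
        option type 'bridge'
        option name 'br-lan'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan3:u*'
config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'
config interface 'Main'
        option device 'br-lan.1'
config interface 'IoT'
        option device 'br-lan.2'
config interface 'Guest'
        option device 'br-guest'
"""


def check(text):
    return lint_network(parse_uci(text))


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check(cfg) or ["ok"])
```

Running it on a real box would be `python3 lint.py` after pasting the output of `cat /etc/config/network` into `POSTED_CONFIG`; the checks are deliberately conservative and only report conditions that leave a network with no members or a VLAN with no usable port.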

I have changed the config and restarted the router, everything seems to be working well.

I read somewhere that VLAN ID 1 and 2 are commonly used as the default in some devices, does this pose a risk (or not, because everything is untagged)?

Currently, devices in the main network can talk to each other (for example, device connected to main Wi-Fi can ping PC connected to main ethernet (lan2), PC on lan1 can ping PC on lan2), how could I prevent that?

My original thought was, setting an 'unconventional' address could increase security. But now that I think about it again, it should not matter, since the client knows the gateway address, and access to router should be blocked in an untrusted network anyways.
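The thread's two recurring questions, whether firewall zones can separate hosts in the same network (post #1) and why a phone on the Main SSID can still ping the PC on lan2 (the last post), come down to which hosts share a layer-2 segment. The following added example (not code from the thread or from OpenWrt) models the poster's network after the bridge-VLAN fix and answers "can A reach B?" with the reason: traffic between different segments is routed and subject to the zone forwarding policy, while traffic inside one segment is bridged and never enters the forward chain, so only wireless client isolation on the same SSID can stop it. The hosts are constructed; the isolated-SSID set is taken from the posted wireless file, where the Main and IoT SSIDs have option isolate '1' and the Guest SSID does not, which is worth noticing given the goal in post #1 that guests cannot talk to each other.

```python
# Added example, not part of the thread: a reachability model showing which host
# pairs the OpenWrt firewall can separate and which it cannot.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Host:
    name: str
    network: str          # OpenWrt interface the host lands in (its firewall zone here)
    attach: str           # bridge port such as "lan2", or the SSID for wireless clients
    wireless: bool = False


@dataclass
class Segment:
    zone: str
    isolated_ssids: set = field(default_factory=set)   # wifi-iface sections with option isolate '1'


def reachable(a: Host, b: Host, segments: dict, forwardings: set):
    """Return (allowed, reason) for traffic initiated by a towards b."""
    if a.network != b.network:
        # Different layer-2 segments: the frame goes to the router, which routes it
        # and applies the zone forwarding policy (defaults forward 'REJECT').
        za, zb = segments[a.network].zone, segments[b.network].zone
        if (za, zb) in forwardings:
            return True, f"routed, forwarding {za}->{zb} is accepted"
        return False, f"routed, no forwarding {za}->{zb}, so the default REJECT applies"
    # Same segment: the bridge (or the switch chip) forwards the frame directly;
    # it never enters the router's forward chain, so zone rules cannot block it.
    seg = segments[a.network]
    if a.wireless and b.wireless and a.attach == b.attach and a.attach in seg.isolated_ssids:
        return False, "same SSID with client isolation; the AP drops station-to-station frames"
    return True, "same layer-2 segment, bridged without passing the firewall"


# Topology after the fix: Main = br-lan.1 (lan1, lan2, SSID Main),
# IoT = br-lan.2 (lan3, SSID IoT), Guest = br-guest (SSID Guest only).
SEGMENTS = {
    "Main":  Segment(zone="Main",  isolated_ssids={"Main"}),
    "IoT":   Segment(zone="IoT",   isolated_ssids={"IoT"}),
    "Guest": Segment(zone="Guest", isolated_ssids=set()),   # no option isolate '1' posted for Guest
}
# The config forwarding sections from the posted firewall file.
FORWARDINGS = {("Main", "wan"), ("IoT", "wan"), ("Guest", "wan")}

# Constructed hosts matching the poster's description.
HOSTS = {
    "pc_lan1": Host("pc_lan1", "Main", "lan1"),
    "pc_lan2": Host("pc_lan2", "Main", "lan2"),
    "phone_a": Host("phone_a", "Main", "Main", wireless=True),
    "phone_b": Host("phone_b", "Main", "Main", wireless=True),
    "tv_lan3": Host("tv_lan3", "IoT", "lan3"),
    "sensor":  Host("sensor", "IoT", "IoT", wireless=True),
    "guest_a": Host("guest_a", "Guest", "Guest", wireless=True),
    "guest_b": Host("guest_b", "Guest", "Guest", wireless=True),
}


def can_reach(src: str, dst: str) -> bool:
    """Convenience wrapper over the constructed topology."""
    return reachable(HOSTS[src], HOSTS[dst], SEGMENTS, FORWARDINGS)[0]


def unwanted_paths(hosts=HOSTS, segments=SEGMENTS, forwardings=FORWARDINGS):
    """Host pairs inside one network that can still talk: the last post's remaining problem."""
    out = []
    for a in hosts.values():
        for b in hosts.values():
            if a is not b and a.network == b.network and reachable(a, b, segments, forwardings)[0]:
                out.append((a.name, b.name))
    return out


if __name__ == "__main__":
    for src, dst in [("phone_a", "phone_b"), ("phone_a", "pc_lan2"), ("pc_lan1", "pc_lan2"),
                     ("pc_lan2", "tv_lan3"), ("guest_a", "guest_b")]:
        ok, why = reachable(HOSTS[src], HOSTS[dst], SEGMENTS, FORWARDINGS)
        print(f"{src:8} -> {dst:8}: {'ALLOWED' if ok else 'blocked':7}  ({why})")
    print("intra-network pairs still reachable:", unwanted_paths())
```

The model reproduces exactly what the last post observes: phone to phone on the Main SSID is blocked by client isolation, but phone to lan2 and lan1 to lan2 are bridged inside VLAN 1 and no zone rule applies. Wired ports that share a bridge VLAN are modelled as always mutually reachable, which matches the earlier reply that client isolation is a wireless-only feature; separating them means not sharing a VLAN.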