Do Interfaces Physically Set to VLAN with Firewall Need Another Firewall Zone?

I've defined interfaces on my main gateway router with the interface in their physical settings set to VLANs defined on the main gateway router switch (e.g., the guest interface is set to eth0.20 for VLAN ID 20). These interfaces have their own static IP subnet and DHCP servers. They are also assigned to firewall zones forwarded to the wan, with rules set to allow DNS and DHCP. Basically they are for "Guest" networks for guests, IOT devices and other. The ports my two wired access points are hardwired to on the main gateway router have these VLANs tagged.

The access point switches are set up with the same VLAN IDs, tagged on the port plugged into the main gateway router, but untagged on the port a device intended for a particular VLAN ID is plugged into. The physical settings of the interfaces on the access points are set to the same VLANs (e.g., the guest interface on the access points is set to eth0.20), with DHCP client protocol, but no firewall zone is assigned.

This is my first foray into VLANs, tagging, etc., and yet I think everything works as I think I intended - how's that for certitude? I have 2.4G and 5G guest wifi on both access points, and all four guest wifi networks are on the same subnet, served by the same DHCP server on the main gateway router. My Ooma VOIP box is working fine plugged into an access point port assigned to a VLAN ID/interface reserved for IOT devices, etc.

But the interfaces set to VLANs are "gray" in LuCI on the access points instead of colored with a firewall zone, and when I hover my mouse over one, it says no firewall zone is assigned. Problem? Is the firewall set up for the VLAN on the main gateway router protecting the interface, or do I need another firewall on the access point essentially doing the same thing as that on the main gateway router?

Without rules to prevent forwarding between VLANs, a router touching two will happily forward between them. You probably want to block “input” from them as well.
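As an added illustration of the reply above (not something either poster wrote), this is what the access point's `/etc/config/firewall` could carry so that the guest and IoT VLAN interfaces are no longer unzoned. It assumes the logical interface names on the access point are `guest` and `iot` (the names are assumptions; the thread only says they are bound to VLAN sub-interfaces such as eth0.20), and it assumes the existing `lan` zone for the AP's management interface is left as it is. The zone rejects input (so a guest client cannot reach the AP's LuCI or SSH), rejects forwarding (so the AP never routes between guest, IoT and lan), and has no `config forwarding` section at all, since the gateway router, not the AP, is the one that forwards to wan:

```uci
# Added example for the access point, not the original poster's config.
# Logical interface names 'guest' and 'iot' are assumptions.
config zone
	option name		'guest'
	list   network		'guest'
	list   network		'iot'
	# No guest/IoT client may talk to the AP itself (LuCI, SSH, DHCP client port)
	option input		'REJECT'
	# The AP's own DHCP client on these VLANs may still send requests out
	option output		'ACCEPT'
	# Nothing is routed between guest, iot and lan through the AP
	option forward		'REJECT'

# Deliberately no 'config forwarding' section referencing this zone:
# forwarding guest -> wan is the gateway router's job, not the AP's.
```

Output stays ACCEPT so the AP's DHCP client on the VLAN still works; this is the same input REJECT / output ACCEPT shape OpenWrt ships for its own wan zone, where a DHCP client also lives, and renewals are matched by connection tracking as replies to the AP's own requests. After `uci commit firewall` and `/etc/init.d/firewall restart`, `fw3 print` shows the generated rules and LuCI colours the interfaces with the zone. If the AP does not actually need an address on the guest and IoT VLANs, the smaller attack surface is to set those interfaces to the unmanaged protocol (`option proto 'none'`) so the AP only bridges the tagged frames and has no IP stack listening there at all.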

Makes sense. Thank you for the clarification. Looks like I have a few more rules to cut and paste into my access point set ups.
