This is my first attempt at a VLAN setup, so apologies if I misinterpreted something.
My main questions were if the VLANs are set up correctly and if the nmap behavior posted near the bottom is expected.
What I've attempted to do on my XR500 running 25.12 is to take the guest wifi instructions and use VLANs instead to implement two isolated wifi SSIDs.
My goals for this setup were to have an isolated wifi SSID for my server that can only access the internet, and then an isolated guest wifi SSID that can only access the internet and the server zone's firewall zone. I also made two isolated and separate guest LANs on lan3 and lan4.
Here are the configs:
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
list ipaddr '127.0.0.1/8'
config globals 'globals'
option dhcp_default_duid '000468aerwrweref3a3ce60' # redacted full duid
option ula_prefix 'fd92:27f4:ceab::/48'
option packet_steering '1'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan.99'
option proto 'static'
list ipaddr '192.168.1.1/24'
option ip6assign '60'
option multipath 'off'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config bridge-vlan
option device 'br-lan'
option vlan '7'
config bridge-vlan
option device 'br-lan'
option vlan '8'
config bridge-vlan
option device 'br-lan'
option vlan '9'
list ports 'lan3:u*'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan4:u*'
config bridge-vlan
option device 'br-lan'
option vlan '99'
list ports 'lan1:u*'
list ports 'lan2:u*'
config interface 'GUEST'
option proto 'static'
option device 'br-lan.7'
option ipaddr '192.168.8.1'
option netmask '255.255.255.0'
option multipath 'off'
config interface 'SERVINTRFCE'
option proto 'static'
option device 'br-lan.8'
option ipaddr '192.168.7.1'
option netmask '255.255.255.0'
option multipath 'off'
config interface 'GUESTLAN1'
option proto 'static'
option device 'br-lan.9'
option ipaddr '192.168.3.1'
option netmask '255.255.255.0'
option multipath 'off'
config interface 'GUESTLAN2'
option proto 'static'
option device 'br-lan.10'
option ipaddr '192.168.4.1'
option netmask '255.255.255.0'
option multipath 'off'
/etc/config/wireless
config wifi-device 'radio0'
option type 'mac80211'
option path 'soc/1b500000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
option band '5g'
option channel '161'
option htmode 'VHT80'
option cell_density '0'
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'ssid1'
option encryption 'psk2'
option key 'ssidpassword1'
option ieee80211w '2'
option ocv '1'
option wpa_disable_eapol_key_retries '1'
config wifi-device 'radio1'
option type 'mac80211'
option path 'soc/1b700000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0'
option band '2g'
option channel '6'
option htmode 'HT20'
option cell_density '0'
config wifi-iface 'default_radio1'
option device 'radio1'
option network 'lan'
option mode 'ap'
option ssid 'ssid2'
option encryption 'psk2'
option key 'ssidpassword2'
option ieee80211w '2'
option ocv '1'
option wpa_disable_eapol_key_retries '1'
config wifi-iface 'wifinet2'
option device 'radio0'
option mode 'ap'
option ssid 'ssid3'
option encryption 'psk2'
option isolate '1'
option key 'ssidpassword3'
option ieee80211w '2'
option ocv '1'
option wpa_disable_eapol_key_retries '1'
option network 'SERVINTRFCE'
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'ssid4'
option encryption 'psk2'
option isolate '1'
option key 'ssidpassword4'
option ieee80211w '2'
option ocv '1'
option wpa_disable_eapol_key_retries '1'
option network 'GUEST'
/etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'DROP'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'GuestZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GUEST'
config forwarding
option src 'GuestZone'
option dest 'wan'
config rule
option src 'GuestZone'
option name 'GuestZoneDCHP'
list proto 'udp'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option src 'GuestZone'
option name 'GuestZoneDNS'
option dest_port '53'
option target 'ACCEPT'
config rule
option src 'GuestZone'
option dest 'wan'
option name 'BlockGuestToModem'
list proto 'all'
list dest_ip '192.168.100.1'
option target 'REJECT'
config zone
option name 'ServZone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'SERVINTRFCE'
config forwarding
option src 'ServZone'
option dest 'wan'
config rule
option src 'ServZone'
option name 'ServZoneDHCP'
list proto 'udp'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option src 'ServZone'
option name 'ServZoneDNS'
option dest_port '53'
option target 'ACCEPT'
config rule
option src 'ServZone'
option dest 'wan'
option name 'BlockServerToModem'
list proto 'all'
list dest_ip '192.168.100.1'
option target 'REJECT'
config forwarding
option src 'lan'
option dest 'GuestZone'
config forwarding
option src 'lan'
option dest 'ServZone'
config forwarding
option src 'GuestZone'
option dest 'ServZone'
config zone
option name 'GuestLan1Zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GUESTLAN1'
config forwarding
option src 'GuestLan1Zone'
option dest 'wan'
config rule
option src 'GuestLan1Zone'
option name 'GuestLan1ZoneDCHP'
list proto 'udp'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option src 'GuestLan1Zone'
option name 'GuestLan1ZoneDNS'
option dest_port '53'
option target 'ACCEPT'
config rule
option src 'GuestLan1Zone'
option dest 'wan'
option name 'BlockGuestLan1ToModem'
list proto 'all'
list dest_ip '192.168.100.1'
option target 'REJECT'
config zone
option name 'GuestLan2Zone'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'GUESTLAN2'
config forwarding
option src 'GuestLan2Zone'
option dest 'wan'
config rule
option src 'GuestLan2Zone'
option name 'GuestLan2ZoneDHCP'
list proto 'udp'
option dest_port '67 68'
option target 'ACCEPT'
config rule
option src 'GuestLan2Zone'
option name 'GuestLan2ZoneDNS'
option dest_port '53'
option target 'ACCEPT'
config rule
option src 'GuestLan2Zone'
option dest 'wan'
option name 'BlockGuestLan2ToModem'
list proto 'all'
list dest_ip '192.168.100.1'
option target 'REJECT'
config forwarding
option src 'GuestLan2Zone'
option dest 'ServZone'
/etc/config/dhcp
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
option ra_preference 'medium'
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/odhcpd.leases'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
option piodir '/tmp/odhcpd-piodir'
option hostsdir '/tmp/hosts'
config dhcp 'GUEST'
option interface 'GUEST'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
config dhcp 'SERVINTRFCE'
option interface 'SERVINTRFCE'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
config dhcp 'GUESTLAN1'
option interface 'GUESTLAN1'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
config dhcp 'GUESTLAN2'
option interface 'GUESTLAN2'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
bridge vlan output
port vlan-id
lan4 10 PVID Egress Untagged
lan3 9 PVID Egress Untagged
lan2 99 PVID Egress Untagged
lan1 99 PVID Egress Untagged
br-lan 7
8
9
10
99
phy0-ap0 99 PVID Egress Untagged
phy0-ap1 8 PVID Egress Untagged
phy1-ap0 99 PVID Egress Untagged
phy1-ap1 7 PVID Egress Untagged
For the nmap tests, I tested pathways that should be blocked by the firewall. For example, from GuestZone (192.168.8.0/24) to lan (192.168.1.0/24). The behavior I expected for each test was that nmap could not see any lan open ports or accessible IPs from the guest wifi.
This one is the most interesting because it seems that nmap can see the IPs of all devices, which I didn’t expect:
sudo nmap -sn -v 192.168.1.0/24
It shows them like this:
Nmap scan report for OpenWRT.lan (192.168.1.1
Host is up (0.00063s latency).
...
Nmap scan report for server.lan (192.168.1.241)
Host is up (0.0022s latency).
The rest of these commands showed the expected results, ie that all ports were closed and inaccessible:
sudo nmap -sS -T3 -vv --top-ports 2000 --reason -sV --max-retries 3 192.168.1.241
sudo nmap -sT -T3 -vv --top-ports 2000 --reason -sV --max-retries 3 192.168.1.241
sudo nmap -sU -T3 -vv --top-ports 1000 --reason -sV --max-retries 3 192.168.1.241
sudo nmap -sV -sC 192.168.1.241
Is the result of the first nmap command expected? I looked into it a little bit and it seems like you can tell a specific interface to use Cloudflare’s DNS, which should fix it. But would that just be a bandaid fix?