Firewall setup to isolate vlan servers from the rest of the network

Alright, I've been messing around with this for a bit (and receiving a lot of help along the way). I want to make sure I'm doing everything right before trying to go live and having it backfire on me due to a firewall.

I have 2 VLANs now:
port 1 link to VLAN 20
port 2 link to VLAN 20
port 3 VLAN 30 server network that goes to a "dumb" router
port 4 VLAN 20 home network that goes to a "dumb" router

I'd like to isolate VLAN 30 from the rest of the network but allow it to have internet access and no access to the rest of the network.

It would be nice if there is a way to allow access to VLAN 30 from within VLAN 20. I don't know if this is too risky or can't be done. If not, then I can always just FTP/SSH into them another way.

Also, port forwarding within OpenWrt doesn't look the same as on other routers in terms of opening port 80, 443 plus any others. Is there a special way of doing it?

cat /etc/config/firewall

config defaults
       option syn_flood        1
       option input            ACCEPT
       option output           ACCEPT
       option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

##########2/3/23 removed due to there already being one.
#config zone
#       option name             lan
#       list   network          'lan'
#       option input            ACCEPT
#       option output           ACCEPT
#       option forward          ACCEPT

config zone
       option name             wan
       list   network          'wan'
       list   network          'wan6'
       option input            REJECT
       option output           ACCEPT
       option forward          REJECT
       option masq             1
       option mtu_fix          1

config forwarding
       option src              lan
       option dest             wan

###################2/4/23 internet access for vlan30
config forwarding
       option src 'Servers'
       option dest 'wan'




# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
       option name             Allow-DHCP-Renew
       option src              wan
       option proto            udp
       option dest_port        68
       option target           ACCEPT
       option family           ipv4

# Allow IPv4 ping
config rule
       option name             Allow-Ping
       option src              wan
       option proto            icmp
       option icmp_type        echo-request
       option family           ipv4
       option target           ACCEPT

config rule
       option name             Allow-IGMP
       option src              wan
       option proto            igmp
       option family           ipv4
       option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
       option name             Allow-DHCPv6
       option src              wan
       option proto            udp
       option dest_port        546
       option family           ipv6
       option target           ACCEPT

config rule
       option name             Allow-MLD
       option src              wan
       option proto            icmp
       option src_ip           fe80::/10
       list icmp_type          '130/0'
       list icmp_type          '131/0'
       list icmp_type          '132/0'
       list icmp_type          '143/0'
       option family           ipv6
       option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
       option name             Allow-ICMPv6-Input
       option src              wan
       option proto    icmp
       list icmp_type          echo-request
       list icmp_type          echo-reply
       list icmp_type          destination-unreachable
       list icmp_type          packet-too-big
       list icmp_type          time-exceeded
       list icmp_type          bad-header
       list icmp_type          unknown-header-type
       list icmp_type          router-solicitation
       list icmp_type          neighbour-solicitation
       list icmp_type          router-advertisement
       list icmp_type          neighbour-advertisement
       option limit            1000/sec
       option family           ipv6
       option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
       option name             Allow-ICMPv6-Forward
       option src              wan
       option dest             *
       option proto            icmp
       list icmp_type          echo-request
       list icmp_type          echo-reply
       list icmp_type          destination-unreachable
       list icmp_type          packet-too-big
       list icmp_type          time-exceeded
       list icmp_type          bad-header
       list icmp_type          unknown-header-type
       option limit            1000/sec
       option family           ipv6
       option target           ACCEPT

config rule
       option name             Allow-IPSec-ESP
       option src              wan
       option dest             lan
       option proto            esp
       option target           ACCEPT

config rule
       option name             Allow-ISAKMP
       option src              wan
       option dest             lan
       option dest_port        500
       option proto            udp
       option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp




###########2/3/23 VLAN 20 along with the rest of the LAN ports not reassigned to VLANs
config zone
       option name 'lan'
       list network 'lan'
       list network 'vlan20'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'ACCEPT'

###########2/4/23 VLAN 30 servers
# 'input' governs what this zone may send to the router itself (LuCI, SSH, DNS, DHCP);
# with ACCEPT, VLAN 30 hosts can reach the router's own services. Traffic through the
# router to other zones is governed separately by the 'config forwarding' sections.
config zone
       option name 'Servers'
       list network 'vlan30'
       option input 'ACCEPT'
       option output 'ACCEPT'
       option forward 'ACCEPT'

Thank you for any help you can give with this.

Just add this -- this will allow VLAN 20 > VLAN 30 access, but not the other way around.
VLAN 30 already should have internet access, but it should be unable to reach VLAN 20.

config forwarding
       option src 'lan'
       option dest 'Servers'

Port forwarding is pretty straightforward in OpenWrt, both in the config files and the LuCI web interface.... where is your confusion?
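A worked version of the two points in that reply, written as sections for /etc/config/firewall. This is an added example, not the poster's config or the reply's own text; it uses the zone names from the posted config ('lan' and 'Servers') and assumes 192.168.30.10 as a hypothetical web server address on VLAN 30.

```uci
# Added example, not from the thread. Zone names 'lan' and 'Servers' come from
# the posted config; 192.168.30.10 is an assumed VLAN 30 web server address.

# Stateful, one-way forwarding: hosts in zone lan (VLAN 20) may open connections
# into zone Servers (VLAN 30). Return packets are matched by conntrack, so no
# Servers->lan forwarding is needed for replies, and new connections from
# Servers to lan are still dropped by the global 'forward REJECT' default.
config forwarding
        option src 'lan'
        option dest 'Servers'

# Port forward (DNAT) from wan to the VLAN 30 web server. 'dest' must be the
# zone the target host lives in, so it is 'Servers' here rather than 'lan'.
# 'src_dport' is the port as seen on wan, 'dest_port' the port on the server;
# they may differ (the commented default example maps 22001 -> 22 the same way).
config redirect
        option name 'Forward-HTTP'
        option src 'wan'
        option proto 'tcp'
        option src_dport '80'
        option dest 'Servers'
        option dest_ip '192.168.30.10'
        option dest_port '80'
        option target 'DNAT'

config redirect
        option name 'Forward-HTTPS'
        option src 'wan'
        option proto 'tcp'
        option src_dport '443'
        option dest 'Servers'
        option dest_ip '192.168.30.10'
        option dest_port '443'
        option target 'DNAT'
```

Apply with `/etc/init.d/firewall restart`, then check both directions: an SSH connection from a VLAN 20 host to the server should succeed, and a connection attempt from the server to any VLAN 20 address should be rejected. The redirects expose only TCP 80 and 443 of that one host to the internet; they do not create any Servers->lan path, so the isolation of VLAN 30 from VLAN 20 is unchanged by them.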

I was looking for it in the wrong place. I was thinking it was within routing; I found it later on in the firewall menu. lol

Yup... firewall :slight_smile:

Let me know if you have the desired inter-VLAN routing behavior when you've added that last rule.

Also, what VLAN is your IoT stuff on? Typically that is the stuff you want isolated from your main trusted LAN.

Unless I have a way to broadcast more than two signals, I can't do it off the main router (OpenWrt), as I sometimes need the 2.4 and 5 GHz Wi-Fi signals for my own needs (old laptops).

So most likely I will end up using one of the last 2 ports for that purpose: using another router on its own VLAN, where all it does is broadcast the signals.

After typing all of that out, I just realized my router before I installed OpenWrt was able to have more than just the 2 SSIDs (guest network). But within OpenWrt I haven't seen anything that looks like it's able to do that again.

As for my VLAN 30, what do I need to change to stop it from being able to access the OpenWrt URL, 192.168.1.1? Is that the "Forward" within the firewall settings? Servers->wan
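The setting that controls this is the zone's 'input' policy, not the Servers->wan forwarding: 'input' decides what a zone may send to the router itself (LuCI on 192.168.1.1, SSH, DNS, DHCP), while 'forwarding' decides what it may send through the router to another zone. The posted Servers zone has input ACCEPT, so VLAN 30 hosts can reach the router's services. Below is the same zone with input switched to REJECT, plus the explicit allows it then needs if the router is the DHCP and DNS server for VLAN 30. This is an added example, not the poster's config; it assumes the router serves DHCP and DNS on vlan30 and that the zone name 'Servers' is kept.

```uci
# Added example, not the poster's config. Replaces the posted 'Servers' zone.
# input REJECT: VLAN 30 hosts can no longer open connections to the router
# itself (LuCI on 192.168.1.1, SSH, ...). The Servers->wan forwarding is unaffected.
config zone
        option name 'Servers'
        list network 'vlan30'
        option input 'REJECT'
        option output 'ACCEPT'
        # 'forward' only governs traffic between networks inside this zone;
        # with a single network (vlan30) in it, the value makes no difference.
        option forward 'ACCEPT'

# Explicit exceptions; rules are evaluated before the zone's input policy.
# Drop these if VLAN 30 gets DHCP/DNS from somewhere other than this router.
config rule
        option name 'Servers-Allow-DHCP'
        option src 'Servers'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Servers-Allow-DNS'
        option src 'Servers'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

# Optional: keep ping to the router working for troubleshooting from VLAN 30.
config rule
        option name 'Servers-Allow-Ping'
        option src 'Servers'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
```

Zone classification is by ingress interface, not destination address, so with this in place a VLAN 30 host is rejected when it tries 192.168.1.1 as well as the router's own vlan30 address, while DNS lookups and DHCP leases still work. If VLAN 30 also gets IPv6 from the router, add a matching rule for DHCPv6 (udp 547) the same way. Apply with `/etc/init.d/firewall restart` and verify from a VLAN 30 host that an HTTP request to 192.168.1.1 is refused but a DNS query to the router still answers.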