Firewall / Subnetting setup, Class B network

Ahoy friends.

I got the following setup

I got a Fritz! 7490 Router, acting as modem and router for dialing in.
The OpenWRT Router is connected to a trunk port.
Vlan 1 is the VLAN of the 7490 router.

The OpenWRT device (Raspberry Pi 4) is connected to a trunk port on the router carrying all VLANs:
  • VLAN 1 Untrusted OK
  • VLAN 2 Lab
  • VLAN 3 Trusted Devices
  • VLAN 110 Management, Zabbix
  • VLAN 300 VoIP
  • VLAN 200 Virtual Machines, Server
  • VLAN 220 Storage Server
  • VLAN 320 Guest
  • VLAN 340 CCTV

And at the bottom there are my Firewall rules.
I want the network acting like this:

VLAN 1: It's the native VLAN on all switchports; random PCs should be connected to it, and they should use the 7490 router, not the OpenWRT one.
The OpenWRT Router is also connected to it as an exposed host, in order to manage the rest.

VLAN 2 (Lab):
It's my LAB setup, it should only have access to the internet, but not to the other VLANs at all.
Clients in this VLAN should be able to contact each other.

VLAN 3 (Trusted):

Trusted devices should have access to the internet, but should also be able to access the Storage Server in VLAN 220. Clients should see each other.

VLAN 110 (Management):

No access to the internet, or other VLANs. Only way to access should be a VPN connection to the router, or using an access port VLAN 110 on the switch. Clients don't need to see each other, but that's not necessary. It should be isolated.

VLAN 300 (VoIP):
VoIP devices should only route traffic to the Fritz! 7490 router (network 192.168.2.0), in order to let the Fritz! 7490 do the work with the SIP stuff.

No access by other VLANs or to other VLANs

VLAN 200 (Virtual Machines):

Should have access to the internet, and to the Storage Server in VLAN 220.
Will be used to be accessed through the internet using port forwarding.

VLAN 220 (Storage Server)

VLAN for only one device. It should have internet access only, and it can be accessed through the Internet using port forwarding, and from VLAN 200 (Virtual Machines) and VLAN 3 (Trusted).

VLAN 320 (Guest)

Should only have access to the internet, and nothing else.

VLAN 340 (CCTV)

Should only have access to the Storage Server VLAN (VLAN 220), nothing else.

I'm quite struggling to get it working; I hope someone could help a bit :)
I'd also like to limit access to the web GUI and SSH of the OpenWRT device to VLAN 110.
How do I have to set up the firewall rules in order to get it working?

I'd like to let the Fritz! 7490 deal with the VLAN 1 and their unimportant untrusted devices only.

Is there also a way to assign a hostname to servers and virtual machines, so they can be accessed by the allowed zones/VLANs?

Do I have to create static routes, or how can I get this to work?

One more question:
Let's say I'd like to add some more VLANs to my OpenWRT APs. Can I "copy" these firewall rules and use exactly the same rules when working with the same VLAN on the AP?

Thanks in advance!

1 Like

This post fits into the TL;DR category... really long, too much going on.

I'll give you some quick thoughts...

Starting with your subject... Class B networks don't really make sense anymore. Classful networks (i.e. Class A to Class E) have been superseded by CIDR notation.

Next -- how many hosts will be on any given network? I see you have some /19 networks defined, which allows up to 8190 hosts on the network. This is a very large broadcast domain and is not generally recommended unless there is a good reason to have a network this size. Beyond that, for small networks (<250 hosts) it is both unnecessary as well as more complex from a human-readability standpoint. The conventional /24 network is particularly useful for a lot of reasons -- a manageable broadcast domain with a sufficient number of hosts for many networks, and (to me this is key) it is visually/cognitively simple to understand the mapping of host addresses to the VLANs -- just look at the 3rd octet. And, where possible, the VLAN ID is often the same value as the 3rd octet as a matter of convenience (no requirement) -- for example, 172.16.23.0/24 could be VLAN 23 and it would be really easy to decipher later.

Moving on...
You're probably having trouble because you're making too many networks -- possibly in general, but even if you want/need so many VLANs, you're overcomplicating the initial setup process.

  • Start over -- reset your router to defaults.
  • Add one VLAN (so you have a total of 2 networks), verify that both networks function (client devices get an address, can access the internet, etc).
  • Learn the firewall by using just two networks. Add firewall rules to allow and/or limit the communication between the two networks and/or from the new network to the internet. This can be very broad or extremely granular. Play around with this until you understand how it works.

--- pro-tip on the firewall - by default, OpenWrt does not allow inter-VLAN routing. You must establish forward rules as needed. However, all hosts on the same network will always be able to see each other (with the notable exception of wireless clients to each other when the network has isolation enabled). This is because the traffic is switched, not routed, so it never goes through the routing/firewall engines.

Once you have your 2 networks configured and working as you want, add another network and then configure the firewall appropriately -- testing now between all three networks.

Take your pick of cliche statements... I'll use 'the journey of 1000 miles starts with the first step' which is a good reminder in these scenarios to start with the very basics and work your way up.

4 Likes
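As an added example (not from this thread or any of its posters), here is a UCI `/etc/config/firewall` fragment that applies the reply's deny-by-default, one-zone-per-network approach, extended from the suggested two networks to the lab, trusted, storage and management VLANs described in the original post. The zone and interface names (`lab`, `trusted`, `storage`, `mgmt`) and the presence of the stock `wan` zone are assumptions.

```uci
# /etc/config/firewall fragment, an added example (not from the thread).
# Assumes the stock 'wan' zone (with masquerade) exists and faces the Fritz!Box,
# and that the interfaces are named lab, trusted, storage and mgmt.
config zone
	option name 'lab'
	list network 'lab'
	option input 'REJECT'       # router services (LuCI, SSH) unreachable from here
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'trusted'
	list network 'trusted'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'storage'
	list network 'storage'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
config zone
	option name 'mgmt'          # the only zone that may reach LuCI and SSH
	list network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
# Inter-zone traffic is dropped unless a forwarding section allows it, so lab,
# storage and mgmt cannot reach each other; trusted->storage replies are
# allowed by connection tracking, no reverse forwarding is needed.
config forwarding
	option src 'lab'
	option dest 'wan'
config forwarding
	option src 'trusted'
	option dest 'wan'
config forwarding
	option src 'trusted'
	option dest 'storage'
config forwarding
	option src 'storage'
	option dest 'wan'
# input REJECT also blocks DHCP and DNS from the router, so open those
# two ports per zone (repeat this rule with src 'trusted' and 'storage').
config rule
	option name 'Allow-DHCP-DNS-lab'
	option src 'lab'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

`/etc/init.d/firewall restart` applies the change; hosts within one zone still see each other regardless, since that traffic is switched rather than routed.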

Alright, thanks for your advice!
I'll start with 2 networks first, and try out.
Currently I have 11 computers in my home network, and my servers provide 185 virtual machines each; I have 2 of them, so the Fritz! 7490 wasn't able to manage it.
Also I have 11 cams, 12 phones, and wireless-connected devices for almost everything, like the light switches.
Currently I tried to take the network layout from the company I'm working at, with a few changes.

Based on what you've said, a few /24 networks should be a good fit.

As you go through this, think critically about what you are really aiming to do here... just because your company has a complex network doesn't mean you need to or should implement the same. OTOH, if you are doing this to learn or if you have security and functional requirements that actually drive a complex network design, go for it. That includes the 2 servers with 185 VMs -- are all these VMs necessary? if so, carry on. If not, simplify. To be clear, I'm not judging you or your network, nor am I questioning your needs -- just asking you to do that so that you don't overcomplicate your environment.

4 Likes
