Firewall Zone Isolation on Mesh Gateway

Hi,

I am about to configure a small mesh network using OpenWrt, 802.11s and BATMAN.adv.

The gateway (the node with the internet connection) is configured to offer dedicated subnets which are in individual VLANs and are available via individual SSIDs. So basically it's a subnet -> VLAN -> SSID mapping.

Each subnet has its own firewall zone. I am not able to e.g. reach the gateway of the neighbour subnet. Since the default behaviour of OpenWrt firewall zones is to restrict access amongst each other, this is pretty much what I expected (and intended).

However, being in one of the VLANs, I can still reach 192.168.1.1 in the "lan" zone. It's not only ICMP but also TCP (ssh). This is strange since I am not aware of a rule which allows my VLANs to talk to the "lan" net.

Here are some config snippets:
/etc/config/network

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr 'ac:84:c6:e8:29:be'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config interface 'mesh'
	option proto 'batadv_hardif'
	option master 'bat0'
	option mtu '2304'
	option throughput_override '0'

config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_IV'
	option aggregated_ogms '1'
	option ap_isolation '0'
	option bonding '0'
	option bridge_loop_avoidance '1'
	option distributed_arp_table '1'
	option fragmentation '1'
	option gw_mode 'off'
	option hop_penalty '30'
	option isolation_mark '0x00000000/0x00000000'
	option log_level '0'
	option multicast_mode '1'
	option multicast_fanout '16'
	option network_coding '0'
	option orig_interval '1000'

...

config interface 'lan_bat0_103'
	option type 'bridge'
	option ifname 'bat0.103'
	option proto 'static'
	option ipaddr '192.168.103.1'
	option netmask '255.255.255.0'
	option dns '8.8.8.8'


config interface 'lan_bat0_104'
	option type 'bridge'
	option ifname 'bat0.104'
	option proto 'static'
	option ipaddr '192.168.104.1'
	option netmask '255.255.255.0'
	option dns '8.8.8.8'

/etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'
...

config zone
	option name 'lan_bat0_103'
	option network 'lan_bat0_103'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan_bat0_103'
	option dest 'wan'

config zone
	option name 'lan_bat0_104'
	option network 'lan_bat0_104'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'lan_bat0_104'
	option dest 'wan'

/etc/config/wireless

...
config wifi-iface 'gengar5Ghz'
	option ssid 'our-house-gengar'
	option device 'radio0'
	option mode 'ap'
	option key '<some key>'
	option network 'lan_bat0_103'
	option encryption 'psk2'

config wifi-iface 'gengar2_4Ghz'
	option ssid 'our-house-gengar'
	option device 'radio1'
	option mode 'ap'
	option key '<some key>'
	option network 'lan_bat0_103'
	option encryption 'psk2'

config wifi-iface 'lucario5Ghz'
	option ssid 'our-house-lucario'
	option device 'radio0'
	option mode 'ap'
	option key '<some key>'
	option network 'lan_bat0_104'
	option encryption 'psk2'

config wifi-iface 'lucario2_4Ghz'
	option ssid 'our-house-lucario'
	option device 'radio1'
	option mode 'ap'
	option key '<some key>'
	option network 'lan_bat0_104'
	option encryption 'psk2'

Practical example:
When I am connected to 'our-house-lucario' I get assigned a DHCP address in the 192.168.104.1/24 subnet from the gateway (DHCP config left out here) and I can access the internet.

I can't ping 192.168.103.1 (gateway of neighbour network 'our-house-gengar'). As these 2 subnets are in different firewall zones this is intended and fine.

However, from my client PC still being connected to 'our-house-lucario' I can access (ping + ssh) 192.168.1.1. This is strange. I did not expect to be able to talk to the 'lan' network.

I already tried to change the firewall zone config of lan to REJECT input, output and forwarding, without any change. I can still ping 192.168.1.1.

Any idea?
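An added model of the zone decision (example code, not firewall3 code and not the poster's configuration) that reconstructs the posted zones and shows why changing the lan zone's input policy has no effect on traffic arriving from lan_bat0_104; the client address 192.168.104.50 and the reject rule are constructed for the demonstration.

```python
"""Added model (not firewall3 code, not the poster's config): how an OpenWrt
zone decides whether a packet is INPUT (to the router itself) or FORWARD.
Simplification: only zone input/forward policies, 'config forwarding' pairs
and 'config rule' entries with src + dest_ip are modelled."""
import ipaddress

# Reconstructed from the posted /etc/config/network and /etc/config/firewall:
# zone -> policies and the router's own address/prefix on that zone's interface.
ZONES = {
    "lan":          {"input": "ACCEPT", "forward": "REJECT", "net": "192.168.1.1/24"},
    "lan_bat0_103": {"input": "ACCEPT", "forward": "REJECT", "net": "192.168.103.1/24"},
    "lan_bat0_104": {"input": "ACCEPT", "forward": "REJECT", "net": "192.168.104.1/24"},
}
FORWARDINGS = {("lan", "wan"), ("lan_bat0_103", "wan"), ("lan_bat0_104", "wan")}

# Variant the poster tried: lan zone set to REJECT input (no effect, see below).
LAN_INPUT_REJECT = {**ZONES, "lan": {**ZONES["lan"], "input": "REJECT"}}
# A fix that works: a rule in the *source* zone (hypothetical, not on the page).
BLOCK_LAN_IP = [{"src": "lan_bat0_104", "dest_ip": "192.168.1.1", "target": "REJECT"}]

def zone_of(ip, zones):
    """Zone whose interface subnet contains ip; None for anything off-link (wan side)."""
    addr = ipaddress.ip_address(ip)
    for name, z in zones.items():
        if addr in ipaddress.ip_interface(z["net"]).network:
            return name
    return None

def verdict(src_ip, dst_ip, zones, forwardings, rules=()):
    """Return ACCEPT/REJECT for a new connection from src_ip to dst_ip."""
    src_zone = zone_of(src_ip, zones)
    dst = ipaddress.ip_address(dst_ip)
    # Explicit rules are evaluated before the zone's default policy.
    for r in rules:
        if r["src"] == src_zone and dst == ipaddress.ip_address(r["dest_ip"]):
            return r["target"]
    router_ips = {ipaddress.ip_interface(z["net"]).ip for z in zones.values()}
    if dst in router_ips:
        # INPUT: the router owns dst, so only the ingress zone's input policy counts;
        # which zone's interface carries that address is irrelevant.
        return zones[src_zone]["input"]
    # FORWARD: anything not on a local subnet leaves via the default route (wan).
    dst_zone = zone_of(dst_ip, zones) or "wan"
    if (src_zone, dst_zone) in forwardings:
        return "ACCEPT"
    return zones[src_zone]["forward"]

if __name__ == "__main__":  # client address is constructed
    print(verdict("192.168.104.50", "192.168.1.1", ZONES, FORWARDINGS))  # ACCEPT
```

The broader mitigation the same model covers is setting input to REJECT on the VLAN zones themselves and adding explicit allow rules for DHCP and DNS; the dest_ip rule above is the narrower form.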