Firewalling/Filtering traffic between devices on the same network

My current network setup looks like this:

What I want to do

  • Block access to the home server from some wireless and some devices (but not all!)
  • I want to achieve this using the OpenWrt firewall (as opposed to host level firewall on the home server itself)

To complicate things further though, all the wireless devices connect to a TP Link Deco mesh wifi product running in AP mode and I have no control over this black-box device so I can't set up any VLANs on the Deco itself :frowning_face:

Research so far

  • I know that it's normal behaviour for two wired devices to communicate directly without going via the firewall and the only way around this is by setting up VLANs

With that in mind, is it possible to do some magic on the OpenWrt side so that I can create different wifi VLANs for the various devices connected to the Deco AP?

How to set up a totally locked-down network - #16 by vgaetera

1 Like

If you split the ethernet port 3 from the openwrt router (through onboard switch configuration) so it is no more part of the LAN bridge, you can put the wifi AP mesh and the wifi devices in a different subnet. So for example now they are in 192.168.1.X and after that they go in 192.168.2.X.
Then you can use firewall to filter traffic between the two subnets, as normal.
They will still access internet as normal, but depending on the rules you set in firewall they may or may not be able to see devices in the other subnet

The guides provided above should give enough information to do this.


Not sure the OpenWrt guest wifi approach would work as I'm keen to avoid having any wifi on OpenWrt and I'd prefer to have the wifi exclusively serviced by the Deco APs. That said, I'll take a look at the splitting VLANs article you linked to :+1:

Gotcha. And would I be right in thinking that doing this will move all the wireless devices into a separate subnet?

Then, I can then setup firewall rules that allow some wireless devices in that new subnet to talk to the home server and prevent other wireless devices in that new subnet from doing so?

Edit: Re-read your answer and you've addressed my question perfectly. Cheers!

He probably meant that you should be following the same steps written for a Guest Wifi configuration in this guide
but instead of creating a "guest wifi" you create a "guest ethernet port" dedicated for the Deco AP by splitting the port from the LAN bridge.
So instead of adding the "guest wifi" to the "guest network interface" you add the "guest ethernet port".

1 Like

I successfully managed to create a VLAN to house all my wireless devices and that works perfectly. A bit scary at the start because I managed to break everything for 10 minutes, but all easily fixable in the end :grinning_face_with_smiling_eyes:

Better still, I was able to create my firewall rules that prevent certain wireless devices from talking to the home server - result!!! :+1:

This leads me to my next question... On my router, I have 4 LAN ports on the back. Does than mean I am limited to only 4 VLANs?

I know this is very hypothetical but let's say I wanted to create a VLANs for

  • trusted wireless devices
  • guest wireless devices
  • IOT wireless devices
  • untrusted wired devices
  • trusted wired devices

(This is very over the top, but this is for example's sake, so don't take this to heart too much!)

In other words, is splitting a VLAN constrained by the number of physical LAN ports I have?

The simpler use of VLANS is splitting the ports, and of course this means you can only have 4 separate ports. In this case you are using VLANs only inside your own router, between the onboard managed switch and the CPU.

But if the devices on both ends of the port support VLAN, you can run multiple VLAN on a single port. This is what VLANs were made for.

That port(s) with multiple VLANs assigned is called "trunk".

For example, if you buy a "managed switch" with 5 ports (or another router supported by OpenWrt with an onboard VLAN-aware switch) , you can set 4 ports to become a different VLAN each, and one port to be the "trunk", then set one port on your router to be a "trunk" to receive the cable from the "trunk" port of the other device and now you can have 4 different subnets carried by a single wire as different VLANs. Obviously this is just a partitioning, it does not increase bandwith, that is still a Gbit port.

See this tutorial for example (it shows the config files you would see from console, but you can do the same configuration from Luci)

Most PCs and servers should also be able to use VLANs natively, so for example if you want to have 10 different subnets on your home server but you don't want to add 10 network cards (and 1 Gbit is enough bandwith) you can again set its own interface to be a trunk and create 10 different VLANs, then turn the port on the router in a trunk port so it can accept the 10 VLANs and do the routing to somewhere else.

The main limitation is that all network equipment you want to connect a "trunk" port to must be able to understand VLANs or they will see it as garbage and may remove the VLAN tagging from the traffic.
So for example if you try to do a trunk to the Deco APs without touching their config they might very well remove the VLANs so devices downstream like laptops that can use VLANs won't see them, and the Deco APs will get very confused by receiving traffic from multiple different subnets.

Do note that depending on what hardware you have, it might be limited to 16 VLANs max, or it might have another upper limit.

1 Like

So let's say LAN port 3 of my OpenWrt router (as per example from opening post) is "trunked" so that the port has multiple VLANs...

How would I control which devices are allocated to which Wifi VLAN? For example, how do I prevent my trusted laptop being placed into the IoT Wifi VLAN when it should be in the trusted wifi VLAN?

Is that managed using DHCP reservations?

My next question is whether my OpenWrt router (a wrt3200acm device) supports this trunking feature? I had a look at the table of hardware but didn't notice anything

For wifi you will need to generate a separate wifi for your trusted laptops and another for the untrusted IoT devices, and configure the access point to assign each wifi to a different VLAN ID. Most wifi access points in OpenWrt can create multiple wifi networks using the same radio, so you do not need to buy multiple APs.

See for example these blog posts for assigning a wifi network to a VLAN

Afaik this can't be done with the current AP Deco devices, even if you have access to the configuration panels they can only set a single VLAN for all traffic they receive
This is 99% likely a software limitation. The device hardware can very likely do much more than that but it is a businness access point feature, so they limit this down to 1.

If an OpenWrt or managed switch (or businness) device supports VLANs it can do trunking, it's an integral part of VLAN support. Only consumer routers or wifi AP with stock firmware may have arbitrary limitations, like the Deco above

In your device, you are already doing a "trunk" between the ethernet ports and the CPU virtual port, at least for the LAN and the subnet you created for the ethernet port 3.

I think you should have something like
VLAN ID of the LAN untagged on the three remaining LAN ports and then tagged to the CPU eth0 port.
VLAN ID of the port 3 you have split off is untagged on port three and tagged on the CPU eth0 port.

So that the device CPU receives tagged packets of two subnets on the same virtual port, and can do the routing, DHCP and all other jobs.

That's just what a trunk is. A port where you put "tagged" for multiple VLAN IDs, and the device on the other end of the cable must also have the port "tagged" with the same VLAN IDs so it can receive the traffic and split it correctly to other ports.

1 Like

Thanks for that explainer, appreciated as ever!

The Decos are great hardware, but as you point out, the software limitations are hugely disappointing. I hope that one day, we start to see Deco type products supported by OpenWrt.

Anyways, seeing as the Decos are a complete blackbox, what I think I'll do then is as follows:

  • Keep the "trusted wireless devices" connected to the Decos (via the new VLAN I created yesterday) as they 'deserve' the better wifi :smile:
  • Create a new VLAN and then a new SSID on OpenWrt for all the crappy IoT/guest devices onto that.

The drawback is that the untrusted guest/IoT devices end up with "lower strength wifi" than the trusted devices, but that's a minor issue, and a small price worth paying to ensure total segmentation.

I'll have a read through of the blog posts you posted and see where I get to. Once again, thank you for your help so far!

If by "deco type products" you mean mesh wifi APs, OpenWrt has supported mesh wifi for a while. With OpenWrt most APs are mesh wifi APs too.

Just like with VLANs, most modern wifi router hardware does support mesh but it is again not used or disabled to create special (and more expensive) product lines of mesh-enabled access points.

As long as the devices have good wifi drivers in OpenWrt (= it is using an Atheros/Qualcomm or Mediatek chipset) you can set up a mesh between devices, also through Luci web interface

1 Like


This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.