Freebox VLAN Configuration security


I have a question regarding setup of VLAN for FreeBox Mini 4K from Free internet provider in FR.

I have this setup:

Internet --< FreeBox InternetModem >-----< OpenWRT >---< switch >--------< FreeBoxMini >
................................................ Internet Side | Home LAN Side |___ other lan devices

This setup allows the whole Home LAN access to the internet (or not according to openWRT rules).

In order to receive TV on the TVSet via the FreeBoxMini device I need VLAN 100.
To achieve this I did this setup in OpenWRT:

And it works :)

Question is: Is this safe with the firewall side of things (i.e. respecting the rules I set in the OpenWRT firewall), or is this just a fully open tunnel between the internet side and the LAN side, thus simply bypassing the interest of having / using a firewall?

Thank you.

Traffic between two ports on the switch (CPU, LAN4, and WAN in your case) does not go through the CPU, and cannot be filtered by the firewall.

You need to put LAN4 in a separate VLAN, configure an interface for it, then use the firewall to forward or block traffic between the interfaces.
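A check for the condition described in the answer above, as an added example that is not part of the original thread: it parses `config switch_vlan` sections and reports any VLAN that has both a WAN-side and a LAN-side port as members, since frames between those ports are forwarded by the switch chip and never reach the firewall. The swconfig-style syntax, the sample configuration and the port numbering (0 = WAN, 4 = LAN4, 6 = CPU) are assumptions; the poster's actual configuration is not shown on the page.

```python
import re

# Constructed sample in swconfig-style /etc/config/network syntax (assumed).
# Port numbering is an assumption: 0 = WAN, 1-4 = LAN1-LAN4, 6 = CPU.
SAMPLE = """
config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '1 2 3 6t'

config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0 6t'

config switch_vlan
    option device 'switch0'
    option vlan '100'
    option ports '0t 4t 6t'
"""

def parse_switch_vlans(text):
    """Return {vlan_id: set of member port numbers} for each switch_vlan section."""
    vlans = {}
    for section in re.split(r"^config\s+", text, flags=re.M)[1:]:
        if not section.startswith("switch_vlan"):
            continue
        opts = dict(re.findall(r"^\s*option\s+(\w+)\s+'([^']*)'", section, flags=re.M))
        if "vlan" in opts and "ports" in opts:
            # Drop tagging suffixes such as 't' to keep the bare port number.
            members = {int(re.match(r"\d+", p).group()) for p in opts["ports"].split()}
            vlans[int(opts["vlan"])] = members
    return vlans

def hardware_bridged(vlans, wan_ports, cpu_port):
    """Return {vlan_id: (wan_members, lan_members)} for VLANs that join a
    WAN-side port and a LAN-side port inside the switch, whether or not the
    CPU port is also a member."""
    findings = {}
    for vid, ports in sorted(vlans.items()):
        physical = ports - {cpu_port}
        wan, lan = physical & wan_ports, physical - wan_ports
        if wan and lan:
            findings[vid] = (sorted(wan), sorted(lan))
    return findings

if __name__ == "__main__":
    for vid, (wan, lan) in hardware_bridged(parse_switch_vlans(SAMPLE), {0}, 6).items():
        print(f"VLAN {vid}: WAN ports {wan} switched directly to LAN ports {lan}")
```
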


So while what I did works, it is wrong. Since I can only have 1 instance of VLAN100 in the switch. I need some literature to understand how to get VLAN 100 from WAN side to LAN side without losing the tag.

Would you have a pointer to a document explaining the logic of VLAN management, and how to properly filter VLANs?

Thank you,

Wait! You need to tag both WAN and LAN4, on the same VLAN, but keep them isolated... I didn't realize that. I do not know how to do that.

Your switch mt7530 seems to be supported by the Linux DSA driver, which I think gives you one eth interface for each port, which you can then configure VLANs on separately. That in turn may allow you to configure a transparent firewall. But I don't know if that driver can be used in OpenWrt.