I'm going through the network documentation to set up my (first) network with OpenWrt and I would like to confirm my setup.
The idea is to have a different VLAN per LAN port and (if possible on my router, I need to check) create 4 SSIDs, each with its own VLAN. If I understood the documentation, once I have this set up, I can then configure the firewall to dictate which VLANs can communicate with each other and in which direction (i.e. personal PC -> homelab server).
The LAN configuration I wrote is the following:
####### LAN Config #######
config device
option name 'lan1'
option macaddr '***************'
option type '8021q'
option ifname 'lan1'
option vid '10'
config device
option name 'lan2'
option macaddr '***************'
option type '8021q'
option ifname 'lan2'
option vid '20'
config device
option name 'lan3'
option macaddr '***************'
option type '8021q'
option ifname 'lan3'
option vid '30'
####### LAN Interfaces #######
config interface 'vlan10'
option device 'lan1.10'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
config interface 'vlan20'
option device 'lan2.20'
option proto 'static'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
config interface 'vlan30'
option device 'lan3.30'
option proto 'static'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
I'm not sure what the WLAN configuration should look like; I guess something similar, but I did not start with the Wi-Fi documentation (I would appreciate a basic example for a Wi-Fi VLAN!).
Let's start with the device and version of OpenWrt that you are using, as well as a port-by-port description of what you want for the port-VLAN membership and if those networks will be used on wifi as well.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
Accessing from a different network is different from a specific subnet needing to be available via wifi for wireless devices to join. The details here affect the preferred setup process.
For example, let's consider 4 networks and how they might be used (a made up, but plausible scenario):
trusted lan - wired ethernet + wifi
network management and servers -- wired ethernet only
IoT - wifi + ethernet
Guest - wifi only
If we have downstream managed switches and/or VLAN aware APs, we may have some or all of the networks available on a trunk (that is a port/cable that carries multiple networks).
So, we need to know how your networks will be physically assigned/used (port-by-port). Isolation/allowances/prohibitions will be handled by the firewall, but here we're talking about the physical accessibility of each network.
Understood, but don't apply the config you provided initially... that won't work.
Ok, I explained myself wrong before, for this first iteration I will have only 1 router (no additional hardware like switches for instance). A simple diagram of the network would look like this:
And for now anyway, add network vlan2 to the lan firewall zone. It will look like this:
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'vlan2'
Finally, the default wireless configuration will connect the wifi SSIDs to the lan network. You'll want to change that to vlan2 since that is the one you said (along with port lan3) that will be used for wifi access.
Reboot your router and you can connect devices to lan1/lan2, and lan3/wifi and you should see that they join the desired network.
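As an added example (not posted in the thread), this is what the /etc/config/wireless change described above looks like. The radio name 'radio0', the SSID names and the key are assumptions; the 'wifi-device' stanza that OpenWrt generates for your hardware is left as it is. The first 'wifi-iface' is the generated default with its network changed from 'lan' to 'vlan2'; the second goes beyond the thread and shows that one more SSID per VLAN is simply one more 'wifi-iface' bound to another network, which is how the 4-SSID/4-VLAN goal from the first post is reached under DSA (the wireless interface is added to br-lan with that VLAN's membership automatically, no dot notation needed here).

```uci
# /etc/config/wireless (added example; 'radio0', SSIDs and keys are assumed)

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'vlan2'        # generated default says 'lan'; vlan2 is the wifi network in this thread
	option ssid 'home-wifi'       # assumed name
	option encryption 'sae-mixed' # WPA2/WPA3 transition mode
	option key 'REDACTED'

# Additional SSID on its own VLAN: same pattern, different 'network'.
# 'iot' must exist as a 'config interface' in /etc/config/network (device 'br-lan.<vid>').
config wifi-iface 'iot_radio0'
	option device 'radio0'
	option mode 'ap'
	option network 'iot'          # assumed interface name
	option ssid 'home-iot'        # assumed name
	option encryption 'psk2'      # many IoT devices do not support WPA3
	option key 'REDACTED'
	option isolate '1'            # clients on this SSID cannot reach each other at L2
```

After `wifi reload`, `brctl show` or `bridge vlan show` lists the wlan interface as a member of br-lan carrying the VLAN of the network it was bound to; a client on that SSID should get an address from that network's DHCP range and nothing else.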
Thank you for the detailed steps, I will start configuring the router following them.
In the meantime I have a couple of doubts:
Why is forwarding accepted for the firewall zone? I understand we are creating a zone to allow traffic between these two networks so they are "on the same network", meaning hosts on each network can see the other network's hosts. But these hosts are either the source or the destination of packets, so why is forwarding accepted? I'm for sure missing something here.
Unrelated, but I'm a little bit worried about jumping from a vendor router firmware to OpenWrt security-wise, not because it is not secure but because of the human factor. Is there a way to ensure to some degree that my setup is secure? I know there is nothing 100% secure but I want to do what is in my hands. For now I took care of:
Configuring SSH (no password login, only keys)
Strong password
https only
WireGuard for remote connection
Elastic + suricata ready to work as IDS (maybe IPS at some point)
The zone forward control is what affects intra-zone forwarding. That is, for 2 or more networks that are in the same zone, it accepts (or drops/rejects) traffic traversing between these networks.
Forward has no impact on L2 networks because those are switched (not routed/L3), which means that the traffic between any two hosts on the same subnet will not reach the firewall. But it does control the traffic between networks -- in this case, we're talking about the traffic within the same firewall zone.
You'll also see that there is forwarding from lan > wan -- this allows the traffic to flow in that direction -- and the return traffic is automatically accepted. However, there is no wan > lan forwarding by default because you don't want unsolicited traffic from the internet reaching your lan.
Understandable...
Yes, we can review it here. And don't mess with the defaults, especially if you don't have a good understanding yet of what they're there for and/or why you might want to change them.
These are already good steps.
This is extremely processor intensive which means it may seriously slow down your internet speeds. And it is not typically necessary for most users. But yes, this would certainly be a step up.
No, the defaults actually apply to networks that are not assigned to a firewall zone. Normally, all networks will be assigned to a firewall zone, so this rule doesn't affect those. But in situations where there is a network that isn't in a zone, the defaults do take effect.
correct.
There are other defaults you shouldn't touch, either. For example, don't mess with the wan firewall zone unless you know what your changes will do and why you're making them.
No. DSA generally uses a single bridge, whereas you've defined multiple bridges there.
Assuming that the proposal you provided works at all (it might not function properly), the communication between networks is governed by the firewall.
The first line is a mistake; the 2 goes inside the quote marks. In the device setting it does not matter what the bridge is named -- to connect it to a network use the dot notation br-lan.2 (this is the only place that dot notation is used in a DSA configuration). Similarly use br-lan.1 for the other lan.
If you place the two networks in the same firewall zone, and forward is ACCEPT on that zone, they can forward to each other. If they are in different zones you need to also write config forward block(s) to allow forwarding between the zones (in one or both directions). Or you can write IP and / or port specific allow forwards. Forwarding between zones is always blocked unless there is a rule allowing it.
The forward option in the section at the top of /etc/config/firewall does not control forwarding between zones. That section defines a de-facto default zone for interfaces that have not been included in any other zone. (Don't use this feature, make sure all your interfaces are explicitly in exactly one zone)
Ok, I see, I think you gave me the tools I need to start working on my network. I will keep going through the documentation and most likely you will see another post from me asking for help...
Thank you for your patience! I know there are a lot of concepts I need to learn before moving forward
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name vlan2
list network 'vlan2'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config forwarding
option src vlan2
option dest lan
will only allow vlan2 to communicate with lan (and block the other direction)
That is correct. Each forwarding stanza sets up a one-way (plus the established/related return traffic) forwarding allowance between any two zones. You can do this one way, the other, or bi-directionally, depending on your goals.
Beyond this, you can always make much more granular rules, if needed.
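As an added example (not from the thread) of the "more granular rules" mentioned above: the two zones from the post are kept with no 'config forwarding' between them, and a single 'config rule' lets exactly one host in lan open SSH to exactly one host in vlan2, which is the "personal PC -> homelab server" case from the first post. The addresses 192.168.10.50 and 192.168.2.10 are assumptions; the thread never gives the vlan2 subnet.

```uci
# /etc/config/firewall excerpt (added example; addresses are assumed)

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'vlan2'
	list network 'vlan2'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Deliberately no 'config forwarding' between lan and vlan2:
# without one, nothing crosses the zone boundary in either direction.

# Host-to-host allowance. A rule with both src and dest set is a forward rule and is
# evaluated before the zone-level policy, so this works even though the zones are not
# forwarded to each other. Replies come back as established/related traffic.
config rule
	option name 'PC-to-homelab-ssh'
	option src 'lan'
	option src_ip '192.168.10.50'   # assumed address of the personal PC
	option dest 'vlan2'
	option dest_ip '192.168.2.10'   # assumed address of the homelab server
	option dest_port '22'
	option proto 'tcp'
	option target 'ACCEPT'
```

Apply with `/etc/init.d/firewall reload`, then check the generated rules with `fw4 print` (22.03 and later) or `fw3 print` (21.02), and confirm from a second lan host that SSH to the server is refused while the listed PC still gets through; a static DHCP lease for the PC keeps src_ip meaningful.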
I have a doubt regarding the vlan1 configuration you gave me:
config bridge-vlan
option device 'br-lan'
option vlan '1'
list ports 'lan1:u'
list ports 'lan2:u*'
Here, is there any reason to not have this vlan as PVID for port lan1? After reading DSA and PVID usage examples explanation about this option (*), I understand I would not take any advantage of it as port lan1 only works on 1 vlan and would not receive any traffic from any other vlan.
I decided to give it a go with OpenWrt as the main router and run some tests to verify the ports and the configuration. I have some questions:
Using GRC ShieldsUP!, it says I fail the ports test because all of them are closed (so they respond). I don't think it is a real problem; I guess it is just because the firewall rejects instead of drops. However, it says port 25 is stealth; is there any reason for that?
Why is the firewall configured by default to respond to pings from WAN?
I copy here the final configuration (network & firewall) to confirm my setup is secure:
/etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'REDACTED'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
config device
option name 'lan1'
option macaddr 'REDACTED'
config device
option name 'lan2'
option macaddr 'REDACTED'
config device
option name 'lan3'
option macaddr 'REDACTED'
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:u*'
config bridge-vlan
option device 'br-lan'
option vlan '30'
list ports 'lan2:u*'
list ports 'lan3:u*'
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'vlan30'
option device 'br-lan.30'
option proto 'static'
option ipaddr '192.168.30.1'
option netmask '255.255.255.0'
config device
option name 'wan.20'
option type '8021q'
option ifname 'wan'
option vid '20'
config interface 'wan'
option device 'wan.20'
option proto 'pppoe'
option username 'REDACTED'
option password 'REDACTED'
option ipv6 'auto'
/etc/config/firewall
config defaults
option syn_flood 1
option input REJECT
option output ACCEPT
option forward REJECT
# Uncomment this line to disable ipv6 rules
# option disable_ipv6 1
config zone
option name lan
list network 'lan'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config zone
option name vlan30
list network 'vlan30'
option input ACCEPT
option output ACCEPT
option forward ACCEPT
config forwarding
option src lan
option dest vlan30
config zone
option name wan
list network 'wan'
list network 'wan6'
option input REJECT
option output ACCEPT
option forward REJECT
option masq 1
option mtu_fix 1
config forwarding
option src lan
option dest wan
config forwarding
option src vlan30
option dest wan
# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
option name Allow-DHCP-Renew
option src wan
option proto udp
option dest_port 68
option target ACCEPT
option family ipv4
# Allow IPv4 ping
config rule
option name Allow-Ping
option src wan
option proto icmp
option icmp_type echo-request
option family ipv4
option target ACCEPT
config rule
option name Allow-IGMP
option src wan
option proto igmp
option family ipv4
option target ACCEPT
# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
option name Allow-DHCPv6
option src wan
option proto udp
option dest_port 546
option family ipv6
option target ACCEPT
config rule
option name Allow-MLD
option src wan
option proto icmp
option src_ip fe80::/10
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family ipv6
option target ACCEPT
# Allow essential incoming IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Input
option src wan
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
list icmp_type router-solicitation
list icmp_type neighbour-solicitation
list icmp_type router-advertisement
list icmp_type neighbour-advertisement
option limit 1000/sec
option family ipv6
option target ACCEPT
# Allow essential forwarded IPv6 ICMP traffic
config rule
option name Allow-ICMPv6-Forward
option src wan
option dest *
option proto icmp
list icmp_type echo-request
list icmp_type echo-reply
list icmp_type destination-unreachable
list icmp_type packet-too-big
list icmp_type time-exceeded
list icmp_type bad-header
list icmp_type unknown-header-type
option limit 1000/sec
option family ipv6
option target ACCEPT
config rule
option name Allow-IPSec-ESP
option src wan
option dest lan
option proto esp
option target ACCEPT
config rule
option name Allow-ISAKMP
option src wan
option dest lan
option dest_port 500
option proto udp
option target ACCEPT
### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
# option src lan
# option src_ip 192.168.45.2
# option dest wan
# option proto tcp
# option target REJECT
# block a specific mac on wan
#config rule
# option dest wan
# option src_mac 00:11:22:33:44:66
# option target REJECT
# block incoming ICMP traffic on a zone
#config rule
# option src lan
# option proto ICMP
# option target DROP
# port redirect port coming in on wan to lan
#config redirect
# option src wan
# option src_dport 80
# option dest lan
# option dest_ip 192.168.16.235
# option dest_port 80
# option proto tcp
# port redirect of remapped ssh port (22001) on wan
#config redirect
# option src wan
# option src_dport 22001
# option dest lan
# option dest_port 22
# option proto tcp
### FULL CONFIG SECTIONS
#config rule
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 80
# option dest wan
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
# option target REJECT
#config redirect
# option src lan
# option src_ip 192.168.45.2
# option src_mac 00:11:22:33:44:55
# option src_port 1024
# option src_dport 80
# option dest_ip 194.25.2.129
# option dest_port 120
# option proto tcp
The GRC guy has a different opinion of reject vs drop than other experts. If you prefer you can set the default wan action to DROP and disable the allow ping rule. Allowing pings is generally considered harmless and useful for testing; for example you might ask your ISP to check your line from their side and that would include them pinging your router. If you offer any service to the public you should allow pings also.
Most ISPs block port 25 specifically at their level so that customers can't run an SMTP server. Port 25 requests are likely not even reaching your router; you can check this with tcpdump. This is a good thing as SMTP is obsolete. It has no security and was widely abused to send spam emails. Having port 25 open will get you blacklisted on the Internet.
Lan VLANs with untrusted devices like guests and IoTs should have default input of REJECT to prevent them from attempting to hack your router via http or ssh etc.
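As an added example (not part of the thread), here is the posted 'vlan30' zone reworked along the lines of the last two replies: input REJECT so the wifi network cannot reach LuCI or ssh on the router, with just DHCP and DNS to the router allowed back in, forwarding to wan only and no forwarding to lan; beneath it the optional wan change (DROP instead of REJECT, Allow-Ping disabled) for anyone who prefers the "stealth" result. Treating vlan30 as the untrusted network is an assumption, the rule names are mine, and the remaining stanzas from the posted /etc/config/firewall stay as they are.

```uci
# /etc/config/firewall excerpt (added example; vlan30 assumed to be the untrusted wifi network)

config zone
	option name 'vlan30'
	list network 'vlan30'
	option input 'REJECT'     # posted config had ACCEPT: untrusted clients could reach LuCI/ssh
	option output 'ACCEPT'
	option forward 'REJECT'

# Clients still need an address and name resolution from the router itself
config rule
	option name 'vlan30-Allow-DHCP'
	option src 'vlan30'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'vlan30-Allow-DNS'
	option src 'vlan30'
	list proto 'tcp'
	list proto 'udp'
	option dest_port '53'
	option target 'ACCEPT'

# Internet only. There is intentionally no 'config forwarding' with dest 'lan';
# the posted 'lan -> vlan30' forwarding may stay, lan can still reach these devices.
config forwarding
	option src 'vlan30'
	option dest 'wan'

# Optional: silent wan instead of REJECT, and no ping replies
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'
	option enabled '0'        # keep the stanza, just switched off
```

Two caveats: if the vlan30 interface later gets 'option ip6assign', add rules for UDP 547 (DHCPv6) and ICMPv6 from that zone, otherwise clients will not obtain IPv6 at all; and verify the result from a wifi client rather than by reading the config (`nc -vz 192.168.30.1 22` and a browser hit on port 80/443 should be refused, while DHCP and name lookups keep working).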