How to set up firewall rules/zones correctly for VLANs?

Hi,
I have set up 5 VLANs

1 - Management
5 - Home
10 - IOT
15 - Kids
20 - Guests

Target scenario:

  • In the Management I have my router, my switch and the two APs
  • Home should house all devices except IOT, so laptops, iPads, phones etc. They should see the Kids VLAN as well as the internet.
  • IOT should house all IOT devices. They should not be able to see anything in the other VLANs (exception see my questions) and should not be able to connect to the internet.
  • Guests should only have access to the internet and NOTHING locally
  • Kids should see the Home VLAN, but have a more tightened parental control setup for the internet.

Current status:
I set up all VLANs and they work fine with some limitations :frowning: I can log in via cable and wifi and get the correct IP etc. I also set up a firewall zone for each of them (see screenshot). I also assigned each VLAN to its firewall zone. I thought this link is necessary, although it seems when an interface is linked to its respective zone, internet access works and it stops working, when I do not link the interface to a zone. For IOT, I adjusted them based on what @psherman recommended above.

I still have some problems / issues:

  1. For the IOT vlan/wifi I selected drop, accept, drop and the internet does still work. It only stops working, when I unlink the interface from the firewall zone. Same is true for guests, but as the only difference is reject vs drop I assume it is caused by the same mistake.

  2. Although I created separate firewall zones, I can still log into the router from all VLANs. My understanding was/is that VLANs are separated from another. What am I missing?

  3. How can I make sure that I can only access the router or switch, when I am connected to the management VLAN/wifi?


Hi @thimplicity - Let me try to answer these the best I can. If I miss anything (or if anything is unclear), just ask me again.

Yes, this is what you want to do.

This is is expected behavior. There is a lot of nuance under the hood, but fundamentally, the firewall governs the flow of traffic... OpenWrt uses what is called a Zone Based Firewall (ZBF). If a network is not assigned to a zone, it generally won't have the ability to exchange traffic with other zones (including the internet).

Take a look at the Zone Forwarding section of the lower image and you will see that all of the networks can forward to the WAN -- this means that they are able to connect to the internet. If you remove the zone forwarding from the respective zone definitions (such as VLAN_IOT), internet access will be blocked.

Regarding drop vs reject - these are very similar in that they both do not allow traffic. However, reject is active vs the passive nature of drop. Imagine that you get a phone call from someone you don't want to talk to (telemarketer, someone you've had a falling out with, etc.) -- you can just not answer (drop) or you can answer and say "I don't want to talk to you, don't call me!" (reject).

The router is actually a member of all of the VLANs. The Input rule in the Zone configuration deals with traffic that is coming in from a given network that is destined for the router itself. Any zone that has accept will of course allow connections to the router from that zone. In your picture, I'd expect the LAN VLAN_HOME, and VLAN_KIDS networks to be able to login to the router. I would expect that the IOT and guests network would not. Please verify my conjecture -- if this is not true, something else is happening and we'll need to troubleshoot.

Router --> make sure that the input rule is set to drop or reject from all zones that are not authorized to administer the router.
Switch and other infrastructure --> Make sure that those pieces of equipment are connected to the management VLAN. Then, make sure that the management VLAN is not present on any of the forwarding allowances for any of the zone that should be prohibited from reaching your management network and infrastructure

3 Likes

input = what should happen with packets with router as destination
output= what should happen with packets with router as source
forward= what should happen with packets traveling between interfaces within the same zone
"Zone=> forwardings" (first column) says what packets from a specific zone can be forwarded to another zone.

So if you want to stop internet access remove "wan" from zone forwardings
if you want to stop access to router from a zone then set input to reject (or drop).
output you likely want to set to "accept"
forward depends on the zone. I guess for lan is should be accept, for others it depends.

2 Likes

@psherman & @Ramon - Thank you so much for your help, this is great!

I think I got a or some steps closer to what I want to do:

  • All the VLANs and Wi-Fis operate as they should.
  • The ones that should have internet access do so and IOT does not.
  • None except VLAN 1 and VLAN 5 can access the router. Will limit this to VLAN 1 in the future.
  • I have moved my QNAP to VLAN 5 with 192.168.5.95 and I can access it from VLAN 5 - makes sense

Of course some other problems popped up:

  1. I use Apple Homekit and run Homebridge on the QNAP in the so-called container station based on a docker image. I can adjust the network settings for the respective container. If I use and IP within VLAN 5, VLAN 5 can (obviously) access the homebridge, but if I move it to VLAN 10, I cannot access it from VLAN 5 OR VLAN 10, which is somehow weird to me. I added the QNAP port to VLAN 5 as an untagged port. Am I missing another rule I need to set or is it the port-tagging? Current rules are below:

  1. I added an accessory (I had to turn on the internet for the IOT Wi-Fi) to homekit and I was able to turn the internet off after adding it. But if I change back to the home wi-fi, the accessory is not responding anymore, although the home vlan should be able to reach the IOT vlan, correct?

Does it make sense to do it like that or should I rather keep the homebridge in VLAN 5 and somehow grant the IOT VLAN access to only this container?

Thanks a lot again!

So HomeKit, HomeBridge, and other similar technologies are a bit of a tricky bunch when dealing with VLANs because they use mdns/bonjour or other zero-conf/autodiscovery type mechanisms that really want to work on a flat network. Many of these assume/rely on a broadcast type discovery which will be limited to a single VLAN by default (VLANs are really about limiting the broadcast domains to keep networks running efficiently; a secondary use of them is security related segmentation, but that wasn't the primary intent of the 802.1q standard). I can't help you directly with those because I don't cross VLANs with my devices of this type, but here's some general stuff...

  • install the mdns repeater/reflector packages and configure them to allow the appropriate interVLAN connections.
  • you can create rules to allow specific traffic from one network to another. You can do this by port numbers if you know the relevant ports. You can also allow traffic to or from specific IP addresses so that you don't open the whole network.

And of course, take a look at other threads that deal with VLANs and Homebridge/homekit, chromecast, airplay, and Sonos. Those should give you some good ideas about what needs to be done to get these technologies to cross VLAN boundaries.

1 Like

I installed the avahi reflector and will test a bit more. Two three questions:

  1. Do you have an idea on the homebridge VLAN issue? I do not think it is Homekit-related, but rather network related.
  2. Is my assignment in the firewall correct, that the home vlan can access the IOT vlan, but not the other way around?
  3. Is there a way to limit WAN access for one VLAN to specific domains?

Sorry, I can't really be very useful on this one (I'm not using HB yet, although I'm sure I will eventually; no experience or detailed knowledge about the network functionality of HB). You might start a new thread specifically for HB across VLANs.

Yup. Home and LAN can reach your IOT network, the others cannot. IOT cannot initiate any connections to any other zones (including the internet), but can respond to connections initiated from Home or LAN.

There are various methods. It will, in part, depend on how savvy the users of that network are (Kids?) and/or how much effort they will go through to attempt to circumvent your restrictions. It's been a little while since I've experimented with the OpenWrt firewall and domain based allow/deny lists, but I think there is an ability to do that and apply it to a specific VLAN. I think that a DNS based approach is usually pretty good -- PiHole is a great one for this, but I think Adblock will work, too. There are ways to circumvent these methods (including DoH which is becoming more common), so you may be dealing with a cat-and-mouse situation here. I'd recommend opening a thread for this topic, too (do some searching first) to see what others recommend and what they have found to be the most robust and/or easy to administer.

1 Like

Is it because I added the QNAP as untagged into VLAN5 and therefore VLAN10 cannot see/access it? Would I need to add it to multiple VLANs? I think that's not possible for untagged though. If I add it as tagged to multiple, QNP would need to understand the difference I guess

Tagged vs untagged is not important except in that both ends need to expect the same thing. Most end devices expect untagged networks. If your QNAP is VLAN aware, you can probably setup a trunk with one untagged network and one tagged (or both tagged). At that point, the QNAP will have 2 IP addresses and be available on both networks. However, you might need to do some configuration to ensure that the QNAP and the applications running on it are able to participate on both networks (sometimes the listening address/network can be limited to one network or the other by default, which may or may not be desirable; other times the applications will listen on all networks, which can also be good or bad, depending on the desired behavior).

At a base level, you can add a rule to allow VLAN10 access to the QNAP...
Firewall > Traffic Rules > Add > Specify the source zone (that contains VLAN 10), the dest zone (containing VLAN5) and the destination IP (i.e. the QNAP's IP address).

That specifically allows the traffic from VLAN10 to reach the QNAP. However, this may only work for direct IP based connections and may not work for mdns/zero-conf/broadcast methods.

1 Like

It seems like I got everything working and relatively locked down as well. Thank you guys so much for your help! Enjoy the weekend

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.