Good evening!
I flashed 19.07 to my router and would like to isolate a group of LAN ports + restrict router access to a different LAN port. So LAN ports 1 - 3 could be within one network where all devices should have internet access and may communicate with each other. LAN Port 4 should be the only one who can access the router configuration via Dropbear or LuCI and should not be able to access the internet.
I configured two VLANs to manage this, but when connected to LAN ports 1 - 3 I can still access Dropbear (at 192.168.2.1) and LuCI (at 192.168.1.1 and 192.168.2.1) and also PING the Interface for port 4 at 192.168.2.1.
It may not be important, but LuCI shows no WAN column in my VLAN table. The user guide shows a dedicated WAN column, but I only have a CPU (eth0) column and 4 columns for the LAN ports. I started with factory settings and removed IPv6 stuff + default Firewall Traffic Rules since we don't need ESP, ISAKMP, etc. I wonder why LAN port 4 seems to be assigned to internal port 2 in VLAN 2, but the whole configuration logic may still confuse me.
root@OpenWrt:~# cat /etc/config/network
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
config interface 'wan'
option ifname 'eth1'
option proto 'dhcp'
config device 'wan_eth1_dev'
option name 'eth1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config interface 'lan'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
option delegate '0'
config device 'lan_eth0_1_dev'
option name 'eth0.1'
option macaddr 'xx:xx:xx:xx:xx:xx'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '0t 1 3 4'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '0t 2'
option vid '2'
config interface 'SERVICE'
option ifname 'eth0.2'
option proto 'static'
option netmask '255.255.255.0'
option delegate '0'
option ipaddr '192.168.2.1'
root@OpenWrt:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option network 'lan'
option forward 'REJECT'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config include
option path '/etc/firewall.user'
config zone
option network 'SERVICE'
option input 'ACCEPT'
option forward 'REJECT'
option name 'service'
option output 'ACCEPT'
root@OpenWrt:~# cat /etc/config/dropbear
config dropbear
option PasswordAuth 'on'
option Port '22'
option Interface 'SERVICE'
If you need additional information I try to add it ASAP.
Thanks in advance,
John