Isolate ports and restrict access

Good evening!
I flashed 19.07 to my router and would like to isolate a group of LAN ports + restrict router access to a different LAN port. So LAN ports 1-3 could be within one network where all devices should have internet access and may communicate with each other. LAN port 4 should be the only one that can access the router configuration via Dropbear or LuCI and should not be able to access the internet.
I configured two VLANs to manage this, but when connected to LAN ports 1-3 I can still access Dropbear (at 192.168.2.1) and LuCI (at 192.168.1.1 and 192.168.2.1) and also ping the interface for port 4 at 192.168.2.1.
It may not be important, but LuCI shows no WAN column in my VLAN table. The user guide shows a dedicated WAN column, but I only have a CPU (eth0) column and 4 columns for the LAN ports. I started with factory settings and removed IPv6 stuff + default Firewall Traffic Rules since we don't need ESP, ISAKMP, etc. I wonder why LAN port 4 seems to be assigned to internal port 2 in VLAN 2, but the whole configuration logic may still confuse me.

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config device 'wan_eth1_dev'
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'lan'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config device 'lan_eth0_1_dev'
	option name 'eth0.1'
	option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 1 3 4'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t 2'
	option vid '2'

config interface 'SERVICE'
	option ifname 'eth0.2'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr '192.168.2.1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option network 'lan'
	option forward 'REJECT'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config zone
	option network 'SERVICE'
	option input 'ACCEPT'
	option forward 'REJECT'
	option name 'service'
	option output 'ACCEPT'

root@OpenWrt:~# cat /etc/config/dropbear

config dropbear
	option PasswordAuth 'on'
	option Port '22'
	option Interface 'SERVICE'

If you need additional information, I'll try to add it ASAP.

Thanks in advance,
John

In lan zone you have INPUT ACCEPT so it will accept all requests to the router.
You can either make it DROP/REJECT, but then you'll need to add rules for DHCP and DNS (if you use the router as DNS), or you can add a couple of rules to DROP/REJECT 22 and 80,443.

Likewise service zone has ACCEPT for the INPUT, so it will accept anything.

2 Likes
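The first option trendy describes, written out as an added example of the changed /etc/config/firewall stanzas (not taken from the thread): both LAN-side zones get input REJECT, and explicit rules re-allow only DHCP and DNS from lan and only Dropbear/LuCI from service. The defaults, wan zone and include stanzas stay as posted; the rule names and the assumption that LuCI is served on 80/443 are mine.

```uci
config zone
	option name 'lan'
	option network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'service'
	option network 'SERVICE'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Ports 1-3 keep internet access. There is deliberately no forwarding
# entry with src 'service', so port 4 cannot reach the WAN.
config forwarding
	option src 'lan'
	option dest 'wan'

# Devices on ports 1-3 may still get addresses and name resolution
# from the router; everything else to 192.168.1.1/192.168.2.1 is rejected.
config rule
	option name 'Allow-DHCP-lan'
	option src 'lan'
	option proto 'udp'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-lan'
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# Only the service zone (LAN port 4) may reach Dropbear and LuCI.
config rule
	option name 'Allow-Admin-service'
	option src 'service'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'
```

If the machine on port 4 also takes DHCP or DNS from the router, copy the two lan rules with `option src 'service'`. Reload with `/etc/init.d/firewall restart` and confirm from a port 1-3 host that ssh to 192.168.2.1 and the LuCI addresses is now refused while DNS lookups still work.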

Hi trendy,
thank you for your help. To be honest, I don't understand why this is necessary with separate VLANs, because I thought that the different Interfaces with different subnets ensure some kind of separation as long as I don't define routes. So I wonder why a connection between VLANs with different subnets would not affect the FORWARD option? But maybe I did not get the picture, so I will look at the rules for DHCP and DNS to get this working.
Greetings
John

When the OpenWrt router and an external device communicate it's controlled with the INPUT and OUTPUT options, not with the FORWARDING option.

1 Like

If you don't create vlans, then all lan ports will belong to the same vlan, so you won't have any separation.

The routes will be there, because they are directly connected. So you'll need to make the separation with firewall.

Forward controls the intra-zone traffic, that is among interfaces belonging to the same zone. You don't have such, so it doesn't matter what you configure.

OpenWrt firewall is zone based. You assign interfaces to zones and then control the traffic going into, out of, or traversing zones.
https://openwrt.org/docs/guide-user/firewall/firewall_configuration#zones

1 Like