Isolated WLAN/VLAN Firewall help

Hey guys, happy to have moved over from dd-wrt and it is a vast improvement on stability/reliability - thanks for the great work.

I created:
LAN (wan lan1) - vlan1 - gateway/dns/dhcp pfsense
LAN27 (lan2 3 4) - vlan27 - gateway/dns/dhcp pfsense
WLAN0 (wifi) - vlan41 - gateway/dns/dhcp pfsense
WLAN (wifi guest) - vlan51 - gateway/dns/dhcp pfsense

All is working as required up to this point.
I am a little unsure about the firewall rules to create.

I want to have isolation between all the networks, so that routing only occurs via pfsense, e.g.
41.x -> pfsense -> 27.x

Current firewall rules are (legacy default install):
lan -> wan Accept Accept Accept
wan -> reject Reject Accept Reject

Interfaces all say firewall unspecified.
I am using the devices as a managed wireless access point / switch.
It should do routing per se.

You can disable the firewall on your dumb OpenWrt device completely.

Simply delete the config /etc/config/firewall and disable the firewall with /etc/init.d/firewall disable.

This will result in no active firewall and also no forwarding/routing between your different interfaces.

I assume you already have your pfsense as the gateway in all your VLANs, right?

It doesn't work for me anyway. The default policies are ACCEPT which allows all traffic.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Disabling forwarding in /etc/sysctl.conf does the trick for me. (I have tested with IPv4 traffic only.) Reload sysctl after changing /etc/sysctl.conf (/etc/init.d/sysctl reload).

# grep forward /etc/sysctl.conf 
net.ipv4.ip_forward=0
net.ipv6.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0
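As an added check, not from the thread, that puts the two findings above together: it parses pasted `iptables -L` and `sysctl -a` (or sysctl.conf) output, reads the FORWARD chain's default policy and the forwarding sysctls, and reports whether the AP can still route between VLANs. The sample inputs are constructed to mirror the outputs quoted in this post.

```python
import re

# Constructed sample mirroring the `iptables -L` output quoted above:
# every built-in chain is empty and defaults to ACCEPT.
IPTABLES_OUTPUT = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""
# Constructed `sysctl -a` / sysctl.conf style samples, before and after the change.
SYSCTL_BEFORE = "net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n"
SYSCTL_AFTER = ("net.ipv4.ip_forward=0\nnet.ipv6.conf.default.forwarding=0\n"
                "net.ipv6.conf.all.forwarding=0\n")
FORWARD_KEYS = ("net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding",
                "net.ipv6.conf.default.forwarding")

def chain_policies(iptables_text):
    """Map built-in chain name -> default policy from `iptables -L` output."""
    return dict(re.findall(r"^Chain (\S+) \(policy (\w+)\)", iptables_text, re.M))

def sysctl_values(sysctl_text):
    """Parse `key = value` (sysctl -a) or `key=value` (sysctl.conf) lines."""
    values = {}
    for line in sysctl_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def audit_inter_vlan_routing(iptables_text, sysctl_text):
    """Report whether the AP can still forward packets between its VLANs.

    Forwarding needs the kernel sysctls on AND the FORWARD chain letting packets
    through; only the default policy is examined (the thread's chains are empty).
    A sysctl key missing from the dump counts as enabled so that it gets flagged.
    """
    policy = chain_policies(iptables_text).get("FORWARD", "ACCEPT")
    values = sysctl_values(sysctl_text)
    enabled = [k for k in FORWARD_KEYS if values.get(k, "1") != "0"]
    return {
        "forward_policy": policy,
        "forwarding_enabled": enabled,
        "routes_between_vlans": bool(enabled) and policy == "ACCEPT",
    }
```

Run it on the real box with `iptables -L` and `sysctl -a` output; an empty `forwarding_enabled` list is what the sysctl.conf change above should produce.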

You don't need to go that far.
The dumb AP should have only one IP for management, and the rest of the interfaces must be unmanaged.
The firewall blocks or allows traffic; it doesn't have anything to do with routing. Disabling the firewall will accept everything from everywhere, so this is expected behaviour.
So you can either disable the firewall, or assign the interface with the management IP to the lan zone and leave the others without a zone.


With LuCI, you have to define the LAN for each to have the DHCP/DNS option. I need to do DHCP/DNS relay to obtain and look up via pfsense.

I am not sure what you mean by that, but you don't need to define any IP address on an interface if the bridge is correct. The DHCP/DNS requests will traverse back to the pfsense, which will handle them.

This is only needed if you want to send DHCP requests from one subnet to another and you want to keep the subnets distinct until your pfsense router.
So why do you believe you need a DHCP relay?