Isolation between subnets

Hello,
I've set up five different subnets on my router.
192.168.1.1/24 DHCP on physical LAN ports 1,2 - routed to WAN
192.168.2.1/24 DHCP on physical LAN port 4 - routed to WAN
192.168.3.1/24 DHCP on physical LAN port 3 - routed to VPN via APR
10.2.0.2/32 VPN routed to WAN
192.168.0.X/24 - WAN DHCP on physical port WAN

The problem is, any of those subnets can be accessed from the others.
For example, I've set up SSH on 192.168.1.1 but I can connect to it from 192.168.2.X.
Or I can ping 192.168.3.1 from 192.168.1.X.

How can I isolate all internal traffic such that subnets 1.1 and 1.2 can access only WAN, 1.3 - only the VPN, and I can ssh the router only on the 1.1 subnet?

I don't know that we have enough information to answer the question, but I'm going to make some assumptions:

  1. I'm assuming each of those subnets is associated with a VLAN that is mapped to the LAN ports you've specified.

  2. I assume you have an interface on the router for each of the VLANs.

Those should be pretty safe assumptions given what you've described. Based on those, my best guess is that you've put all of your LAN interfaces in the LAN firewall zone. By default, the router will allow traffic between interfaces in the same zone. What you should do is create a separate zone for each interface and then use the firewall rules to control which zones can communicate with others.

Thank you for the answer.

There are different zones for every subnet, but no VLANs.

Will per-port VLANs be enough? How to set them up?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

OK, that's the config:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.161",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "TP-Link Archer C6U v1",
	"board_name": "tplink,archer-c6u-v1",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.3",
		"revision": "r20028-43d71ad93e",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.3 r20028-43d71ad93e"
	}
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'eth0'
	option ipv6 '0'
	option sendredirects '0'

config device
	option name 'wan'
	option ipv6 '0'

config device
	option name 'lan3'
	option ipv6 '0'

config interface 'wan'
	option proto 'dhcp'
	option hostname '*'
	option device 'wan'
	option metric '1024'
	option peerdns '0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '1.1.1.1'

config device
	option type 'bridge'
	option name 'br-lan-nat'
	list ports 'lan1'
	list ports 'lan2'
	option ipv6 '0'
	option bridge_empty '1'

config interface 'lan_nat'
	option proto 'static'
	option device 'br-lan-nat'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'lan_srv'
	option proto 'static'
	option device 'lan4'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option delegate '0'

config interface 'vpn'
	option proto 'wireguard'
	option delegate '0'
	option metric '4096'
	option private_key 'redacted'
	list addresses '10.2.0.2/32'
	list dns '10.2.0.1'

config wireguard_vpn 'wgserver'
	option endpoint_host 'redacted'
	option endpoint_port '51820'
	option persistent_keepalive '25'
	list allowed_ips '0.0.0.0/0'
	option route_allowed_ips '1'
	option public_key 'redacted'

config device
	option name 'vpn'
	option ipv6 '0'

config interface 'lan_vpn'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option delegate '0'
	option netmask '255.255.255.0'
	option device 'lan3'
	option defaultroute '0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'lan_nat'
	option interface 'lan_nat'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan_srv'
	option interface 'lan_srv'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan_vpn'
	option interface 'lan_vpn'
	option start '100'
	option limit '150'
	option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan_nat'
	option forward 'REJECT'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'lan_nat'
	option input 'ACCEPT'
	option output 'REJECT'

config zone
	option name 'lan_srv'
	option forward 'REJECT'
	list network 'lan_srv'
	option input 'ACCEPT'
	option output 'REJECT'

config zone
	option name 'lan_vpn'
	option forward 'REJECT'
	list network 'lan_vpn'
	option input 'ACCEPT'
	option output 'REJECT'

config zone
	option name 'wg'
	option forward 'REJECT'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'REJECT'

config zone
	option name 'wan'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option family 'ipv4'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'

config rule
	option name 'test'
	list proto 'all'
	option src '*'
	list src_ip '192.168.0.0/16'
	option dest '*'
	list dest_ip '192.168.0.0/16'
	option target 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'DROP'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'neighbour-advertisement'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'packet-too-big'
	list icmp_type 'router-advertisement'
	list icmp_type 'router-solicitation'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'DROP'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	option limit '1000/sec'
	option family 'ipv6'
	list icmp_type 'bad-header'
	list icmp_type 'destination-unreachable'
	list icmp_type 'echo-reply'
	list icmp_type 'echo-request'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'unknown-header-type'
	option target 'DROP'

config rule
	list proto 'tcp'
	option dest_port '80'
	option src 'wan'
	option target 'REJECT'
	option name 'reject-uhttpd-80'

config rule
	list proto 'tcp'
	option name 'reject-uhttpd-80'
	option dest_port '80'
	option target 'REJECT'
	option src 'lan_srv'

config forwarding
	option src 'lan_nat'
	option dest 'wan'

config forwarding
	option src 'lan_srv'
	option dest 'wan'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

config forwarding
	option src 'lan_vpn'
	option dest 'wg'

config forwarding
	option src 'wg'
	option dest 'wan'

config redirect 'dns_int'
	option name 'Intercept-DNS'
	option src 'lan_vpn'
	option src_dport '53'
	option proto 'tcp udp'
	option target 'DNAT'
	option dest_port '53'
	option dest_ip 'redacted'

Based on your configs (at least my quick read through), I would expect that each of the subnets should be isolated from the others. Is that not the case?

Post the contents of "/etc/config/dropbear", please.

They aren't, unfortunately. I can ping one subnet from the other, etc.

Here it is:

cat /etc/config/dropbear 

config dropbear
	option Port 'redacted'
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Interface 'lan_nat'

Still, I'm able to log in from another subnet if I use the 192.168.1.1 IP.

This is a special case... this is not inter-vlan routing. It is one of the addresses that the router has, and it will respond because you have each of the zone INPUT rules set to ACCEPT.

Try connecting from a host on one network to a host on any other network and vice versa, as long as the host is not the router itself (i.e. literally the router, or an address that the router actually holds on each network).


I see. Can I block access to the router itself from all but one subnet?
If I set the INPUT and/or OUTPUT zone policy to REJECT, it effectively rejects all traffic.

Input = REJECT will prevent access to the router itself. You'll likely need to create rules to allow DHCP and usually also DNS.

The firewall configuration section of the guest wifi tutorial demonstrates how to do this.

The output rule should be accept in the vast majority of cases -- without it you won't be able to route because traffic destined for other zones (including the internet) will not be allowed out of the firewall if you set it to reject or drop.
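As an added illustration of the answer above (this fragment is not from the thread or the guest wifi tutorial, and the rule names are my own choice), here is how the posted `/etc/config/firewall` zones for `lan_srv` and `lan_vpn` would look with `input` set to REJECT, `output` back to ACCEPT, and explicit rules so that clients on those subnets can still obtain a lease and resolve names from the router, while `lan_nat` keeps `input 'ACCEPT'` so SSH on 192.168.1.1 stays reachable from that subnet only:

```uci
# lan_nat keeps input ACCEPT: it is the only zone allowed to reach the
# router itself (SSH, LuCI). dropbear is already bound to this interface.
config zone
	option name 'lan_nat'
	list network 'lan_nat'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	option family 'ipv4'

# lan_srv: router no longer answers new connections from this subnet
# (so 192.168.1.1 is unreachable from 192.168.2.x), except what the
# rules below allow. output ACCEPT so routed traffic can leave.
config zone
	option name 'lan_srv'
	list network 'lan_srv'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# DHCP must be allowed explicitly once input is REJECT.
config rule
	option name 'Allow-DHCP-lan_srv'
	option src 'lan_srv'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

# DNS to the router's dnsmasq instance.
config rule
	option name 'Allow-DNS-lan_srv'
	option src 'lan_srv'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# lan_vpn: same policy. DNS on this subnet is already DNAT'd by the
# existing 'dns_int' redirect, so only DHCP needs an input rule here.
config zone
	option name 'lan_vpn'
	list network 'lan_vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-lan_vpn'
	option src 'lan_vpn'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'
```

With `input 'REJECT'` on `lan_srv`, the posted `reject-uhttpd-80` rule for that zone becomes redundant and can be dropped. The existing `forwarding` sections are unchanged, so inter-zone routing stays blocked while each LAN zone keeps its path to `wan` or `wg`.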


It works! Thank you.
