Isolation of WiFi clients in a network with several APs and VLANs

Hi,
I've been building a home network for over a year, everything has been going more or less smoothly so far. I went through laying ducts and cables, choosing a rack cabinet, configuring switches, router and APs. I don't know how, but somehow I managed to put it all together.

Schematic diagram of the network:

  LTE#1   LTE#2 (2x ZTE MC801A LTE in bridge mode) 
    |       |
    |       |
Switch #3: (Netgear GS308T /Openwrt/)
 |   
 |                  
 |    Router: (HP T430 /OpenWrt/ + UE300 USB dongle)
 |     |
 |     |    PC1   PC2
 |     |     |     |
 |     |     |     |
Switch #1: (TP-Link SX3008F)
    |             |
    |             |
   LAG1  (LACP)  LAG1
    |             |
    |             |
Switch #2: (TP-Link SX3008F)
  |     |     |     |  
  |     |     |     |  
 AP1   AP2   AP3   AP4 (All Dumb AP + FT: Redmi AX6000, Xiaomi AX3200 /Openwrt/) 
  |
  |
Print Server (Nexx WT3020 /Openwrt/)

Cables: SM fiber, SFP and SFP+ modules + several TP-Link MC220L media converters to connect everything together.

VLANs:
ID 2 = Management
ID 3 = Home
ID 5 = IoT
ID 7 = Guest
ID 51 = LTE ISP #1
ID 52 = LTE ISP #2
ID 53 = LTE ISP #3 (unused)
ID 54 = LTE ISP #4 (unused)

VLANs and Tagged and Untagged Ports:

Switch #1 Config:


Switch #2 Config:


The network has been working quite well for a month, but a few days ago I did a scan on the guest network out of curiosity and it turned out that guest network clients are not isolated :frowning:

In the configuration of the router and APs I used one bridge with vlan_filtering; I don't know if that was a mistake, because now it's hard for me to solve the isolation problem.

I have read many topics on how to solve this problem:

  1. ebtables on router (ebtables is slow and outdated??? ebtables-nft is better???)
  2. ebtables on each AP
  3. kmod-br-netfilter + firewall rules
  4. separate vlans for each AP
  5. vlan_filtering (???)
  6. port isolation on Switch #2
  7. private vlans on Switch #2

I don't know which method would be the least invasive in my case; I prefer to configure OpenWrt rather than the TP-Link switches, but if there is no choice, I will do that too. Thank you in advance for your help.

Router /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd88:4a02:539a::/48'
	option packet_steering '1'

config device
	option name 'br0'
	option type 'bridge'
	option igmp_snooping '1'
	option vlan_filtering '1'
	list ports 'eth0'

config bridge-vlan
	option device 'br0'
	option vlan '2'
	option alias 'mgmt'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br0'
	option vlan '3'
	option alias 'home'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br0'
	option vlan '5'
	option alias 'iot'
	list ports 'eth0:t'

config bridge-vlan
	option device 'br0'
	option vlan '7'
	option alias 'guest'
	list ports 'eth0:t'

config interface 'mgmt'
	option device 'br0.mgmt'
	option proto 'static'
	option ipaddr '192.168.22.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'home'
	option device 'br0.home'
	option proto 'static'
	option ipaddr '192.168.33.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'iot'
	option device 'br0.iot'
	option proto 'static'
	option ipaddr '192.168.55.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'guest'
	option device 'br0.guest'
	option proto 'static'
	option ipaddr '192.168.77.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'eth1.51'
	option proto 'dhcp'
	option metric '10'
	option ipv6 '0'
	option peerdns '0'
	option dns '1.1.1.1 8.8.8.8 9.9.9.9 8.8.4.4'

config interface 'wanb'
	option device 'eth1.52'
	option proto 'dhcp'
	option metric '12'
	option ipv6 '0'
	option peerdns '0'
	option dns '1.1.1.1 8.8.8.8 9.9.9.9 8.8.4.4'

#config interface 'wanc'
#	option device 'eth1.53'
#	option proto 'dhcp'
#	option metric '14'
#	option ipv6 '0'
#	option peerdns '0'
#	option dns '1.1.1.1 8.8.8.8 9.9.9.9 8.8.4.4'

#config interface 'wand'
#	option device 'eth1.54'
#	option proto 'dhcp'
#	option metric '16'
#	option ipv6 '0'
#	option peerdns '0'
#	option dns '1.1.1.1 8.8.8.8 9.9.9.9 8.8.4.4'

Router /etc/config/firewall:

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
#	option flow_offloading  1
#	option flow_offloading_hw 0
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'home'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wanb'
#	list   network		'wanc'
#	list   network		'wand'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

# --- Management Zone ---

config zone
        option name 'mgmt'
        list network 'mgmt'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'

config forwarding
        option src 'mgmt'
        option dest 'wan'

config rule
        option src 'mgmt'
        option proto 'udp'
        option family 'ipv4'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option src 'mgmt'
        option proto 'tcpudp'
        option family 'ipv4'
        option dest_port '53'
        option target 'ACCEPT'

# --- IoT Zone ---

config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding
        option src 'iot'
        option dest 'wan'

config rule
        option src 'iot'
        option proto 'udp'
        option family 'ipv4'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option src 'iot'
        option proto 'tcpudp'
        option family 'ipv4'
        option dest_port '53'
        option target 'ACCEPT'

# --- GUEST Zone ---

config zone
        option name 'guest'
        list network 'guest'
        option input 'REJECT'
        option forward 'REJECT'
        option output 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option src 'guest'
        option proto 'udp'
        option family 'ipv4'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option proto 'tcpudp'
        option family 'ipv4'
        option dest_port '53'
        option target 'ACCEPT'

Router /etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option confdir '/tmp/dnsmasq.d'
	option noresolv '1'
	option localuse '1'
	list server '127.0.0.1#5453'
	list server '0::1#5453'

config dhcp 'mgmt'
	option interface 'mgmt'
	option start '101'
	option limit '50'
	option leasetime '8h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'home'
	option interface 'home'
	option start '101'
	option limit '100'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'iot'
	option interface 'iot'
	option start '101'
	option limit '100'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'guest'
	option interface 'guest'
	option start '101'
	option limit '100'
	option leasetime '8h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'wanb'
	option interface 'wanb'
	option ignore '1'

#config dhcp 'wanc'
#	option interface 'wanc'
#	option ignore '1'

#config dhcp 'wand'
#	option interface 'wand'
#	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Router iproute2:


BusyBox v1.36.1 (2023-06-16 07:48:53 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r23401-a860e439ed
 -----------------------------------------------------
root@router:~# ip -c -br l
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0             UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth1             UP             22:22:22:22:22:22 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0              UP             33:33:33:33:33:33 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0.2@br0        UP             33:33:33:33:33:33 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0.3@br0        UP             33:33:33:33:33:33 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0.5@br0        UP             33:33:33:33:33:33 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0.7@br0        UP             33:33:33:33:33:33 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth1.51@eth1     UP             44:44:44:44:44:44 <BROADCAST,MULTICAST,UP,LOWER_UP>
eth1.52@eth1     UP             44:44:44:44:44:44 <BROADCAST,MULTICAST,UP,LOWER_UP>
root@router:~# 
root@router:~# 
root@router:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             7fff.333333333333       no              eth0
root@router:~# 
root@router:~# 
root@router:~# bridge vlan show
port              vlan-id
eth0              2
                  3
                  5
                  7
br0               2
                  3
                  5
                  7
root@router:~#

AP /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3d:6b1c:ba49::/48'
	option packet_steering '1'

#config device
#	option name 'wan'
#	option macaddr 'xx:xx:xx:xx:xx:xx'

config device
	option name 'br0'
	option type 'bridge'
	option igmp_snooping '1'
	option vlan_filtering '1'

config bridge-vlan
	option device 'br0'
	option vlan '2'
	option alias 'mgmt'
	list ports 'wan:t'
	list ports 'lan2:u*'

config bridge-vlan
	option device 'br0'
	option vlan '3'
	option alias 'home'
	list ports 'wan:t'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br0'
	option vlan '5'
	option alias 'iot'
	list ports 'wan:t'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br0'
	option vlan '7'
	option alias 'guest'
	list ports 'wan:t'

config interface 'mgmt'
	option device 'br0.mgmt'
	option proto 'static'
	option ipaddr '192.168.22.31'
	option netmask '255.255.255.0'
	option gateway '192.168.22.1'
	option dns '192.168.22.1'
	option ip6assign '60'

config interface 'home'
	option device 'br0.home'
	option proto 'none'

config interface 'iot'
	option device 'br0.iot'
	option proto 'none'

config interface 'guest'
	option device 'br0.guest'
	option proto 'none'

AP /etc/config/wireless:

config wifi-device 'radio2g'
	option disabled '0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '5'
	option band '2g'
	option htmode 'HE20'
	option country 'PL'
	option he_bss_color '1'

config wifi-iface 'radio2g_home'
	option disabled '1'
	option device 'radio2g'
	option network 'home'
	option mode 'ap'
	option ssid 'HOME'
	option encryption 'sae'
	option key 'home password'
	option isolate '0'
	option disassoc_low_ack '1'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option reassociation_deadline '20000'
	option ieee80211k '1'

config wifi-iface 'radio2g_iot'
	option disabled '1'
	option device 'radio2g'
	option network 'iot'
	option mode 'ap'
	option ssid 'IoT'
	option encryption 'psk2'
	option key 'iot password'
	option isolate '0'
	option hidden '1'
	option disassoc_low_ack '1'
	option wpa_disable_eapol_key_retries '1'
	option tdls_prohibit '1'
	option ieee80211w '1'
	option ieee80211w_max_timeout '500'
	option ieee80211w_retry_timeout '100'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option reassociation_deadline '20000'
	option ieee80211k '1'

config wifi-iface 'radio2g_guest'
	option disabled '0'
	option device 'radio2g'
	option network 'guest'
	option mode 'ap'
	option ssid 'GUEST'
	option encryption 'psk2'
	option key 'guest password'
	option isolate '1'
	option disassoc_low_ack '1'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option reassociation_deadline '20000'
	option bss_transition '1'
	option ieee80211k '1'

config wifi-device 'radio5g'
	option disabled '0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '36'
	option band '5g'
	option htmode 'HE40'
	option country 'PL'
	option he_bss_color '1'

config wifi-iface 'radio5g_guest'
	option disabled '0'
	option device 'radio5g'
	option network 'guest'
	option mode 'ap'
	option ssid 'GUEST'
	option encryption 'psk2'
	option key 'guest password'
	option isolate '1'
	option doth '1'
	option disassoc_low_ack '1'
	option ieee80211r '1'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option reassociation_deadline '20000'
	option bss_transition '1'
	option ieee80211k '1'

AP iproute2:


BusyBox v1.36.1 (2023-06-14 13:16:15 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r23401-a860e439ed
 -----------------------------------------------------
root@ap1:~# ip -c -br l
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
eth0             UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
lan4@eth0        LOWERLAYERDOWN 11:11:11:11:11:11 <NO-CARRIER,BROADCAST,MULTICAST,UP>
lan3@eth0        UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
lan2@eth0        UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
wan@eth0         UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0              UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0.2@br0        UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0.3@br0        UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0.5@br0        UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
br0.7@br0        UP             11:11:11:11:11:11 <BROADCAST,MULTICAST,UP,LOWER_UP>
phy0-ap0         UP             22:22:22:22:22:22 <BROADCAST,MULTICAST,UP,LOWER_UP>
phy1-ap0         UP             33:33:33:33:33:33 <BROADCAST,MULTICAST,UP,LOWER_UP>
root@ap1:~#
root@ap1:~#
root@ap1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             7fff.111111111111       no              phy1-ap0
                                                        lan4
                                                        lan2
                                                        wan
                                                        lan3
                                                        phy0-ap0
root@ap1:~#
root@ap1:~#
root@ap1:~# bridge vlan show
port              vlan-id
lan4              5 PVID Egress Untagged
lan3              2
                  3
lan2              2 PVID Egress Untagged
wan               2
                  3
                  5
                  7
br0               2
                  3
                  5
                  7
phy0-ap0          7 PVID Egress Untagged
phy1-ap0          7 PVID Egress Untagged
root@ap1:~#

While we wait for input on this issue I thought I would throw in my two cents. VLANs have been identified as weaknesses anyway in terms of security/isolation, even on pro-grade equipment.

Personally I would put the guest network on a separate router. Considering a used router can be had for as little as $20-30 that may be a better route (haha sorry) or standalone solution in the interim? Anyhow that's what I do. Nice network BTW. That's not a home network. That's a work of art.

Issue 1: Correct me if I am wrong but smart switches don't have firewalls (like routers). Thus distribution with them should ideally begin with a router or at least end at a router. This does not seem to be the case in your diagram. We will let the experts review that issue.

Issue 2: I don't know if LAGs can pass VLAN-tagged traffic. Temporarily test without the LAG configuration and see if that fixes the issue? VLANs add additional bytes to the packet datagram, which requires a larger MTU. This might be something to look at?


I am not network certified so that's about the best I can do. I know LAG has been a source of many headaches and many posts on here.

Personally I don't use LAG - I would perhaps look at using 2.5Gb/10Gb LAN or SFP.

I also do not trunk VLANs to distribute networks. I use one port per VLAN on an edge router and then distribute to separate routers.

I find this easier to troubleshoot. Never any problems. If one network goes down it is isolated and easy to fix.

                     ISP
                      |
      Edge router w/ 1 vlan per port
                      |
       --------------------------------------
       |          |          |          |
     Guest       IoT         TV        Main
     router     router     router     router

Really? Can you provide sources for this?

Properly managed in terms of the switches, APs, routers and firewalls, there should be no security issue. Using multiple routers does not meaningfully improve the security unless there is a specific CVE or other hack that is known to be able to cross VLAN boundaries. And, using multiple routers increases the complexity of network management and reduces efficiency.

Also, using another router may protect in one direction (i.e. router 1's LAN connected to router 2's WAN will protect router 2's LAN), but it doesn't work the other way around (router 1's LAN would be reachable from the hosts on router 2) unless you add firewall rules on router 2 to prevent access. Which then becomes rather similar to a single router handling all the VLANs with a proper firewall.

1 Like

Black Hat Python, 2nd Edition: Python Programming for Hackers and Pentesters, by Justin Seitz and Tim Arnold

I'm not really looking to buy a book for this... are there articles that talk about these same threat vectors? Specifically, I'd like to see the following:

  1. Where are they finding the vulnerabilities -- in the routers, switches, APs, or other VLAN aware systems/infrastructure
  2. Aside from NAT making direct access to devices behind a standard NAT'ing router more difficult, how does the firewall distribution of different routers make it better than a properly configured firewall in a single router?
2 Likes

I don't know how to do this - I have not tested OpenWrt's trunked VLAN configurations - nor am I network certified etc. I am speaking anecdotally while we let the more accomplished or accredited membership review his configuration.

Slightly OT but I know B.A.T.M.A.N. (meshed vlans) was audited as leaking connected clients for example and I believe was patched.

  1. I am more likely to upgrade a single router to the latest firmware because I do not have a complex and more difficult to troubleshoot configuration. I did this recently when I bought an E8450 and installed 23.05.0-rc1 on it and deployed it as my new edge router. Now my entire network is hiding behind the latest security improvements on a more capable device.

  2. If my edge router password got brute forced that is just one layer in the onion so to speak.

  3. My configuration gives each network its own router for improved performance rather than shoehorning 6 networks onto one port. This is relevant for less powerful devices and can isolate problems to their respective networks, making it easier to troubleshoot.

  4. I VPN each router so it's zero trust.

  5. Having one router per network allows me to upgrade individual routers with no interruption to the other networks.

  6. I feel more comfortable as a novice user with an easier to manage reliable topology. I am not cutting edge.

  7. I can safely and comfortably experiment on other networks with this configuration without affecting other users. Not all my eggs are in one basket so to speak.

  8. Newer faster connection standards make LAG less relevant. His house already probably has at least 8 runs in it which he could use to distribute individual networks without the 10% per connection penalty on LAG.

So I can speak in general terms -- most enterprise systems utilize VLANs heavily. Cascading routers in NAT+firewall configurations is not scalable both from a management and an expense standpoint (and in the case of wifi, it is also a problem from a spectrum perspective if you have multiple APs required to run different SSIDs for each network).

A critical component is proper configuration of the firewalls, as well as switches and APs. For example, the router (and other infrastructure devices) should never be accessible from any untrusted network (and ideally only from a management network). On OpenWrt that is the input rule that governs the ability to connect to the device's services. In the case of a dumb AP, the device should only have an address on the trusted/management network, and the untrusted networks should be unmanaged (i.e. proto = none). Switches would be the same. Although some low end switches don't have proper implementations for the idea of a management network, and they can be reached by all networks... this would be a potential vector for VLAN hopping or other vulnerabilities.

There are many other ways to properly secure your network infrastructure including ssh keys instead of passwords among others.

1 Like

Guys, thanks for your response :slight_smile:
The network is in an old big house, I used to have one router (R7800) but there was no coverage at the edges of the house, not to mention the yard...
Besides, I had a weak DSL 10Mbps Internet connection, so I decided to change it. Since the house doesn't have any wiring, last year I had to set up a mesh network (Batman Adv ver. V) using the APs I had. It worked quite well - 5GHz, 80MHz, AC/AX backbone gave me 200-300Mbps throughput and for the 2.4GHz end user around 100Mbps throughout the house. Mesh with Fast Roaming worked fine when it comes to mail, IM etc.

However, due to the fact that the WiFi is half duplex, with a few users wanting to watch 720p YT, the performance of the network fell off the cliff ... so I decided to run a total of 150m of cable ducts on the walls and optical fiber in them ... I spent the whole winter on the ladder, cutting and gluing these damn cable ducts :slight_smile:

As I wrote earlier, the network works fine, smoothly under load, apart from two small problems:

  1. Guest WiFi clients are visible to each other.
     Today I tried to change it: I set up port isolation on Switch #2 so that all traffic from APs flows to Switch #1 (via LAG1), where the router is connected, so the APs are not wired directly to each other on Switch #2.

And on the router I used nft bridge rule to stop forwarding on br0:

nft add table bridge filter
nft add chain bridge filter forward '{type filter hook forward priority -2; policy drop;}'

I'm not sure if this rule does anything in my case - on standalone test router the rule isolated WiFi clients even with option isolate '0' in /etc/config/wireless, they couldn't ping each other. However, in Home and IoT VLANs, I'd like to be able to disable wifi client isolation, though. But.... now there's problem 2....

  2. Now I can't ssh to most Access Points. Before changing the port isolation on Switch #2, I connected my laptop to one of the devices on the mgmt port of Switch #3 or AP1 and I was able to ssh to AP2, AP3 and AP4 (they are at the other end of the house). Now I can't even ping them from Switch #3 or AP1.

It seems that LAG1 transmits VLANs correctly, each AP has 4 ports (WAN + 3x LAN). WAN is a trunk port, then for each AP there can be a different combination of access ports depending on the needs: LAN1 = Management Untagged, LAN2 = Home Untagged, LAN3 = IoT Untagged. This way, on each AP I have access to different networks throughout the house. I am getting IP addresses from the correct DHCP pools so I assume the aggregation is working fine.

Each AP has access to the Internet, so it knows the path to the Router.
Therefore it should be possible to connect from AP1 via Router to AP3/AP4/AP5 because they are in one vlan2 (management):

AP1 (vlan2) ----> Router (vlan2) ----> AP3/AP4/AP5 (vlan2)

I don't know why this isn't happening
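An added example (mine, not from any post in this thread) for the isolation question in the first post and the catch-all `policy drop` rule above: a bridge-family nftables ruleset that drops only frames forwarded within VLAN 7, so mgmt, home and IoT frames keep passing through the router. It assumes the router's single bridge port is `eth0` as in the posted config and turns on hairpin mode for it, because a Linux bridge never re-emits a frame out of the port it arrived on unless that port is in hairpin mode; with Switch #2 isolating the AP ports, AP-to-AP frames can only travel via the router.

```shell
#!/bin/sh
# Added example (not from the original post): isolate only the guest VLAN on the
# router's br0 with an nftables bridge-family rule, instead of dropping all
# bridge forwarding. Assumed values: guest VLAN id 7, bridge port eth0.
GUEST_VLAN=7
BRIDGE_PORT=eth0
TABLE=guest_isolation

# Print the ruleset. The first two lines make reloads idempotent: create the
# table if it does not exist yet, delete it, then define it afresh in one batch.
guest_isolation_ruleset() {
	cat <<EOF
table bridge ${TABLE}
delete table bridge ${TABLE}
table bridge ${TABLE} {
	chain forward {
		# The forward hook only sees frames the bridge relays between ports
		# (including back out of the ingress port when hairpin is on). Frames
		# addressed to the router itself, e.g. DHCP and DNS to br0.7, take the
		# input path and are not affected by this chain.
		type filter hook forward priority filter; policy accept;
		# Drop guest-to-guest frames; every other VLAN keeps forwarding.
		vlan id ${GUEST_VLAN} counter drop
	}
}
EOF
}

# Self-check on the generated text that needs neither root nor nft.
ruleset_has_guest_drop() {
	guest_isolation_ruleset | grep -q "vlan id ${GUEST_VLAN} counter drop"
}

# Load the rule on the router: syntax-check first, then enable hairpin so a
# frame from one isolated switch port can be sent back towards another AP
# through the same router port, then install the table.
apply_guest_isolation() {
	guest_isolation_ruleset | nft -c -f - || return 1
	bridge link set dev "${BRIDGE_PORT}" hairpin on || return 1
	guest_isolation_ruleset | nft -f -
}

# Run as `sh guest_isolation.sh apply` on the router; with no argument the
# script only defines the functions above.
if [ "${1:-}" = "apply" ]; then
	apply_guest_isolation
fi
```

`option isolate '1'` in /etc/config/wireless only separates clients of the same radio on one AP, so it is still needed alongside this rule, which covers the cross-AP path.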

Looks like you are running 1.0 firmware for the TL-SX3008F. Latest is 1.6.

Lots of interesting reviews...

2.0 out of 5 stars: DANGER: Broken firmware. Reviewed in Canada on May 25, 2023. Size: 8 Port w/ 8 10GE SFP+. Verified Purchase. With the shipped firmware, VLAN support is very broken. The Canadian support site has old firmware listed and installing it will install an old version that doesn't support some SFP modules. Instead you must go to the US site and use that firmware instead and it will result in something that mostly works. Decent hardware that is hobbled by what is clearly a case of broken QA process if something so basic as VLAN support managed to ship non functional.

I'm sorry it might have to come to that.

Firmware is 1.0.4, the latest available
1.6 is hardware revision.

1 Like

If you are referring to client isolation over wifi:

  • Turn off 2.4 GHz: I wonder if reverting from 5 GHz 802.11AX to AC or N would fix it?
  • Turn off 5 GHz: I wonder if running 2.4 GHz 802.11AX or N fixes it?
  • I wonder if reverting the firmware to 21 stable on the APs would fix it? (be careful here, I am not sure reverting the firmware works and you could soft brick)
  • Are all the APs doing it? The two routers listed use different chipsets.

I am not clear on whether wifi based client isolation works in dumb AP mode as I don't use that.

Presuming it doesn't, or none of these suggestions work, then it would be more likely to work by using the APs in router mode (or getting other ones to do it) and plugging them into the guest VLAN port.

I think you want a unified easy to manage solution so buying extra routers for the guest network (or using some old ones you have?) might not be the ideal solution.

Older 802.11AC devices running on stable would more likely have functioning wifi client isolation compared to the newer devices and chipsets as a rough guideline.

Hopefully someone can set me straight on this and help you.

HTH

Sorry I didn't write precisely enough, I was scanning the guest network with nmap:

nmap -sn 192.168.77.1/24

nmap found the router (192.168.77.1) - it's ok,
and the addresses of several wireless devices (android phones, tablets, laptops) - this is undesirable.