Hi all,
I'm struggling to isolate clients from each other on a wired guest network (all guest clients share one VLAN, so they sit on the same layer-2 segment and their frames are switched directly between them).
Any help would be appreciated. So far I couldn't find any layer-3 based solution online; going down to layer 2 (bridge-level filtering - under the nftables-based fw4 of OpenWRT 23.05 that would be nftables' bridge family rather than ebtables)
might be the ultima ratio if nothing else works - but not the most appreciated way to go.
I'm running OpenWRT 23.05 on an AVM Fritz!Box 7530 with network segmentation. Internal switch configuration is DSA based.
3 VLANs are set up:
VLAN 5: trusted network (192.168.5.0/24)
VLAN 3: guest network (10.0.3.0/24)
VLAN 10: WAN (192.168.1.0/24) - connection between my OpenWRT router and the internet gateway
.
The following should be accomplished:
- Clients in VLAN 3 must not communicate with each other, but should be able to access the internet - isolation not working right now
- Clients in VLAN 3 must not be able to access the router (blocked with respective input rule) - is working
- Clients in VLAN 5 are supposed to see devices in VLAN 3 and should be able to access the internet - is working
.
The router has 4 physical LAN ports, configured as follows:
- LAN1: Trunk port for all 3 VLANs - connected to a VLAN capable 16-port switch (switch is connected to internet gateway and is providing connection for clients for VLAN 3 and VLAN 5)
- LAN2: Local (untagged) port for VLAN 5
- LAN3: Local (untagged) port for VLAN 3
- LAN4: Trunk port for VLAN 3 and VLAN 5 - connected to a VLAN capable 8-port switch
.
The network is working in general; only the isolation of the clients from each other within the guest network (VLAN 3 - 10.0.3.0/24) is not working as expected. Note that two hosts in 10.0.3.0/24 reach each other inside VLAN 3 through the switches (the router's own DSA switch or the external 16-/8-port switches); those frames never enter the router's IP forward chain, so no zone, forwarding or rule in /etc/config/firewall is ever consulted for them - the isolation has to come from port isolation / "protected ports" on the switches that actually carry the guest ports.
.
/etc/config/network:
# Loopback and global settings (stock OpenWrt defaults; the ULA prefix only
# matters if IPv6 is ever enabled on the LAN side).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdc7:fb8f:43ea::/48'
# Trusted network, VLAN 5 (192.168.5.0/24); the router is 192.168.5.1.
config interface 'lan'
option device 'br-lan.5'
option proto 'static'
option ipaddr '192.168.5.1'
option netmask '255.255.255.0'
option delegate '0'
# "WAN" side, VLAN 10: a static private address behind the upstream internet
# gateway 192.168.1.1 (double NAT). Resolvers are pinned to three public
# servers rather than the upstream gateway.
config interface 'wan'
option proto 'static'
option device 'br-lan.10'
option ipaddr '192.168.1.222'
option netmask '255.255.255.0'
option gateway '192.168.1.1'
list dns '195.202.128.3'
list dns '195.202.138.3'
list dns '62.40.128.3'
# IPv6 uplink is disabled: there is no IPv6 route to the internet, and the
# IPv6 rules in /etc/config/firewall only ever see link-local traffic on
# VLAN 10.
config interface 'wan6'
option proto 'dhcpv6'
option device 'br-lan.10'
option reqaddress 'try'
option reqprefix 'auto'
option auto '0'
option disabled '1'
# Guest network, VLAN 3 (10.0.3.0/24). The router is only the layer-3
# gateway of this VLAN: guest hosts exchange frames with each other through
# the switches and never pass the router's IP firewall, so guest-to-guest
# isolation cannot be enforced from here.
config interface 'lan_guest'
option proto 'static'
option device 'br-lan.3'
option ipaddr '10.0.3.1'
option netmask '255.255.255.0'
option delegate '0'
# One VLAN-aware bridge over the four DSA switch ports; each bridge-vlan
# below becomes a br-lan.<vid> interface. Frames between two ports that are
# members of the same VLAN are forwarded by the switch/bridge, not routed, so
# the IP firewall never sees them.
# NOTE(review): OpenWrt's own knob for this is `option isolate '1'` on a
# bridge-port device (`config device` / `option name 'lanN'`), which stops
# isolated ports from forwarding to each other while still allowing traffic
# to the router. With this topology it would have to go on lan1, lan3 and
# lan4 (the ports carrying VLAN 3), which also cuts VLAN 5 between the two
# external switches, and it does nothing for two guests on the same external
# switch - those need that switch's port isolation / "protected ports"
# feature. Whether the 7530's DSA driver offloads the isolated flag to
# hardware is not established here; check with `bridge -d link show`.
config device
option type 'bridge'
option name 'br-lan'
option igmp_snooping '1'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
# VLAN membership. lan1 is tagged-only for all three VLANs, i.e. it has no
# untagged/native VLAN, so untagged frames arriving on the trunk are not
# mapped into any VLAN (verify with `bridge vlan show`). Keep it that way:
# the WAN segment (VLAN 10, 192.168.1.0/24) and the guest segment (VLAN 3)
# share this trunk, and keeping guests away from the upstream gateway at
# layer 2 depends on the 16-port switch never delivering VLAN 10 to a guest
# port.
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1:t'
# Guest VLAN: one untagged access port (lan3) plus both trunks. Hosts on lan3
# and behind lan1/lan4 are all in one broadcast domain.
config bridge-vlan
option device 'br-lan'
option vlan '3'
list ports 'lan1:t'
list ports 'lan3'
list ports 'lan4:t'
# Trusted VLAN: one untagged access port (lan2) plus both trunks.
config bridge-vlan
option device 'br-lan'
option vlan '5'
list ports 'lan1:t'
list ports 'lan2'
list ports 'lan4:t'
# MTU setting for the WAN-side VLAN interface - might be dismissed.
# This names the same br-lan.10 device the bridge-vlan above creates; the
# section only exists to override its MTU (1496, i.e. 4 bytes below the
# Ethernet default). If the upstream link does not need it, drop the section
# rather than carry an unexplained MTU.
config device
option name 'br-lan.10'
option type '8021q'
option ifname 'br-lan'
option vid '10'
option mtu '1496'
.
/etc/config/firewall
# Global policy: deny by default for input and forward. Flow offloading hands
# established connections to the flowtable after the first packets have
# passed the rules, so it does not weaken the policy below, but note that
# offloaded packets no longer show up in per-rule counters or zone logs.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
option flow_offloading '1'
option flow_offloading_hw '1'
# Trusted zone (VLAN 5): full access to the router and forwarding to wan
# (and to lan_guest, see the forwarding section further down).
# NOTE(review): masq '1' on a *LAN* zone source-NATs everything forwarded
# into 192.168.5.0/24 to 192.168.5.1 - the guest->lan MQTT traffic allowed
# below and the DNATed OCPP connection from the WAN side both reach the
# broker / charger backend as coming from the router, so ACLs and logs on
# those hosts cannot tell the real client apart. Unless some LAN host lacks
# a route back via 192.168.5.1, masquerading belongs on the wan zone only.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option network 'lan'
option masq '1'
# Upstream zone (VLAN 10, plus the disabled wan6). NAT towards the upstream
# gateway, MSS clamping, and nothing accepted inbound except the explicit
# rules below. Because the address behind it is private, "wan" here is the
# upstream LAN, not the internet itself.
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option input 'REJECT'
option forward 'REJECT'
# Trusted network may reach the upstream/internet.
config forwarding
option src 'lan'
option dest 'wan'
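# Forward rule for the EV charger's OCPP connection arriving on the WAN side.
# The DNAT redirect at the end of this file sends port 8887 to
# 192.168.5.100; fw4 normally emits the forward accept for a redirect's
# DNATed traffic itself, so this rule mostly documents the intent. It is
# scoped to the lan zone and to the DNAT target (forward sees the
# post-DNAT address) instead of dest '*', which would also have let the
# charger open port 8887 on guest hosts.
# src_mac is matched on the WAN-side frame and only works because the
# charger (192.168.1.123) is on that same segment; neither the MAC nor the
# IP is hard to spoof from there, so treat this as a convenience filter,
# not as authentication.
config rule
option name 'Allow OCPP Traffic from EV charger'
option src 'wan'
list src_mac 'xx:xx:xx:xx:xx:xx'
list src_ip '192.168.1.123'
option src_port '8887'
option dest 'lan'
list dest_ip '192.168.5.100'
option dest_port '8887'
option target 'ACCEPT'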
# Stock OpenWrt default rules for the wan zone. With wan6 disabled the IPv6
# rules only ever see link-local traffic on VLAN 10.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Router answers ping from the upstream segment.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Default IPsec pass-through wan->lan. Nothing in this configuration shows an
# IPsec peer on VLAN 5; if there is none, both rules can be removed to shrink
# what the upstream segment may initiate into the trusted network.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# Input rules (no dest): let trusted hosts send mDNS and CoAP multicast to
# the router itself. Multicast between hosts inside VLAN 5 is switched and
# not affected by these rules either way.
config rule
option name 'Allow-mDNS_LAN'
list proto 'udp'
option src 'lan'
option src_port '5353'
list dest_ip '224.0.0.251'
option dest_port '5353'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-mDNS_LAN_CoAP'
list proto 'udp'
option src 'lan'
option src_port '5683'
list dest_ip '224.0.1.187'
option dest_port '5683'
option target 'ACCEPT'
option family 'ipv4'
# Redundant: the lan_guest->wan forwarding further down already accepts all
# guest traffic towards wan, UDP included. Keep it only if that forwarding is
# ever narrowed; note it keys on a source IP that any guest host can assume.
config rule
option name 'Allow-IP-webcam-UDP'
list proto 'udp'
option src 'lan_guest'
list src_ip '10.0.3.229'
option dest 'wan'
option target 'ACCEPT'
# The only guest->trusted path: MQTT (plain 1883, TLS 8883 and 1882) to the
# two broker hosts. Because the lan zone masquerades, the brokers see these
# connections as coming from 192.168.5.1, not from the guest host; with
# plain 1883 allowed, broker-side authentication is what keeps guest devices
# apart, not the network.
config rule
option name 'Allow-MQTT-across-nets'
list proto 'tcp'
option src 'lan_guest'
option dest 'lan'
option target 'ACCEPT'
option family 'ipv4'
option dest_port '1882 1883 8883'
list dest_ip '192.168.5.124'
list dest_ip '192.168.5.100'
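# Defence in depth only. This drops guest->guest traffic that is *routed*
# through the router (a hairpin via br-lan.3); it cannot isolate guest
# clients from each other, because two hosts in 10.0.3.0/24 exchange frames
# inside VLAN 3 through the switches and never enter the IP forward chain -
# which is why it "didn't work" with or without the IP ranges. With the
# lan_guest zone's forward policy REJECT and no lan_guest->lan_guest
# forwarding, routed hairpin traffic is already rejected without this rule.
# Real isolation needs port isolation / "protected ports" on the switches
# carrying the guest ports.
# Comments are kept on lines of their own: trailing "# ..." after an option
# value is not something to rely on in UCI files (check the result with
# `uci show firewall`).
config rule
option name 'Block-Guest-from-Guest'
option src 'lan_guest'
option dest 'lan_guest'
list proto 'all'
list src_ip '10.0.3.0/24'
list dest_ip '10.0.3.0/24'
option target 'DROP'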
# Input rule (no dest): guests may query the router's resolver on port 53.
# proto is not set, so fw4's default of tcp+udp applies; spell it out with
# `list proto 'tcp'` / `list proto 'udp'` if that default should not be
# relied on. Everything else from guests to the router stays REJECTed by the
# zone policy.
config rule
option name 'Allow-Guest-DNS-Lookup'
option src 'lan_guest'
option dest_port '53'
option target 'ACCEPT'
# NOTE(review): OpenWrt 23.05 runs fw4 (nftables). A plain script include is
# ignored with a "not marked as compatible with fw4" warning unless the
# section carries `option fw4_compatible '1'` (verify in the log of
# `fw4 reload`), and iptables/ebtables commands are not available under fw4
# anyway. Layer-2 rules belong in an `option type 'nftables'` include with a
# bridge-family table - but frames switched in hardware between ports of the
# same switch never reach such a hook either, so this is not a substitute
# for switch-side port isolation.
config include
option path '/etc/firewall.user'
# Guest zone (VLAN 3): nothing to the router and nothing forwarded unless a
# rule or forwarding below says otherwise. log '1' records what this zone
# REJECTs - only traffic that actually enters the router; switched
# guest-to-guest frames never appear in these logs, so their absence there
# is not evidence of isolation.
config zone
option name 'lan_guest'
option network 'lan_guest'
option output 'ACCEPT'
option input 'REJECT'
option forward 'REJECT'
option log '1'
# Guests may reach the upstream/internet (the 192.168.1.0/24 segment itself
# is excluded by the Block-Guest-from-Gateway rule further down).
config forwarding
option src 'lan_guest'
option dest 'wan'
# Input rules (no dest): guests may obtain leases from the router and send
# mDNS / CoAP multicast to it. mDNS between guest hosts is link-local
# multicast that is switched inside VLAN 3 regardless of these rules.
config rule
option name 'Allow-Guest-DHCP-Request'
list proto 'udp'
option src 'lan_guest'
option dest_port '67-68'
option target 'ACCEPT'
config rule
option name 'Allow-mDNS_guest'
list proto 'udp'
option src_port '5353'
list dest_ip '224.0.0.251'
option dest_port '5353'
option target 'ACCEPT'
option src 'lan_guest'
option family 'ipv4'
config rule
option name 'Allow-mDNS_guest_CoAP'
list proto 'udp'
option src 'lan_guest'
option src_port '5683'
option dest_port '5683'
option target 'ACCEPT'
list dest_ip '224.0.1.187'
option family 'ipv4'
# Keeps guests off the upstream LAN (the internet gateway, the EV charger at
# 192.168.1.123, ...) while the lan_guest->wan forwarding lets them out to
# the internet: fw4 places explicit rules ahead of the zone forwardings, so
# this DROP wins. IPv4 only, which is consistent with wan6 being disabled.
# It only governs routed traffic - a guest port that the 16-port switch also
# puts into VLAN 10 would bypass it at layer 2.
config rule
option name 'Block-Guest-from-Gateway'
option src 'lan_guest'
option dest '*'
option target 'DROP'
option family 'ipv4'
list proto 'all'
list dest_ip '192.168.1.0/24'
# Trusted hosts may initiate connections to guest devices; replies ride on
# conntrack. Guest-initiated traffic to VLAN 5 is still limited to the MQTT
# rule above.
config forwarding
option src 'lan'
option dest 'lan_guest'
# Publish the OCPP endpoint: connections to the router's WAN address on port
# 8887 are DNATed to 192.168.5.100. No proto is given, so fw4's tcp+udp
# default applies; with the lan zone masquerading, 192.168.5.100 sees these
# connections as coming from 192.168.5.1 rather than from the charger.
config redirect
option name 'OCPP - forward port 8887'
option dest 'lan'
option target 'DNAT'
option src 'wan'
option src_dport '8887'
option dest_ip '192.168.5.100'
option dest_port '8887'
Thanks a million in advance,
Mat