Management VLAN firewall zone not working

Hi

I have three VLANs set up on each of my two OpenWrt routers and the two smart switches I own, and it works perfectly.

VLANs

  • VLAN 5 (Private_LAN)
  • VLAN 10 (Guest_LAN)
  • VLAN 20 (WAN)

However, after messing around with the LAN settings on a second AP I lost connection to it. I then realised there is one flaw in my setup: I was not utilising a management/admin VLAN as a backbone to each device, for the event that the LAN I'm connected to is unable to connect. I've now gone about creating an admin VLAN as listed below.

  1. Created a new interface called admin
  2. Setup a static IP and a different sub-net on admin interface
  3. Set up DHCP on the admin interface
  4. Created a firewall zone called admin
  5. Assigned firewall zone to interface
  6. Allow forward to destination zone Private_LAN zone on admin zone
  7. Allow forward from source zone Private_LAN zone on admin zone
  8. Added a new VLAN with ID of 8 and attached to CPU (eth0)
  9. Assign eth0.8 VLAN to admin interface
  10. Created a VLAN trunk between my Guest_LAN and admin VLANs and tagged them to the router's physical port 4
  11. Setup the corresponding VLAN on my 24-port switch

My plan is to put all of my switches and routers onto the new admin VLAN and then setup inter-VLAN connectivity on the main OpenWrt router so that I can access each device from the Private_LAN on certain devices. Unfortunately my firewall zone and traffic rules don't seem to be working unless I set accept on all three parameters to the General Settings.

Even though I am going to be using this for inter-VLAN connectivity only, I wanted to test acquiring an internet connection on a device connected to the admin VLAN. My Guest_LAN network is simply a separate interface and zone configured to forward to the destination zone WAN, with the zone's input set to reject and two traffic rules that only accept ports 53 (DNS) and 67 (DHCP).

With that simple concept in mind, I wanted to apply it to the admin VLAN but with the zone input set to accept so that I didn't need to worry about restricting it to only DNS and DHCP. Sadly this didn't work. In fact the only way I got internet connection was to set accept on all three parameters of the Global Settings. I have included my configs below for reference:

/etc/config/firewall

# Global policies: traffic to the router (input) and between zones (forward)
# is rejected unless a zone or rule below accepts it; hardware and software
# flow offloading are both enabled.
config defaults
        option syn_flood '1'
        option output 'ACCEPT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option input 'REJECT'
        option forward 'REJECT'
# Private LAN (VLAN 5): fully open towards the router and for forwarding.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'ACCEPT'
# WAN (PPPoE on VLAN 20): NAT (masq) and MSS clamping, nothing in by default.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'
        option forward 'REJECT'
# Guest LAN (VLAN 10): input rejected except for the 'Guest DNS' and
# 'Guest DHCP' rules below; may only forward to wan (see forwarding sections).
config zone
        option output 'ACCEPT'
        option network 'guest_lan'
        option name 'guest_lan'
        option forward 'REJECT'
        option input 'REJECT'
# Tor zone (VLAN 9); its rules and redirects below are all disabled.
config zone
        option forward 'REJECT'
        option output 'ACCEPT'
        option name 'tor'
        option network 'tor'
        option input 'REJECT'
config forwarding
        option src 'lan'
        option dest 'wan'
config forwarding
        option dest 'wan'
        option src 'guest_lan'
config forwarding
        option dest 'wan'
        option src 'tor'
# Stock OpenWrt wan input rules (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
# IPsec pass-through from wan into lan (stock rules).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
# The only services guests may reach on the router: DNS and DHCP.
config rule
        option target 'ACCEPT'
        option proto 'tcp udp'
        option dest_port '53'
        option name 'Guest DNS'
        option src 'guest_lan'
config rule
        option target 'ACCEPT'
        option proto 'udp'
        option dest_port '67-68'
        option name 'Guest DHCP'
        option src 'guest_lan'
config rule
        option target 'ACCEPT'
        option dest_port '1194'
        option name 'Allow-OpenVPN'
        option enabled '0'
        option src 'wan'
        option proto 'tcp udp'
        option dest 'tor'
config rule
        option src 'tor'
        option proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'
        option name 'Tor DHCP'
        option enabled '0'
config rule
        option target 'ACCEPT'
        option src 'tor'
        option name 'Tor DNS'
        option proto 'udp'
        option dest_port '9053'
        option enabled '0'
config rule
        option target 'ACCEPT'
        option src 'tor'
        option name 'Tor Tranparent DNS'
        option proto 'tcp'
        option dest_port '9040'
        option enabled '0'
# Port forwards from wan to the OMV host 192.168.1.12.
config redirect
        option target 'DNAT'
        option proto 'tcp udp'
        option name 'OMV_FTP_SERVER'
        option dest 'lan'
        option src 'wan'
        option src_dport '20-21'
        option dest_port '20-21'
        option dest_ip '192.168.1.12'
# NOTE(review): this exposes the whole 49152-65534 range, tcp AND udp, to the
# internet. FTP passive mode only needs tcp; narrowing proto to 'tcp' and the
# range to what the server is configured for reduces the exposed surface.
config redirect
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp udp'
        option dest 'lan'
        option name 'OMV_FTP_PASSIVE'
        option dest_ip '192.168.1.12'
        option dest_port '49152-65534'
        option src_dport '49152-65534'
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '990'
        option dest_port '990'
        option name 'OMV_FTPS'
        option dest_ip '192.168.1.12'
config redirect
        option target 'DNAT'
        option src 'wan'
        option dest 'lan'
        option proto 'tcp udp'
        option src_dport '3074'
        option dest_port '3074'
        option name 'PlayStation_4'
        option dest_ip '192.168.1.14'
        option enabled '0'
# Transparent Tor redirects (disabled); '!10.0.0.1' excludes the router itself.
config redirect
        option name 'Redirect-Tor-Traffic'
        option src 'tor'
        option src_dip '!10.0.0.1'
        option dest_port '9040'
        option proto 'tcp'
        option target 'DNAT'
        option dest 'tor'
        option enabled '0'
config redirect
        option name 'Redirect-Tor-DNS'
        option src 'tor'
        option src_dport '53'
        option dest_port '9053'
        option proto 'udp'
        option target 'DNAT'
        option dest 'tor'
        option enabled '0'
config include
        option path '/etc/firewall.user'
config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'
# NOTE(review): this rule has no 'proto' or 'dest_port', so if it were ever
# enabled it would ACCEPT *all* input from wan, not just the LuCI port. Keep it
# disabled, or add the protocol and port (and ideally a src_ip) before use.
config rule
        option target 'ACCEPT'
        option src 'wan'
        option name 'wan-luci'
        option enabled '0'
config redirect
        option dest_port '6672'
        option src 'wan'
        option name 'GTA V (1)'
        option src_dport '6672'
        option target 'DNAT'
        option dest_ip '192.168.1.14'
        option dest 'lan'
        list proto 'udp'
config redirect
        option src 'wan'
        option name 'GTA V (2)'
        option target 'DNAT'
        option dest_ip '192.168.1.14'
        option dest 'lan'
        list proto 'udp'
        option dest_port '61455-61458'
        option src_dport '61455-61458'
config redirect
        option dest_port '1935'
        option src 'wan'
        option name 'RTMP'
        option src_dport '1935'
        option target 'DNAT'
        option dest_ip '192.168.1.18'
        option dest 'lan'
        option enabled '0'
# Admin / management VLAN zone.
# NOTE(review): unlike every other zone above, there is no "option network
# 'admin'" here, so the zone is not attached to the 'admin' interface and its
# policies apply to no traffic. Also all three policies are ACCEPT; the
# guest_lan zone shows the more restrictive pattern (REJECT plus explicit rules).
config zone
        option name 'admin'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option input 'ACCEPT'
# Only two lan hosts may reach the admin zone (currently disabled).
config rule
        list proto 'all'
        list src_ip '192.168.1.226'
        list src_ip '192.168.1.18'
        option dest 'admin'
        option target 'ACCEPT'
        option src 'lan'
        option enabled '0'
        option name 'Admin VLAN Access'
# NOTE(review): 'src_port 53' matches only queries *sent from* port 53;
# resolvers normally use an ephemeral source port, so this rule would almost
# never match. Compare 'Guest DNS' above, which matches on dest_port only.
config rule
        option src_port '53'
        option src 'admin'
        option name 'Admin VLAN DNS'
        option target 'ACCEPT'
        option dest_port '53'
        list proto 'tcp'
        list proto 'udp'
        option enabled '0'
# These two forwardings allow all traffic between lan and admin in both
# directions; the host-restricted 'Admin VLAN Access' rule above only limits
# anything if the lan -> admin forwarding is removed.
config forwarding
        option dest 'lan'
        option src 'admin'
config forwarding
        option dest 'admin'
        option src 'lan'

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
config globals 'globals'
        option ula_prefix 'fdcf:15da:0492::/48'
# Private LAN: 192.168.1.0/24 bridged over VLAN 5 (eth0.5).
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option broadcast '192.168.1.255'
        option igmp_snooping '1'
        # Points the interface's resolver entry at the router's own address.
        list dns '192.168.1.1'
        option delegate '0'
        option stp '1'
        option ifname 'eth0.5'
# WAN: PPPoE on VLAN 20 of the second ethernet port; ISP DNS ignored (peerdns 0)
# in favour of the listed resolver. Credentials are redacted in the post.
config interface 'wan'
        option ifname 'eth1.20'
        option proto 'pppoe'
        option password '*****'
        option ipv6 'auto'
        option username '*****'
        option peerdns '0'
        list dns '208.67.222.222'
        option mtu '1492'
# Guest LAN: 172.16.0.0/28 bridged over VLAN 10 (eth0.10).
config interface 'guest_lan'
        option proto 'static'
        option type 'bridge'
        option ipaddr '172.16.0.1'
        option netmask '255.255.255.240'
        option broadcast '172.16.0.15'
        option ifname 'eth0.10'
        option igmp_snooping '1'
        option stp '1'
        option delegate '0'
# Tor network: 10.0.0.0/28 on VLAN 9; 'auto 0' means it is not brought up at boot.
config interface 'tor'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.255.240'
        option broadcast '10.0.0.15'
        list dns '192.168.1.1'
        option auto '0'
        option ifname 'eth0.9'
# VPN tunnel interfaces (no protocol handler; tun0/tun1/tun2 are managed elsewhere).
config interface 'vpn_lan'
        option proto 'none'
        option delegate '0'
        option ifname 'tun0'
config interface 'vpn_guest_lan'
        option proto 'none'
        option ifname 'tun1'
        option delegate '0'
        option auto '0'
config interface 'vpn_tor'
        option proto 'none'
        option ifname 'tun2'
# Switch VLAN table. Port 5 and port 6 are the CPU ports ('t' = tagged);
# a bare number is an untagged access port.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '5'
        option ports '5t 3'
config switch_vlan
        option device 'switch0'
        option vlan '2'
        option vid '20'
        option ports '6t 4'
# VLAN 10 (guest) is tagged on port 0, the trunk shared with VLAN 8 below.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '10'
        option ports '5t 0t'
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '9'
        option ports '5t'
# VLAN 8 (admin): port 2 untagged for a management device, port 0 tagged (trunk).
config switch_vlan
        option device 'switch0'
        option vlan '5'
        option vid '8'
        option ports '5t 2 0t'
# Admin / management interface: 192.168.127.1/24 directly on eth0.8 (not bridged).
config interface 'admin'
        option ifname 'eth0.8'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.127.1'

/etc/config/dhcp

config dnsmasq
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        # NOTE(review): DNS rebinding protection is switched off here (OpenWrt
        # enables it by default). Unless an upstream name must legitimately
        # resolve to a private address, re-enable it ('1') and whitelist that
        # domain with 'rebind_domain' instead.
        option rebind_protection '0'
        # Only answer DNS queries from directly attached subnets.
        option localservice '1'
# 'start' is the host offset from the network address, 'limit' the pool size.
config dhcp 'lan'
        option interface 'lan'
        option limit '254'
        option leasetime '12h'
        option start '10'
# NOTE(review): offset 0 is the network address and 254 leases do not fit in
# the /28 (172.16.0.0/28) configured on guest_lan — confirm the effective range
# with "cat /tmp/etc/dnsmasq.conf.*" on the router.
config dhcp 'guest_lan'
        option interface 'guest_lan'
        option leasetime '5m'
        option start '0'
        option limit '254'
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
config dhcp 'tor'
        option interface 'tor'
        option start '200'
        option limit '254'
        option leasetime '15m'
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
# Admin VLAN pool: offsets 1..10, i.e. 192.168.127.1-192.168.127.10.
# NOTE(review): offset 1 is the router's own admin address (192.168.127.1 in
# /etc/config/network); starting at '2' avoids any overlap — verify whether
# dnsmasq already skips its own address.
config dhcp 'admin'
        option interface 'admin'
        option start '1'
        option leasetime '1h'
        option limit '10'

Many thanks in advance

Will

There is no option network 'admin' in admin zone.
On a sidenote remove the list dns '192.168.1.1' from lan and tor interfaces. Broadcast is calculated automatically and you'd better not use it.
Other than that your implementation of the admin (or management) vlan is fine, just don't allow all traffic from/to lan, just the management stations you have. Also output/forward/input could all be DROP as you only want a couple of IPs in the lan to access it (the 'Admin VLAN Access' rule is fine if you enable it)

Thanks for looking over my configs @trendy

Ok, it seems that yes, the 'option network' was missing from the config. Weirdly though, LuCI clearly showed it as being set.

I've fixed it by removing it in LuCI and clicking apply, editing the config file with that line added, and then re-checking LuCI to see if it reappears, which it did. I will check tomorrow when I can connect everything back and re-test.

In regards to the DNS listings, I have a problem with my HP wireless printer in which it can't be seen by any of the devices on the same LAN network. I could never get my head around it, but adding the DNS seemed to fix it. Any ideas what this could be?

In regards to functionality, assigning the nameservers to different interfaces makes no difference. All of them will be merged into the /tmp/resolv.conf.auto . They are however bound to an interface and if the interface goes down, they are not used anymore. That is why the guideline is to assign nameservers to the interfaces where they will be reachable, in your case the wan.

Happy belated Easter to you :slight_smile:

I will test my HP printer later on to see if taking the DNS option affects it again.

In regards to the admin VLAN, I think I've finally got it working. However, during the testing I was doing I couldn't prevent my main LAN (192.168.1.1) from being pinged from a device on the admin VLAN.

Obviously I have intended for devices on the admin VLAN to be able to ping the LAN, but at the time of the testing to see if the firewall was working properly, I tried to stop the inter-VLAN communication but had no success.

Unfortunately no matter what combination I did with the firewall zones and general settings I couldn't prevent the router from being pinged from a device on the admin VLAN. This makes testing hard as to test something like this I need two devices I can physically access at the time that have the ability to ping to each other and switch networks. Using the router on one VLAN as one of those devices would make it so much easier. Any ideas?

Create a firewall rule to block the icmp from admin to the device itself with destination IP 192.168.1.1

If I want to test the firewall zone from the admin VLAN to the router, which is on the LAN VLAN (the device I want to ping), will putting a traffic rule in place stop it altogether? I only want to be able to ping if the firewall zone forwardings are in place. In other words, between the traffic rule and the zone, which takes precedence?

If I ping the router from a device on the admin VLAN I would use its network IP (same subnet and VLAN) to test that I don't have a DHCP or DNS issue. Here I would expect that to work, as I'm not crossing any VLANs. What I'm trying to get my head around is how I can ping another VLAN when the firewall zone forwarding is set to reject and the global firewall settings are set to reject too.

Once the firewall zones have been put in place to then test connecting to the other VLAN I would ping the IP address of the other LAN.

If you ping the router it is considered INPUT.
If you ping another host in another zone it is considered FORWARD.
Hope this is clear because I did not understand everything from your previous post.

I will try and explain it better.

I have two VLANs with the following network IP addresses:

  • 192.168.1.1 (private LAN)
  • 192.168.127.1 (admin/management LAN)

A computer connected to the admin VLAN with an IP address of 192.168.127.6 for example should be able to ping the network IP address 192.168.127.1 as they're on the same subnet. The same goes for my mobile phone for example on the private LAN with an IP address of 192.168.1.234 should be able to ping the network address 192.168.1.1.

In both these cases I would consider this normal behaviour, unless someone had purposely restricted LAN ICMP traffic, which isn't done by default.

However, my computer on the admin LAN with the IP address 192.168.127.6 can ping the network address of the private LAN 192.168.1.1 but can't ping any of the hosts such as my phone 192.168.1.234.

I would have expected to be unable to ping anything on the private LAN from the admin LAN, especially with no firewall zones and rules in place.

I hope that clears things up.

It is correct and what I told you before is a valid answer.
As long as the packets are destined to the router, then the INPUT policy applies, no matter which IP. Since you have ACCEPT policy in INPUT of admin and lan zone, then the hosts of those zones can ping the router, as well as SSH/HTTP/etc. The interface IP doesn't make any difference, but if you want to block it for your reasons, you can create a rule to block input traffic from admin zone to 192.168.1.1 specifically.

Just to let you know, I have set specific devices on my LAN to be able to access the Admin VLAN and it works perfectly with the firewall rules. However, I've run into another hiccup from the Admin VLAN side.

I've set up an additional dumb access point with one interface; it has a static IP address of 192.168.127.3 and is on the same IP range as the main router, where the Admin LAN resides. I have physically connected my PC to the dumb AP on an untagged port assigned to the Admin VLAN, but I can't seem to access the main router's web GUI (LuCI) via the Admin interface's IP address 192.168.127.1. If I ping 192.168.127.1 I get a response back. If I ping the hostname of the main router, which is named OpenWrt-AP1, I see the 192.168.127.1 IP address. I did an nslookup command for bbc.co.uk and it tells me the DNS is being resolved at the main router, which is what I would expect.

>nslookup bbc.co.uk
Server:  OpenWrt-AP1.lan
Address:  192.168.127.1

Non-authoritative answer:
Name: bbc.co.uk 
Addresses: 2a04:4e42:600::81
2a04:4e42::81
2a04:4e42:200::81
2a04:4e42:400::81
151.101.0.81
151.101.64.81
151.101.128.81
151.101.192.81

Any ideas?

sounds like rfc1918/rebind issue...

Check the firewall if it is blocking the incoming requests and uhttpd if it is bound on the the management IP address.

You mentioned uhttpd, which is the default web server used for LuCI, and it reminded me that on my main router I used NGINX instead. I've had a dig through the config files and I've found some files that point it to a specific IP address, the LAN's, hence why I can't reach it via any other interface.

/etc/nginx/conf.d/_lan.conf

# default_server for the LAN addresses getting the IPs by:
# ifstatus lan | jsonfilter -e '@["ipv4-address","ipv6-address"].*.address'
# Because every listen directive comes from the generated include below, this
# server only answers on loopback and lan addresses; an address on any other
# interface (e.g. the admin one) is not listened on unless it ends up in that file.
server {
    server_name _lan;
    # Generated by /etc/init.d/nginx (nginx-util init_lan): one
    # "listen ADDR:443 ssl default_server" line per LAN address. It is
    # rewritten on every start/reload, so hand edits do not persist.
    include '/var/lib/nginx/lan_ssl.listen.default';
    ssl_certificate '/etc/nginx/conf.d/_lan.crt';
    ssl_certificate_key '/etc/nginx/conf.d/_lan.key';
    ssl_session_cache 'shared:SSL:32k';
    ssl_session_timeout '64m';
    # access_log /proc/self/fd/1 openwrt; # use logd (init forwards stdout).
    include conf.d/*.locations;
}

As seen on line 6 it points to this location /var/lib/nginx/ and there are 4 files:-

  • lan.listen
  • lan.listen.default
  • lan_ssl.listen
  • lan_ssl.listen.default

Inside the lan_ssl.listen.default is

# This file is re-created if Nginx starts or a LAN address changes.
# (Written by "nginx-util init_lan" from /etc/init.d/nginx, which is triggered
# only for the loopback and lan interfaces — so it holds loopback plus the lan
# interface's IPv4/IPv6 addresses, and an address added here by hand is lost
# on the next start or reload.)
    listen 127.0.0.1:443 ssl default_server;
    listen 192.168.1.1:443 ssl default_server;
    listen [2a00:23c6:8c01:4f00::1]:443 ssl default_server;
    listen [fd14:350:c840::1]:443 ssl default_server;

I tried adding 192.168.127.1 to the list and then restarted NGINX, but it reverts straight back. I then had a look in /etc/init.d/nginx, as I had a feeling that would be what's controlling everything, and I can see it does set the directories and files:

#!/bin/sh /etc/rc.common
# Copyright (C) 2015 OpenWrt.org

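START=80

USE_PROCD=1

# Helper binary that reports the nginx paths and (via init_lan) regenerates the
# LAN listen includes.
NGINX_UTIL="/usr/bin/nginx-util"

# Brings NGINX_CONF, CONF_DIR, LAN_LISTEN and LAN_SSL_LISTEN into scope — they
# are used below but assigned nowhere in this file. Quoted so eval receives the
# helper's output as one string instead of a word-split, glob-expanded list.
# NOTE(review): this executes whatever nginx-util prints, so that binary and
# its inputs must stay root-owned; confirm the exact variable set with
# "nginx-util get_env".
eval "$("${NGINX_UTIL}" get_env)"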

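# Start nginx under procd after (re)generating the LAN listen includes.
# Globals: NGINX_UTIL, NGINX_CONF, CONF_DIR, LAN_LISTEN, LAN_SSL_LISTEN (from get_env)
start_service() {
    # mkdir -p is a no-op for existing directories, so no -d test is needed.
    mkdir -p /var/log/nginx /var/lib/nginx
    # Rewrites the listen include files; it only scans the lan interface (see
    # service_triggers), which is why other interfaces' addresses never appear.
    "${NGINX_UTIL}" init_lan
    procd_open_instance
    NCPUS="$(grep -c '^processor\s*:' /proc/cpuinfo)"
    procd_set_param command /usr/sbin/nginx -c "${NGINX_CONF}" \
        -g "daemon off; worker_processes $NCPUS;"
    procd_set_param stdout 1
    procd_set_param stderr 1
    # Files whose change should make procd restart the instance.
    procd_set_param file "${LAN_LISTEN}" "${LAN_LISTEN}.default" \
        "${NGINX_CONF}" "${CONF_DIR}*.conf" "${CONF_DIR}*.locations"
    # '=' rather than '==': this script runs under /bin/sh, and '==' is not POSIX.
    [ -z "${LAN_SSL_LISTEN}" ] \
    || procd_append_param file "${CONF_DIR}*.crt" "${CONF_DIR}*.key" \
        "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
    procd_set_param respawn
    procd_close_instance
}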

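# Remove the generated listen includes on stop so a stale address list is not
# reused; the paths come from "nginx-util get_env".
# Globals: LAN_LISTEN, LAN_SSL_LISTEN
stop_service() {
    rm -f -- "${LAN_LISTEN}" "${LAN_LISTEN}.default"
    # The SSL include only exists when nginx-util reports a path for it.
    # '-z' rather than '== ""': this script runs under /bin/sh where '==' is not POSIX.
    [ -z "${LAN_SSL_LISTEN}" ] \
    || rm -f -- "${LAN_SSL_LISTEN}" "${LAN_SSL_LISTEN}.default"
}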

# Reload (and so regenerate the listen includes) when one of these interfaces
# changes. Only loopback and lan are watched, so an address change on any other
# interface does not cause the includes to be rebuilt.
service_triggers() {
    local iface
    for iface in loopback lan; do
        procd_add_reload_interface_trigger "$iface"
    done
}

# Same preparation as start_service, then signal the running instance instead
# of starting a new one.
# Globals: NGINX_UTIL
reload_service() {
    local dir
    for dir in /var/log/nginx /var/lib/nginx; do
        [ -d "$dir" ] || mkdir -p "$dir"
    done
    # Rebuild the LAN listen includes before nginx re-reads its configuration.
    ${NGINX_UTIL} init_lan
    procd_send_signal nginx
}

# Extra command "relog": reopen the log files by sending USR1 to every nginx
# instance ('*') without reloading the configuration.
relog() {
    if [ ! -d /var/log/nginx ]; then
        mkdir -p /var/log/nginx
    fi
    procd_send_signal nginx '*' USR1
}
# Additional subcommand exposed through rc.common, and its line in the help output.
EXTRA_COMMANDS=relog
EXTRA_HELP='    relog   Reopen log files (without reloading)'

I could edit the NGINX service to not re-write the files, but then I might break something else. What can I do?

I've found the help document > https://openwrt.org/docs/guide-user/services/webserver/nginx#new_server_parts but I'm trying to get my head around the instructions.