OpenWrt as bridge with firewall

Hello,
I've used OpenWrt as my main router for quite some time now and it works perfectly. Recently, I started to use VLANs to have a somewhat cleaner network infrastructure, separating my LAN from my DMZ and from another "LAN" network for IoT with access to WAN disabled.

Today, I changed my ISP and upgraded my PC and my NAS to 2.5gbps and it led me to significant changes.
The things to know first are :

  • I want my connection PC-NAS to be 2.5gbps
  • I want my connection PC-Internet to be 2.5gbps
  • My OpenWrt router is only 1gbps on WAN and on all 4 LAN ports
  • My ISP router provides a single 2.5gbps port, and then two 1gbps ports
  • I want to have a DMZ with various virtual machines that can be accessed from the internet (behind NAT)
  • I don't want these DMZ machines to access my LAN
  • I want my LAN to be able to access my DMZ (ideally without adding a custom route on my computer)
  • I want my OpenWrt router to emit a WLAN for my IoT devices that won't have access to anything (no WAN, no LAN, no DMZ). But at least one LAN machine should be able to reach them.
  • I have a 2.5gbps unmanaged switch
  • ISP router does not support vlan

So with all that, I thought about doing something like that:

The idea is to have one 192.168.1.0/24 network that would contain both LAN and DMZ (allowing LAN to contact DMZ without manually adding route on my LAN machines).
The DMZ part would be differentiated by either a sub-range (192.168.1.192/26) or simply by the physical ports on my openwrt router.

The openwrt router would just bridge the ISP router to the DMZ adding some firewall rules in-between to limit the DMZ exchanges.

For the IOT part, I'd have a dedicated wlan interface on my router with its own dhcp server and no forwarding rules between zones. Then a VM would have a network interface with the appropriate VLAN to access these devices.

And then... I tried to implement all that. But it doesn't quite work :

  • I don't seem to be able to control the traffic from my DMZ to my LAN
  • EDIT: no longer true apparently? //I can't connect to my 'iot' wifi. In OpenWRT it shows my device getting an IP but my device reports getting no IP//

So, do you have any recommendations/improvements regarding my base design?
Then, do you have an idea of what I have done wrong?

Network

# /etc/config/network (first attempt): every physical port, including the
# 'wan' port, is a member of the single bridge br-lan, so the router acts as a
# 5-port switch on the ISP router's segment.
config interface 'loopback'       
        option device 'lo'        
        option proto 'static'     
        option ipaddr '127.0.0.1' 
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd0d:56a4:b54e::/48'

# NOTE(review): frames between two member ports of the same bridge are
# switched at layer 2 and, with a default kernel (no bridge-netfilter), never
# enter the IP firewall's forward chains. Any zone or rule that expects to
# filter LAN<->DMZ or LAN<->WAN traffic across these ports will therefore see
# no packets - confirm by checking that rule's packet counters.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

# The router's own address comes from the ISP router's DHCP, over the
# untagged VLAN 1 of the bridge.
config interface 'lan'
        option proto 'dhcp'
        option device 'br-lan.1'

# Isolated IoT segment (192.168.2.0/24) on VLAN 2 of the bridge; the 'IOT'
# wifi-iface attaches to this network (see the wireless config).
config interface 'offline'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'
        option device 'br-lan.2'

# VLAN 1: untagged and PVID on all five ports.
config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'
        list ports 'wan:u*'

# VLAN 2 is carried tagged on lan1 only (for the VM that is meant to reach
# the IoT devices).
config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'

# NOTE(review): the bridge-vlan section for VLAN 1 already exposes a
# 'br-lan.1' device; this explicit 8021q device of the same name looks
# redundant - confirm it does not conflict with the auto-created one.
config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'

Firewall

# /etc/config/firewall (first attempt).
# NOTE(review): 'input ACCEPT' as the default leaves whatever services the
# router runs (web UI, SSH, DNS, ...) reachable from every zone, including the
# 'offline' IoT zone below; limiting that zone's input to DHCP/DNS would
# shrink what a compromised IoT device can reach on the router.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# One zone covering the whole bridge (LAN, DMZ and ISP side alike);
# 'forward ACCEPT' here only governs traffic within the zone.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# IoT zone: there is no 'config forwarding' to or from it, so it is isolated
# from 'lan' at the IP level; intra-zone forwarding is allowed.
config zone
        option name 'offline'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'offline'
        option forward 'ACCEPT'

# Legacy fw3 include hook; the file's contents are not shown in this thread.
config include
        option path '/etc/firewall.user'

# not working:
# NOTE(review): source and destination are both in zone 'lan', i.e. on the
# same bridge, so DMZ->LAN packets are switched at layer 2 and most likely
# never reach the lan->lan forward chain where this rule is installed. That,
# rather than the rule's syntax, is the probable reason it never matches.
config rule
        option src 'lan'
        list src_ip '192.168.1.192/26'
        option dest 'lan'
        list dest_ip '!192.168.1.192/26'
        list proto 'all'
        option target 'REJECT'

Wireless

# /etc/config/wireless
# 2.4 GHz radio on channel 1, HT20.
config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option cell_density '0'

# IoT SSID, WPA2-PSK, attached to the isolated 'offline' network.
# NOTE(review): the PSK is embedded in a config pasted to a public forum; if
# 'myPassword' is not already a placeholder, rotate the key.
config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key 'myPassword'
        option network 'offline'
        option ssid 'IOT'

# 5 GHz radio, currently disabled.
config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

DHCP

# /etc/config/dhcp (first attempt).
# rebind_protection keeps upstream DNS answers pointing at private ranges
# from being accepted; localservice restricts the resolver to directly
# attached subnets.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

# NOTE(review): 'lan' gets its own address by DHCP from the ISP router, which
# already serves this segment; a second DHCPv4 server here (pool .200-.249)
# competes with it. No 'force' option is set, so dnsmasq is expected to back
# off when it detects the other server - confirm in the system log.
config dhcp 'lan'
        option interface 'lan'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option start '200'
        option limit '50'
        option leasetime '7d'
        option ra 'hybrid'
        option dhcpv6 'hybrid'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# IoT pool 192.168.2.100-.249; 'force' keeps serving DHCP even if another
# server is detected on the segment.
config dhcp 'offline'
        option interface 'offline'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        list ra_flags 'none'

Sorry, I have not understood what device performs basic routing functions. A "bridge" is just a bridge, without firewall rules.

However there is option to filter traffic between interfaces, but without specific IP:

Well, the router is the ISP's router. Basically I want my OpenWRT router to act like a switch, but with some firewall rules for the traffic passing through.

This : https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge seems to match what I want to do, but the page kind of doesn't explain anything.

I tried to blindly run:

# Recreate the two device-bound zones from the wiki's bridge example, plus a
# single lan1->wan REJECT rule, then commit and reload the firewall.
# Each zone is rebuilt from scratch (delete first) so stale options do not
# linger. Zones are bound to kernel netdevs via 'list device', not to a
# network interface.

# mk_zone NAME DEVICE: (re)create firewall zone NAME, accepting everything and
# attached to netdev DEVICE.
mk_zone() {
    uci -q delete "firewall.$1"
    uci set "firewall.$1=zone"
    uci set "firewall.$1.name=$1"
    uci set "firewall.$1.input=ACCEPT"
    uci set "firewall.$1.output=ACCEPT"
    uci set "firewall.$1.forward=ACCEPT"
    uci add_list "firewall.$1.device=$2"
}

mk_zone lan1 lan1
mk_zone wan wan

# Rule: reject all protocols from zone lan1 towards zone wan.
uci -q delete firewall.lan1_wan
uci set firewall.lan1_wan=rule
uci set firewall.lan1_wan.name=Deny-LAN1-wan
uci set firewall.lan1_wan.src=lan1
uci set firewall.lan1_wan.dest=wan
uci set firewall.lan1_wan.proto=all
uci set firewall.lan1_wan.target=REJECT

# Persist the staged changes, then apply them.
uci commit firewall
/etc/init.d/firewall restart

And now have :

# Resulting sections: the zones bind directly to the raw ports 'lan1' and
# 'wan' through 'list device' rather than to a network interface.
# NOTE(review): both ports are members of br-lan in the network config above,
# so traffic between them is bridged, not routed; the lan1->wan forward chain
# that the rule below populates therefore sees no packets, which is
# consistent with the "empty zones" observation.
config zone 'lan1'
        option name 'lan1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'lan1'

config zone 'wan'
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list device 'wan'

# Reject everything initiated from lan1 towards wan (only effective for
# routed traffic).
config rule 'lan1_wan'
        option name 'Deny-LAN1-wan'
        option src 'lan1'
        option dest 'wan'
        option proto 'all'
        option target 'REJECT'

in my firewall
But it doesn't seem to work and it seems to simply have created empty zones. I'm not sure the :

# Bind each zone to a kernel netdev. The syntax is fine; the catch is that a
# netdev enslaved to a bridge only carries bridged frames, which the IP
# firewall does not filter.
uci add_list firewall.lan1.device="lan1"
uci add_list firewall.wan.device="wan"

works in my situation...

But then, I bridged my WAN with my LAN[1-4] because it seemed the right way to do it, but maybe it's not...

Do you have lan1 network, specified in /etc/config/network?

No, but the zones above attach on device, not on network afaics

What is default configuration for wan? Please, give default /etc/config/network

I gave you my full /etc/config/network earlier. I don't have a lan1 or wan network. I removed the wan network.

Yes, but device 'lan1' should be described, it is not just port name.

Default configuration, not yours.

I'm sorry, I'm not sure where to find the default one now that I made all these changes. Isn't the default the same for everyone?

Yes, OK, please, specify model of your router.

I have a netgear AC2000 R6850 : https://www.netgear.com/fr/home/wifi/routers/r6850/

OK, make sure, you have transparent bridge wan, lan.

Configuring a single device covering all ports, you have no possibility to filter traffic.

Example about bridge firewall uses TWO SEPARATE ZONES, not single one, as in your case.

OK, make sure, you have transparent bridge wan, lan.

I'm not sure what you mean by that. My bridge seems to work perfectly fine and at the moment, I can access everything connected to my WAN port from my LAN1-4 ports and the other way around.

Configuring a single device covering all ports, you have no possibility to filter traffic.

I don't understand sorry.

Example about bridge firewall uses TWO SEPARATE ZONES, not single one, as in your case.

When I tried the configuration presented in the wiki, I have 2 separate firewall zones.
I had the zone "wan" associated to the device "wan" and the zone "lan1" associated to the device "lan1".

In the meantime, I changed my network a bit to remove port WAN from br-lan and I created a new bridge between port WAN and bridge br-lan.

# Revised /etc/config/network: the 'wan' port was moved out of br-lan into a
# second bridge, 'br-wan', which enslaves br-lan.1 and wan; 'lan' now lives
# on br-wan.
# NOTE(review): the result is still a single layer-2 domain (br-wan), so
# wan<->lan traffic is switched rather than routed and firewall zones bound to
# its member devices cannot filter it.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# VLAN 1 sub-interface of br-lan, used as a member of br-wan below.
config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'

# Outer bridge joining the LAN-side VLAN 1 and the wan port.
config device
        option type 'bridge'
        option name 'br-wan'
        list ports 'br-lan.1'
        list ports 'wan'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

# VLAN 2 (IoT) tagged on lan1 only.
config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'

# Router address obtained by DHCP from the ISP router via br-wan.
config interface 'lan'
        option proto 'dhcp'
        option device 'br-wan'

config interface 'offline'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'
        option device 'br-lan.2'

I then tried to create 2 firewalls zone as in the wiki :

# Two device-bound zones as in the wiki example: 'wan' on the wan port and
# 'dmz' on br-lan.1.
# NOTE(review): both devices are members of br-wan (network config above), so
# packets between them never leave layer 2 and neither zone's forward chain
# ever sees them.
config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list device 'wan'
        option forward 'REJECT'

config zone
        option name 'dmz'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'br-lan.1'

and tried a couple of hard rules:

# Drop everything from dmz towards wan. The rule is syntactically valid; it
# never matches because, with both devices bridged together in br-wan, the
# traffic is switched at layer 2 and is not routed through the dmz->wan chain.
config rule
        list proto 'all'
        option src 'dmz'
        option dest 'wan'
        option target 'DROP'

But the rule never applies :frowning:

Transparent bridge, no filtering. In the example, the 'bridge' between zones is implemented at the 'firewall' level. But it is a bad idea, so the bridge is a transparent link.

I fail to see how in the wiki's example the bridge is implemented on 'firewall' level? I don't see any configuration or info about this. If I need to bridge with firewall instead of bridge device, so be it, but I don't understand how?

There are two separate zones, configured in firewall. 'Bridge' between zones is configured as forwarding in firewall.

But if I don't use a bridge device to link my WAN and LAN, then I'd need to create 2 interfaces :

  • one my WAN in DHCP client mode to get an IP from the ISP router
  • but what about the LAN interface? I want this interface to be on the same subnet as the WAN's. Do I create an "unmanaged" interface? Or maybe I don't need this interface at all because the firewall zone will be attached to the device directly? How will my devices reach the DHCP server of my ISP?

Sorry, it is too complicated. I do not think, it is possible.

It turned out to be quite easy using relayd : https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

network


# Final /etc/config/network using relayd (proto 'relay'). WAN and DMZ are now
# separate routed interfaces joined by relayd instead of one bridge, so
# traffic between them passes through the kernel's IP forwarding path and the
# firewall zones below can act on it.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd0d:56a4:b54e::/48'

# LAN-side bridge over the four lan ports; the wan port is no longer a member.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Isolated IoT segment on VLAN 2.
config interface 'offline'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.2.1'
        option device 'br-lan.2'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'
        list ports 'lan4:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'lan1:t'

config device
        option name 'br-lan.1'
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'

# 'wan' is a routed interface on the wan port, with a lease from the ISP router.
config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

# DMZ is its own routed segment on VLAN 1 of br-lan, router at 192.168.3.1.
config interface 'dmz'
        option proto 'static'
        option device 'br-lan.1'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

# relayd joins 'dmz' and 'wan' at layer 3 (ARP proxying plus host routes) so
# DMZ hosts appear inside the ISP router's 192.168.1.0/24 without a real
# bridge. 192.168.1.3 is the router's own address on the relayed segment; it
# is also the target of the 'webadmin' redirect in the firewall config.
config interface 'wandmz'
        option proto 'relay'
        option ipaddr '192.168.1.3'
        list network 'dmz'
        list network 'wan'

firewall

# Final /etc/config/firewall.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# IoT zone, unchanged: no 'config forwarding' to or from any other zone.
# NOTE(review): 'input ACCEPT' still lets IoT devices reach the router's own
# services; restricting this zone's input to DHCP/DNS would limit what a
# compromised device can probe.
config zone
        option name 'offline'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'offline'

config include
        option path '/etc/firewall.user'

# NOTE(review): 'input ACCEPT' on 'wan' exposes the router's own services to
# the ISP-router side, which the 'webadmin' redirect below suggests is
# port-forwarded from the Internet. Consider 'input REJECT' here plus explicit
# rules for the few things the WAN side must reach (e.g. DHCP replies are
# handled by the conntrack state, not by input rules).
config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'wan'

config zone
        option name 'dmz'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'dmz'

# NOTE(review): this forwarding lets DMZ hosts initiate connections to every
# host on the wan side, i.e. the 2.5G LAN with the PC and NAS, which
# contradicts the requirement that the DMZ must not reach the LAN. A
# 'config rule' with src 'dmz', dest 'wan', 'dest_ip' set to the LAN hosts
# (or to '!<ISP-gateway-address>') and target 'REJECT' is evaluated before
# this forwarding and would close that path while keeping Internet access.
config forwarding
        option src 'dmz'
        option dest 'wan'

# Reverse direction: LAN hosts may reach the DMZ, as intended.
config forwarding
        option src 'wan'
        option dest 'dmz'

# DNAT TCP/443 and TCP/80 arriving on the wan side to the DMZ host
# 192.168.1.201. Internet reachability additionally requires the ISP router
# to forward these ports to this router (inferred, not shown).
config redirect
        option dest 'dmz'
        option target 'DNAT'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.201'
        option name 'https'

config redirect
        option dest 'dmz'
        option target 'DNAT'
        option name 'http'
        list proto 'tcp'
        option src 'wan'
        option dest_ip '192.168.1.201'
        option src_dport '80'

# NOTE(review): 192.168.1.3 is the router's own relay address, so this
# forwards TCP/4321 from the wan side to port 80 on the router itself - the
# admin web UI over plaintext HTTP. If the ISP router exposes 4321 to the
# Internet, the admin login travels unencrypted and is reachable from
# anywhere; prefer HTTPS on the web server, restrict 'src_ip' to known
# addresses, or reach the admin UI only over a VPN.
config redirect
        option target 'DNAT'
        option name 'webadmin'
        list proto 'tcp'
        option src 'wan'
        option src_dport '4321'
        option dest_ip '192.168.1.3'
        option dest_port '80'

dhcp

# Final /etc/config/dhcp.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# IoT pool 192.168.2.100-.249, served even if another DHCP server is seen.
config dhcp 'offline'
        option interface 'offline'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option force '1'
        list ra_flags 'none'

# No DHCP is served on 'dmz' ('ignore'); DMZ hosts presumably obtain their
# 192.168.1.x leases from the ISP router through the relay - confirm.
config dhcp 'dmz'
        option interface 'dmz'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'