Pi4 multi vlan + firewall config Review

Hello, I have gotten a TON of help here on the forum, and I finally have my system up and running. I have posted my modified files and am only looking for insight into anything I could be doing better, or if anything is wrong — and I mean anything; I want to make sure it is clean and correct.

I am open to suggestions and will consider all comments; I am not opposed to doing research if you give me a nifty idea.

Everything seems to be working; I'm looking for any oversights or holes in the config (primarily around the custom "iso" firewall zone for VLANs 30 and 40).

Network

root@openwrt:~# cat /etc/config/network

# Loopback interface (stock OpenWrt default).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# ULA prefix is the source of IPv6 addresses when no delegated prefix is available;
# packet_steering spreads RX processing across CPUs.
config globals 'globals'
        option ula_prefix 'fdc4:5204:2fcd::/48'
        option packet_steering '1'

# NOTE(review): no interface in this file references 'br-lan'; every VLAN
# interface binds directly to an eth0.N sub-interface, so this bridge looks
# unused and could be dropped to keep the file minimal.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# VLAN 10 (802.1Q tag 10 on eth0): router at 192.168.10.1/24. ip6assign '60'
# requests a /60 for this interface from the available IPv6 prefix pool.
# NOTE(review): the thread recommends moving the 'list dns' entries to wan6
# instead of repeating them on each static VLAN interface.
config interface 'vlan10'
        option device 'eth0.10'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

# VLAN 20 (802.1Q tag 20 on eth0): router at 192.168.20.1/24; same layout as vlan10.
config interface 'vlan20'
        option device 'eth0.20'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

# VLAN 30 (802.1Q tag 30 on eth0): router at 192.168.30.1/24. Placed in the
# 'iso' firewall zone in /etc/config/firewall.
config interface 'vlan30'
        option device 'eth0.30'
        option proto 'static'
        option ipaddr '192.168.30.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

# VLAN 40 (802.1Q tag 40 on eth0): router at 192.168.40.1/24. Also in the
# 'iso' firewall zone.
config interface 'vlan40'
        option device 'eth0.40'
        option proto 'static'
        option ipaddr '192.168.40.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

# Upstream IPv4 via DHCP on eth1. peerdns '0' ignores the resolvers the ISP
# hands out, so DNS is whatever is configured locally.
config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option peerdns '0'

# Upstream IPv6 via DHCPv6 on eth1: try to obtain an address and request a /56
# prefix for delegation to the VLANs; ISP resolvers are ignored here as well.
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix '56'
        option peerdns '0'

DHCP

root@openwrt:~# cat /etc/config/dhcp

# dnsmasq: DNS forwarder + DHCPv4 server. Security-relevant settings:
#   rebind_protection '1'  - discard upstream answers pointing at private ranges
#                            (DNS rebinding defence); rebind_localhost '1' keeps
#                            127.0.0.0/8 answers allowed.
#   localservice '1'       - answer DNS only for directly attached subnets.
#   domainneeded/boguspriv - never forward plain hostnames or reverse lookups
#                            for private ranges upstream.
#   ednspacket_max '1232'  - EDNS buffer size kept below the fragmentation threshold.
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# Per-VLAN DHCP: IPv4 pool .100-.249 (start 100, limit 150), 12h leases.
# dhcpv6 'server' + ra 'server' with the managed-config/other-config flags set
# the RA M and O bits, so clients are told to use DHCPv6 (udp/547 on the
# router) for addresses and options. Keep this in mind when writing firewall
# rules for zones whose input policy is not ACCEPT.
config dhcp 'vlan10'
        option interface 'vlan10'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# Same pool layout as vlan10.
config dhcp 'vlan20'
        option interface 'vlan20'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# Same pool layout; vlan30 sits in the 'iso' firewall zone.
config dhcp 'vlan30'
        option interface 'vlan30'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# Same pool layout; vlan40 sits in the 'iso' firewall zone.
config dhcp 'vlan40'
        option interface 'vlan40'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# Never serve DHCP on the upstream interface.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6 and router advertisements; maindhcp '0' leaves DHCPv4
# to dnsmasq.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

FIREWALL

root@openwrt:~# cat /etc/config/firewall

# Global policy: packets addressed to the router (input) and packets routed
# between zones (forward) are rejected unless a zone or rule below allows
# them; traffic originated by the router (output) is allowed. synflood_protect
# enables the SYN-flood rate limiting of the firewall.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted zone. The zone 'forward' policy also governs traffic between networks
# of the same zone, so vlan10 and vlan20 can reach each other and every router
# service without further rules.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'vlan10'
        list network 'vlan20'

# Isolated zone for vlan30 and vlan40.
#   input REJECT   - hosts here cannot reach router services except those
#                    opened by explicit rules (see 'iso-dhcp-dns' and the
#                    ICMPv6 rule below).
#   forward REJECT - applies within the zone too, so vlan30 and vlan40 are
#                    isolated from each other; the only way out is the
#                    explicit 'iso' -> 'wan' forwarding.
#   output ACCEPT  - the router may send to these networks (DHCP offers, RAs,
#                    DNS answers).
config zone
        option name 'iso'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan30'
        list network 'vlan40'

# Upstream zone (stock OpenWrt default). Nothing unsolicited is accepted from
# wan; masq '1' enables source NAT for traffic leaving via wan and mtu_fix '1'
# clamps TCP MSS to the path MTU.
config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

# Forwardings are one-directional: only connections initiated on 'src' are
# allowed towards 'dest'; return traffic rides on connection state. Neither
# zone may initiate connections from wan.
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'iso'
        option dest 'wan'

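# lan may initiate connections into iso; iso cannot initiate towards lan
# (there is deliberately no reverse forwarding). The option name was
# misspelled 'desk' in the original, and a forwarding section without a valid
# 'dest' is skipped by the firewall, so this forwarding was silently never
# applied.
config forwarding
        option src 'lan'
        option dest 'iso'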

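# Router services the isolated VLANs may use: DNS (53), DHCPv4 (67) and
# DHCPv6 (547). Without a 'proto' option the port match applies to both tcp
# and udp; no 'dest' means this is an input rule (traffic to the router).
#   - Port 68 is the DHCPv4 *client* port; the router never needs to accept
#     traffic on it from these networks, as pointed out in the thread.
#   - Port 547 is required because /etc/config/dhcp runs a DHCPv6 server on
#     vlan30/vlan40 with the managed-config flag; with the iso input policy
#     set to REJECT, client Solicit/Request messages would otherwise be
#     rejected and only SLAAC would work.
config rule
        option name 'iso-dhcp-dns'
        option src 'iso'
        option dest_port '53 67 547'
        option target 'ACCEPT'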

# Stock OpenWrt wan input rules. Each opens exactly one protocol towards the
# router itself (no 'dest'), everything else from wan stays rejected.

# The router's own DHCPv4 client (wan) receives offers/acks on udp/68.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# IPv4 echo requests from the internet are answered.
# NOTE(review): harmless but optional; remove if you prefer the router not to
# respond to ping from wan.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IGMP from upstream (multicast membership), IPv4 only.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# The router's own DHCPv6 client (wan6) receives replies on udp/546.
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery: types 130 (query), 131/132 (MLDv1 report/done)
# and 143 (MLDv2 report), restricted to link-local senders (fe80::/10).
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 needed for IPv6 to function on the upstream link (NDP, RA, PMTUD,
# error reporting), rate-limited to 1000 packets per second.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Custom rule: ICMPv6 from the isolated VLANs to the router (no 'dest', so
# this is an input rule). Because the iso input policy is REJECT, without it
# hosts could not perform neighbour discovery or router solicitation towards
# the router, and IPv6 would not come up - which matches what the thread
# observed when the rule was disabled. The type list mirrors the stock
# 'Allow-ICMPv6-Input' rule (plus parameter-problem).
# NOTE(review): unlike the wan variant this rule has no 'limit'; adding
# "option limit '1000/sec'" would keep the two consistent.
config rule
         option family 'ipv6'
         list proto 'icmp'
         option src 'iso'
         option target 'ACCEPT'
         option name 'IPv6 allow specific ICMP'
         list icmp_type 'bad-header'
         list icmp_type 'destination-unreachable'
         list icmp_type 'echo-reply'
         list icmp_type 'echo-request'
         list icmp_type 'neighbour-advertisement'
         list icmp_type 'neighbour-solicitation'
         list icmp_type 'packet-too-big'
         list icmp_type 'parameter-problem'
         list icmp_type 'router-advertisement'
         list icmp_type 'router-solicitation'
         list icmp_type 'time-exceeded'
         list icmp_type 'unknown-header-type'

# Stock rule: ICMPv6 error/echo messages from wan may be forwarded into any
# zone (dest '*'), so IPv6 hosts behind the router get PMTUD and unreachable
# feedback; rate-limited to 1000/sec.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Stock rules that let IPsec (ESP and IKE on udp/500) from wan be forwarded
# into the lan zone. They only matter if a host in lan terminates IPsec.
# NOTE(review): if nothing in lan runs an IPsec endpoint, these two rules can
# be removed to keep the forwarded surface to what is actually used.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

SYSTEM

root@openwrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "openwrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.5",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}

Move these from vlan interfaces to wan6.

68 is not needed.


Thank you for the quick response. I moved the list dns entries to wan6 and set up 1.1.1.1 and 1.0.0.1 on wan. I thought I might be able to do this but wasn't sure; I knew I could do it on lan though. That slims down the network file by 8 lines, so that's nice.


Can I ask why?

DHCP servers only listen for messages addressed to UDP port 67.
DHCP clients send messages via UDP (source) port 68 and only respond to messages sent to that port.



Very cool. Do I need any rule to allow that response on 68, or is it covered by another rule that is already present?

No, no additional rules are required.

This is how I learn best; thanks for the diagram. :+1:

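# Router services the isolated VLANs may use: DNS (53), DHCPv4 (67) and
# DHCPv6 (547); port 68 has been dropped as discussed above. 547 is needed
# because /etc/config/dhcp runs a DHCPv6 server on vlan30/vlan40 and the iso
# input policy (REJECT) would otherwise reject client Solicit/Request
# messages. With no 'proto' set the ports match both tcp and udp.
config rule
        option name 'iso-dhcp-dns'
        option src 'iso'
        option dest_port '53 67 547'
        option target 'ACCEPT'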

# Input rule (no 'dest'): the listed ICMPv6 types from the isolated VLANs are
# accepted by the router, which is what lets hosts there do neighbour
# discovery and router solicitation despite the iso input policy of REJECT.
# NOTE(review): the stock wan rule of the same shape carries
# "option limit '1000/sec'"; this one does not.
config rule
         option family 'ipv6'
         list proto 'icmp'
         option src 'iso'
         option target 'ACCEPT'
         option name 'IPv6 allow specific ICMP'
         list icmp_type 'bad-header'
         list icmp_type 'destination-unreachable'
         list icmp_type 'echo-reply'
         list icmp_type 'echo-request'
         list icmp_type 'neighbour-advertisement'
         list icmp_type 'neighbour-solicitation'
         list icmp_type 'packet-too-big'
         list icmp_type 'parameter-problem'
         list icmp_type 'router-advertisement'
         list icmp_type 'router-solicitation'
         list icmp_type 'time-exceeded'
         list icmp_type 'unknown-header-type'

These are my 2 custom rules. To better understand them: I believe the first allows internet traffic into the iso zone, and the second one is to get IPv6 up and running on the iso zone?

For real lol. See one, do one, teach one — I've been through probably 100 resets to factory settings, but I keep learning a bit more by flooding the forum with questions. I love the activity level here.


And just in case you do not know: open ... and you can bookmark!

The first allows DNS and DHCP requests to the router originating from the iso firewall zone.
The second allows the router to receive ICMPv6 messages of the listed types.

Is the second rule needed? I guess if I shut it off I can test it lol.

Not if you don't use IPv6.

I tested it out and saw that in practice I could turn off IPv6 by turning that rule off lol. Trying to follow the way the existing rules were set up to understand what this rule does, I believe it allows IPv6 to respond back through the router, similar to how the other rule allows wan traffic through to the iso zone. It's not a forward, but it kinda is?

It's essential for proper IPv6 functionality: each lan host needs to communicate with the router for address allocation etc. If you don't allow it, it won't work.

As a whole, does the firewall file look pretty good? I don't want to leave something out because I'm not thinking about it.


The default is pretty fine; you only need to allow the extras you need.
