I need some help organizing my home network into zones or easily partitioned subnets so I can apply different rules to different parts.
My current network consists of:
router
2 piholes for DNS (one for children, one for everyone else)
3 switches
SmartThings/Philips hubs
devices needing static IPs
childsafe zone
general zone
I'd like to divide the network into at least 4 chunks: infrastructure, static IPs, childsafe zone, and everyone else. I need to be able to apply different firewall & port forwarding rules based on those chunks. For example:
If you are in the general zone, you get pihole #1 for DNS, and any outgoing requests to 53 get captured and redirected back to the pihole #1 using NAT.
if you are in the childsafe zone, you get pihole #2 for DNS and any outgoing requests to 53 get captured and redirected back to the pihole #2 using NAT.
If you are in the infrastructure zone, your outgoing DNS requests don't get redirected, since the piholes need to be able to make requests.
What's the best way to do this so I can make firewall rules that are easy to maintain and apply specifically to certain groups? Do I create more zones (in Luci->Network->Firewall - Zones?) Do I group them using manageable CIDRs, like 192.168.1.1/28 -- it doesn't seem like I can apply firewall rules or forwarding rules based on CIDR ranges in LUCI at least.
I don't want to overcomplicate this, so I'm open to any suggestions.
You can have one interface per zone or combine interfaces into one zone.
With zones you can manage the interzone and intrazone traffic, so you probably want all zones to forward to wan. Then you can have rules to fine tune the firewall settings.
I was looking over those docs and wondered, can I use netmasks/CIDR in src_ip when defining redirects? The docs say the src_ip type is "ip address", which implies to me that it is a single IP?
i.e.:
config redirect
option target 'DNAT'
option name 'Redirect DNS queries to Pihole'
option src 'lan'
option src_ip '192.168.1.128/25'
option src_dport '53'
option dest 'lan'
option dest_ip '192.168.1.3'
option dest_port '53'
You most likely want to have different network interface.
OpenWRT comes with a vlan called "lan" by default. That one uses vlan 1 on eth0, so "eth0.1" is most likely what you have already in your network configuration somewhere.
Let's say you have 192.168.1.1 for your router and 255.255.255.0 as subnet.
Let's say you want to use 192.168.1.0/28 for "servers", 192.168.1.16/28 for "kids" and 192.168.1.32/28 for "IoT".
How do you make sure your kids will always stay in that range? Static DHCP leases on your router? What if your kids learn how IP addresses are set statically e.g. on android and just put "192.168.1.8" in there?
Splitting a given network with no actual internal firewalling into several smaller subnets can be a strategic thing, a rule of thumb when trying to remember your devices by IP. But if it comes to network security, you will not get around setting up actual different interfaces on your router.
So I suggest you
read up on how OpenWRT deals with vlans,
set up different interfaces on your router (192.168.1.1/24 for LAN, 192.168.2.1/24 for IoT, 192.168.3.1/24 for kids)
and create firewall rules based on OpenWRT interfaces instead of IP ranges.
There might be a way to partition a single network into smaller segments by fiddling around with those firewall rules. But since every working example you will find on the internet isn't going to apply, I strongly advise against that.
As to your redirect question: To my knowledge, the "src_ip" really is only a single IP address. So what you're drafting will not work. Please go to the Web UI (LuCI) and add your redirect there. There's some validation that will prevent you from saving if you did something wrong.
If you want to have any DNS traffic on a single interface hit the pi hole instead of your OpenWRT, you might just adjust this OpenWRT interface's DHCP setting and directly announce 192.168.1.3 as DNS server. Your clients will ask the pi hole directly and your OpenWRT won't have any DNS traffic to handle at all, neither by directly responding nor by redirecting requests.
Thanks - yes, the kid's devices get a static IP based on the MAC address.
I'm not worried so much about my kid trying to circumvent the system. There is always going to be some way for them to work around it, so the system does not have to be bulletproof. (Use cellular, at a friend's house, etc etc) I mainly want to protect her against internet nastiness.
Wouldn't the vlan idea of having a whole Class C for kids have the same issue with assigning static IPs? Why can't they just go in and stick another IP assignment in there?
The issue with doing all this in Luci is that not all valid options exist in Luci. For example, IPsets are valid for firewall rules but Luci doesn't seem to let you use them.
If you go with vlans, your router will look like this:
interface "lan":
IP 192.168.1.1/24
dynamic DHCP from 192.168.1.100 to 192.168.1.200
enough headroom for static IPs from 192.168.1.2 to 192.168.1.99
interface "kids":
IP 192.168.2.1/24
dynamic DHCP from 192.168.2.100 to 192.168.2.200
enough headroom for static IPs from 192.168.2.2 to 192.168.2.99
Firewall rules will only be defined "from kids to WAN", without any "source IP" to be typed in.
If your kids go and put e.g. 192.168.1.8 as static IP addresses in, they will simply not be able to establish any network connections because the router leg they are wired to doesn't accept anything from 192.168.1.* but only from 192.168.2.*.
And if they go and put e.g. 192.168.2.8 as static IP address in, they will be able to establish network connections to the router and to the internet, but they will undergo the very same firewall rules they would have if they had used dynamic DHCP.
Sorry, I'm about to go read and watch some videos on VLANs, but most of their devices are wireless. Am I being too literal when reading what you wrote about "leg they are wired to"?
The leg is just a figure of speech. I'm not sure if you even find something in any kind of literature about that.
Your router has five different hardware ports. One is labeled "wan", four are labeled "lan1" to "lan4".
OpenWRT default setting is:
Internal interface "lan" is set to "br0.1", which is vlan 1.
Internal interface "wan" is set to "br0.2", which is vlan 2.
br0 is bridged to the hardware switch exposing those 5 ports.
hardware outlet "wan" is tagged as "vlan 2 untagged", which means it exposes whatever "br0.2", hence, whatever the internal "wan" port has to offer in terms of traffic.
hardware outlets "lan 1" to "lan 4" are tagged as "vlan 1", which means they expose whatever "br0.1", hence, whatever internal port "lan" brings.
So by default, the internal interface "lan" and the hardware ports "lan 1" to "lan 4" are aligned.
Now imagine you invent an internal interface "kids".
Use vlan 3 for them.
Make the hardware port "lan 4" not be tagged "vlan 1 untagged" but rather "vlan 3 untagged".
Now lan ports 1 to 3 are "lan" and lan port 4 is "kids".
Now add a new kids SSID.
Technically, you don't wire the SSID to the hardware port "lan 4" but to the internal interface called "kids".
This internal interface has the IP address 192.168.2.1.
Now imagine your kids using an android device connected to the kids SSID.
What will be the default gateway they are using?
It's 192.168.2.1 on the internal interface "kids".
If you hook up a regular computer on lan 4 and sniff all packets there, you will see traffic between your kids and your router's 192.168.2.1 -- but no traffic at all from any of your devices on your "lan" network. They are completely separated.
I'm just lacking a professional name for that "internal interface" thingy. Interfaces are all of them. The wifi is an interface, the hardware outlet is an interface, the internal (logical) device that has an IP address assigned to it is an interface.
So whenever I talk about a direct connection with no routing involved but only "layer 2" in terms of OSI, that's when I'm calling it "the router has a leg in this network". Quite literally.
But as mentioned, that's nowhere near an official term.
Sorry for the confusion
Regarding how to make sure the kids will stay in the kids' network, you can create a separate SSID for their devices which will be attached to a kids interface and assign it to the kids firewall zone. Same applies for all the other zones/interfaces. There is no need to mess with vlans, unless there are wired devices.
Ah yes, I'm starting to see how this would work and have been able to set up SSIDs for a kids network that uses the correct pihole for DNS. One issue, however, is that because it is on a different zone than the pihole, all the DNS requests appear to come from the router instead of the device. Is there a way around this?
OK, I'm definitely making progress I think. I have a Wifi SSID set up for IOT assigned to 192.168.3.1/24. Now, I have a few hubs (SmartThings, Hue) that have ethernet connections instead of Wifi. Is it possible to get them a static or dynamic IP in that range as well? If I just assign one using the normal LUCI interface, it doesn't work.
Here you don't declare the DNS that will be advertised to the users, but the upstream DNS. For the first one you need to use option 6 in dhcp options. Same applies to kidzone and iot.
Hmm, I'm having trouble making this work. I assume the br-iot/br_iot difference is just a typo? I made them both br_iot.
Anyway, it isn't working and it seems to mess up the 5G radio for some reason which makes no sense to me!
I tried looking and following a YouTube video to just get the initial vlan working, but the example kept showing lan0 and lan1 interfaces and I'm not sure how to recreate that on my device. I see eth0.0 (vlan0) is assigned to the physical LAN ports and eth0.1 (vlan1) is to the physical WAN port. br-lan bridges the LAN and WIFI.
I have an additional WIFI ssid for IOT, so how do I combine that WiFi with a devices on a physical LAN port?
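Putting the pieces of this thread together as one worked configuration: a "kids" interface and an "iot" interface, each its own firewall zone, with the kids zone handed pihole #2 via DHCP option 6 and any stray port-53 traffic from that zone DNAT'ed to pihole #2, while the default "lan" (where the piholes live) gets no redirect so they can reach their upstream resolvers. This is an added example, not configuration posted by anyone in the thread or shipped by the OpenWrt project. It assumes OpenWrt 19.07-style UCI syntax (`option ifname` on the interface, a swconfig switch named `switch0`), that the CPU port is switch port 0 and "lan 4" is switch port 3 (check with `swconfig dev switch0 show`; on a DSA-based build the bridge and VLAN syntax differ), a radio called `radio0`, pihole #2 at 192.168.1.4 (the thread only gives 192.168.1.3 for pihole #1), and a made-up MAC address for the Hue hub. SSID names and the key are placeholders.

```uci
# /etc/config/network  (kids and iot are bridges: one VLAN sub-interface each,
# the wifi-ifaces below join the same bridge via "option network")
config interface 'kids'
        option type 'bridge'
        option ifname 'eth0.3'          # assumption: VLAN 3 carries the kids segment
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'

config interface 'iot'
        option type 'bridge'
        option ifname 'eth0.4'          # assumption: VLAN 4 carries the IoT segment
        option proto 'static'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

config switch_vlan                      # lan 4 (switch port 3, assumed) becomes an untagged kids port
        option device 'switch0'
        option vlan '3'
        option ports '3 0t'             # 0t = tagged towards the CPU, so eth0.3 exists

config switch_vlan                      # lan 3 (switch port 2, assumed) becomes an untagged IoT port
        option device 'switch0'         # for the wired SmartThings/Hue hubs
        option vlan '4'
        option ports '2 0t'

# /etc/config/wireless  (the SSID is attached to the logical interface, not to a port)
config wifi-iface 'kids_wifi'
        option device 'radio0'
        option mode 'ap'
        option network 'kids'
        option ssid 'home-kids'         # placeholder
        option encryption 'psk2'
        option key 'change-me'          # placeholder

config wifi-iface 'iot_wifi'
        option device 'radio0'
        option mode 'ap'
        option network 'iot'
        option ssid 'home-iot'          # placeholder
        option encryption 'psk2'
        option key 'change-me'          # placeholder

# /etc/config/dhcp
config dhcp 'kids'
        option interface 'kids'
        option start '100'              # dynamic pool 192.168.2.100-200, static leases below .100
        option limit '101'
        option leasetime '12h'
        list dhcp_option '6,192.168.1.4'   # option 6 = DNS server: pihole #2 (assumed address),
                                           # so clients query it directly and the router is not
                                           # the source of their queries

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '101'
        option leasetime '12h'

config host                             # static lease; only honoured when the hub is actually
        option name 'hue-bridge'        # on the iot interface (wired to the VLAN 4 port)
        option mac '00:11:22:33:44:55'  # constructed MAC, replace with the hub's own
        option ip '192.168.3.10'

# /etc/config/firewall  (lan/wan zones stay as the default config defines them)
config zone
        option name 'kids'
        list network 'kids'
        option input 'REJECT'           # kids devices may not talk to the router itself...
        option output 'ACCEPT'
        option forward 'REJECT'

config rule                             # ...except DHCP, and DNS to the router as a fallback
        option name 'kids-router-dhcp-dns'
        option src 'kids'
        option dest_port '53 67 68'
        option proto 'tcp udp'
        option target 'ACCEPT'

config forwarding
        option src 'kids'
        option dest 'wan'

config rule                             # kids -> lan is otherwise rejected; allow only DNS to pihole #2
        option name 'kids-to-pihole2-dns'
        option src 'kids'
        option dest 'lan'
        option dest_ip '192.168.1.4'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config redirect                         # catch hard-coded resolvers (8.8.8.8 etc.) in the kids zone
        option name 'kids-dns-to-pihole2'
        option target 'DNAT'
        option src 'kids'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.1.4'
        option dest_port '53'
        option proto 'tcp udp'

config zone
        option name 'iot'
        list network 'iot'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'iot'
        option dest 'wan'
```

The rules match on the zone, so no source IP or CIDR ever appears in them; a kids device that sets itself a static address still lands in the kids zone because the zone is the interface, not the address range. The general zone gets the same pattern with pihole #1 (192.168.1.3) substituted, and the "infrastructure" devices simply stay on the default lan interface, which carries no redirect. After editing, apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then verify from a kids device that `nslookup example.com 8.8.8.8` is answered and that the pihole #2 query log shows the device's own 192.168.2.x address as the client.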