Is it possible to isolate hosts within a single VLAN (and firewall zone) if they are connected via a DSA-capable switch running OpenWrt? I.e. both hosts would be assigned the same VLAN and subject to the same firewall rules, but not able to communicate with each other unless specific rules are added?
I believe this is analogous to "wireless client isolation" and some searching indicates that some enterprise routers offer something like "port isolation" for wired connections as well.
But it's unclear how those features work. E.g. if I have wireless or port isolation I assume that means the "hardware itself" doesn't automatically forward packets — but does it simply drop them? Or does it send them to the router/CPU, and if so can that be configured to selectively un-isolate the clients? The idea just sort of seems confusing where normally a network or a firewall zone is used as sort of all one mutually-reachable space, but with isolation they clients are still very much all on the same network but are somehow prevented from leveraging that?
The real context of this question is simply:
I already have a "DMZ" VLAN set up, currently with a single host that can be somewhat accessed from the WAN but shouldn't be able to get to anything on the main LAN.
I now want to add a second host to that (or conceptually: a/another) DMZ. Since all the rules are ± the same it seems a pain to set up a whole duplicate VLAN/interface/zone/etc. I really don't want to end up with like a whole VLAN configuration to maintain for each individual host. But there is no need for — and I would rather not allow — these two hosts to talk to each other.
That's what I mean by "a DMZ" — practically I'd like to just reuse the existing DMZ setup, but conceptually the end behavior should approximate two separate DMZs. Is this possible using DSA switch configuration, instead of adding VLANs?
That is not possible, the VLANs are bridged in hardware and the router doesn't even know what's happening between two ports of the same VLAN group. Ethernet is designed as a peer-to-peer network, each client can directly address any other on the same physical subnet, your switches and routers won't even get to know about that - nor do they have the performance to do anything about it.
 technically there are way, using ebtables, to filter a bridge -assuming both devices are connected to physical ports of the router and not some downstream switch- but that is a quite major performance hog, as you'd effectively move the hardware bridging (~= switch) and break it up into a software bridge, which then would need to check/ filter each packet on the router's CPU; you'd be looking at high-end x86_64 to cope with that for a handful of concurrent ports.
I installed kmod-br-netfilter which gives ability to assign firewall rules to bridge ports.
I set the 'Forward'-Switch in firewall for the zone to 'Reject'. This isolates the different interfaces in a zone from each other. Together with kmod-br-netfilter it also isolates all ports in a bridge (in all bridges). Setting the 'Forward'-Switch in firewall for the zone to 'Accept' on the other hand allows traffic between all of the interfaces / bridge ports of a zone.
I set up traffic rules to allow only certain ports opened to hosts in the zone by defining the dest ip in the traffic rules.
With this setup, the traffic does not flow via the bridge between ports but is handled by the router and send back to the target bridge port.
For 19.07 this worked well.
At the moment I try to set something like this up in 21.02. Currently it seems as if the routing between the zones interfaces / bridge ports is now not longer possible. So I'm struggling with the setup but I'm still trying.
Doesn’t zone forward=drop do just this (control data between clients in the same zone)?
When I configured my EAP245 I checked the isolate clients on the radio and thought they would see each other in the actual router anyway since forward was allowed in the actual zone/vlan. But that didn’t work.
And all managed switches will little self esteem have port isolation as a function.
With DSA, VLAN is no longer needed for most configurations. DSA gives you an interface (eth) for each switch port. You can create new bridges and assign which ports are bridged together in Network / Interfaces / Devices tab. Bridges on a DSA switch appear as regular bridges to the OS, but moving packets from one port to another is done in hardware by the switch. With the bridge interface you can set up firewall rules, routing, separate DHCP, whatever you want.
If you apply bridge firewall (firewall inside the bridge, on bridge ports, not between bridge interface and anything else), the bridge is no longer DSA accelerated. It's a normal software bridge, so any configuration you used in v19 should also work in v21. But I don't think this is what you want.
You want a bridge called br-lan between LAN-only ports (and wifi) and two separate interfaces (switch ports) outside the bridge for DMZ hosts. Leave default routing for LAN and add your custom rules for the two interfaces that are outside the LAN bridge, like having separate 3 LANs. You also need separate IPs for the 3 LANs.
Heh, thanks all! Hearing that there might be some potential here but also hearing that it's probably not going to be easier (and certainly not simpler) than just setting up another VLAN.
One other takeaway that I hadn't considered is that, rather than also setting up a whole new firewall zone and troubleshooting all the DHCP/DNS/NTP exceptions and such again, I could set up a second interface but share the same zone.
No. The zone forward control affects the default forwarding between networks that are in the same zone. So let's say you had 3 networks on your router and all of them were assigned to the lan firewall zone. If forwarding is allowed, it would mean that a host on one network would be able to connect to one on a different network -- basically inter-VLAN routing.
Under normal circumstances, the router/firewall is not involved in any connections between hosts on the same network. Traffic on the same network is handled at L2 (switching). Connections of hosts across two different networks involves routing (L3).
There are two methods available for blocking L2 connectivity, but these are not always applicable:
wifi client isolation
-- blocks all wifi clients from connecting to other wifi clients on the same SSID.
-- only applies to wifi-to-wifi connectivity. Wifi-to-wired is still possible
-- works best if there is just a single AP in the network.
---- if multiple APs exist on the network, a client connected to AP#1 could talk to a client on AP#2 and vice versa.
-- it is an all-or-nothing approach. You cannot selectively allow/block connectivity between wifi clients.
Bridge firewall (https://openwrt.org/docs/guide-user/firewall/fw3_configurations/bridge)
-- this is a firewall that works across a bridged interface on the same network
-- the device performing the bridging must be between the two hosts that are to be isolated for this to function.
-- it will not work if the two hosts have another path to connect to each other that is not through the bridge device (i.e. a standard ethernet switch or AP)
Alternatively, some managed switches have the ability to perform port isolation. This is also an all-or-nothing approach, and works best if there is just a single host on each of the ports that is to be isolated.
You can't do this with DSA, because DSA is all about switch ports and you can't connect different virtual machines to different switch ports*. You still need VLANs to separate machines connected on the same switch port. I'm talking here about the router's internal switch.
The second problem is that you use another switch between the router and the machines. You need that switch to also be DSA-capable and you need to configure it from the router. If not, the router won't be able to differentiate the second switch ports. Everything connected there will arrive on the same eth interface of the router.
*) In fact, you can, but you need multiple network adapters (or a multi-port network adapter) on the host machine. Assign different adapters to different virtual machines and connect each adapter to a different port on the switch.
In conclusion, no, DSA won't help you. You need VLANs.
Thanks for the explanation.
I havn't found am affordable switch for home users supporting DSA (no of mine do). But the switch in an Openwrt device / the router is handled by DSA, right? And DSA does allow VLANs?
So this is what I tried with 21.02:
But I still don't get it to work correctly. Am I on the wrong path?
I never used VLANs, so I'm no expert, but it looks like you don't have any routing/forwarding rules between VLANs. A VLAN is like a separate LAN. If you want communication between them, you must instruct the firewall to do so. OpenWrt has default rules for WAN <=> LAN. You must add your own for VLANx <=> VLANy.
Ah, good catch — you're paying better attention than I am actually I don't think I said that out loud? (But I was thinking it…)
In my defense it's still up in the air whether I dedicate an actual separate box to this for even more isolation, or just assume that if I get pwned it's far more likely to be through something silly/lazy I did rather than someone actually burning through a series of LXC and KVM 0-days on me…
Maybe this should be its own thread at this point, but just to confuse things further I stumbled across this checkbox on one of my routers while debugging something else: