Porting from AsusWRT: Vlans and firewall rules

I have been a longtime AsusWRT user now migrating to OpenWRT. It’s mostly going well, but I need some help in ensuring that my Vlan and subnets are working properly, and there are significant differences (e.g. no iptables).

Here’s what my network looks like:

  • Main network (192.168.1.x) with Diversion for adblocking. This is Vlan 1
  • Guest wifi networks on Vlan 101. Addresses are 192.168.20.x
  • There’s an AP, also using guest networks tagged as Vlan 101. The AP is connected to an ethernet port on the router that can handle both tagged and untagged packets (due to physical wiring limitations, there are other devices on a dumb switch that feeds into the router). That way the Guest network on the AP and on the main router behave the same way, and the AP can also work as part of the main network
  • Vlan 101 can communicate with the internet and devices with each other but cannot communicate with the main router or the main network devices. These devices still get adblocking
  • I can block specific devices (Vizio TV and Chinese IP cameras) on Vlan 101 from accessing the internet using ebtables and their MAC. Can only connect to other devices on Vlan 101
  • If a device on the main network establishes a connection with a Vlan 101 IP camera on port 80, 8899 or 554, that device can communicate with the device on the main network
  • Finally, I have a WiiM audio streamer on the guest network which also needs an mDNS reflector. So, I activated Avahi and enabled the reflector, plus made the device reachable from the main network (only established packets from the main network) and allow the traffic on port 5353 to travel between vlans.

Here’s my plan for OpenWRT, please help me point out flaws, answer questions and shoot down bad ideas :slight_smile: I’m using an older EA8300 with 23.05.2 to figure things out, then I'll get a more powerful/modern router

  • For ad blocking, use either adblock-fast or the AdGuard DNS service
  • Create a new device under Network, Interfaces, Devices called br-vlan. Type bridge, connected to port 4 (for the AP). Check “bring up empty bridge” in case I only need wifi vlan. Enable Vlan filtering, enter vlan id 101, check “local” and port 4 tagged. I’m assuming I will need to keep port 4 also as part of br-lan, the default lan bridge
  • Under Interfaces, create a new vlan101 interface, static address, use br-vlan previously created as device, IP address 192.168.20.1, enter the right settings in the DHCP server tab, and create a new firewall zone called fwvlan
  • Set up a new wireless network, mode access point, and network vlan101
  • Go into firewall, set fwvlan -> wan as accept, accept, reject to enable the devices to receive an IP address and connect
  • Figure out the Avahi redirector once everything else works

Devices are connecting to the router, getting a proper IP address, but as I expected (given the firewall rules) can also interact with devices on the main network. I knew that I need better firewall rules, but that’s where I start being lost.

Can you please point me in the right direction on how to replicate my iptables and ebtables rules?

The syntax and semantics of how VLANs are set up differs, so you will have to re-learn that aspect. Therefore the best approach would be to start small, get the minimum services required working - and then extending the configuration piece by piece, getting each step working before tackling the next one (keep backups of each confirmed-working config, so you can roll back or diff your changes easily).

Yes, that much is clear by now :slightly_frowning_face:

Problem is, I don't know how to get started. I mean, vlan and bridge are up and working, I now need to figure out the various ways to make packets flow (or not flow) between devices.

For example, if in the firewall I set fwlan to wan as accept accept reject, the devices on the vlan 101 can access devices on the main network, and I don't understand why. It should only have enabled traffic between the vlan and wan, not the main lan. And with iptables it was clear how the processing order worked (first have the "allow" rules, then one that drops everything else not covered by the previous rules).

Nor do I understand how to set a rule in the firewall or elsewhere. The DSA mini tutorial is not really helping, and a lot of the OpenWRT info is pre-v21, so not relevant anymore

That's why I'm asking for a few pointers to get started. Once I understand one example, expanding it to work more in general is not hard. I'm facing the classic dilemma that what I'm reading doesn't make sense because I haven't read enough...

EDIT: I'm now watching the Youtube video from onemarcfifty which finally starts making sense... I'll digest that and update this post

As @slh said... it's important to start small. I'd recommend just working with 2 networks -- your trusted lan and maybe guest/iot as the second. Make sure they're generally working. Then you can start to create the firewall rules to make the specific allow/deny rules as needed. From there, you'll be learning the syntax and methodology and you should be able to apply the principles to the other network(s) and firewall rulesets.

I would also recommend that you post your config for review at an early stage -- we can let you know if there are any issues that should be addressed... and it's easiest to adjust one or two networks than all of them!

When you're ready to share those configs...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Yes, that's what I have been trying. Bring up one guest network, and ensure that the guest network cannot connect to devices on the main network, but the main network can communicate with the guest network. The problem is that the majority of the documentation and tutorials are for older versions, and there are differences in how bridges are created that probably prevent me from making things work enough to move to the next step.

I tried following https://www.youtube.com/watch?v=UvniZs8q3eU&t=0s, just one network for now. I created a guest vlan 101 on port 4 of my switch (and one wifi), set the firewall as in the tutorial, enabled the rule for DHCP and DNS, but still a device connected to VLAN 101 cannot get an IP address. The tutorial and terminology are clear, I just can't seem to make it work.

Here's all my configuration info. Can anyone see what I'm doing wrong? It's supposed to be like in the tutorial (simplified, I only used one vlan). If I connect to the guest wifi SSID on vlan101, I cannot get an IP address (and there's no other test I can do). I'm sure I'm doing something stupid... but I can't see where the problem is

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "Linksys EA8300 (Dallas)",
        "board_name": "linksys,ea8300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
root@OpenWrt:~# cat /etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd0b:7b51:8f69::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'

config device
        option name 'lan1'
        option macaddr 'e8:xx:xx:xx:xx:xx'

config device
        option name 'lan2'
        option macaddr 'e8:xx:xx:xx:xx:xx'

config device
        option name 'lan3'
        option macaddr 'e8:xx:xx:xx:xx:xx'

config device
        option name 'lan4'
        option macaddr 'e8:xx:xx:xx:xx:xx'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'

config device
        option name 'wan'
        option macaddr 'e8:xx:xx:xx:yy:yy'

config interface 'wan'
        option device 'wan'
        option proto 'dhcp'

config interface 'wan6'
        option device 'wan'
        option proto 'dhcpv6'

config interface 'vlan101'
        option proto 'static'
        option device 'br-vlan101'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config device
        option type 'bridge'
        option name 'br-vlan101'
        list ports 'lan4'
        option bridge_empty '1'

config bridge-vlan
        option device 'br-vlan101'
        option vlan '101'
        list ports 'lan4'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '116'
        option band '5g'
        option htmode 'VHT40'
        option txpower '10'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'RobcaL52'
        option encryption 'psk2'
        option key '-----------'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/a000000.wifi'
        option channel '11'
        option band '2g'
        option htmode 'HT20'
        option txpower '10'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'RobcaL24'
        option encryption 'psk2'
        option key '-----------'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/a800000.wifi'
        option channel '64'
        option band '5g'
        option htmode 'VHT40'
        option txpower '2'
        option country 'US'
        option cell_density '0'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'RobcaL51'
        option encryption 'psk2'
        option key '-----------'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SecureWRT101'
        option encryption 'psk2'
        option key '-----------'
        option network 'vlan101'

config wifi-iface 'wifinet4'
        option device 'radio1'
        option mode 'ap'
        option ssid 'SecureWRT102'
        option encryption 'psk2'
        option key '-----------'
        option disabled '1'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list server '192.168.1.1'
        list server '8.8.8.8'

config dhcp 'lan'
        option interface 'lan'
        option start '10'
        option limit '139'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'vlan101'
        option interface 'vlan101'
        option start '10'
        option limit '140'
        option leasetime '12h'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'br-vlan'
        list network 'vlan101'

config zone
        option name 'iotvlan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'iotvlan'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'guest'

config rule
        option name 'VLAN101 DHCP DNS'
        option src 'guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

would you be willing to reset to defaults -- then we can build up. Right now there is a bunch of stuff wrong and there are some vestigial configs that would be easier to simply clear out en masse by resetting.

@psherman sure, happy to nuke everything to the ground :slight_smile: I'm using an older router to learn, and that's not my main router. So it's no problem nuking and restarting.

Problem is: if I restart, I end up with more or less the same thing, since I started from scratch for this effort following that video. If you can get me a pointer to what I need to do, I'll happily do it. No need for detailed steps, just a sense of what I need to do in terms of creating devices, interfaces and firewall zones

My preferred method for assisting on the forum is actually directly editing the config files -- I can make recommendations from a default config pretty easily once I know what you want to achieve.

With that in mind... You said this is not your main router. That's fine (actually good here)...

  • Will this be a dumb AP? Or will this be operating as a normal router?
  • Do the VLANs exist already on your main router, or will they be uniquely created here?
  • Will the VLANs need to connect (via ethernet) to any other devices (i.e. other APs or VLAN aware switches/computers, etc.)?
  • We'll start with a guest network -- do you have a VLAN ID you want to use for this
  • What physical ports will be assigned to the guest network?

@psherman config files are great. Actually right now they make more sense to me than some of the Luci UI (due to me being new to OpenWRT). In any case, you are helping me and "your time, your rules" :slight_smile: I'm grateful either way for the help.

OpenWRT will be on my main router, and I'm trying to set it up as a main router for my home network. I said that, at the moment, I have an older EA8300 to play with and avoid "breaking" my home internet and keep the family peace. Please assume that the EA8300 will be the main router connecting to my Xfinity DOCSIS modem.

I have 2 additional APs, connected to a managed switch. The APs each have SSIDs that tag traffic using the same VLAN I plan to use on the router. The managed switch also tags some ethernet devices with the same VLAN tag. That way all my "unsafe" devices use the same VLAN. The APs and the managed switch are connected to a port on the router that allows tagged traffic. For what it's worth, this is all working on a router running AsusWRT Merlin. I don't need help with the APs or the managed switch.

I need to create VLANs on the router, if we use 101 it will automatically work with everything else with no other changes. Let's keep it simple, and assume only one vlan for IOT network for now. Devices on the vlan can access the internet, are on a separate dhcp subnet (so can get IP address from the router), but cannot communicate with devices on the main network or the router itself (beyond DHCP/DNS). Devices on the main network can communicate with the iot vlan devices.

For test purposes, let's assign port 3 on the EA8300 as an untagged port for vlan 101 only, and use port 4 for tagged traffic coming from the APs/managed switch (some of that traffic is tagged as vlan 1, the main network, some untagged, some tagged as vlan 101). Ports 1 and 2 are standard main network ports.

Once I have that running, I think I can figure out most of the rest by myself, leveraging what I learned for AsusWRT Merlin (most of my configuration there uses scripts, AsusWRT has no UI for Vlans or bridges).

Ok... let's reset the device to defaults. Then post the default network, dhcp, and firewall files and I'll make some recommended changes.

Here they are (I just changed the dhcp range to make things work with my static IPs)

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.1.1'
	list server '8.8.8.8'

config dhcp 'lan'
	option interface 'lan'
	option start '10'
	option limit '139'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option start '100'
	option limit '150'
	option leasetime '12h'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0b:7b51:8f69::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'e8:9f:80:a4:15:50'

config device
	option name 'lan2'
	option macaddr 'e8:9f:80:a4:15:50'

config device
	option name 'lan3'
	option macaddr 'e8:9f:80:a4:15:50'

config device
	option name 'lan4'
	option macaddr 'e8:9f:80:a4:15:50'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'

config device
	option name 'wan'
	option macaddr 'e8:9f:80:a4:15:4f'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

firewall

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option dest		wan
#	option proto	tcp
#	option target	REJECT

# block a specific mac on wan
#config rule
#	option dest		wan
#	option src_mac	00:11:22:33:44:66
#	option target	REJECT

# block incoming ICMP traffic on a zone
#config rule
#	option src		lan
#	option proto	ICMP
#	option target	DROP

# port redirect port coming in on wan to lan
#config redirect
#	option src			wan
#	option src_dport	80
#	option dest			lan
#	option dest_ip		192.168.16.235
#	option dest_port	80
#	option proto		tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#	option src		wan
#	option src_dport	22001
#	option dest		lan
#	option dest_port	22
#	option proto		tcp

### FULL CONFIG SECTIONS
#config rule
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port	80
#	option dest		wan
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp
#	option target	REJECT

#config redirect
#	option src		lan
#	option src_ip	192.168.45.2
#	option src_mac	00:11:22:33:44:55
#	option src_port		1024
#	option src_dport	80
#	option dest_ip	194.25.2.129
#	option dest_port	120
#	option proto	tcp

We'll start with the network file by making a set of bridge VLANs, putting VLAN 1 untagged on ports 1, 2 and 4 and then VLAN 101 untagged on port 3 and tagged on port 4.

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan3:u*'
	list ports 'lan4:t'

Next we'll edit the lan interface to use br-lan.1 and we'll remove the gateway since that is automatically established by the default route.

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

Now we'll create your IoT network on VLAN 101 with br-lan.101:

config interface 'iot'
	option device 'br-lan.101'
	option proto 'static'
	option ipaddr '192.168.101.1'
	option netmask '255.255.255.0'

Now we can move onto the DHCP file where we'll add a DHCP server for your iot network:

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

While in the DHCP file, I'd highly recommend that you remove this line:

and also disable the dhcp server on the wan by setting it to ignore like this:

config dhcp 'wan'
	option interface 'wan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

Finally, we'll go into the firewall file. We'll add a new iot zone, allow it to use DHCP and DNS (but no other services on the router), and we'll allow forwarding from iot to wan.

config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'


config rule
	option name 'IoT_DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IoT_DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
    option src 'iot'
    option dest 'wan'

Now, restart your router and test the regular lan on port 1 or 2, and the iot network on port 3. Port 4 has the iot network tagged and the lan untagged.

It all makes sense. I did all of the above (new files below), and now devices on the iot vlan can get an IP address (on the right subnet) and access the internet. Port tagging works as expected.

But devices on the iot vlan can still access any IP address on the main network, while the main network cannot access the devices on the iot vlan. The latter probably because there's no forwarding rule from lan to iot, but I'm not sure I understand why devices on the iot network can access the lan and router on 192.168.1.1 but not 192.168.10.1 (so some of the rules to block the iot devices work).

As a test, I added

config forwarding
	option src		'lan'
	option dest		'iot'

to the firewall, and as I expected now lan devices can reach the iot ones.

So now the only thing left to understand is how to block the iot devices from accessing the main lan

BTW: I'm using 192.168.10.1 for the vlan dhcp instead of the one you had. irrelevant, I know.

dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '8.8.8.8'

config dhcp 'lan'
	option interface 'lan'
	option start '10'
	option limit '139'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'iot'
	option interface 'iot'
	option start '10'
	option limit '139'
	option leasetime '12h'
	option dhcpv4 'server'

network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0b:7b51:8f69::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config device
	option name 'lan1'
	option macaddr 'e8:9f:80:a4:15:50'

config device
	option name 'lan2'
	option macaddr 'e8:9f:80:a4:15:50'

config device
	option name 'lan3'
	option macaddr 'e8:9f:80:a4:15:50'

config device
	option name 'lan4'
	option macaddr 'e8:9f:80:a4:15:50'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '101'
	list ports 'lan3:u*'
	list ports 'lan4:t'
	
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'e8:9f:80:a4:15:4f'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'iot'
	option device 'br-lan.101'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'

firewall

config defaults
	option syn_flood	1
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
# Uncomment this line to disable ipv6 rules
#	option disable_ipv6	1

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wan6'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config zone
    option name 'iot'
    list network 'iot'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
	
config forwarding
	option src		lan
	option dest		wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

# Allow IPv4 ping
config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config rule
	option name 'IoT_DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'IoT_DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'

config forwarding
    option src 'iot'
    option dest 'wan'

From which network to which network? 192.168.10.0/24 to 192.168.2.0/24?
This should not be possible.

I did forget to create a forward rule for that... the rule would be this:

config forwarding
    option src 'lan'
    option dest 'iot'
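
The zone logic psherman walks through above (the iot zone's REJECT policies, the DHCP/DNS input rules, and the one-way lan to iot forwarding that lets lan open connections while replies return over conntrack), as an added example that is not code from the thread or from OpenWrt: a small Python model that parses the posted firewall file and reproduces the order in which fw4 reaches a verdict. It assumes fw4's documented evaluation order (explicit rules, then forwardings, then a zone's own forward policy for traffic that stays within that zone, then the defaults section), ignores src_ip, family and icmp_type, and embeds a constructed excerpt of the thread's final firewall file.

```python
"""fw4 (OpenWrt 22.03+) verdict model for this thread's UCI firewall.  Added
example, not code from the thread or OpenWrt; it models zone policies,
forwardings, proto and dest_port only (no src_ip, family or icmp_type)."""
import shlex

# Constructed excerpt of the thread's final /etc/config/firewall.
FIREWALL_UCI = """config defaults
	option input REJECT
	option forward REJECT
config zone
	option name lan
	option input ACCEPT
	option forward ACCEPT
config zone
	option name wan
	option input REJECT
	option forward REJECT
config zone
	option name 'iot'
	option input 'REJECT'
	option forward 'REJECT'
config forwarding
	option src lan
	option dest wan
config forwarding
	option src 'iot'
	option dest 'wan'
config rule
	option name 'IoT_DHCP'
	list proto 'udp'
	option src 'iot'
	option dest_port '67-68'
	option target 'ACCEPT'
config rule
	option name 'IoT_DNS'
	option src 'iot'
	option dest_port '53'
	option target 'ACCEPT'
"""
# One-way forwarding added at the end of the thread (replies ride on conntrack).
LAN_TO_IOT = "config forwarding\n\toption src 'lan'\n\toption dest 'iot'\n"

def parse_uci(text):
    """One dict per 'config' section; 'list' keys become Python lists."""
    sections, cur = [], None
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)   # handles quotes, tabs, '#'
        if not parts:
            continue
        if parts[0] == "config":
            cur = {".type": parts[1]}
            sections.append(cur)
        elif parts[0] == "option":
            cur[parts[1]] = parts[2]
        elif parts[0] == "list":
            cur.setdefault(parts[1], []).append(parts[2])
    return sections

def _port_in(spec, port):
    """dest_port: absent (any port), a list like '53 67 68', or a range '67-68'."""
    for item in (spec or "").split():
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return spec is None

def _rule_hits(rule, src, dest, proto, port):
    protos = rule.get("proto", "tcp udp")       # fw4 default when proto is unset
    protos = " ".join(protos) if isinstance(protos, list) else protos
    rdest = rule.get("dest")                    # no dest => rule for router input
    return (rule.get("src") == src
            and (rdest is None) == (dest is None)
            and rdest in (None, "*", dest)
            and proto in protos.split()
            and _port_in(rule.get("dest_port"), port))

class Firewall:
    def __init__(self, uci_text):
        secs = parse_uci(uci_text)
        self.defaults = next(s for s in secs if s[".type"] == "defaults")
        self.zones = {s["name"]: s for s in secs if s[".type"] == "zone"}
        self.fwd = {(s["src"], s["dest"]) for s in secs if s[".type"] == "forwarding"}
        self.rules = [s for s in secs if s[".type"] == "rule"]

    def verdict(self, src, dest, proto, port):
        """Verdict for a NEW flow from zone src to zone dest (dest=None means the
        router itself): rules, then forwardings, then zone policy, then defaults."""
        for rule in self.rules:
            if _rule_hits(rule, src, dest, proto, port):
                return rule["target"]
        if dest is None:
            return self.zones[src].get("input", self.defaults["input"])
        if (src, dest) in self.fwd:
            return "ACCEPT"
        if src == dest:   # routed traffic between two networks of the same zone
            return self.zones[src].get("forward", self.defaults["forward"])
        return self.defaults["forward"]   # no forwarding between these zones
```

Traffic between two iot hosts on the same subnet never reaches the router's forward chain at all (the bridge switches it), so the intra-zone verdict only matters for routed traffic between different networks of one zone.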

I'm sorry, I just realized I was typing the wrong subnet address. You are right, devices on 192.168.10.x cannot access 192.168.2.x. Your rules work as expected, my brain doesn't :slight_smile:

And, yes, I did figure out the additional forward rule (it was in my previous message), it all makes sense now. Finally.

Thanks again and Happy New Year!
