Removing wan from lan to isolate management

So basically I want one port on the lan to be used for management only but at the same time i dont want this port to have access to the internet (wan), i have already isolated the other ports from this one port, i was thinking all i needed to do was remove the check mark from the lan that says “allow forward to destination zones” which is found in the firewall tab, i found out later that i couldn’t reach websites but i could still ping Google. Can someone tell me how to fix this, thanks in advanced

Isn't there a traffic rule in the default configuration which allows ICMP ping?

I wouldn't worry to much about that, but you can add a reject/drop rule for the management zone before the mentioned rule.

Is the management LAN on it's own subnet, or still utilizing LAN's subnet? Generally speaking, management vLANs are usually on their own subnet, utilizing their own separate vLAN.

You would make a second LAN using its own VLAN ID (and new subnet)...it would only be configured on the port you specify. From there, you set the firewall zone to forward NOWHERE. You also allow INPUT to the router for management via HTTP and SSH.

See: Separate subnet on physical port #4

@mikma does it matter in what order I enter the firewall rules? I placed this rule at the very end
config rule
option src 'lan'
option dest 'wan'
option name 'Deny lan WAN'
option proto 'all'
option target 'DROP'

@JW0914 yes it is in its own subnet and own vlan, which is the default vlan 1, vlan 1 only has this port, was i supposed to make a new vlan instead of using the default vlan? The CPU is tagged

@lleachii so then I cant used the default vlan1 for port 1 even though the CPU is tagged? I was reading your comment from the other tread which says "From there, you will go to the “Switch” tab. You will add this VLAN to the CPU, and add it to what the OpenWRT manual notes as your 4th port (removing the other LAN from the port)." Im not to sure what is the 4th port, is this the physical port 4?

Yes it matters, the rules are executed in order as entered. You may want to place the drop rule first.

and by first you mean right after my section /etc/firewall/user correct, or do you mean at the very beginning of /etc/config/firewall

I was thinking of rules in /etc/config/firewall. The order of those can be changed by editing the file, using "uci reorder" or in the web interface using the arrow buttons.

:crazy_face: what! Well I learned something new today, so in your opinion should I have all my drops and rejects first then instead of the original default rules? is it safe to change the order or the original rules (default ones) and since you mentioned to just place my drop at the beginning do I even need an /etc/firewall/user section?

I think you're making this quite difficult.

I think two solutions have been presented:

  • Use firewalling to separate the management
  • Instead, firewall access to the router on VLAN1, only allow DHCP on VLAN 1. Then, make a separate management VLAN and switch port for management - this is what I suggest. It does require creating a VLAN Interface, new Firewall Zone and adding this to a switch port.

You can renumber the LANs if you desire, it's your router. Please be aware, the CPU must be tagged with the VLAN you wish to access the router on...in fact, you may be able to remove the tag for others, but I don't advise this.

You have to place drops first if your zone accepts by default.

It depends what you used it for. I only add RAW rules to it. All other rules should be configurable in the UCI.

@lleachii but my firewall rule does not seem to work which is

config rule
option src ‘lan’
option dest ‘wan’
option name ‘Deny lan WAN’
option proto ‘all’
option target ‘DROP’

As for the separate vlan I think I already did that when I tagged vlan1 on the CPU, it looks something like this

config interface 'lan’
option type 'bridge’
option proto 'static’
option ipaddr '9.9.1.1’
option netmask '255.255.255.0’
option ip6assign '60’
option ifname ‘eth1.1’

config switch_vlan
option device 'switch0’
option vlan '1’
option vid '1’
option ports ‘0t 2 ’

Unless I'm missing a command, the only step I haven't done is to add a separate firewall zone as I was using the default lan firewall zone

What do you mean by RAW rules, the /etc/firewall/user section was added automatically when I created a guest network

No, you did not, I am telling you to createa a NEW VLAN only used for management. You will also tag this one...e.g. VLAN 8.

It was NOT created automatically, please read the Firewall Wiki. That is where you place custom firewall rules. You should only place rules there if you cannot place them in the UCI.

Pick one:

  • Use firewalling to separate the management
    OR
  • make a separate management VLAN and switch port for management

DO NOT DO BOTH.

I understand the point you're making with the above in the context it was used, however there are use cases for adding iptables rules to /etc/firewall.user, even when the same rules can be added to /etc/config/firewall.

  • fw3 is what controls the firewall in OpenWrt and /etc/config/firewall cannot be configured to place specific rules 1st in order of processing by iptables. Placing a rule 1st in /etc/config/firewall will place the rule fairly high up in the order of iptables rules, but it will never be the 1st rule processed by iptables.
    • This can be seen by comparing the output from the following two commands:
      • fw3 print
      • iptables --list-rules

@lleachii okay so i created a new vlan and firewall interface but I can still ping google, so maybe I'm doing something wrong, so can you share how a config should look like

  • Are you pinging from the new VLAN...OR THE ROUTER???
  • Do you have a permit FORWARD of ICMP-Echo-Request or to 8.8.8.8 anywhere in your firewall rules???

Generally, if you're logged into the OpenWRT box, no matter the interface you used to get there, you can ping the outside through the WAN interface. This is due to the routing table doing what it is supposed to; sending packets out the "right" interface for the destination.

Same thing for a "desktop" as they typically will have more than just the VLAN for the management interface.

1 Like

If the OP is trunking both VLANs to his desktop, yes. If that's the case, then that's a routing issue. Performing a traceroute from the client will determine what gateway (VLAN) is being used.

@jeff @lleachii! I cant ping 8.8.8.8 from the vlan (computer) but I can ping from the router, I'm under the impression if the new vlan is not forwading to wan (“Zone => REJECT”) that I shouldn't be able to ping even from the router correct? No I'm not trunking my vlans. Ill have to check the ICMP-echo later today
Dont pay attention to the label "lan" in the zone, my zone name is different but everything else is identical to the picture

No, pinging from the router is "OUTPUT" not "FORWARD"

At this point, I'd strongly suggest taking the time to understand some basic networking concepts and how the Linux firewall works, at least in terms of

  • PREROUTING
  • POSTROUTING
  • INPUT
  • OUTPUT
  • FORWARD

The presence of the management VLAN has nothing to do with the router's outside-world connectivity.

You circled the wrong item, the REJECT underneath "Forwardings" is actually what prevents the connectivity to the Internet.

If you use the router to test ping you must:

ping 8.8.8.8 -I <IP_of_LAN>

The OUTPUT ACCEPT config is the reason you're still able to ping from the router. The default ESTABLISHED,RELATED rule is why you receive the ECHO-Reply. IF YOU CHANGE THE DEFAULT OUTPUT ACCEPT, YOU WILL STOP RECEIVING PACKETS LIKE DHCP replies, DNS replies, etc.!!!