Restrict communication between two VLANs to only a single host in each VLAN

Greetings all,

I have created two VLANs and a zone for each VLAN. I then enabled one-way communication from zone_VLAN_1 to zone_VLAN_2, but not in the opposite direction. Consequently, only the hosts from VLAN_1 can initiate communications with hosts in VLAN_2.

I need one and only one host in VLAN_2 to initiate communication with one and only one host in VLAN_1. Can I:

(i) create an exception using the traffic rules(?) for the two IP addresses to enable this; or
(ii) do I need to enable two-way communications between the zone_VLAN_1 and the zone_VLAN_2, and restrict the two hosts using the traffic rules(?) by, e.g., their IP addresses?

Kindest regards,

M

Create a traffic rule that accepts traffic with:

  • protocol depends on the application -- often TCP and/or UDP
  • source zone VLAN_2
  • source IP < host.ip.address.vlan2 >
  • destination zone VLAN_1
  • destination IP < host.ip.address.vlan1 >
  • Optionally add port(s) to the rule if you want to restrict it to only specific ports

Hi @psherman,

thank you very much for your reply.

Is this correct, or at least close:

config rule
        option name 'Allow-IP_Adresses'
        option src 'Lan_2'
        option src IP '192.168.2.10'
        option dest 'Lan_1'
        option dest IP '192.168.1.10'
        option proto 'tcp'
        option target 'ACCEPT'

Kindest regards,

M

Conceptually yes, but I think the syntax is incorrect.

Hi @psherman,

Thank you, I did not find many examples in the manual. I will keep searching.

Kindest regards,

M

It should look like this:

config rule
        option name 'Allow-IP_Adresses'
        list proto 'tcp'
        option src 'Lan_2'
        list src_ip '192.168.2.10'
        option dest 'Lan_1'
        list dest_ip '192.168.1.10'
        option target 'ACCEPT'

Hi @psherman,

Yes, thank you.

I figured it out and fixed the firewall, but I still have an issue. Perhaps the traffic rule cannot overwrite the zones' settings.

I am investigating.

Kindest regards,

M

It should be independent of the zone's settings, but the order of rules is relevant.

cat /etc/config/firewall

Hi @psherman,

Thank you, I did not know that, but it seems that there is no logic to the ordering in the firewall listing, see:

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'Lan_WS'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'Lan_WS'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'Lan_WS'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'Lan_WS'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'Lan_Servers'
        option input 'ACCEPT'
        option output 'ACCEPT'
        list network 'Lan_Servers'
        option forward 'ACCEPT'

config forwarding
        option src 'Lan_WS'
        option dest 'wan'

config forwarding
        option src 'Lan_WS'
        option dest 'Lan_Servers'

config forwarding
        option src 'Lan_Servers'
        option dest 'Lan_WS'

config zone
        option name 'Lan_Legacy'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Lan_Legacy'
        option masq '1'

config forwarding
        option src 'Lan_WS'
        option dest 'Lan_Legacy'

config rule
        option name 'Allow IP_adresses'
        option src 'Lan_Legacy'
        list src_ip '192.168.0.10'
        option dest 'Lan_Servers'
        list dest_ip '192.168.2.10'
        option target 'ACCEPT'
        option family 'ipv4'

The problem here is that Lan_Legacy does not have a route to 192.168.2.10. So this rule cannot work.

You can create a port forward for this, but it has to be selected ports, and the way that the device on Lan_Legacy will reach the host within your network is by the router's address on the Lan_Legacy interface (I can't remember what it was, but something like 192.168.x.5, IIRC).

Hi @psherman,

Yes, but I do not want the hosts on Lan_Legacy to reach the Lan_Servers in general. I am trying to allow this single host to back up the host as a courtesy.

Let me learn about port forwarding.

Kindest regards,

M

I understand... and, in fact, due to the masquerading and the lack of a route, they can't actually reach the servers behind your own router. But you can selectively forward one or more ports from the Lan_Legacy interface to the server of interest.

Hi @psherman,

Exactly, I had tested this extensively, and it works beautifully.

So, the port forwarding appears as the only option. I am researching it now. I think that I need to mount the server on the host via SMB/CIFS, which is port 445 if I am not mistaken.

Kindest regards,

M

Hi @psherman,

I am missing something:

config redirect
        option dest 'Lan_Legacy'
        option target 'DNAT'
        option family 'ipv4'
        option src 'Lan_Servers'
        option src_dport '445'
        option dest_port '445'
        list proto 'tcp'
        option name 'SMB'
        option dest_ip '192.168.0.5'

But what?

Kindest regards,

M

Is the server located here 192.168.1.10?

If so, the destination IP should match that:

config redirect
        option dest 'Lan_Legacy'
        option target 'DNAT'
        option family 'ipv4'
        option src 'Lan_Servers'
        option src_dport '445'
        option dest_port '445'
        list proto 'tcp'
        option name 'SMB'
        option dest_ip '192.168.1.10'

And your connection (from the host on the lan_legacy network) should be to IP 192.168.0.5 (which I believe is the router's address on that network).
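
An added example, not from this thread and not OpenWrt's own code: a small Python checker for the text of /etc/config/firewall that covers three points raised above. It rejects malformed option/list lines such as `option src IP '...'` (two value tokens after the key is not valid UCI syntax), lists the rule sections in file order (fw3/fw4 install rules in that order, so the first matching rule wins), and flags a DNAT redirect whose dest_ip is one of the router's own addresses instead of the server, which is the mistake fixed in this thread. The sample config, the router addresses passed in (192.168.0.5 and 192.168.1.1) and the key sets RULE_KEYS/REDIRECT_KEYS are constructed for the example; the key sets are a hand-picked subset of the firewall options, not the full list.

```python
"""Checker for OpenWrt /etc/config/firewall text (example code, not from the thread)."""
import shlex

# Hand-picked subset of keys fw3/fw4 accept in 'rule' and 'redirect' sections
# (assumption: enough for this thread; the real option lists are longer).
RULE_KEYS = {"name", "src", "dest", "src_ip", "dest_ip", "src_port", "dest_port",
             "proto", "icmp_type", "family", "target", "limit", "enabled"}
REDIRECT_KEYS = {"name", "src", "dest", "src_ip", "src_dport", "dest_ip", "dest_port",
                 "proto", "target", "family", "enabled", "reflection"}


def parse_uci(text):
    """Parse UCI text into sections: {'type', 'name', 'options': {k: v}, 'lists': {k: [v]}}.

    Raises ValueError for lines that are not valid UCI syntax, e.g. an option
    line with more than one value token."""
    sections = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the single quotes around values
        kind = parts[0]
        if kind == "config":
            if len(parts) not in (2, 3):
                raise ValueError(f"line {lineno}: malformed config line: {line}")
            sections.append({"type": parts[1], "name": parts[2] if len(parts) == 3 else None,
                             "options": {}, "lists": {}})
        elif kind in ("option", "list"):
            if len(parts) != 3:
                raise ValueError(f"line {lineno}: '{kind}' takes one key and one value: {line}")
            if not sections:
                raise ValueError(f"line {lineno}: '{kind}' before any 'config' line")
            key, value = parts[1], parts[2]
            if kind == "option":
                sections[-1]["options"][key] = value
            else:
                sections[-1]["lists"].setdefault(key, []).append(value)
        else:
            raise ValueError(f"line {lineno}: unknown keyword {kind!r}")
    return sections


def uci_parse_error(text):
    """Return the parse error message for text, or None if it parses cleanly."""
    try:
        parse_uci(text)
    except ValueError as exc:
        return str(exc)
    return None


def values(sec, key):
    """All values of key in a section, whether written as 'option' or 'list'."""
    vals = list(sec["lists"].get(key, []))
    if key in sec["options"]:
        vals.append(sec["options"][key])
    return vals


def lint_section(sec):
    """Problems in one rule/redirect section: unknown keys, missing target or zone."""
    allowed = RULE_KEYS if sec["type"] == "rule" else REDIRECT_KEYS
    problems = [f"unknown key {k!r}" for k in list(sec["options"]) + list(sec["lists"])
                if k not in allowed]
    if sec["type"] == "rule" and not values(sec, "target"):
        problems.append("missing target")
    if not values(sec, "src") and not values(sec, "dest"):
        problems.append("no src or dest zone")
    return problems


def rule_order(sections):
    """Rule names in file order: fw3/fw4 install them in this order, first match wins."""
    return [sec["options"].get("name", "<unnamed>") for sec in sections if sec["type"] == "rule"]


def check_redirect(sec, router_addrs):
    """Flag a DNAT port forward whose dest_ip is the router itself rather than the server."""
    if sec["type"] != "redirect" or sec["options"].get("target", "DNAT") != "DNAT":
        return []
    dest_ip = sec["options"].get("dest_ip")
    if dest_ip in router_addrs:
        return [f"dest_ip {dest_ip} is one of the router's own addresses, not the server"]
    return []


def audit(text, router_addrs):
    """Run all checks; returns the rule order plus per-section problems keyed by name."""
    sections = parse_uci(text)
    report = {"rule_order": rule_order(sections), "problems": {}}
    for sec in sections:
        if sec["type"] not in ("rule", "redirect"):
            continue
        found = lint_section(sec) + check_redirect(sec, router_addrs)
        if found:
            report["problems"][sec["options"].get("name", "<unnamed>")] = found
    return report


# Constructed sample mirroring the thread: a correct host-to-host rule, then the port
# forward with the gateway address typed where the server address belongs.
SAMPLE = """config defaults
        option forward 'REJECT'

config zone
        option name 'Lan_Servers'
        list network 'Lan_Servers'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option target 'ACCEPT'

config rule
        option name 'Allow IP_adresses'
        option src 'Lan_Legacy'
        list src_ip '192.168.0.10'
        option dest 'Lan_Servers'
        list dest_ip '192.168.2.10'
        option target 'ACCEPT'
        option family 'ipv4'

config redirect
        option name 'SMB'
        option src 'Lan_Servers'
        option dest 'Lan_Legacy'
        option target 'DNAT'
        list proto 'tcp'
        option src_dport '445'
        option dest_port '445'
        option dest_ip '192.168.0.5'
"""

# The first attempt from the thread: two value tokens after the key is not valid UCI.
BAD_LINE = "config rule\n        option src IP '192.168.2.10'\n"

if __name__ == "__main__":
    print(uci_parse_error(BAD_LINE))
    print(audit(SAMPLE, {"192.168.0.5", "192.168.1.1"}))
```

Running it on the real file is `audit(open("/etc/config/firewall").read(), {...})` with the router's own interface addresses in the set; the rule order it prints is the order fw3/fw4 will evaluate, which is also the order shown by `cat /etc/config/firewall`.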

Hi @psherman,

I do not care what they say about you :grin:, you are awesome. This was the problem:

I am so used to the gateway being at XXX.XXX.X.1/24, that this was what I accidentally entered.

Thank you very much.

Kindest regards,

M

You're welcome!

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Hi @psherman,

O.K., marked it as solved.

Kindest regards,

M

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.