Restricting Guest VLAN From accessing LuCI or SSH

Hello Everyone,

I am currently setting up a guest network on my OpenWRT Router on a CM4. But one issue with it is that my guest network can access my management LuCI and SSH, which is a major security risk. I have my wireless handled through a Cisco 5508 WLC, so that’s not an issue. The only thing is preventing the guest VLAN from accessing LuCI or SSH.

My guest VLAN is tagged with 802.1q (Guest is 963, Mgmt is 71) and I tried implementing Traffic Rules to block HTTP, HTTPS and SSH and permit DNS and DHCP, and I have my LuCI only accessible through the Management IP. Wireless and wired versions of the guest network are able to bypass the firewall rules preventing the guest VLAN IP range from talking to the Management VLAN IP range, so I had to resort to traffic rules.

If someone could help me out that would be very appreciated. And if anyone has questions about the setup to try to help me resolve this I will try to answer as fast as possible, but these photos should help you out.

We would need to see your complete config to fix this, but chances are you have the zone input rule set to accept. It should be set to reject if you want to prevent access to the router itself from the guest network/zone. You’ll need to add rules to accept dhcp and dns.

See this for reference:

If you want us to review your config or need help, we’ll need to see the whole thing:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
{
        "kernel": "6.6.73",
        "hostname": "JRHL_R001",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi Compute Module 4 Rev 1.1",
        "board_name": "raspberrypi,4-compute-module",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}
root@JRHL_R001:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd92:f951:620f::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth1'
        option peerdns '0'
        list dns '10.0.20.1'
        list dns '1.1.1.2'

config device
        option name 'eth1'
        option macaddr '02:09:5B:24:52:AE'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '20'
        option name 'br-lan.20'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '71'
        option name 'br-lan.71'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '165'
        option name 'br-lan.165'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '963'
        option name 'br-lan.963'

config interface 'VLAN_10'
        option proto 'static'
        option device 'br-lan.10'
        list ipaddr '10.0.10.1/24'

config interface 'VLAN_20'
        option proto 'static'
        option device 'br-lan.20'
        option ipaddr '10.0.20.97'
        option netmask '255.255.252.0'

config interface 'VLAN_71'
        option proto 'static'
        option device 'br-lan.71'
        list ipaddr '172.16.71.52/24'

config interface 'VLAN_165'
        option proto 'static'
        option device 'br-lan.165'
        option ipaddr '10.1.65.1'
        option netmask '255.255.255.0'

config interface 'VLAN_963'
        option proto 'static'
        option device 'br-lan.963'
        option ipaddr '192.168.96.37'
        option netmask '255.255.252.0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '72'
        option name 'br-lan.72'

config interface 'VLAN_72'
        option proto 'static'
        option device 'br-lan.72'
        option ipaddr '192.168.72.1'
        option netmask '255.255.255.240'

root@JRHL_R001:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'VLAN_20'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'sae-mixed'
        option key '<redacted>'
        option ocv '0'
        option disabled '1'

root@JRHL_R001:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list interface 'VLAN_10'
        list interface 'VLAN_20'
        list interface 'VLAN_71'
        list interface 'VLAN_72'
        list interface 'VLAN_165'
        list interface 'VLAN_963'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'VLAN_963'
        option interface 'VLAN_963'
        option start '38'
        option limit '900'
        option leasetime '12h'

config dhcp 'VLAN_20'
        option interface 'VLAN_20'
        option start '10.0.20.98'
        option limit '700'
        option leasetime '12h'

config dhcp 'VLAN_10'
        option interface 'VLAN_10'
        option start '100'
        option limit '150'
        option leasetime '12h'

config dhcp 'VLAN_71'
        option interface 'VLAN_71'
        option start '172.16.71.100'
        option limit '100'
        option leasetime '12h'

config dhcp 'VLAN_165'
        option interface 'VLAN_165'
        option start '100'
        option limit '150'
        option leasetime '12h'

config domain
        option name 'jrhl.r001.net'
        option ip '172.16.71.52'

config domain
        option name 'jrhl.lfs42001.net'
        option ip ''

config domain
        option name 'jrhl.tftpservice.net'
        option ip ''

config domain
        option name 'jrhl.wlc001.net'
        option ip ''

config domain
        option name 'guest.jrhlhosting.com'
        option ip '192.168.0.2'

root@JRHL_R001:~# cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Permit DHCP Guest'
        option src 'VLAN_963'
        option src_port '67-68'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Permit DNS Guest'
        option src 'VLAN_963'
        option src_port '53'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Drop HTTP Router Guest'
        option src 'VLAN_963'
        option src_port '80'
        option dest_port '80'
        option target 'DROP'

config rule
        option name 'Drop HTTPS Router Guest'
        option src 'VLAN_963'
        option src_port '443'
        option dest_port '443'
        option target 'DROP'

config rule
        option name 'Drop SSH Router Guest'
        option src 'VLAN_963'
        option src_port '22'
        option dest_port '22'
        option target 'DROP'
        list dest_ip '172.16.71.52'

config rule
        option name ' WAN ICMP Block'
        list proto 'icmp'
        option src 'wan'
        option target 'DROP'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'VLAN_10'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN_10'

config zone
        option name 'VLAN_20'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN_20'

config zone
        option name 'VLAN_71'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN_71'

config forwarding
        option src 'VLAN_20'
        option dest 'VLAN_10'

config forwarding
        option src 'VLAN_20'
        option dest 'VLAN_71'

config forwarding
        option src 'VLAN_20'
        option dest 'wan'

config zone
        option name 'VLAN_165'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN_165'

config zone
        option name 'VLAN_963'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN_963'

config forwarding
        option src 'VLAN_20'
        option dest 'lan'

config forwarding
        option src 'VLAN_20'
        option dest 'VLAN_165'

config forwarding
        option src 'VLAN_20'
        option dest 'VLAN_963'

config forwarding
        option src 'VLAN_165'
        option dest 'wan'

config forwarding
        option src 'VLAN_963'
        option dest 'wan'

config redirect
        option dest ''
        option target ''
        option name ''
        option src ''
        option src_dport ''
        option dest_ip ''
        option dest_port ''
        option enabled '0'

config redirect
        option dest 'VLAN_20'
        option target 'DNAT'
        option name 'Force DNS to Router'
        option src 'VLAN_20'
        option src_dport '53'
        option dest_ip '10.0.20.1'
        option dest_port '53'
        option enabled '0'

config redirect
        option dest 'VLAN_963'
        option target 'DNAT'
        option name 'Force DNS to Router'
        option src 'VLAN_963'
        option src_dport '53'
        option dest_ip '192.168.96.37'
        option dest_port '53'

config redirect
        option dest ''
        option target ''
        option name ''
        option family ''
        list proto ''
        option src ''
        option src_dport ''
        option dest_ip ''
        option dest_port ''
        option enabled '0'

config redirect
        option dest ''
        option target ''
        option name ''
        option family ''
        list proto ''
        option src ''
        option src_dport ''
        option dest_ip ''
        option dest_port ''
        option enabled '0'

config redirect
        option dest ''
        option target ''
        option name ''
        option family ''
        list proto ''
        option src ''
        option src_dport ''
        option dest_ip ''
        option dest_port ''
        option enabled '0'

config redirect
        option dest ''
        option target ''
        option name ''
        option family ''
        list proto ''
        option src ''
        option src_dport ''
        option dest_ip ''
        option dest_port ''
        option enabled '0'

config redirect
        option dest ''
        option target ''
        option name ''
        option family ''
        list proto ''
        option src ''
        option src_dport ''
        option dest_ip ''
        option dest_port ''
        option enabled '0'

config redirect
        option dest ''
        option target ''
        option name ''
        option src ''
        option src_dport ''
        option dest_ip ''
        option dest_port ''
        option enabled '0'

config redirect
        option dest ''
        option target ''
        option name ''
        option src 'wan'
        option src_dport ''
        option dest_ip ''
        option dest_port ''
        option enabled '0'

config forwarding
        option src 'VLAN_71'
        option dest 'VLAN_20'

config zone
        option name 'VLAN_72'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN_72'

config forwarding
        option src 'VLAN_20'
        option dest 'VLAN_72'

I redacted all of the inbound port forwards, but all internal forwarding (like the DNS forces) is not redacted, to better help resolve the issue.

None of your (guest) firewall rules will work (except for DHCP by chance) because you specify a source port.

The source port is random, chosen by the operating system from a range of ephemeral ports.

Note that DNS for the guest network is currently only working because the default input policy of the guest firewall zone is set to accept. Set it to reject as already suggested and adjust the DHCP and DNS traffic rules.

config zone
        option name 'VLAN_963'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN_963'

config rule
        option name 'Permit DHCP Guest'
        option src 'VLAN_963'
        list proto 'udp'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Permit DNS Guest'
        option src 'VLAN_963'
        option dest_port '53'
        option target 'ACCEPT'

Your config has a bunch of things that should be optimized...

First, in your network config file, use direct dotted notation for your VLANs instead of a pseudo-bridge VLAN method.

Delete all of the 802.1q stanzas:

Then edit the network interfaces to use eth0.x where x is the VLAN ID. For example:

config interface 'VLAN_10'
        option proto 'static'
        option device 'eth0.10'
        list ipaddr '10.0.10.1/24'

Repeat for all of the others.

You have some odd choices for your network interface addresses and subnets... they are fine from a technical standpoint, but are not necessarily as easy to work with from a 'human factors' perspective. Generally speaking, /24 networks are recommended for this reason (less cognitive loading) unless you need to have something that is specifically larger or smaller (although with larger subnets, this can be problematic for network efficiency).

Further, your addresses are sort of random inside the subnet... VLAN_71 for example is using the .52 address. This is technically not problematic as long as this is outside the DHCP pool, but convention for home/smb networks is to have the router at the top or bottom of the address range (again, not required). Doing otherwise does not increase security, but does make it a bit harder to keep everything straight from that human factors element.

Moving on to DHCP...

I recommend removing these:

If you don't list the interfaces, the server will listen on all interfaces and the firewall will dictate which interfaces can actually connect. If you do list interfaces, anything not on the list won't work as expected, which means (again) possibly more headaches when making changes and/or administering things.

The start value below should just be 98:

similarly... this start value should be 100:

@pavelgl covered the primary firewall fixes, but there is another I'd recommend:

All of these can be deleted as long as you have the guest zone's input rule set to REJECT:
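The two mistakes pointed out in the replies above (traffic rules that match on a source port, and a guest zone whose input policy is ACCEPT so that the rules never get a chance to matter) are easy to miss when reading a long /etc/config/firewall by eye. The script below is an added example written for this thread, not code from the thread or from OpenWrt itself: it runs a small awk pass over a UCI firewall file and prints a warning for every zone with input ACCEPT, for every rule that specifies src_port (with DHCP downgraded to INFO, since the client really does send from port 68), and for DROP/REJECT input rules that are redundant because the zone's input policy is already REJECT, which is the cleanup the last reply recommends. It only understands the `config zone` / `config rule` stanzas with `option` and `list` lines as shown in this thread; the sample file in the usage below is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread: lint an OpenWrt UCI firewall file for the
# guest-zone mistakes discussed above.
#   WARN zone ...        input policy ACCEPT (every router service reachable from that zone)
#   WARN/INFO rule ...   rule matches on src_port (client source ports are ephemeral;
#                        only DHCP, whose client port is fixed at 68, matches by chance)
#   INFO rule ...        DROP/REJECT input rule that is redundant because the source
#                        zone's input policy is already REJECT
# Usage: lint_firewall /etc/config/firewall
lint_firewall() {
    awk '
    BEGIN { q = sprintf("%c", 39) }   # the single-quote character, without embedding one in this script
    function flush() {
        if (sect == "zone" && zname != "") {
            zone_input[zname] = zinput
            if (zinput == "ACCEPT")
                printf "WARN zone %s: input policy ACCEPT, every service on the router is reachable from it\n", zname
        } else if (sect == "rule" && renabled != "0") {   # disabled rules (enabled 0) are skipped
            n++
            r_name[n] = rname; r_src[n] = rsrc; r_sport[n] = rsport; r_target[n] = rtarget; r_dest[n] = rdest
        }
        sect = ""; zname = ""; zinput = ""; rname = ""; rsrc = ""; rsport = ""; rtarget = ""; rdest = ""; renabled = ""
    }
    $1 == "config" { flush(); sect = $2; next }
    $1 == "option" || $1 == "list" {
        key = $2
        val = $0
        sub(/^[ \t]*(option|list)[ \t]+[^ \t]+[ \t]*/, "", val)   # keep everything after the key (values may contain spaces)
        sub("^" q, "", val); sub(q "[ \t]*$", "", val)             # strip the surrounding quotes
        if (sect == "zone") {
            if (key == "name") zname = val
            else if (key == "input") zinput = val
        } else if (sect == "rule") {
            if (key == "name") rname = val
            else if (key == "src") rsrc = val
            else if (key == "dest") rdest = val
            else if (key == "src_port") rsport = val
            else if (key == "target") rtarget = val
            else if (key == "enabled") renabled = val
        }
    }
    END {
        flush()
        for (i = 1; i <= n; i++) {
            if (r_sport[i] != "") {
                sev = (r_sport[i] ~ /^(67-68|68)$/) ? "INFO" : "WARN"
                printf "%s rule \"%s\": src_port %s; client source ports are ephemeral, only DHCP (fixed client port 68) matches by chance\n", sev, r_name[i], r_sport[i]
            }
            # no dest means an input rule (traffic to the router itself)
            if (r_dest[i] == "" && (r_target[i] == "DROP" || r_target[i] == "REJECT") && zone_input[r_src[i]] == "REJECT")
                printf "INFO rule \"%s\": redundant, input policy of zone %s is already REJECT\n", r_name[i], r_src[i]
        }
    }' "$1"
}

# Run directly with a file argument: sh lint.sh /etc/config/firewall
if [ "$#" -gt 0 ]; then
    lint_firewall "$1"
fi
```

Run it before and after applying the zone and rule changes from the previous replies; once the guest zone's input is REJECT and the src_port lines are gone, the only remaining output for the guest zone should be the INFO lines for any leftover DROP rules, which can then be deleted as suggested.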
