Security of my configuration with two OpenWRT devices

Hi,

I finally got my two OpenWrt devices set up. Internet access is working, and the VLANs for the interaction between the two devices seem to work as well. The goal is to do everything on the GL-MT6000 router — PPPoE, routing and management of the Fritz!Box — with the Fritz!Box mainly acting as a modem. Direct access to the Fritz!Box via LAN1-3 should still be possible in case the network configuration gets messed up. The Fritz!Box should also have internet access so it can update, but it should not be directly exposed to the internet. The overhaul of the end-device network topology is still to be done, but the configuration already contains small parts of it (tv + lan). This is how it looks:

Since this is my first time working with VLANs and a two-device OpenWrt setup, I would be grateful if someone could check the configuration for possible improvements or security issues before I continue with the overhaul of the local networks and end devices.

Fritz!Box 7520 (modem)

/etc/config/network
# Fritz!Box 7520 running OpenWrt. It does no routing for the LAN: it bridges
# the ISP VLAN through to the Flint (see 'MODEM' below), keeps a fallback
# management network on lan1-3 and has an update-only uplink via the Flint.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # ULA prefix used by 'lan' (ip6assign below). The Flint's
        # 'FritzInternet' interface has no ip6assign, so presumably no
        # delegated prefix ever reaches this box and only this ULA is used.
        option ula_prefix 'fdb7:7535:231e::/48'

# DSL line parameters (ATM bridge settings, annex/tone). Not security relevant.
config atm-bridge 'atm'
        option vpi '1'
        option vci '32'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'j'
        option tone 'b'
        option ds_snr_offset '0'

# One bridge over all four switch ports. VLAN filtering is enabled implicitly
# by the bridge-vlan sections further down: lan1-3 carry untagged VLAN 21
# (fallback management), lan4 is the tagged trunk (VLANs 7, 20, 22) towards
# the Flint's eth1.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Fallback management network on lan1-3 (VLAN 21), 192.168.1.1/24. The
# firewall zone 'lan' has input ACCEPT, so LuCI/SSH are reachable from any
# host plugged into these ports — physical access is the only control here.
config interface 'lan'
        option device 'br-lan.21'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'dsl0'
        option macaddr 'REDACTED'
        option mtu '1500'

# 'wan' here is NOT the internet. It is VLAN 22 on the trunk, i.e. the Flint's
# 'FritzInternet' interface (192.168.22.1), which exists only so this box can
# pull updates. The address comes from the Flint via DHCP.
config interface 'wan'
        option proto 'dhcp'
        option device 'br-lan.22'

config interface 'wan6'
        option device '@wan'
        option proto 'dhcpv6'

# ISP VLAN 7: tagged on the trunk only. It is a member of br-dsl (below) and
# never of an interface that carries an IP address on this box.
config bridge-vlan
        option device 'br-lan'
        option vlan '7'
        list ports 'lan4:t'

# VLAN 21: untagged on lan1-3 (fallback management). lan4 is deliberately not
# a member, so untagged frames arriving on the trunk belong to no VLAN and are
# dropped.
config bridge-vlan
        option device 'br-lan'
        option vlan '21'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

# Pure layer-2 bridge between VLAN 7 on the DSL line and VLAN 7 on the trunk.
# The Flint terminates PPPoE across this bridge; this box has no IP on it
# (interface 'MODEM' is proto 'none'), so nothing arriving from the DSL side
# can address the Fritz!Box itself. bridge_empty keeps the bridge up while
# dsl0 has no sync.
config device
        option type 'bridge'
        option name 'br-dsl'
        option bridge_empty '1'
        list ports 'br-lan.7'
        list ports 'dsl0.7'

# Tagged VLAN 7 on the DSL line (provider VLAN for PPPoE).
config device
        option type '8021q'
        option ifname 'dsl0'
        option vid '7'
        option name 'dsl0.7'

config interface 'MODEM'
        option proto 'none'
        option device 'br-dsl'

# VLAN 20: management path from the Flint ('fritzbox' interface, 192.168.20.1).
config bridge-vlan
        option device 'br-lan'
        option vlan '20'
        list ports 'lan4:t'

# NOTE(review): proto 'dhcp' means the management address of this box depends
# on the Flint's DHCP server on VLAN 20 being up. A static address (e.g.
# 192.168.20.2/24) or a static lease on the Flint keeps the box reachable at a
# known address even when the Flint's DHCP is misconfigured — exactly the
# situation this management path is meant for.
config interface 'management'
        option proto 'dhcp'
        option device 'br-lan.20'

# VLAN 22: update-only uplink towards the Flint (this box's 'wan').
config bridge-vlan
        option device 'br-lan'
        option vlan '22'
        list ports 'lan4:t'
/etc/config/firewall
# Default policy: drop everything not explicitly allowed. There is no
# 'config forwarding' section anywhere in this file, so the zones below are
# fully isolated from each other; only the Fritz!Box itself talks out
# (output ACCEPT).
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Fallback management network (lan1-3, 192.168.1.0/24). Because nothing is
# forwarded from lan to wan, a host on these ports reaches only the Fritz!Box
# itself — not the Flint and not the internet. This matches the stated goal.
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# 'wan' is VLAN 22 towards the Flint, used only for this box's own updates.
# masq/mtu_fix are stock defaults and only affect forwarded traffic, of which
# there is none here.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

# Stock OpenWrt default rules, kept verbatim. Since this 'wan' faces only the
# Flint's FritzInternet interface (behind the Flint's NAT), none of them is
# reachable from the internet.
# DHCPv4 replies for the 'wan' DHCP client — required.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Lets the Flint ping this box on VLAN 22; harmless.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): the two rules below are wan -> lan FORWARD rules (dest 'lan'),
# not input rules. Nothing in this config suggests an IPsec responder behind
# lan1-3, and there is no lan <-> wan forwarding at all, so they are dead
# rules inherited from the stock config. Dropping them keeps the policy
# minimal and easier to audit.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Zone for the PPPoE pass-through bridge (br-dsl). The interface has no IP
# (proto 'none'), so the only policy that matters is input REJECT: frames from
# the DSL side are bridged to the Flint and can never target this box.
config zone
        option name 'MODEM'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'MODEM'

# Management zone (VLAN 20 from the Flint). input ACCEPT exposes every local
# service (SSH, LuCI, DNS, ...) to 192.168.20.0/24. On the Flint that network
# is reachable from the whole 'lan' zone (forwarding lan -> fritzbox), so
# every LAN client can reach this management plane unless the Flint restricts
# it to specific ports or hosts. forward REJECT: nothing is routed between
# management and lan/wan.
config zone
        option name 'management'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'management'

GL-MT6000 (Flint 2)

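/etc/config/network
# NOTE(review): the 'config interface' header of this first stanza was lost in
# the paste (the listing started with an indented 'option' line); restored
# here so the listing is valid UCI.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # ULA prefix for the Flint's own networks.
        option ula_prefix 'fd89:b436:9633::/48'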

# All five switch ports in one untagged bridge. vlan_filtering is off, so the
# LAN is a single flat segment — the planned per-device segmentation is not in
# this file yet (only 'tv' exists as a separate network).
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan5'
        option vlan_filtering '0'

# Per-port MAC overrides (redacted); no effect on the security posture.
config device
        option name 'lan1'
        option macaddr 'REDACTED'

config device
        option name 'lan2'
        option macaddr 'REDACTED'

config device
        option name 'lan3'
        option macaddr 'REDACTED'

config device
        option name 'lan4'
        option macaddr 'REDACTED'

config device
        option name 'lan5'
        option macaddr 'REDACTED'

# Main (trusted) LAN, 192.168.11.1/24. Firewall zone 'lan' below.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.11.1'
        option netmask '255.255.255.0'

# eth1 is the WAN port and the trunk to the Fritz!Box's lan4. It carries three
# tagged VLANs: 7 (ISP/PPPoE), 20 (Fritz!Box management), 22 (Fritz!Box
# update uplink). No untagged traffic is configured on it.
config device
        option name 'eth1'
        option macaddr 'REDACTED'

# Internet uplink: PPPoE on VLAN 7, bridged through the Fritz!Box's br-dsl.
# The PPPoE credentials live in clear text in this file (as UCI requires);
# treat backups of /etc/config/network with the same care as the password.
# mtu_fix in the 'wan' zone clamps TCP MSS to the PPPoE MTU set here.
config interface 'wan'
        option device 'eth1.7'
        option proto 'pppoe'
        option username 'REDACTED'
        option password 'REDACTED'
        option ipv6 '1'
        option mtu '1490'

# Bridge for the TV segment. It has no ports yet (bridge_empty keeps the
# interface up); presumably a wifi SSID or a port is to be added later.
config device
        option type 'bridge'
        option name 'br-tv'
        option bridge_empty '1'

# TV network, 192.168.5.1/24. Policy is in the 'tv' zone of the firewall
# (default deny, explicit egress allow-list, forced DNS).
config interface 'tv'
        option proto 'static'
        option device 'br-tv'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'

config interface 'wan6'
        option proto 'dhcpv6'
        option device '@wan'
        option reqaddress 'try'
        option reqprefix 'auto'

# Management path to the Fritz!Box: VLAN 20 on the trunk, 192.168.20.1/24.
# The Fritz!Box's 'management' interface takes its address from this router
# via DHCP (see the 'Allow Fritz DHCP' rule).
config interface 'fritzbox'
        option proto 'static'
        option device 'eth1.20'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'

# Update-only internet path for the Fritz!Box: VLAN 22 on the trunk (the
# Fritz!Box's 'wan'), 192.168.22.1/24. The 'fritz_net' zone allows only
# DNS/DHCP to this router plus forwarding to wan — never into lan.
config interface 'FritzInternet'
        option proto 'static'
        option device 'eth1.22'
        option ipaddr '192.168.22.1'
        option netmask '255.255.255.0'
/etc/config/firewall
# Default policy: deny unless explicitly allowed.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted LAN: full access to the router; forwardings to wan (below) and to
# the Fritz!Box management network (further down).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Internet-facing zone (PPPoE). DROP rather than REJECT so unsolicited
# traffic gets no answer at all; with Allow-Ping disabled below the WAN
# address does not respond to echo either.
config zone
        option name 'wan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

# Stock OpenWrt default rules for the internet-facing zone.
# 'wan' is PPPoE, so no DHCPv4 client runs on it and this rule is inert;
# harmless to keep.
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# Disabled: the WAN address does not answer IPv4 echo requests.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# Needed for the 'wan6' DHCPv6 client (address/prefix from the ISP).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): these two stock rules FORWARD unsolicited ESP and UDP/500 from
# the whole internet into the lan zone. For IPv4 behind masq they can only
# match if a redirect exists (none does); for IPv6, where LAN hosts may hold
# global addresses, they punch a real hole. Unless a LAN host terminates
# IPsec, set 'option enabled '0'' on both so the WAN forward policy stays a
# pure DROP.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Untrusted TV segment. Deny in every direction by default; there is no
# 'config forwarding' with src 'tv', so only the rules below open anything.
config zone
        option name 'tv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'tv'

# Router services the TV may use (input rules, no 'dest'). No proto on the DNS
# rule means tcp+udp. Works together with the DNAT redirect at the end.
config rule
        option name 'Allow TV DNS'
        option src 'tv'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option name 'Allow TV DHCP'
        list proto 'udp'
        option src 'tv'
        option dest_port '67'
        option target 'ACCEPT'

# Egress allow-list towards wan.
# NOTE(review): this rule opens UDP 51280 while 'Allow TV -> WG-Port' below
# opens UDP 51820 (the common WireGuard port). One of the two looks like a
# transposed port number; confirm which port the peer actually listens on and
# drop the other so the allow-list stays minimal.
config rule
        option name 'Allow TV Wireguard'
        list proto 'udp'
        option src 'tv'
        option dest 'wan'
        option dest_port '51280'
        option target 'ACCEPT'

# STUN (NAT traversal) — any destination on UDP 3478.
config rule
        option name 'Allow TV -> TS STUN Port'
        list proto 'udp'
        option src 'tv'
        option dest 'wan'
        option dest_port '3478'
        option target 'ACCEPT'

# 100.64.0.0/10 is the CGNAT range Tailscale uses for node addresses. Sent out
# the PPPoE uplink with masq this normally goes nowhere; presumably intended
# for a Tailscale client on the TV whose tunnel is the UDP rules above —
# TODO confirm this rule is actually needed.
config rule
        option name 'Allow TV -> tailscale ip-range'
        option src 'tv'
        option dest 'wan'
        list dest_ip '100.64.0.0/10'
        option target 'ACCEPT'

config rule
        option name 'Allow TV -> WG-Port'
        list proto 'udp'
        option src 'tv'
        option dest 'wan'
        option dest_port '51820'
        option target 'ACCEPT'

# Destination allow-list by ipset (IPv4).
config rule
        option name 'Allow TV -> Tailscale IPset'
        option src 'tv'
        option ipset 'Tailscale'
        option dest 'wan'
        option target 'ACCEPT'
        option family 'ipv4'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'

# NOTE(review): both ipsets are declared with match 'dest_ip' but without
# 'list entry' or 'option loadfile', so they are created empty. Unless
# something else (a script, a hotplug hook) populates them at runtime, the two
# ipset rules match nothing. Not a hole — just dead config worth confirming.
config ipset
        option name 'Tailscale'
        option family 'ipv4'
        list match 'dest_ip'

config ipset
        option name 'Tailscale-IPv6'
        option family 'ipv6'
        list match 'dest_ip'

# Same as above for IPv6; no proto restriction here (any protocol).
config rule
        option name 'Allow Tailscale IPv6'
        option family 'ipv6'
        option src 'tv'
        option ipset 'Tailscale-IPv6'
        option dest 'wan'
        option target 'ACCEPT'

# Forces every plain-DNS (port 53) query from the TV to the router, whatever
# resolver the TV is configured with. DoT/DoH are not caught by this, but
# they also cannot leave the zone unless their target is in the allow-list
# above.
config redirect
        option target 'DNAT'
        option name 'DNS TV'
        option src 'tv'
        option src_dport '53'
        option dest_ip '192.168.5.1'
        option dest_port '53'

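# Management network towards the Fritz!Box (VLAN 20). The Fritz!Box itself
# may only talk to this router's DHCP and DNS (input rules at the end); it is
# not forwarded anywhere from here.
config zone
        option name 'fritzbox'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'fritzbox'

# Management access from the LAN, limited to what is actually needed.
# The previous blanket 'config forwarding' (src lan, dest fritzbox) exposed
# every service of the Fritz!Box's 'management' zone (input ACCEPT there) to
# every LAN client. These two rules allow only SSH and LuCI (http/https) plus
# ping; add ports here if other Fritz!Box services are used, or narrow 'src_ip'
# to the admin hosts for an even tighter policy.
config rule
        option name 'Allow LAN -> Fritz management'
        option src 'lan'
        option dest 'fritzbox'
        list proto 'tcp'
        option dest_port '22 80 443'
        option target 'ACCEPT'

# Reachability checks (ping) from the LAN to the Fritz!Box.
config rule
        option name 'Allow LAN -> Fritz ping'
        option src 'lan'
        option dest 'fritzbox'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option target 'ACCEPT'

# The Fritz!Box's 'management' interface is a DHCP client on this VLAN.
config rule
        option name 'Allow Fritz DHCP'
        list proto 'udp'
        option src 'fritzbox'
        option dest_port '67'
        option target 'ACCEPT'

# DNS for the Fritz!Box itself (no proto -> tcp+udp).
config rule
        option name 'Allow Fritz DNS'
        option src 'fritzbox'
        option dest_port '53'
        option target 'ACCEPT'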

# Update-only path for the Fritz!Box (VLAN 22, the Fritz!Box's 'wan').
# input REJECT with only DNS/DHCP opened; the only forwarding is to wan, never
# into lan or fritzbox, so even a compromised Fritz!Box cannot reach the LAN
# from this network. This matches "internet access for updates, but not
# exposed".
config zone
        option name 'fritz_net'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'FritzInternet'

# DNS for the Fritz!Box (no proto -> tcp+udp).
config rule
        option name 'Allow FritzInternet DNS'
        option src 'fritz_net'
        option dest_port '53'
        option target 'ACCEPT'

# The Fritz!Box's 'wan' is a DHCP client on this VLAN.
config rule
        option name 'Allow FritzInternet DHCP'
        list proto 'udp'
        option src 'fritz_net'
        option dest_port '67'
        option target 'ACCEPT'

# Outbound only (masq in the wan zone); no inbound path exists from wan.
config forwarding
        option src 'fritz_net'
        option dest 'wan'