Separate and secure VLAN


I need a tip on how I can best implement something.

My system:
I am currently using a Pi 4 with OpenWRT 22.03.
My HomeLab consists of 6 VLANs. One of the VLANs (No. 6) is only for my virtualisation (LXC).

My intention:
I would like to block all outgoing connections from VLAN 6 and then allow individual connections via whitelist.
I am primarily interested in the possibility of installing updates.
The whitelist would then include, for example, Github, APT and dokuwiki.

My thoughts so far:

  • One possibility would be to use a DNS server to let all name resolutions that are not on the whitelist come up empty, so that no request can be sent out. Unfortunately, it would still be possible to connect to the outside world with the direct IP.
  • Another possibility would be to allow only the IPs of the specific servers via FW4. But that would be a lot (Github alone has 24), and they could also still change.

Logically, the other VLANs should continue to run normally.

On the side:
It would be nice if I could do this with my main router, but it would also be possible to run a second router (as a VM) that only takes care of VLAN 6.

Thanks in advance.

Ipset to the rescue.


Thanks for the link.

I tried it out right away in a test environment and a few questions came up.
If I have understood the procedure correctly, the domain filter list is converted into IPs by the "ipset setup" and then stored in "/var/ipset-filter". In "firewall.filter" you will then see that the file is to be loaded. Is this correct as far as it goes?

  1. In the "IP set extras" script it says "Populate IP sets automatically at startup." So the conversion domain -> IP is only executed at system startup? But a router like this is not restarted every day or every week. Would it also be sufficient to execute the "ipset setup" via cron every X days, or is the file "/var/ipset-filter" not reloaded by the firewall during operation?

  2. The name resolution is carried out by "resolveip", but this only returns one IP address. Services such as Github have a load balancer, so a new request may return a different IP. Or there may even be different IPs depending on the service, e.g. HTTP and git.

Is there also a solution for this?
The only thing I can think of is to set the local DNS server so that it always returns the same IP.

There is a cronjob in the script, and resolveip will return as many IPs as the authoritative server replies with.
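For reference, the fw4 side of the domain-list-to-IP-set approach discussed in this thread, written out as an /etc/config/firewall fragment. This is an added example, not the linked script's own configuration; the interface name 'vlan6', the set name 'updates' and the 203.0.113.0/24 entry are assumptions, and /var/ipset-filter is expected to contain one IP or CIDR per line.

```uci
# /etc/config/firewall fragment (added example, not from the thread or the linked script).
# Assumes the LXC VLAN's interface is named 'vlan6' in /etc/config/network and
# that the resolver cron job writes one IP/CIDR per line to /var/ipset-filter.

# Zone for the virtualisation VLAN: nothing is forwarded unless a rule says so.
config zone
	option name 'vlan6'
	list network 'vlan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
# Deliberately no 'config forwarding' from vlan6 to wan: fw4 only forwards
# between zones that have an explicit forwarding section or a matching rule.

# Hosts in VLAN 6 may still reach the router's own DNS and DHCP.
config rule
	option name 'vlan6-dns-dhcp'
	option src 'vlan6'
	option proto 'tcp udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# Destination set: static entries plus the file the cron job regenerates.
# 203.0.113.0/24 is a constructed placeholder, not a real update server.
config ipset
	option name 'updates'
	option family 'ipv4'
	option match 'dest_net'
	list entry '203.0.113.0/24'
	option loadfile '/var/ipset-filter'

# The only egress from VLAN 6: HTTP/HTTPS to addresses in the set.
config rule
	option name 'vlan6-updates-allowlist'
	option src 'vlan6'
	option dest 'wan'
	option proto 'tcp'
	option dest_port '80 443'
	option ipset 'updates'
	option target 'ACCEPT'
```

fw4 reads the loadfile only when it builds the ruleset, so a cron job that rewrites /var/ipset-filter has to be followed by `service firewall reload` for the new addresses to take effect.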