Separate VLANs

Hi All. I am building out a new router to replace my old one. This is not in production yet.

Firmware Version	OpenWrt 23.05.2 r23630-842932a63d / LuCI 7739e9f5b03b830f51d53c384be4baef95054cb3 branch git-23.334.55645-2026e51

I have 3 interfaces to use on my router.
1 is for WAN
1 is for everything but iot hosts
1 is for iot hosts only

I have several VLANs set up (possibly incorrectly)
VLAN
3 - iot
4 - dmz
5 - internet restricted (cameras/TVs/things that don't need to access the internet)
7 - guest
9 - nailed up vpn
10 - lan

I also have several interfaces set up
iot - br-iot.3
dmz - br-lan.4
spy (internet restricted for cameras/TVs) - br-lan.5
guest - br-lan.7
vpn - br-lan.9
lan - br-lan.10

All VLANs need to be trunked on eth1 to go down to the L3 switch.

My concern is that if I have all these VLANs on a bridge (br-lan) that they will be able to communicate with one another. Is that the case?

My firewall settings look like this:

Thank you.

1 Like

Just because they're based on a common bridge doesn't immediately mean that they are able to communicate with each other. But we need to see the details of the config to be able to advise further:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/firewall
1 Like

Thank you, Peter.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'eth2'
	option macaddr '82:d4:8b:55:b6:8a'

config interface 'wan'
	option device 'eth2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth2'
	option proto 'dhcpv6'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

config device
	option name 'eth1'
	option macaddr '82:d4:8b:55:b6:8b'

config device
	option name 'eth0'
	option macaddr '82:d4:8b:55:b6:8b'

config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '172.22.10.1'
	option netmask '255.255.254.0'
	option ip6assign '60'

config interface 'docker'
	option device 'docker0'
	option proto 'none'
	option auto '0'

config device
	option type 'bridge'
	option name 'docker0'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'eth1:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '7'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '5'
	list ports 'eth1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'eth1:t'

config interface 'spy'
	option proto 'static'
	option device 'br-lan.5'
	option ipaddr '172.22.5.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option proto 'static'
	option device 'br-iot.3'
	option ipaddr '172.22.3.1'
	option netmask '255.255.255.0'

config interface 'guest'
	option proto 'static'
	option device 'br-lan.7'
	option ipaddr '172.22.7.1'
	option netmask '255.255.255.0'

config interface 'wg0'
<removed>

config wireguard_wg0
<removed>

config bridge-vlan
	option device 'br-lan'
	option vlan '9'
	list ports 'eth1:t'

config interface 'vpn'
	option proto 'static'
	option device 'br-lan.9'
	option ipaddr '172.22.9.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0'
	option bridge_empty '1'

config bridge-vlan
	option device 'br-iot'
	option vlan '3'
	list ports 'eth0:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '4'
	list ports 'eth1:t'

config interface 'dmz'
	option proto 'static'
	option device 'br-lan.4'
	option ipaddr '172.22.4.1'
	option netmask '255.255.255.0'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wg0'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option fullcone4 '1'
	option fullcone6 '1'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Reject-IPv6'
	option family 'ipv6'
	option src 'wan'
	option dest '*'
	option target 'REJECT'
	option enabled '0'

config zone 'docker'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option name 'docker'
	list network 'docker'

config zone
	option name 'dmz'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'dmz'

config zone
	option name 'restricted'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'cameras'
	list network 'spy'

config forwarding
	option src 'restricted'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'restricted'

config zone
	option name 'guest'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'iNetRestricted'
	list proto 'all'
	option src 'restricted'
	option dest 'wan'
	option target 'DROP'

config zone
	option name 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'vpn'

config forwarding
	option src 'dmz'
	option dest 'wan'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

Bridge VLANs are fine with respect to maintaining the L2 isolation. But...

You don't need bridge-VLANs for this... you can use standard dotted notation. So you'd delete the above, and change the below to use eth1.10:

config interface 'lan'
	option device 'eth1.10'
	option proto 'static'
	option ipaddr '172.22.10.1'
	option netmask '255.255.254.0'
	option ip6assign '60'

Repeat that for all of the other VLANs.

Meanwhile, it is the firewall that is responsible for the isolation beyond that... and it looks like all networks are able to reach the router itself (this may or may not be something you want to restrict).

In the restricted zone, cameras and spy can connect to each other because of the zone forward rule (ACCEPT).
Then because of the following bidirectional ruleset, lan can reach restricted and vice versa.

The next section is not necessary since (and as long as) there isn't a forwarding rule that allows restricted > wan.

There are a lot of networks and zones, and so it's hard to know exactly what you want to happen from an allow/deny perspective... if you can elaborate on that, we can help you make sure it'll perform as you desire.

2 Likes

Thank you, Peter.

Here's what I want to do:
Have these VLANs trunked on eth1:
VLAN
3 - iot
4 - dmz
5 - internet restricted (cameras/TVs/things that don't need to access the internet)
7 - guest
9 - nailed up vpn
10 - lan

VLANs 3, 4, 7, 9, 10 will have internet access
VLAN 5 does not have internet access
VLANs 5 and 10 can communicate with one another (bidirectional traffic initiation)
Other VLANs should not have the ability to communicate with other VLANs.
Only VLAN 10 should have access to the router (this is something I did not know how to restrict in the fw)

I think I understand. I can drop the bridge interfaces and just create eth1. interfaces. Is that correct?
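Added example, written for this thread and not part of the original posts or of OpenWrt's own tooling: a small Python checker that parses the UCI firewall format posted above and reports zone-level reachability. Run over a condensed copy of the posted lan and restricted zones it reproduces Peter's findings (the two networks in restricted can reach each other, restricted and lan can reach each other, and both zones can reach the router itself). A constructed HARDENED layout then shows one zone/forwarding set for the policy stated in the previous post; dmz, guest and vpn would mirror the iot zone. The HARDENED layout and the omission of the WAN input rules are my assumptions. The semantics modelled are: a zone's input policy decides access to the router, a zone's own forward policy decides traffic between networks of that same zone, forwarding sections allow zone-to-zone traffic, and only pair-wide rules (proto all, no port or address match) change the zone-level picture.

```python
# Added example (not from the thread): zone-level reachability checker for OpenWrt UCI firewall files.
def parse_uci(text):
    """Parse UCI text into (type, name, options); 'list' keys become lists."""
    sections = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 2)
        if not parts:
            continue
        key = parts[1] if len(parts) > 1 else ""
        val = parts[2].strip().strip("'\"") if len(parts) > 2 else ""
        if parts[0] == "config":
            sections.append((key, val or None, {}))
        elif parts[0] == "option" and sections:
            sections[-1][2][key] = val
        elif parts[0] == "list" and sections:
            sections[-1][2].setdefault(key, []).append(val)
    return sections

_lst = lambda v: v if isinstance(v, list) else [v]  # tolerate 'option x' where 'list x' is usual
def _pairwide(r):
    # Only an enabled rule naming both zones, matching all protocols, with no port/address narrowing
    narrow = ("dest_port", "src_port", "dest_ip", "src_ip", "icmp_type")
    return (r.get("enabled", "1") != "0" and "src" in r and "dest" in r
            and "all" in _lst(r.get("proto", ["tcp", "udp"]))
            and not any(k in r for k in narrow))

def reachability(text):
    """Set of (src, dest) zone pairs that may initiate traffic; dest 'router' is the device (INPUT)."""
    sections = parse_uci(text)
    zones = {o["name"]: o for t, _, o in sections if t == "zone" and "name" in o}
    pairs = set()
    for z, o in zones.items():
        if o.get("input") == "ACCEPT":
            pairs.add((z, "router"))
        # A zone's own 'forward' policy covers traffic between networks of that same zone.
        if o.get("forward") == "ACCEPT" and len(_lst(o.get("network", []))) > 1:
            pairs.add((z, z))
    for t, _, o in sections:
        if t == "forwarding" and o.get("src") in zones and o.get("dest") in zones:
            pairs.add((o["src"], o["dest"]))
    for t, _, o in sections:  # pair-wide rules are matched before zone forwardings
        if t == "rule" and _pairwide(o) and o["src"] in zones and o["dest"] in zones:
            (pairs.add if o.get("target") == "ACCEPT" else pairs.discard)((o["src"], o["dest"]))
    return pairs

# Condensed from the firewall posted above: the lan and restricted zones and their forwardings.
CURRENT = """\
config zone
    option name 'lan'
    option input 'ACCEPT'
    list network 'lan'
config zone
    option name 'restricted'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'cameras'
    list network 'spy'
config forwarding
    option src 'restricted'
    option dest 'lan'
config forwarding
    option src 'lan'
    option dest 'restricted'
"""
# Constructed layout (an assumption, not from the thread) for the stated policy; dmz, guest and
# vpn would mirror iot. Only lan may reach the router; restricted has no path to wan at all.
HARDENED = """\
config zone
    option name 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'
    list network 'lan'
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'wan'
config zone
    option name 'restricted'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'spy'
config zone
    option name 'iot'
    option input 'REJECT'
    option forward 'REJECT'
    list network 'iot'
config forwarding
    option src 'lan'
    option dest 'wan'
config forwarding
    option src 'iot'
    option dest 'wan'
config forwarding
    option src 'lan'
    option dest 'restricted'
config forwarding
    option src 'restricted'
    option dest 'lan'
"""
```

On the router itself, `reachability(open("/etc/config/firewall").read())` runs the same check over the live file. Two things to keep in mind with the HARDENED layout: with input REJECT on iot, guest, dmz and vpn, hosts in those zones can no longer get DHCP or DNS from the router unless you add narrow ACCEPT rules (udp 53 and 67 to the router) per zone, and the checker deliberately ignores such port-narrowed rules, so the "only lan reaches the router" result still holds at the zone level after you add them; and masquerading on wan (`option masq '1'`) is left out of the excerpt because it does not affect which zones can reach which.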

I assume this is x86 or Pi hardware with direct CPU ports, so there is no DSA switch.
In that case you can create VLANs directly on the CPU ports with the ethX.N notation. These tagged ports can be either in bridges or directly as the option device of an interface block, if there is only to be the one port in that network. So for the future you may want to build the whole config out on the structure of a separate bridge for each network, even if right now that bridge only has one member.

Thank you.

Is there a way to specify the native vlan for an interface along with the tagged vlans?

You are correct, this is an SBC Arm device with no built in switch.

All I want to do is ensure that my VLANs aren't accessible other than what I noted above.

Thank you both again for your help.

Attempting to use tagged and untagged on the same port generally does not work with direct ports. In theory, untagged packets will be sent to ethX (with no VLAN). So there really isn't an implementation of "native VLAN". On a trunk port such as your eth1, a plain eth1 should not appear anywhere in the configuration--have only eth1 with a VLAN number. That will cause any stray incoming untagged packets, or packets with a tag number that is not defined, to be dropped.

2 Likes