[Solved] Firewall rules between VLANs

Hello,

I set up OpenWrt on my x86 machine with the current networks:

  • VLAN 5: Management (192.168.5.0/24)

  • VLAN 100: Home Net (192.168.0.0/24) (through a switch, it's the default vlan used for all devices)

  • VLAN 150: IoT (192.168.150.0/24)

  • VLAN 200: Sec (10.0.0.0/24)

  • WAN1/WAN2 (two PPPoE sessions over the same port, two IPs)

I have set up PBR (Policy Based Routing) to route everything from VLAN200 to WAN2 as I do not want devices on that VLAN to share my WAN1 public IP. (I just used the existing wan6 config, too lazy to rename it to WAN2, and it just worked so why not).

I set up FW Zones as below:

Each VLAN and WAN is in its own Zone. I disabled input for IoT and Sec and created a new rule to allow DNS and DHCP ports access to them (I do not want any device to communicate to the router from those zones at all except for the necessary services).

However I want some zones to be able to communicate with some devices in other zones as such:

  • Mgmt Zone: access devices on LAN, IoT and Sec (e.g. IoT web config, NVR web config, other computers/devices on LAN...), and not the other way around (block any incoming requests from LAN/IoT/Sec to Mgmt)
  • LAN Zone: access devices on IoT but not the other way around, and block router access (the router access can be disabled later on)
  • IoT Zone: no access to router or any other Zone, but be able to communicate to other devices in the same zone
  • Sec Zone: same as IoT in its own Zone

All Zones must have internet access.

My current issue is that I cannot access Sec Zone from the other zones that are supposed to be able to do so. Any pointers to fix this?

PS: if there are any other settings that should be fixed/changed, please point that out, thank you.

UPDATE: Somehow after a few reboots, it started working and I can access devices on the Sec Zone from the Mgmt Zone. Still, if anyone has any advice to improve this setup, it would be appreciated.
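An added example (not the poster's configuration) of how the zones, one-way forwardings and service rules described in the post look in /etc/config/firewall on OpenWrt; the network names mgmt, lan, iot, sec and wan are assumed, and the lan and wan zones are left out for brevity:

```uci
# Assumed example, not the poster's file. A zone's 'forward' option only
# governs traffic between interfaces inside that same zone.
config zone
	option name 'mgmt'
	list network 'mgmt'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'sec'
	list network 'sec'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Forwardings are one-way: mgmt can open connections into sec and the
# replies return through conntrack, but sec cannot initiate towards mgmt.
config forwarding
	option src 'mgmt'
	option dest 'sec'

config forwarding
	option src 'mgmt'
	option dest 'iot'

config forwarding
	option src 'lan'
	option dest 'iot'

# Every zone needs its own forwarding to wan for internet access.
config forwarding
	option src 'sec'
	option dest 'wan'

# With input REJECT, only these ports reach the router from sec.
# DNS is also served over TCP; add a second rule with proto 'tcp' for port 53.
config rule
	option name 'Allow-DNS-DHCP-sec'
	option src 'sec'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
```

The lan zone follows the mgmt pattern and wan the stock zone (input REJECT, masq 1); repeat the wan forwarding for mgmt, lan and iot, and the DNS/DHCP rule for iot. After editing, `/etc/init.d/firewall restart` reloads the rules, and `fw4 print` shows the generated nftables ruleset so the missing forwarding can be spotted without rebooting.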