[Solved] Firewall zones not working on eth0.xx vlans

I created an interface with device eth0.50 (making it a VLAN without needing a switch, because I do not have a switch; OpenWrt is running as a VM).
I created a firewall zone while creating the interface and set up DHCP. I allowed TCP and UDP traffic to ports 53, 67 and 68 (for DNS and DHCP) and allowed forwarding to the WAN zone.

When connected to the guests network, I am still able to connect to the router and to other devices on the network. Where did I go wrong?

uci export network

package network

# Loopback interface.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd2b:1367:f843::/48'

# br-lan bridges the untagged eth0 port. The eth0.40 / eth0.50 interfaces
# below are 802.1Q sub-interfaces on the same parent NIC, so the host's
# virtual switch presumably has to pass tagged frames to this VM — TODO confirm.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

# Primary LAN, 10.1.0.0/16 on br-lan.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.0.0'
	option ipaddr '10.1.0.1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# NOTE(review): '@lan' is an alias of the lan interface, i.e. a second subnet
# (10.2.0.0/16) on the same br-lan device, not a separate L2 segment. The
# firewall only filters routed traffic between zones; hosts that share br-lan
# can talk to each other directly, so the lan/virtualization zone split gives
# no isolation between these two subnets.
config interface 'virtualization'
	option proto 'static'
	option ipaddr '10.2.0.1'
	option netmask '255.255.0.0'
	option device '@lan'

# Tagged VLAN 40 on eth0 — its own L2 segment; isolation from the other
# networks is enforced by the firewall zones.
config interface 'trusted'
	option proto 'static'
	option device 'eth0.40'
	option ipaddr '10.4.0.1'
	option netmask '255.255.0.0'

# Tagged VLAN 50 on eth0 — its own L2 segment; isolation from the other
# networks is enforced by the firewall zones.
config interface 'guests'
	option proto 'static'
	option device 'eth0.50'
	option ipaddr '10.5.0.1'
	option netmask '255.255.0.0'

uci export firewall

package firewall

# Fallback policies for traffic that is not covered by any zone; every zone
# below sets its own input/output/forward policies.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# The 'lan' zone holds both the lan and trusted networks. forward ACCEPT here
# also permits traffic between those two networks, since intra-zone
# forwarding follows the zone's forward policy.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'trusted'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled '0'

# Hand-written rules in this script are loaded as well; whatever it contains
# is not visible in this export.
config include
	option path '/etc/firewall.user'

# No 'src' here, so this forwarding applies from EVERY zone towards lan —
# including guests and virtualization. This is why guest clients can reach
# devices on the lan. Remove it, or give it an explicit source, e.g.
# `option src 'virtualization'`, if one specific zone was meant.
config forwarding
	option dest 'lan'

config zone
	option name 'virtualization'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'virtualization'

# input ACCEPT means every service on the router is reachable from guests, so
# the Allow-DNS-DHCP-Guest rule below has no effect on what is exposed. Set
# input to REJECT so that only the ports listed in that rule are accepted.
config zone
	option name 'guests'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guests'

# No 'proto' is set; add `option proto 'udp'`. Port 68 is the DHCP *client*
# port — the router's DHCP server listens on 67 — so 68 should be dropped from
# the list.
config rule
	option name 'Allow-DNS-DHCP-Guest'
	option src 'guests'
	option dest_port '53 67 68'
	option target 'ACCEPT'
	option family 'ipv4'

config forwarding
	option src 'guests'
	option dest 'wan'

The input policy of the guests zone is ACCEPT so it will allow any inbound access to the router itself.

You should also remove

config forwarding
	option dest 'lan'

as that will allow access to the lan zone from any source zone. Alternatively add an explicit source to it (virtualization?) if it was supposed to allow forwarding from a specific zone towards lan.


In addition, add `option proto 'udp'` to the 'Allow-DNS-DHCP-Guest' rule.


And remove port 68 from the Allow-DNS-DHCP-Guest rule.


thanks all

