TD W8970 V1 traffic switch

I've just installed version 19.07.3 on a TP-LINK W8970 v1.2, configured an additional VLAN to isolate the webcams, and confirmed that traffic is passing between all ports without restrictions (so the VLAN configuration has no effect). Are there any changes to the driver/configuration that would make port isolation work?

Please show us your switch configuration.

(source: https://openwrt.org/toh/tp-link/td-w8970_v1)

You might be using version v1, v1.2?

Sure. 

**Simple br-lan bridge with lan-wan and 1 vlan in port 1:**
root@NetDOME:~# cat /etc/config/network 

# /etc/config/network as posted (ULA prefix, MAC and addresses masked by the author).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxxx'

# ADSL ATM bridge (VPI/VCI 1/32, LLC encapsulation, bridged payload), exposed as dsl0.
config atm-bridge 'atm'
	option vpi '1'
	option vci '32'
	option encaps 'llc'
	option payload 'bridged'
	option nameprefix 'dsl'

config dsl 'dsl'
	option annex 'a'
	option tone 'av'
	option ds_snr_offset '0'

# LAN: bridge br-lan over eth0.1, the VLAN-1 tagged CPU port.
# NOTE(review): proto is 'dhcp', so the router obtains its LAN address from
# another DHCP server rather than holding a static one — confirm intended.
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'dhcp'

# NOTE(review): 'wan' is attached to br-lan, the same bridge as 'lan'. The
# firewall's wan zone (masquerade, input REJECT) lists this interface, so the
# wan and lan zones share one physical segment here — confirm that dsl0 (the
# ATM bridge) was not meant instead of br-lan.
config interface 'wan'
	option proto 'dhcp'
	option ifname 'br-lan'

config device 'wan_dsl0_dev'
	option name 'dsl0'
	option macaddr 'xxxxxxxxxx'

config interface 'wan6'
	option ifname '@wan'
	option proto 'dhcp'

# Switch: VLAN filtering enabled, switch reset on (re)configuration.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# VLAN 1 (vid 1): CPU port 6 tagged, ports 0, 2 and 4 untagged -> eth0.1 / br-lan.
config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '6t 0 2 4'

# VLAN 2 (vid 10): CPU port 6 tagged, port 5 untagged -> eth0.10 / DMZ.
# NOTE(review): per the thread, this device does not enforce the separation
# at the switch level (traffic still crosses between ports), so the DMZ/lan
# split is only as strong as the layer-3 firewall zones.
config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '10'
	option ports '6t 5'

# DMZ (camera) segment: static address on eth0.10, the VLAN-10 tagged CPU port.
config interface 'DMZ'
	option ifname 'eth0.10'
	option delegate '0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr 'xxxxx'

# Wireless-WAN interface with no ifname set; it is listed in the firewall's wan zone.
config interface 'wwan'
	option proto 'dhcp'

**Most important rules at Firewall:**
with some NAT forwarding to access my cams, shared folders on the server, etc.

root@NetDOME:~# cat /etc/config/firewall

# /etc/config/firewall as posted (target addresses and camera ports masked by the author).
# Zone summary: lan -> wan, DMZ -> wan and lan -> DMZ are forwarded; DMZ -> lan is
# not listed, so it falls to the global 'forward REJECT' below.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

# wan zone: covers wan, wan6 and wwan; no unsolicited input, NAT outbound.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option input 'REJECT'
	option network 'wan wan6 wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

# Stock OpenWrt wan input exceptions (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# DMZ zone (cameras). forward REJECT plus the absence of a DMZ -> lan
# forwarding means DMZ hosts cannot initiate connections into lan.
# NOTE(review): input ACCEPT lets every DMZ host reach whatever listens on
# the router itself (its admin interface included). The 'dhcp-dmz' and
# 'dns-dmz' rules further down already cover what the cameras need, so
# 'input REJECT' here would tighten this without breaking them. log '1'
# records rejected DMZ traffic, which is useful for spotting a misbehaving camera.
config zone
	option log '1'
	option name 'DMZ'
	option network 'DMZ'
	option input 'ACCEPT'
	option forward 'REJECT'
	option family 'ipv4'
	option output 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'DMZ'

# WAN -> DMZ port forwards. Most redirects below give no 'proto', which in
# fw3 defaults to tcp+udp.
# Disabled (enabled '0'): SSH to the camera server.
config redirect
	option dest_port '22'
	option src 'wan'
	option target 'DNAT'
	option name 'CamSERVER'
	option dest_ip 'xxxxxxx'
	option dest 'DMZ'
	option src_dport '22'
	option enabled '0'

config redirect
	option dest_port '443'
	option src 'wan'
	option name 'SSL NextCloud'
	option src_dport '443'
	option target 'DNAT'
	option dest_ip 'xxxxxxx'
	option dest 'DMZ'

# NOTE(review): VNC (5900) exposed to the whole internet. VNC has no
# transport encryption of its own; restricting 'src_ip' to known addresses
# or reaching it over a VPN would be the usual mitigation.
config redirect
	option dest_port '5900'
	option src 'wan'
	option name 'VNC'
	option src_dport '5900'
	option target 'DNAT'
	option dest 'DMZ'
	option dest_ip 'xxxxxx'

# NOTE(review): SMB (445/tcp) exposed to the internet; same concern as VNC —
# this is a heavily scanned service and is better reached over a VPN.
config redirect
	option dest_port '445'
	option src 'wan'
	option name 'SMB'
	option src_dport '445'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxx'
	option dest 'DMZ'
	list proto 'tcp'

# Per-camera forwards (external port and camera port masked by the author).
config redirect
	option dest_port 'xx'
	option src 'wan'
	option src_dport 'xxxxxxxx'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxx'
	option dest 'DMZ'
	option name 'ToCAM1'

config redirect
	option dest_port 'xx'
	option src 'wan'
	option name 'ToCAM2'
	option src_dport 'xxxxxx'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxx'
	option dest 'DMZ'

config redirect
	option dest_port 'xx'
	option src 'wan'
	option name 'ToCAM3'
	option src_dport 'xxxxxxx'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxxxx'
	option dest 'DMZ'

# DMZ -> router: allow DHCP (67/udp) and DNS (53/udp to the listed server).
# These only take effect if the DMZ zone's input is changed from ACCEPT to REJECT.
config rule
	option target 'ACCEPT'
	list proto 'udp'
	option family 'ipv4'
	option src 'DMZ'
	option name 'dhcp-dmz'
	option dest_port '67'

config rule
	option src 'DMZ'
	option name 'dns-dmz'
	option target 'ACCEPT'
	list proto 'udp'
	option family 'ipv4'
	option dest_port '53'
	list dest_ip 'xxxxxxxx'

# NOTE(review): dest is 'lan', not 'DMZ' — this camera sits on the lan
# segment, so internet traffic is forwarded straight into lan and bypasses
# the DMZ isolation this thread is about.
config redirect
	option dest_port 'xxxxxxx'
	option src 'wan'
	option name 'ToCAM4'
	option src_dport 'xxxxxx'
	option target 'DNAT'
	option dest_ip 'xxxxxxxx'
	option dest 'lan'

config redirect
	option dest_port 'xxxxxxxx'
	option src 'wan'
	option name 'ToCAM5'
	option src_dport 'xxxxxx'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxx'
	option dest 'DMZ'

config redirect
	option dest_port 'xxxxxx'
	option src 'wan'
	option name 'ToCAM6'
	option src_dport 'xxxxxx'
	option target 'DNAT'
	option dest_ip 'xxxxxxxx'
	option dest 'DMZ'

config redirect
	option dest_port 'xxxxxxxxx'
	option src 'wan'
	option name 'ToCAM7'
	option src_dport '1997'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxx'
	option dest 'DMZ'

# NOTE(review): the four DMZ_Tram* redirects together forward ports 1-21,
# 23-442, 444-1990 and 1998-65535 (tcp+udp) to one DMZ host — i.e. every
# port except 22, 443 and 1991-1997, which the entries above handle. That
# host is effectively fully exposed to the internet; the DMZ zone then only
# protects the lan side from it, not the host itself. If this is deliberate,
# keeping that host patched and logging its traffic matters more than any
# other rule in this file.
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest_ip 'xxxxxxxxx'
	option dest 'DMZ'
	option src_dport '1-21'
	option name 'DMZ_Tram0'
	option dest_port '1-21'

config redirect
	option src 'wan'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxx'
	option dest 'DMZ'
	option dest_port '23-442'
	option src_dport '23-442'
	option name 'DMZ_Tram1'

config redirect
	option dest_port '444-1990'
	option src 'wan'
	option src_dport '444-1990'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxxx'
	option dest 'DMZ'
	option name 'DMZ-Tram2'

config redirect
	option dest_port '1998-65535'
	option src 'wan'
	option src_dport '1998-65535'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxxx'
	option dest 'DMZ'
	option name 'DMZ_Tram3'

# lan may initiate connections into DMZ; the reverse is not granted.
config forwarding
	option dest 'DMZ'
	option src 'lan'

# NOTE(review): NetBIOS session service (139/tcp) exposed to the internet —
# same concern as the 445/tcp forward above.
config redirect
	option dest_port '139'
	option src 'wan'
	option name 'SMB2'
	option src_dport '139'
	option target 'DNAT'
	option dest_ip 'xxxxxxxxxxx'
	option dest 'DMZ'
	list proto 'tcp'

Yes, I read that info, which is why I'm asking whether it is possible to do port isolation with VLANs.

First of all, please use the "preformatted text (Ctrl+Shift+C)" feature when posting lengthy configs, and second, you might want to hide MAC and IP addresses.

Apart from that, your config looks quite comprehensive already. Since the issue you are describing seems to be a known bug (or VLANs just not working at the hardware level), your approach of tackling it on layer 3 seems reasonable to me. In fact there is no definitively better or worse place to implement security, only different levels of complexity in getting it right.

Well... as long as your cameras are not hacked and somehow start attacking other devices on your switch at layer 2, that is... which I would not consider a highly probable concern. But maybe someone else has a more elaborate opinion on that one.

Thanks. I've modified the post as you said. I'm a newbie, so I didn't know that.
I hope anybody will do any working patch for that hardware soon.
Thanks again.

Sure, no worries. You have come here in search of help. Unfortunately there seems to be no quick or easy way of getting it the way you want (if it is even possible). Maybe ask more specifically in the developers area. But since that device is a bit older already, please don't expect too much.

Okay. Thanks for your attention.

If you are at least somewhat happy with the knowledge gained here consider marking the discussion as solved:
