Turn off inter-VLAN routing or block communications between VLANs

My scenario

  1. VLAN1-br-lan (default) [10.4.4.1/24]
  2. VLAN2-br-ext (vlan20) [10.5.5.1/24]

In VLAN2-br-ext I have 3 routers in front of it with the addresses 192.168.130.1/24, 192.168.140/24, 192.168.150.1/24

When I connect to any of the routers in front of VLAN2-br-ext, I can connect between the 3 routers on all ports.

I want a way to be able to stop this inter-communication between the routers 192.168../24

etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'guestwifi'
        option output 'ACCEPT'
        option forward 'REJECT'
        option input 'REJECT'
        list network 'guestwifi'

config rule
        option name 'Allow-Guest-DHCP'
        list proto 'udp'
        option src 'guestwifi'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option name 'Allow-Guest-DNS'
        option src 'guestwifi'
        option dest_port '53'
        option target 'ACCEPT'

config rule
        option src 'guestwifi'
        option target 'REJECT'
        option name 'Deny-All-Proto-Guest'
        list proto 'all'

config forwarding
        option src 'guestwifi'
        option dest 'wan'

config zone
        option name 'vlan20'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'vlan20'
        option input 'REJECT'

config forwarding
        option src 'vlan20'
        option dest 'wan'

config rule
        option name 'Allow-VLAN20-DHCP'
        list proto 'udp'
        option src 'vlan20'
        option dest_port '67'
        option target 'ACCEPT'

config rule
        option src 'vlan20'
        option dest_port '53'
        option target 'ACCEPT'
        option name 'Allow-VLAN20-DNS'

Can you draw a picture of the topology of this setup and from where you wish to block these connections?


Presumably you have these 3 routers running as non-nat masquerading devices.

So, you should be able to create a rule applied to your vlan20 firewall zone that drops or rejects all protocols from a source of 192.168.0.0/16 to destination 192.168.0.0/16.

These three routers are in a VLAN (10.5.5.1/24); when they connect to my router, they arrive with the IP addresses:

R1 10.5.5.100
R2 10.5.5.101
R3 10.5.5.102

I tried this rule but it didn't work

I think I have to use routes; however, I have no idea how to do it, as I've never used

Do the 3 192.168.x.0/24 routers have NAT masquerading enabled or not? Are they running OpenWrt?

Let's see your config on the OpenWrt 10.5.5.0/24 router.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/firewall

The 3 routers use the DD-WRT default config.

etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option drop_invalid '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guestwifi'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guestwifi'

config rule
	option name 'Allow-Guest-DHCP'
	list proto 'udp'
	option src 'guestwifi'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Allow-Guest-DNS'
	option src 'guestwifi'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option src 'guestwifi'
	option target 'REJECT'
	option name 'Deny-All-Proto-Guest'
	list proto 'all'

config forwarding
	option src 'guestwifi'
	option dest 'wan'

config zone
	option name 'vlan20'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'vlan20'
	option input 'REJECT'

config forwarding
	option src 'vlan20'
	option dest 'wan'

config rule
	option name 'Allow-VLAN20-DHCP'
	list proto 'udp'
	option src 'vlan20'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option src 'vlan20'
	option dest_port '53'
	option target 'ACCEPT'
	option name 'Allow-VLAN20-DNS'

config rule
	option name 'Remote-Access-LAN-to-VLAN20'
	option src 'lan'
	option dest 'vlan20'
	option target 'ACCEPT'
	option enabled '0'

etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd6c:de18:1de5::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option igmp_snooping '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '10.4.4.1'
	option ip6assign '64'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '1.1.1.1'
	list dns '8.8.8.8'
	list dns '208.67.222.222'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-guest'

config interface 'guestwifi'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option type 'bridge'
	option name 'br-ext'
	list ports 'lan4'
	option igmp_snooping '1'

config bridge-vlan
	option device 'br-ext'
	option vlan '20'
	list ports 'lan4'

config interface 'vlan20'
	option proto 'static'
	option device 'br-ext.20'
	option ipaddr '10.5.5.1'
	option netmask '255.255.255.0'

This would mean that the firewall and NAT masquerading are enabled on those devices. Therefore, it should be impossible for any host on one network (i.e. 192.168.140.0/24) to reach a host on another network (such as 192.168.150.0/24).

Are you experiencing something different?

Yes and no!

I can access SSH between the routers (192.168.0.0/24), and I can access SSH from the VLAN (10.5.5.1/24). I want to close this door too. I've tried everything, but I'm not excited.

Please elaborate.... what address is initiating the ssh connection and what is the destination address?

If this is working, it sounds like ssh access is allowed on the WAN of the DD-WRT devices. You would need to fix it on those devices... there is nothing you can do on the OpenWrt router and your topology to limit this.

Please elaborate.... what address is initiating the ssh connection and what is the destination address?

e.g. I am connected to router1 (192.168.130.1)

I can access SSH from the router (192.168.140.1) using the address of vlan20 (10.5.5.101).

I want to close this vlan20 connection with SSH between the routers.

This has nothing to do with your VLANs or anything about your configuration on OpenWrt (in the current state).

You have 2 options:

  1. Turn off ssh access from the WAN on the DD-WRT routers. This is a setting you'll find in the DD-WRT configuration, and is unrelated to anything you can do in OpenWrt.
  2. Put each of the 3 DD-WRT routers on their own VLAN.

Since all of the DD-WRT routers are currently on the same network (VLAN20) the traffic between them is switched (L2), not routed (L3). The firewall is never involved in L2 connections, so there is no way to limit these connections.
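To make the two points above concrete (the earlier suggestion of a 192.168.0.0/16-to-192.168.0.0/16 rule in the vlan20 zone, and why it cannot help), here is an added Python example, not code from the thread or from OpenWrt: a tiny UCI parser plus a simplified model of fw4's forward decision. It takes a flow as the OpenWrt router would see it (post-NAT, so the DD-WRT routers appear as 10.5.5.x) and reports whether the frame is switched at L2 without the firewall ever seeing it, or which rule, forwarding or zone policy decides it. The config excerpts are constructed from the thread's files; the `dest 'vlan20'` on the block rule is an assumption, since the suggestion did not specify one.

```python
import ipaddress

# Constructed excerpts in the thread's /etc/config style (not the full files):
# the two static interfaces, two zones, the vlan20->wan forwarding and a forward
# rule of the kind suggested above (its dest 'vlan20' is an assumption).
NETWORK_CFG = """
config interface 'lan'
	option proto 'static'
	option ipaddr '10.4.4.1'
	option netmask '255.255.255.0'

config interface 'vlan20'
	option proto 'static'
	option ipaddr '10.5.5.1'
	option netmask '255.255.255.0'
"""

FIREWALL_CFG = """
config zone
	option name 'lan'
	option forward 'REJECT'
	list network 'lan'

config zone
	option name 'vlan20'
	option forward 'REJECT'
	list network 'vlan20'

config forwarding
	option src 'vlan20'
	option dest 'wan'

config rule
	option name 'Block-192-to-192'
	option src 'vlan20'
	option dest 'vlan20'
	option src_ip '192.168.0.0/16'
	option dest_ip '192.168.0.0/16'
	option target 'REJECT'
"""

def parse_uci(text):
    """Minimal UCI parser: one dict per section, with '_type' and '_name' keys."""
    sections = []
    for raw in text.splitlines():
        parts = [p.strip("'") for p in raw.split(maxsplit=2)]
        if not parts:
            continue
        if parts[0] == "config":
            sections.append({"_type": parts[1], "_name": parts[2] if len(parts) > 2 else None})
        elif parts[0] == "option":
            sections[-1][parts[1]] = parts[2]
        elif parts[0] == "list":
            sections[-1].setdefault(parts[1], []).append(parts[2])
    return sections

def subnets(network_cfg):
    """Interface name -> IPv4 network, for the static interfaces."""
    return {s["_name"]: ipaddress.ip_interface(f"{s['ipaddr']}/{s['netmask']}").network
            for s in parse_uci(network_cfg) if s["_type"] == "interface" and "ipaddr" in s}

def zone_of(ip, nets, fw):
    """Zone whose interface subnet contains ip; anything else is treated as 'wan'."""
    for z in (s for s in fw if s["_type"] == "zone"):
        if any(n in nets and ip in nets[n] for n in z.get("network", [])):
            return z["name"]
    return "wan"

def evaluate(src, dst, network_cfg=NETWORK_CFG, firewall_cfg=FIREWALL_CFG):
    """(verdict, reason) for a new TCP/UDP flow src -> dst as seen by the OpenWrt box."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nets, fw = subnets(network_cfg), parse_uci(firewall_cfg)
    # Same subnet: the switch/bridge delivers the frame at L2 and the router's
    # FORWARD chain never runs, so no rule (not even Block-192-to-192) applies.
    for name, net in nets.items():
        if src in net and dst in net:
            return "L2", f"switched inside {name}, firewall not consulted"
    sz, dz = zone_of(src, nets, fw), zone_of(dst, nets, fw)
    def in_net(r, key, ip):
        return key not in r or ip in ipaddress.ip_network(r[key])
    # Forward rules (src and dest both set) are checked before zone forwardings.
    for r in (s for s in fw if s["_type"] == "rule" and "src" in s and "dest" in s):
        if (r["src"] in (sz, "*") and r["dest"] in (dz, "*")
                and in_net(r, "src_ip", src) and in_net(r, "dest_ip", dst)):
            return r["target"], f"rule {r['name']} ({sz} -> {dz})"
    if any(s["_type"] == "forwarding" and s["src"] == sz and s["dest"] == dz for s in fw):
        return "ACCEPT", f"forwarding {sz} -> {dz}"
    policy = next((s["forward"] for s in fw if s["_type"] == "zone" and s["name"] == sz), "REJECT")
    return policy, f"zone {sz} forward policy ({sz} -> {dz})"
```

Running `evaluate("10.5.5.100", "10.5.5.101")` returns the L2 verdict, while `evaluate("10.5.5.100", "10.4.4.5")` is rejected by the vlan20 zone policy and `evaluate("10.5.5.100", "1.1.1.1")` is accepted by the vlan20-to-wan forwarding.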

If I put each router in a VLAN, does that mean I have to put each one on its own router/switch port?

How are they physically connected right now? Do they all connect to the OpenWrt router? If so, you can configure the switch on that device with a different VLAN on each physical port.

Or... do you have a managed switch? If so, you can configure that switch to handle the VLANs.

If you're using an unmanaged switch, it will not be possible to connect them all to the same switch and have them on different VLANs.

BTW, if you're using an unmanaged switch currently, a quick way to prove that the OpenWrt router is not involved at all is to simply unplug it from the switch and then try to connect from one DD-WRT router to the other.

My switch is not managed!

Isn't there any way to do this using static routes?

Nope. Static routes affect routing (as they suggest, L3), whereas VLANs are implemented at L2.

You must use a managed switch to have VLANs work properly through a switch (L2).

The VLAN only exists on my router (VLAN20, 10.5.5.1); the 3 routers are subnets.

There is a much better way of doing all of this -- instead of using the 3 DD-WRT routers, put all of your VLANs on your OpenWrt router... It makes your topology much more streamlined and allows you to control exactly what access is desired between the networks.

I thought about changing the SSH port of each router. Will it work?