Two VLANS, Unmanaged Switch, Mesh and routing between zones

Hello!
Recently I woke up with an idea: to split my network into smaller chunks, specifically to detach my cameras/IoT devices from my "home" or "management" devices/servers. I could simply leave it as br-lan, put the devices in different subnets and then add a firewall rule to block any outgoing traffic from the cameras to "home", but I guess that's not "good practice" (even if it works).
So I created two VLANs, sacrificed some ports on my router to those VLANs, and connected everything together, but even though it "should" work, it does not. Every device can see the other devices, even though these VLANs are in different firewall zones that reject packets on input. How can I avoid that?
Imagine I have a REST API on the server with address 192.168.1.115/24 and the device 192.168.2.100/24 can still reach that server, which I don't want.
Here is the simplified version of my networking. There is a bunch of other devices not shown in the diagram, but they don't matter.
Maybe the problem is that I have an unmanaged switch, which still "connects" the devices physically, allowing them to communicate?

ubus call system board

{
        "kernel": "5.15.137",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Team Newifi D2",
        "board_name": "d-team,newifi-d2",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05-SNAPSHOT",
                "revision": "r23633-c7b6cfac40",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05-SNAPSHOT r23633-c7b6cfac40"
        }
}

cat /etc/config/network

# /etc/config/network as posted. The 'lan' and 'cam' interfaces sit on the
# 802.1Q sub-devices br-vlans.10 and br-vlans.20 of the DSA bridge
# 'br-vlans'. The separate 'br-lan' bridge is not referenced by any
# interface in this file.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # ULA prefix redacted by the poster.
        option ula_prefix 'xxxxxx::/48'
        option packet_steering '1'

# NOTE(review): this bridge claims lan1-lan3, which 'br-vlans' below also
# claims. A port can be a member of only one bridge, and nothing in this
# file uses br-lan, so this section looks like a leftover that should go.
config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        option igmp_snooping '1'

# "home"/management network, 192.168.1.1/24, on VLAN 10 (lan1, lan2 per the
# bridge-vlan section below).
config interface 'lan'
        option device 'br-vlans.10'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        option delegate '0'

# Upstream side. A static RFC 1918 address with gateway 192.168.0.1 suggests
# this router sits behind another router (double NAT) — verify.
config interface 'wan'
        option device 'wan'
        option proto 'static'
        option ipaddr '192.168.0.100'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

# Camera/IoT network, 192.168.2.1/24, on VLAN 20 (lan3 per the bridge-vlan
# section below). Isolation between this and 'lan' is only enforced for
# traffic that is actually routed through this router; hosts that share a
# layer-2 segment (e.g. the same unmanaged switch) talk to each other
# directly and never hit the firewall zones.
config interface 'cam'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'br-vlans.20'

# VLAN-filtering DSA bridge. lan4 is a member here but appears in no
# bridge-vlan below, so it carries neither VLAN 10 nor VLAN 20 — confirm
# whether that is intended.
config device
        option type 'bridge'
        option name 'br-vlans'
        option igmp_snooping '1'
        option ipv6 '0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

# Ports are listed without a ':t' / ':u*' suffix; netifd presumably treats
# them as untagged PVID members (access ports) — confirm against the docs.
config bridge-vlan
        option device 'br-vlans'
        option vlan '10'
        list ports 'lan1'
        list ports 'lan2'

config bridge-vlan
        option device 'br-vlans'
        option vlan '20'
        list ports 'lan3'

cat /etc/config/dhcp

# /etc/config/dhcp as posted. dnsmasq serves DNS/DHCPv4; odhcpd is kept
# secondary (maindhcp '0').
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # Refuse upstream answers that point at private addresses (DNS
        # rebinding), except for the domain listed in rebind_domain below.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'local'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # Only answer DNS queries from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        list rebind_domain 'free.aero2.net.pl'
        list server '1.1.1.1'
        list server '8.8.8.8'

# DHCP for the 'lan' interface: 192.168.1.15 - 192.168.1.114, 6h leases.
# NOTE(review): dhcpv6/ra are enabled here although /etc/config/network
# sets ipv6 '0' on the bridge and delegate '0' on 'lan' — presumably
# unused; confirm.
config dhcp 'lan'
        option interface 'lan'
        option start '15'
        option limit '100'
        option leasetime '6h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP is offered towards the upstream network.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '12h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

# Static lease for one 'lan' host.
config host
        option mac '00:D8:61:54:CB:35'
        option ip '192.168.1.69'

# DHCP for the camera network: 192.168.2.40 - 192.168.2.129, 12h leases.
# NOTE(review): the 'cam' zone in /etc/config/firewall has input 'REJECT'
# and no DHCP allow rule, so clients on this network likely cannot reach
# this server at all — confirm. The poster later states that cam addresses
# will be static, in which case this section can be dropped (or set to
# ignore '1').
config dhcp 'cam'
        option interface 'cam'
        option start '40'
        option limit '90'
        option leasetime '12h'

cat /etc/config/firewall

# /etc/config/firewall as posted. Zone policies below apply only to traffic
# that this router receives on, or routes between, the listed networks;
# frames switched between hosts on a shared layer-2 segment never pass
# through these chains.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# Trusted zone: router services reachable, and forwarding between networks
# in this zone allowed (only 'lan' is a member).
config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# Upstream zone: nothing unsolicited in, NAT outbound.
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# NOTE(review): the stock Allow-Ping rule is src 'wan' with no dest (an
# input rule). With src '*' and dest '*' this likely becomes a forward rule
# accepting echo-request between every pair of zones — including from 'cam'
# to 'lan', bypassing the forward 'REJECT' on the cam zone for ICMP. If
# that is not intended, drop `option dest '*'` or restrict src/dest.
config rule
        option name 'Allow-Ping'
        option src '*'
        option proto 'icmp'
        option family 'ipv4'
        option target 'ACCEPT'
        list icmp_type 'echo-request'
        option dest '*'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Camera zone: cam hosts cannot reach router services (input REJECT, so no
# DHCP/DNS from this router without an explicit allow rule), the router does
# not initiate towards them (output REJECT), and nothing is forwarded out of
# the zone (forward REJECT) — so no internet access for cameras, which is
# the stated goal.
config zone
        option name 'cam'
        option input 'REJECT'
        option output 'REJECT'
        option forward 'REJECT'
        list network 'cam'

# One-way: lan may initiate connections to cam; the reverse direction stays
# rejected, with replies passing via the firewall's established/related
# handling.
config forwarding
        option src 'lan'
        option dest 'cam'

You cannot use an unmanaged switch for multiple networks/vlans.

While I have not reviewed your configs, it is a non-starter with unmanaged switches: traffic between devices on the same unmanaged switch is forwarded directly at layer 2 and never passes through the router, so the router's firewall zones cannot control it.

I mean, there is a managed switch (the one built into the router), where using DSA I split the bridge into two VLANs, VLAN 10 and VLAN 20. The unmanaged switch is only there to provide some additional ports for wiring more devices, and it is connected to one of the VLAN 10 ports.

And yes, there is a br-lan that looks exactly the same as br-vlans; br-lan can be omitted.

The diagram you have drawn will not work. You're feeding 2 networks into a single unmanaged switch. Further, with your range extender thing on the right hand side, you cannot have VLANs traverse like that without a much more sophisticated setup (like B.A.T.M.A.N, or GRE-TAP encapsulation).

Beyond that, your bridge configurations are invalid -- a port can only be included in a single bridge. You've got ports lan1-lan3 included in 2 bridges which will cause problems.

Your cam firewall zone currently would result in that network being completely isolated from everything (including the router and other networks). It turns out that this is a good thing, because you'd be causing more problems if that zone allowed input -- this would result in 2 DHCP servers running on the same L2 switch, which would cause major problems.

In short, your proposed network topology will not work. You MUST have either a managed switch or physically separate devices (i.e. no shared switches or APs) from a given router port to the end devices on that network.


Thank you for your very detailed answer!

Well, tbh I don't need a DHCP server in VLAN20, all addresses will be static.

So there is no possibility of connecting to the "mesh AP" with a different subnet than the VLAN I am physically connected to? Even if I buy a managed switch, it still won't work, because I would need two VLAN-tagged SSIDs (so the mesh system needs to support VLANs), is that correct?

Do I have any way to have the camera connected to the main router, other than having every single device in one VLAN? I just want to have a simple security layer, so the camera will not have an internet connection and can't scan devices in the home network. I guess there is a way with multiple routers (rather than "bridges" everywhere), but that would cause a lot of NATs/masquerading...

That's fine, but you still won't achieve any security benefit, and likely will cause major problems if you put both VLANs into an unmanaged switch, as a general thing.

Is your mesh system either:

  • VLAN aware with the vendor firmware
  • or running OpenWrt?

Generally yes, you would need a managed switch and a mesh system that supports VLANs. You could sidestep the mesh system if you have another method of connecting the camera(s) to the router -- either by wire or with a different set of APs.

With your current topology, no.

That can be achieved with VLANs and firewall rules on the router, but you have to use hardware that supports VLANs -- i.e. managed switches and likely VLAN aware APs.

Depends on the topology. If you connected a router to the lan of your main network, things behind the router would still be able to see devices on your main lan, but you would not be able to see the cameras from the main lan (at least not without modification of the firewall on the secondary router and/or port forwarding).
