Unable to block Inter-VLAN Traffic

Hello,

I've tried searching every article possible and tried all the steps possible, but I've been unable to Block Inter-VLAN Traffic on my Netgear R6220 router with OpenWrt 19.07.4 installed.

This is my Setup:

1> VLAN 1: Main / Primary VLAN (Interface: LAN, Bridged: br-lan, Physical Port: eth0.1)
2> VLAN 10: Second VLAN (Interface: LAN4_VENU, Physical Port: eth0.10)
3> VLAN 20: Guest VLAN (Interface: LAN3_GUEST, Bridged: br-LAN3_GUEST)
4> 2 main wireless SSIDs (one on the 2.4 GHz radio, one on the 5 GHz radio) attached to the bridge interface br-lan.
5> 2 guest wireless SSIDs (one on the 2.4 GHz radio, one on the 5 GHz radio) attached to the bridge interface br-LAN3_GUEST.

VLAN 1: Static IP: 192.168.1.1/24
VLAN 10: Static IP: 192.168.10.1/24
VLAN 20: Static IP: 192.168.20.1/24

My requirement:

1> Communication from 192.168.1.0/24 should be allowed to all other VLANs.
2> Communication from 192.168.10.0/24 and 192.168.20.0/24 SHOULD NOT be allowed between each other and SHOULD NOT be allowed to 192.168.1.0/24 (replies to connections initiated from 192.168.1.0/24 are fine).

What I've tried so far:

1> Created a separate firewall zone for each interface with the zone forward policy set to REJECT, with the following exceptions:

 1.a> Firewall Zone for interface LAN should allow forwarding to Destination Zones with Interface LAN3_GUEST and LAN4_VENU.
 1.b> Firewall Zones for Interfaces LAN3_GUEST and LAN4_VENU should allow Forwarding from Source Zone with Interface LAN.

2> IPTABLES tried as follows:

 2.a> iptables -A FORWARDING -s 192.168.10.0/24 -d 192.168.1.0/24 -j REJECT
 2.b> iptables -A FORWARDING -s 192.168.20.0/24 -d 192.168.1.0/24 -j REJECT
 2.c> iptables -A OUTPUT -s 192.168.10.0/24 -d 192.168.1.0/24 -j REJECT
 2.d> iptables -A OUTPUT -s 192.168.20.0/24 -d 192.168.1.0/24 -j REJECT

None of the steps above have helped me block traffic the way I intended.

Can somebody please tell me if I'm doing something wrong?

Thanks & Regards,
Clifford!

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

cat /etc/config/network; cat /etc/config/wireless; \
cat /etc/config/dhcp; cat /etc/config/firewall; \
head -n -0 /etc/firewall.user; \
iptables-save -c; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru

Zone `lan` must have `config forwarding` sections to the second and guest zones, and that is all; anything not explicitly forwarded is rejected by the `forward 'REJECT'` default. The `option forward` you set on the zones themselves only governs traffic between networks inside the same zone (intra-zone), not traffic between zones.

root@OpenWrt_Netgear_R6220:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb7:e176:4b25::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'
        option type 'bridge'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ipaddr 'x.x.x.x'
        option gateway 'x.x.x.x'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 2'
        option vid '20'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '6t 1'
        option vid '10'

config interface 'LAN4_Venu'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.10'

config interface 'LAN3_Guest'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.20'
        option type 'bridge'

root@OpenWrt_Netgear_R6220:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
        option noscan '1'
        option htmode 'HT40'
        option channel '3'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option key 'Xxxxxxxxxx'
        option ssid 'OpenWrt-Cliff'
        option encryption 'psk2'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option key 'Xxxxxxxxxx'
        option ssid 'OpenWrt-5G-Cliff'
        option encryption 'psk2'
        option network 'lan'

config wifi-iface 'wifinet2'
        option ssid 'OpenWrt-Guest-Cliff'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'ap'
        option network 'LAN3_Guest'
        option key 'Xxxxxxxxxx'

config wifi-iface 'wifinet3'
        option ssid 'OpenWrt-5G-Guest-Cliff'
        option encryption 'psk2'
        option device 'radio1'
        option mode 'ap'
        option network 'LAN3_Guest'
        option key 'Xxxxxxxxxx'
root@OpenWrt_Netgear_R6220:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'
        option start '101'
        option limit '100'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'LAN3'
        option leasetime '12h'
        option interface 'LAN3'
        option start '101'
        option limit '50'

config dhcp 'LAN4_Venu'
        option leasetime '12h'
        option interface 'LAN4_Venu'
        option start '101'
        option limit '50'

config dhcp 'LAN3_Guest'
        option leasetime '12h'
        option interface 'LAN3_Guest'
        option start '101'
        option limit '100'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'XboxOne'
        option dns '1'
        option ip '192.168.1.253'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'GS308-Switch'
        option dns '1'
        option ip '192.168.1.100'

config host
        option name 'xx:xx:xx:xx:xx:xx'
        option dns '1'
        option ip '192.168.1.5'
        option mac 'xx:xx:xx:xx:xx:xx'

config host
        option mac 'xx:xx:xx:xx:xx:xx'
        option name 'HP-Printer'
        option dns '1'
        option ip '192.168.1.10'
root@OpenWrt_Netgear_R6220:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan LAN4_Venu LAN3_Guest'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect
        option target 'DNAT'
        option name 'RDP'
        option src 'wan'
        option src_dport '3389'
        option dest 'lan'
        option dest_ip '192.168.1.5'
        option dest_port '3389'

config zone
        option name 'PrimaryVLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN4_Venu'
        option name 'VenuLAN'

config forwarding
        option src 'PrimaryVLAN'
        option dest 'VenuLAN'

config zone
        option name 'GuestVLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN3_Guest'

config forwarding
        option src 'PrimaryVLAN'
        option dest 'GuestVLAN'
root@OpenWrt_Netgear_R6220:~# head -n -0 /etc/firewall.user
# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

root@OpenWrt_Netgear_R6220:~# iptables-save -c
# Generated by iptables-save v1.8.3 on Wed Sep 16 17:16:14 2020
*nat
:PREROUTING ACCEPT [922:161675]
:INPUT ACCEPT [225:14841]
:OUTPUT ACCEPT [205:14086]
:POSTROUTING ACCEPT [29:1780]
:postrouting_GuestVLAN_rule - [0:0]
:postrouting_PrimaryVLAN_rule - [0:0]
:postrouting_VenuVLAN_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_GuestVLAN_rule - [0:0]
:prerouting_PrimaryVLAN_rule - [0:0]
:prerouting_VenuVLAN_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_GuestVLAN_postrouting - [0:0]
:zone_GuestVLAN_prerouting - [0:0]
:zone_PrimaryVLAN_postrouting - [0:0]
:zone_PrimaryVLAN_prerouting - [0:0]
:zone_VenuLAN_postrouting - [0:0]
:zone_VenuLAN_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[948:163035] -A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
[203:16153] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[424:118441] -A PREROUTING -i eth0.10 -m comment --comment "!fw3" -j zone_lan_prerouting
[168:19694] -A PREROUTING -i br-LAN3_Guest -m comment --comment "!fw3" -j zone_lan_prerouting
[153:8747] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[203:16153] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_PrimaryVLAN_prerouting
[424:118441] -A PREROUTING -i eth0.10 -m comment --comment "!fw3" -j zone_VenuLAN_prerouting
[168:19694] -A PREROUTING -i br-LAN3_Guest -m comment --comment "!fw3" -j zone_GuestVLAN_prerouting
[515:46568] -A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
[28:1740] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o eth0.10 -m comment --comment "!fw3" -j zone_lan_postrouting
[0:0] -A POSTROUTING -o br-LAN3_Guest -m comment --comment "!fw3" -j zone_lan_postrouting
[487:44828] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[28:1740] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_PrimaryVLAN_postrouting
[0:0] -A POSTROUTING -o eth0.10 -m comment --comment "!fw3" -j zone_VenuLAN_postrouting
[0:0] -A POSTROUTING -o br-LAN3_Guest -m comment --comment "!fw3" -j zone_GuestVLAN_postrouting
[0:0] -A zone_GuestVLAN_postrouting -m comment --comment "!fw3: Custom GuestVLAN postrouting rule chain" -j postrouting_GuestVLAN_rule
[168:19694] -A zone_GuestVLAN_prerouting -m comment --comment "!fw3: Custom GuestVLAN prerouting rule chain" -j prerouting_GuestVLAN_rule
[28:1740] -A zone_PrimaryVLAN_postrouting -m comment --comment "!fw3: Custom PrimaryVLAN postrouting rule chain" -j postrouting_PrimaryVLAN_rule
[203:16153] -A zone_PrimaryVLAN_prerouting -m comment --comment "!fw3: Custom PrimaryVLAN prerouting rule chain" -j prerouting_PrimaryVLAN_rule
[28:1740] -A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.5/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.1.0/24 -d 192.168.1.5/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.1.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.1.5/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.10.0/24 -d 192.168.1.5/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.10.1
[0:0] -A zone_lan_postrouting -s 192.168.20.0/24 -d 192.168.1.5/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.20.1
[0:0] -A zone_lan_postrouting -s 192.168.20.0/24 -d 192.168.1.5/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j SNAT --to-source 192.168.20.1
[795:154288] -A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d x.x.x.235/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.1.5:3389
[0:0] -A zone_lan_prerouting -s 192.168.1.0/24 -d x.x.x.235/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.1.5:3389
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d x.x.x.235/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.1.5:3389
[0:0] -A zone_lan_prerouting -s 192.168.10.0/24 -d x.x.x.235/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.1.5:3389
[0:0] -A zone_lan_prerouting -s 192.168.20.0/24 -d x.x.x.235/32 -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.1.5:3389
[0:0] -A zone_lan_prerouting -s 192.168.20.0/24 -d x.x.x.235/32 -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP (reflection)" -j DNAT --to-destination 192.168.1.5:3389
[487:44828] -A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
[487:44828] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[153:8747] -A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
[27:1412] -A zone_wan_prerouting -p tcp -m tcp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.1.5:3389
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 3389 -m comment --comment "!fw3: RDP" -j DNAT --to-destination 192.168.1.5:3389
COMMIT
# Completed on Wed Sep 16 17:16:14 2020
# Generated by iptables-save v1.8.3 on Wed Sep 16 17:16:14 2020
*mangle
:PREROUTING ACCEPT [28273:26506480]
:INPUT ACCEPT [1166:195234]
:FORWARD ACCEPT [26697:26196257]
:OUTPUT ACCEPT [892:213669]
:POSTROUTING ACCEPT [27582:26409622]
[212:12004] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
[224:12560] -A FORWARD -i eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Wed Sep 16 17:16:14 2020
# Generated by iptables-save v1.8.3 on Wed Sep 16 17:16:14 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_GuestVLAN_rule - [0:0]
:forwarding_PrimaryVLAN_rule - [0:0]
:forwarding_VenuVLAN_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_GuestVLAN_rule - [0:0]
:input_PrimaryVLAN_rule - [0:0]
:input_VenuVLAN_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_GuestVLAN_rule - [0:0]
:output_PrimaryVLAN_rule - [0:0]
:output_VenuVLAN_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_GuestVLAN_dest_ACCEPT - [0:0]
:zone_GuestVLAN_dest_REJECT - [0:0]
:zone_GuestVLAN_forward - [0:0]
:zone_GuestVLAN_input - [0:0]
:zone_GuestVLAN_output - [0:0]
:zone_GuestVLAN_src_ACCEPT - [0:0]
:zone_PrimaryVLAN_dest_ACCEPT - [0:0]
:zone_PrimaryVLAN_dest_REJECT - [0:0]
:zone_PrimaryVLAN_forward - [0:0]
:zone_PrimaryVLAN_input - [0:0]
:zone_PrimaryVLAN_output - [0:0]
:zone_PrimaryVLAN_src_ACCEPT - [0:0]
:zone_VenuLAN_dest_ACCEPT - [0:0]
:zone_VenuLAN_dest_REJECT - [0:0]
:zone_VenuLAN_forward - [0:0]
:zone_VenuLAN_input - [0:0]
:zone_VenuLAN_output - [0:0]
:zone_VenuLAN_src_ACCEPT - [0:0]
:zone_VenuVLAN_forward - [0:0]
:zone_VenuVLAN_input - [0:0]
:zone_VenuVLAN_output - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[1169:195366] -A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
[501:71880] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[123:5912] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[90:5919] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[55:3592] -A INPUT -i eth0.10 -m comment --comment "!fw3" -j zone_lan_input
[98:6504] -A INPUT -i br-LAN3_Guest -m comment --comment "!fw3" -j zone_lan_input
[425:107471] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_PrimaryVLAN_input
[0:0] -A INPUT -i eth0.10 -m comment --comment "!fw3" -j zone_VenuLAN_input
[0:0] -A INPUT -i br-LAN3_Guest -m comment --comment "!fw3" -j zone_GuestVLAN_input
[26697:26196257] -A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
[26423:26162326] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[115:8385] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[62:10944] -A FORWARD -i eth0.10 -m comment --comment "!fw3" -j zone_lan_forward
[70:13190] -A FORWARD -i br-LAN3_Guest -m comment --comment "!fw3" -j zone_lan_forward
[27:1412] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_PrimaryVLAN_forward
[0:0] -A FORWARD -i eth0.10 -m comment --comment "!fw3" -j zone_VenuLAN_forward
[0:0] -A FORWARD -i br-LAN3_Guest -m comment --comment "!fw3" -j zone_GuestVLAN_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[896:214581] -A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
[691:200495] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[1:328] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o eth0.10 -m comment --comment "!fw3" -j zone_lan_output
[0:0] -A OUTPUT -o br-LAN3_Guest -m comment --comment "!fw3" -j zone_lan_output
[204:13758] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_PrimaryVLAN_output
[0:0] -A OUTPUT -o eth0.10 -m comment --comment "!fw3" -j zone_VenuLAN_output
[0:0] -A OUTPUT -o br-LAN3_Guest -m comment --comment "!fw3" -j zone_GuestVLAN_output
[110:4984] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[315:102487] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[123:5912] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[0:0] -A zone_GuestVLAN_dest_ACCEPT -o br-LAN3_Guest -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_GuestVLAN_dest_REJECT -o br-LAN3_Guest -m comment --comment "!fw3" -j reject
[0:0] -A zone_GuestVLAN_forward -m comment --comment "!fw3: Custom GuestVLAN forwarding rule chain" -j forwarding_GuestVLAN_rule
[0:0] -A zone_GuestVLAN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_GuestVLAN_forward -m comment --comment "!fw3" -j zone_GuestVLAN_dest_REJECT
[0:0] -A zone_GuestVLAN_input -m comment --comment "!fw3: Custom GuestVLAN input rule chain" -j input_GuestVLAN_rule
[0:0] -A zone_GuestVLAN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_GuestVLAN_input -m comment --comment "!fw3" -j zone_GuestVLAN_src_ACCEPT
[0:0] -A zone_GuestVLAN_output -m comment --comment "!fw3: Custom GuestVLAN output rule chain" -j output_GuestVLAN_rule
[0:0] -A zone_GuestVLAN_output -m comment --comment "!fw3" -j zone_GuestVLAN_dest_ACCEPT
[0:0] -A zone_GuestVLAN_src_ACCEPT -i br-LAN3_Guest -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_PrimaryVLAN_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_PrimaryVLAN_dest_REJECT -o br-lan -m comment --comment "!fw3" -j reject
[0:0] -A zone_PrimaryVLAN_forward -m comment --comment "!fw3: Custom PrimaryVLAN forwarding rule chain" -j forwarding_PrimaryVLAN_rule
[0:0] -A zone_PrimaryVLAN_forward -m comment --comment "!fw3: Zone PrimaryVLAN to VenuLAN forwarding policy" -j zone_VenuLAN_dest_ACCEPT
[0:0] -A zone_PrimaryVLAN_forward -m comment --comment "!fw3: Zone PrimaryVLAN to GuestVLAN forwarding policy" -j zone_GuestVLAN_dest_ACCEPT
[0:0] -A zone_PrimaryVLAN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_PrimaryVLAN_forward -m comment --comment "!fw3" -j zone_PrimaryVLAN_dest_REJECT
[0:0] -A zone_PrimaryVLAN_input -m comment --comment "!fw3: Custom PrimaryVLAN input rule chain" -j input_PrimaryVLAN_rule
[0:0] -A zone_PrimaryVLAN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_PrimaryVLAN_input -m comment --comment "!fw3" -j zone_PrimaryVLAN_src_ACCEPT
[0:0] -A zone_PrimaryVLAN_output -m comment --comment "!fw3: Custom PrimaryVLAN output rule chain" -j output_PrimaryVLAN_rule
[0:0] -A zone_PrimaryVLAN_output -m comment --comment "!fw3" -j zone_PrimaryVLAN_dest_ACCEPT
[0:0] -A zone_PrimaryVLAN_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_VenuLAN_dest_ACCEPT -o eth0.10 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_VenuLAN_dest_REJECT -o eth0.10 -m comment --comment "!fw3" -j reject
[0:0] -A zone_VenuLAN_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_VenuLAN_forward -m comment --comment "!fw3" -j zone_VenuLAN_dest_REJECT
[0:0] -A zone_VenuLAN_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_VenuLAN_input -m comment --comment "!fw3" -j zone_VenuLAN_src_ACCEPT
[0:0] -A zone_VenuLAN_output -m comment --comment "!fw3" -j zone_VenuLAN_dest_ACCEPT
[0:0] -A zone_VenuLAN_src_ACCEPT -i eth0.10 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[1:328] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_lan_dest_ACCEPT -o eth0.10 -m comment --comment "!fw3" -j ACCEPT
[41:4457] -A zone_lan_dest_ACCEPT -o br-LAN3_Guest -m comment --comment "!fw3" -j ACCEPT
[247:32519] -A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
[247:32519] -A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[41:4457] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[243:16015] -A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[243:16015] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[1:328] -A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
[1:328] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[90:5919] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[55:3592] -A zone_lan_src_ACCEPT -i eth0.10 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[98:6504] -A zone_lan_src_ACCEPT -i br-LAN3_Guest -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[7:304] -A zone_wan_dest_ACCEPT -o eth0.2 -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
[403:41516] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[27:1412] -A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
[0:0] -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
[27:1412] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[425:107471] -A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
[0:0] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[0:0] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[425:107471] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[204:13758] -A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
[204:13758] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[425:107471] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Wed Sep 16 17:16:14 2020
root@OpenWrt_Netgear_R6220:~# ip -4 addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: br-LAN3_Guest: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.20.1/24 brd 192.168.20.255 scope global br-LAN3_Guest
       valid_lft forever preferred_lft forever
7: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: eth0.10@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 192.168.10.1/24 brd 192.168.10.255 scope global eth0.10
       valid_lft forever preferred_lft forever
10: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet x.x.x.235/24 brd x.x.x.255 scope global eth0.2
       valid_lft forever preferred_lft forever
root@OpenWrt_Netgear_R6220:~# ip -4 ro li tab all
default via x.x.x.1 dev eth0.2
x.x.x.0/24 dev eth0.2 scope link  src x.x.x.x
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1
192.168.10.0/24 dev eth0.10 scope link  src 192.168.10.1
192.168.20.0/24 dev br-LAN3_Guest scope link  src 192.168.20.1
broadcast x.x.x.0 dev eth0.2 table local scope link  src x.x.x.x
local x.x.x.235 dev eth0.2 table local scope host  src x.x.x.x
broadcast x.x.x.255 dev eth0.2 table local scope link  src x.x.x.x
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
broadcast 192.168.1.0 dev br-lan table local scope link  src 192.168.1.1
local 192.168.1.1 dev br-lan table local scope host  src 192.168.1.1
broadcast 192.168.1.255 dev br-lan table local scope link  src 192.168.1.1
broadcast 192.168.10.0 dev eth0.10 table local scope link  src 192.168.10.1
local 192.168.10.1 dev eth0.10 table local scope host  src 192.168.10.1
broadcast 192.168.10.255 dev eth0.10 table local scope link  src 192.168.10.1
broadcast 192.168.20.0 dev br-LAN3_Guest table local scope link  src 192.168.20.1
local 192.168.20.1 dev br-LAN3_Guest table local scope host  src 192.168.20.1
broadcast 192.168.20.255 dev br-LAN3_Guest table local scope link  src 192.168.20.1
root@OpenWrt_Netgear_R6220:~# ip -4 ru
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

You've got all LANs in one firewall zone here with an accept rule for forwarding. That's why they can all talk to each other.


Thanks a ton. I've removed that default rule and modified my firewall zones as follows; now I have the setup almost the way I want it.

root@OpenWrt_Netgear_R6220:~# cat /etc/config/firewall

# fw3 configuration, first revision posted in this thread.
# Per zone, 'input' is the policy for traffic addressed to the router itself
# and 'forward' the policy for traffic routed on to another zone; each
# 'config forwarding' section opens one forward path in one direction.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# Primary VLAN. input ACCEPT: hosts here can reach every service the router
# itself offers (this is the only zone from which LuCI/SSH are meant to be
# used, per the discussion further down).
config zone
        option name 'PrimaryVLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'

# input ACCEPT here is why a host in this VLAN can still ping 192.168.1.1
# and 192.168.20.1: those are the router's own addresses, so the packets are
# judged by this zone's input policy. The forward REJECT only applies to
# traffic routed on to another zone.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN4_Venu'
        option name 'VenuLAN'

# One-directional: connections initiated from PrimaryVLAN are forwarded to
# VenuLAN; there is no forwarding section for the reverse direction.
config forwarding
        option src 'PrimaryVLAN'
        option dest 'VenuLAN'

# Same input ACCEPT caveat as VenuLAN. The ping output further down is from a
# 192.168.20.x host: all three gateway addresses answer, while a host behind
# PrimaryVLAN (192.168.1.5) is rejected by the forward policy.
config zone
        option name 'GuestVLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN3_Guest'

config forwarding
        option src 'PrimaryVLAN'
        option dest 'GuestVLAN'

# Every LAN zone may initiate connections towards wan; no zone other than
# PrimaryVLAN may initiate connections towards another LAN zone.
config forwarding
        option src 'PrimaryVLAN'
        option dest 'wan'

config forwarding
        option src 'VenuLAN'
        option dest 'wan'

config forwarding
        option src 'GuestVLAN'
        option dest 'wan'

While I'm not able to ping any other VLAN's client IPs from VLAN 10 and VLAN 20, I'm still able to ping the default gateway IPs of the other VLANs from both VLAN 10 and VLAN 20. Is there any way to prohibit them from reaching the other VLANs' gateways, apart from their own gateway?

Wireless LAN adapter Wi-Fi 2:

   Connection-specific DNS Suffix  . : lan
   Link-local IPv6 Address . . . . . : fe80::4522:9ace:65a9:db35%26
   IPv4 Address. . . . . . . . . . . : 192.168.20.135
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1

C:\Users\cliff>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\cliff>ping 192.168.20.1

Pinging 192.168.20.1 with 32 bytes of data:
Reply from 192.168.20.1: bytes=32 time=1ms TTL=64
Reply from 192.168.20.1: bytes=32 time=1ms TTL=64
Reply from 192.168.20.1: bytes=32 time=1ms TTL=64
Reply from 192.168.20.1: bytes=32 time=2ms TTL=64

Ping statistics for 192.168.20.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\cliff>ping 192.168.10.1

Pinging 192.168.10.1 with 32 bytes of data:
Reply from 192.168.10.1: bytes=32 time=1ms TTL=64
Reply from 192.168.10.1: bytes=32 time=1ms TTL=64
Reply from 192.168.10.1: bytes=32 time=1ms TTL=64
Reply from 192.168.10.1: bytes=32 time=1ms TTL=64

Ping statistics for 192.168.10.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\cliff>ping 192.168.1.5

Pinging 192.168.1.5 with 32 bytes of data:
Reply from 192.168.20.1: Destination port unreachable.
Reply from 192.168.20.1: Destination port unreachable.
Reply from 192.168.20.1: Destination port unreachable.
Reply from 192.168.20.1: Destination port unreachable.

Ping statistics for 192.168.1.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

You can set the zone input policy to REJECT and add custom rules to selectively allow the input traffic, i.e. allow only specific destination IPs. The gateway addresses belong to the router itself, so packets sent to them are judged by the zone's input policy, not by the forward policy you already set to REJECT.


I think I'll leave it at this config; never mind that they can ping the gateways of the other VLANs.

I have one final caveat. Even though I have set the listen address of my uhttpd service to just the 192.168.1.0/24 network for both HTTP and HTTPS, it still loads the LuCI web interface if I enter 192.168.10.1 or 192.168.20.1. This shouldn't happen, right?

root@OpenWrt_Netgear_R6220:~# cat /etc/config/uhttpd
# Server configuration
# NOTE(review): in this setup nginx (luci-ssl-nginx) is also installed and
# listens on 80/443 itself, so the addresses below do not decide on which
# interfaces LuCI is reachable; see the nginx config later in the thread.
config uhttpd main

        # HTTP listen addresses, multiple allowed
        # NOTE(review): 192.168.1.0 is the network address of the /24, not an
        # address the router holds (br-lan has 192.168.1.1), so a bind to it
        # cannot succeed; the host-only value intended is 192.168.1.1:80.
        list listen_http        192.168.1.0:80
        # list listen_http      [::]:80

        # HTTPS listen addresses, multiple allowed
        # NOTE(review): same network-address mistake as above; intended
        # value is 192.168.1.1:443.
        list listen_https       192.168.1.0:443
        # list listen_https     [::]:443

        # Redirect HTTP requests to HTTPS if possible
        option redirect_https   1

        # Server document root
        option home             /www

        # Reject requests from RFC1918 IP addresses
        # directed to the servers public IP(s).
        # This is a DNS rebinding countermeasure.
        option rfc1918_filter 1

        # Maximum number of concurrent requests.
        # If this number is exceeded, further requests are
        # queued until the number of running requests drops
        # below the limit again.
        option max_requests 3

        # Maximum number of concurrent connections.
        # If this number is exceeded, further TCP connection
        # attempts are queued until the number of active
        # connections drops below the limit again.
        option max_connections 100

        # Certificate and private key for HTTPS.
        # If no listen_https addresses are given,
        # the key options are ignored.
        option cert             /etc/uhttpd.crt
        option key              /etc/uhttpd.key

        # CGI url prefix, will be searched in docroot.
        # Default is /cgi-bin
        option cgi_prefix       /cgi-bin

        # List of extension->interpreter mappings.
        # Files with an associated interpreter can
        # be called outside of the CGI prefix and do
        # not need to be executable.
#       list interpreter        ".php=/usr/bin/php-cgi"
#       list interpreter        ".cgi=/usr/bin/perl"

        # List of prefix->Lua handler mappings.
        # Any request to an URL beneath the prefix
        # will be dispatched to the associated Lua
        # handler script. Lua support is disabled when
        # no handler mappings are specified. Lua prefix
        # matches have precedence over the CGI prefix.
        # This mapping is what serves LuCI from uhttpd.
        list lua_prefix         "/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua"

        # Specify the ubus-rpc prefix and socket path.
#       option ubus_prefix      /ubus
#       option ubus_socket      /var/run/ubus.sock

        # CGI/Lua timeout, if the called script does not
        # write data within the given amount of seconds,
        # the server will terminate the request with
        # 504 Gateway Timeout response.
        option script_timeout   60

        # Network timeout, if the current connection is
        # blocked for the specified amount of seconds,
        # the server will terminate the associated
        # request process.
        option network_timeout  30

        # HTTP Keep-Alive, specifies the timeout for persistent
        # HTTP/1.1 connections. Setting this to 0 will disable
        # persistent HTTP connections.
        option http_keepalive   20

        # TCP Keep-Alive, send periodic keep-alive probes
        # over established connections to detect dead peers.
        # The value is given in seconds to specify the
        # interval between subsequent probes.
        # Setting this to 0 will disable TCP keep-alive.
        option tcp_keepalive    1

        # Basic auth realm, defaults to local hostname
#       option realm    OpenWrt

        # Configuration file in busybox httpd format
#       option config   /etc/httpd.conf

        # Do not follow symlinks that point outside of the
        # home directory.
#       option no_symlinks      0

        # Do not produce directory listings but send 403
        # instead if a client requests an url pointing to
        # a directory without any index file.
#       option no_dirlists      0

        # Do not authenticate any ubus-rpc requests against
        # the ubus session/access procedure.
        # This is dangerous and should be always left off
        # except for development and debug purposes!
#       option no_ubusauth      0

        # For this instance of uhttpd use the listed httpauth
        # sections to require Basic auth to the specified
        # resources.
#       list httpauth prefix_user


# Defaults for automatic certificate and key generation
config cert defaults

        # Validity time
        option days             730

        # key type: rsa or ec
        option key_type         rsa

        # RSA key size
        option bits             2048

        # EC curve name
        # Curve names vary between mbedtls/px5g and openssl
        # P-256 or P-384 are guaranteed to work
        option ec_curve         P-256

        # Location
        option country          ZZ
        option state            Somewhere
        option location         Unknown

        # Common name
        option commonname       'OpenWrt'

# config httpauth prefix_user
#       option prefix /protected/url/path
#       option username user
#       option password 'plaintext_or_md5_or_$p$user_for_system_user'

# Rebind uhttpd to the router's own address on the primary VLAN. The posted
# config used 192.168.1.0, the /24's network address, which no interface
# holds; the host-only binding intended is 192.168.1.1. The delete is quieted
# (-q) so a missing list does not abort the sequence. This only changes
# uhttpd: a separately installed nginx keeps its own listen addresses.
uci -q delete uhttpd.main.listen_http
uci add_list uhttpd.main.listen_http="192.168.1.1:80"
uci -q delete uhttpd.main.listen_https
uci add_list uhttpd.main.listen_https="192.168.1.1:443"
uci commit uhttpd
/etc/init.d/uhttpd restart

It still loads the LuCI web interface on 192.168.10.1 and 192.168.20.1 after making the above changes. :frowning:

If it helps, I'm also using nginx; I didn't install just openssl.

This is the command I used to setup https on my router:

opkg update
opkg install luci-ssl-nginx

It went away and did its thing, installing all the dependencies and setting up a self-signed certificate.

I followed the instructions in this URL, to install nginx with ssl:

https://openwrt.org/docs/guide-user/luci/luci.essentials#installation

Then you should probably modify the nginx config: with luci-ssl-nginx it is nginx, not uhttpd, that is listening on ports 80 and 443, so the uhttpd listen addresses have no effect on what answers at 192.168.10.1 and 192.168.20.1.


Right, I did that, it now blocks it perfectly fine, I'm all set.

I modified /etc/nginx/nginx.conf as follows and restarted both nginx and uhttpd:

server {
        # Plain HTTP is bound to the primary VLAN address only; every request
        # is redirected to the HTTPS server below.
        listen 192.168.1.1:80 default_server;
        # NOTE(review): [::] binds every IPv6 address on the router, including
        # any link-local or ULA address it may hold on the guest/venu
        # interfaces, so those VLANs could still reach this listener over
        # IPv6 even though the IPv4 bind is restricted. Bind to a specific
        # IPv6 address as well, or drop the line, if that is not intended.
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

server {
        # HTTPS bound to the primary VLAN address only.
        listen 192.168.1.1:443 ssl default_server;
        # NOTE(review): same IPv6 caveat as the port-80 server: [::] is
        # reachable from every interface that carries an IPv6 address.
        listen [::]:443 ssl default_server;
        server_name  localhost;

        # NOTE(review): TLSv1 and TLSv1.1 are deprecated; TLSv1.2 alone (plus
        # TLSv1.3 where the nginx build supports it) is the usual choice.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
        ssl_session_tickets off;

        # Self-signed pair generated when luci-ssl-nginx was installed.
        ssl_certificate /etc/nginx/nginx.cer;
        ssl_certificate_key /etc/nginx/nginx.key;

        # The '.' before the extension list is an unescaped regex wildcard
        # ('\.' was probably intended); harmless for a static-asset cache rule.
        location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
            expires 365d;
        }
        # NOTE(review): the paste ends here; the closing brace of this server
        # block and anything that follows the location block are not shown.

# Restart both web servers so the new listen addresses take effect.
/etc/init.d/nginx restart
/etc/init.d/uhttpd restart

Sorry to bother you again.

Just out of curiosity, what exact custom rules would I need to add in order to block access to 192.168.1.1 from 192.168.10.0/24 and 192.168.20.0/24?

Since 192.168.1.0/24 is my PrimaryVLAN and the ONLY way to reach my router through LuCI and SSH (dropbear is set to listen only on my lan interface), if I set the PrimaryVLAN INPUT policy to REJECT, the changes get rejected and rolled back automatically.

Before I set my PrimaryVLAN INPUT to REJECT, I'll need my Custom Rules to be able to do the following:

1> Allow all clients within my PrimaryVLAN to be able to reach 192.168.1.1
2> Allow my RDP Port Forwarding request from WAN to reach 192.168.1.5 on the default RDP port 3389.

Please let me know if you can give me the exact custom rule commands to accomplish the above.

Thank You!

Do you mean the firewall zone's input policy? As you've seen, all that does is stop traffic arriving on interfaces in that zone from reaching the router; it does not affect traffic from other zones. You don't need custom commands either: just add firewall rules that prevent input to the router from either of the unwanted VLANs. Something like:

# No 'option dest' on these rules, so fw3 places them in the zone's input
# chain: they reject traffic from that zone addressed to the router itself,
# which is exactly what the zone's 'forward' policy cannot do. Having no
# proto/port match, they also reject DHCP and DNS requests from those VLANs
# if the router serves them; ACCEPT rules for udp 67/68 and 53 would then
# have to be listed ahead of these. To block only the primary gateway
# address, add 'option dest_ip 192.168.1.1' instead of rejecting everything.
config rule
        option src 'VenuLAN'
        option target 'REJECT'

config rule
        option src 'GuestVLAN'
        option target 'REJECT'

I tested with just the GuestVLAN rule, but I'm still able to ping 192.168.1.1 from the GuestVLAN network after applying the above change and restarting the firewall service.

Can you post your network and firewall config files?

root@OpenWrt_Netgear_R6220:~# cat /etc/config/firewall

# fw3 configuration, second revision: the earlier zones plus an RDP port
# forward and the 'BlockGuest' rule discussed below.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# Primary VLAN: the only zone meant to reach LuCI/SSH on the router.
config zone
        option name 'PrimaryVLAN'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'
        option input 'ACCEPT'

# input ACCEPT: hosts in this VLAN can reach the router's own addresses on
# every VLAN; forward REJECT only governs traffic routed on to other zones.
config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN4_Venu'
        option name 'VenuLAN'

# One-directional: only connections initiated from PrimaryVLAN are forwarded.
config forwarding
        option src 'PrimaryVLAN'
        option dest 'VenuLAN'

config zone
        option name 'GuestVLAN'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'LAN3_Guest'

config forwarding
        option src 'PrimaryVLAN'
        option dest 'GuestVLAN'

config forwarding
        option src 'PrimaryVLAN'
        option dest 'wan'

config forwarding
        option src 'VenuLAN'
        option dest 'wan'

config forwarding
        option src 'GuestVLAN'
        option dest 'wan'

# Port forward: 3389 arriving on wan is passed straight to 192.168.1.5. No
# 'proto' is given, so fw3's default for redirects (tcp and udp) applies.
# NOTE(review): this exposes RDP to every source on the internet. If it must
# stay, restrict 'src_ip' to the remote network that needs it, or reach the
# host over a VPN instead.
config redirect
        option target 'DNAT'
        option name 'RDP'
        option src 'wan'
        option src_dport '3389'
        option dest 'PrimaryVLAN'
        option dest_ip '192.168.1.5'
        option dest_port '3389'

# NOTE(review): this is not the rule suggested earlier in the thread, because
# it carries 'option dest'. A rule with a dest zone is placed in the zone's
# forward chain, so it only matches traffic routed GuestVLAN -> PrimaryVLAN,
# which the zone policy already rejects. Packets addressed to 192.168.1.1
# itself go through the input chain and never meet this rule, which is why
# the gateway still answers pings. Remove the 'option dest' line to make it
# an input rule; add 'option dest_ip 192.168.1.1' to limit it to that
# address so the guest VLAN's own gateway (and any DHCP/DNS it provides)
# stays reachable.
config rule
        option name 'BlockGuest'
        list proto 'all'
        option src 'GuestVLAN'
        option dest 'PrimaryVLAN'
        option target 'REJECT'
root@OpenWrt_Netgear_R6220:~# cat /etc/config/network

# Network configuration. switch0 port map from the switch_vlan sections:
# port 6 is tagged on every VLAN (evidently the CPU port that feeds the
# eth0.<vid> interfaces); VLAN id 1 -> lan (port 3), 2 -> wan (port 4),
# 20 -> LAN3_Guest (port 2), 10 -> LAN4_Venu (port 1).
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 ULA prefix; interfaces may carry addresses from it in addition to
# the IPv4 addresses shown in the ip -4 output above.
config globals 'globals'
        option ula_prefix 'fdb7:e176:4b25::/48'

# Primary VLAN (PrimaryVLAN zone): bridge br-lan over eth0.1.
config interface 'lan'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'
        option type 'bridge'

config device 'lan_eth0_1_dev'
        option name 'eth0.1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

# Static public address on eth0.2 (values redacted in the post).
config interface 'wan'
        option ifname 'eth0.2'
        option proto 'static'
        option netmask '255.255.255.0'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        option ipaddr 'x.x.x.x'
        option gateway 'x.x.x.x'

config device 'wan_eth0_2_dev'
        option name 'eth0.2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '6t 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6t 4'
        option vid '2'

# switch entry 3 carries VLAN id 20 (guest) on port 2.
config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 2'
        option vid '20'

# switch entry 4 carries VLAN id 10 (venu) on port 1.
config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '6t 1'
        option vid '10'

# VenuLAN zone: plain (non-bridged) interface on the tagged VLAN 10 device.
config interface 'LAN4_Venu'
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.10'

# GuestVLAN zone: bridged (br-LAN3_Guest) over the tagged VLAN 20 device, so
# further members can be attached to the same segment.
config interface 'LAN3_Guest'
        option proto 'static'
        option ipaddr '192.168.20.1'
        option netmask '255.255.255.0'
        option ifname 'eth0.20'
        option type 'bridge'

Is this the rule you added after my earlier post? That didn't work?