VLAN can reach management IP

Hi,

I am in the process of learning how VLANs work on OpenWRT. I am using an R7800, which I have become aware doesn't use DSA yet. I've so far managed to create a VLAN with the ID 10, and it seems to work fine so far. The only weird thing is that for some reason I can reach 192.168.1.1 and the management web interface from the VLAN, which imo should not be possible, since forwarding is disabled for the VLAN network. Could someone tell me what's wrong with my config?

/etc/config/firewall:

root@openwrt:/etc/config# cat firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DHCPv6-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# dest_port matches the router-side port. Matching src_port instead would
# accept any TCP from wan, because the remote client picks its own source port.
config rule
        option name 'Allow-SSH'
        list proto 'tcp'
        option src 'wan'
        option dest_port '22'
        option target 'ACCEPT'

# Same caveat as above: match the router-side port, not the peer's source port.
config rule
        option name 'Allow-Cert-Renewal'
        list proto 'tcp'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'

config zone
        option name 'guest'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config forwarding
        option src 'lan'
        option dest 'guest'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '80 - traefik-rev-proxy'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest_ip '192.168.1.2'
        option dest_port '80'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name '443 - traefik-rev-proxy'
        list proto 'tcp'
        option src 'wan'
        option src_dport '443'
        option dest_ip '192.168.1.2'
        option dest_port '443'

config zone
        option name 'vlan10'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN'

/etc/config/network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2b:8114:bd31::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option delegate '0'

config interface 'wan'
        option device 'eth0.2'
        option proto 'dhcp'
        option peerdns '0'
        list dns '1.1.1.1'
        list dns '8.8.8.8'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '6t 4 3'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'
        option vid '2'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '6t 2 1'
        option vid '10'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '10'
        option name 'eth1.10'

config interface 'VLAN'
        option proto 'static'
        option device 'eth1.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

It is possible, as you allow input to the device from VLAN 10. So input is allowed from the VLAN, regardless of the DST IP used to reach the device.

You'll need to fix the firewall configuration if that's not your desire.

Ok, I would have assumed that denying forwarding traffic would include local router IPs in other networks.

So if I want the vlan clients to be able to ping the vlan gateway IP, I have to allow input, but block them accessing any other local IP using a firewall rule?

It's the default behavior of Linux to answer all requests where an address is locally assigned, and not only for the address on the incoming interface.
If you want to, you can reject SSH and HTTP(S), but you still want to allow DHCP, DNS, IPv6 and ICMP on that interface/zone.

Forwarding is not involved if the address is associated with another interface of the router. It's some weird old quirk dating back to the early 199x, after long arguments between the Linux and BSD folks...


No, a default allow rule won't work - that's the issue you seem to be describing currently.

You'll have to Block All Input on the VLAN 10 zone - then make allow rules for each protocol you wish to allow (you can also specify a particular DST IP if that's your desire).

As @_bernd noted, the Input setting on the VLAN10 firewall zone applies, not Forwarding.
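
A concrete version of what the two replies describe, added here as an example and not config posted in the original thread: the vlan10 zone flipped to default-deny input, then one allow rule per service the VLAN clients actually need. The zone and network names are the poster's; the rule names, the assumption that dnsmasq answers DHCP and DNS on the VLAN interface, and the choice to pin DNS and ping to the VLAN gateway address with dest_ip are assumptions made for this example.

```text
# /etc/config/firewall (excerpt) - example, not from the original post.
# Zone-level default-deny for traffic addressed to the router itself.
# 'forward' already REJECTs; 'input' is what actually governs access to
# 192.168.1.1, because the router answers on every locally assigned address.
config zone
        option name 'vlan10'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'VLAN'

# DHCP: clients broadcast to 255.255.255.255:67 before they have an address,
# so no dest_ip here. Assumes dnsmasq serves DHCP on the VLAN interface.
config rule
        option name 'vlan10-Allow-DHCP'
        option src 'vlan10'
        option proto 'udp'
        option dest_port '67'
        option family 'ipv4'
        option target 'ACCEPT'

# DNS, but only on the VLAN gateway address; 192.168.1.1:53 stays rejected.
config rule
        option name 'vlan10-Allow-DNS'
        option src 'vlan10'
        list proto 'tcp'
        list proto 'udp'
        option dest_ip '192.168.10.1'
        option dest_port '53'
        option target 'ACCEPT'

# Echo requests to the VLAN gateway address so clients can test reachability.
config rule
        option name 'vlan10-Allow-Ping'
        option src 'vlan10'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option dest_ip '192.168.10.1'
        option family 'ipv4'
        option target 'ACCEPT'

# Anything else aimed at the router from this zone, including 192.168.1.1:22,
# :80 and :443, now falls through to the zone's input REJECT.
```

After `/etc/init.d/firewall restart`, check from a VLAN client: `ping 192.168.10.1` and a DNS lookup against 192.168.10.1 should work, while `curl -m 5 http://192.168.1.1/` and `ssh 192.168.1.1` should be refused immediately (REJECT sends a TCP RST or ICMP unreachable; DROP would make the client wait for a timeout instead, which is harder to distinguish from a routing problem while testing). If the VLAN interface later gets IPv6 (an `ip6assign`), the same default-deny also blocks neighbour discovery and router solicitation, so matching allow rules for ICMPv6 and DHCPv6 (UDP 547) are needed or clients will not get addresses.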

Ok, then I will try that out. Thanks a lot guys!
