VLAN interfaces exposing all of my router ports to all my sub network


I have created 3 VLANs in my main OpenWrt router (LAN, IOT, GUEST).

Each of the VLAN interfaces is created with the static protocol and a different IP segment, and they act as DHCP servers for client devices.

E.g. LAN has IP range, IOT has IP range, etc.

And each of the interfaces itself gets its own IP, e.g. the IOT interface gets which is the gateway for other IOT devices.

Using the firewall I blocked traffic from the IOT zone to the LAN zone.
But any device in the IOT zone can still use the IP to reach my main router's admin (LuCI) page. I have blocked this using uhttpd config so that router LuCI listens only

But my question: is this the right way to prevent access to the router admin portal/services from the IOT zone? I just blocked uhttpd (80, 443) access, but what about other services running on the router? They are still accessible. Yes, I understand that some ports like DNS 53, 68 etc. will be needed by the client devices, and those are specifically open in the firewall zone.

It will be great if you share any best practices on this topic.


You haven’t blocked anything, you have only specified what number to use when knocking on the door.

To block the traffic you need to set the zone input to reject and open the specific port to destination ‘device’.

I explained this in more detail on another thread just a while back:
The uhttpd and dropbear listening interface setting is only a setting specifying what IP interface number the calls are supposed to have to be interesting. But it is always the firewall that opens up the possibility to make the call to begin with.

So if you have two lan interfaces with gateway ip of lan1= and lan2=

If you have both lan1 and lan2 zone input set to accept, you can connect to the device and dropbear with both gateway IPs and from both zones.

If you set dropbear listening to lan1 and the firewall zones' input to accept, then you can connect with only the lan1 gateway IP, from both the lan1 and lan2 interfaces.

If you unspecify the dropbear interface and set firewall zone lan1 input to reject, and zone lan2 to allow, or reject with port 22 allowed to the device, then you can never get an SSH server answer from lan1, no matter the SSH IP address. From lan2 you will get a connection to dropbear on both the lan1 and lan2 gateway IPs.

And so on…

So the firewall makes it possible; the listening interface only makes it look nice, if it is possible to begin with.

But my practical experience is that this function is more stable if uhttpd and dropbear have their default settings for listening ip/interface and you instead set the destination ip in the firewall rule.

I don’t use openwrt wifi so I don’t have that much experience with the client isolation function but the question has been around earlier and I don’t think you can isolate clients within the same zone.

Yes, I think I know the reason now. Client isolation will work only under the same radio. It will not work across different radios or different APs. E.g., clients in SSID (Wifi1) on 2.4 GHz and clients in SSID (Wifi1) on 5 GHz can connect with each other.

Can we achieve this using the firewall? Like an IP pattern: 192.168.10.x should not be able to connect to 192.168.10.y where x != y.

Probably in some way; possible with manual nftables. You can specify IP numbers in the firewall in CIDR form.
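
The zone-input advice given earlier in the thread (set the zone input to reject, then open specific ports to the device), written out as an added example for /etc/config/firewall; it is not from any poster in this thread. The zone and network name 'iot' and the rule names are assumptions, and the DHCP rule uses UDP port 67, the port the DHCP server listens on.

```uci
# Constructed example, not the original poster's configuration.

# Weak form (shown commented out): with input ACCEPT, every service
# listening on the router (LuCI, SSH, ...) is reachable from IOT clients
# on any of the router's addresses, whatever the service's listen setting.
#config zone
#	option name 'iot'
#	list network 'iot'
#	option input 'ACCEPT'
#	option output 'ACCEPT'
#	option forward 'REJECT'

# Corrected form: traffic from the IOT zone addressed to the router itself
# is rejected unless a rule below explicitly accepts it.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# A rule with 'src' but no 'dest' matches traffic destined to the router
# (the "device"), so these two rules are the only openings for IOT clients.
config rule
	option name 'Allow-IOT-DNS'
	option src 'iot'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule
	option name 'Allow-IOT-DHCP'
	option src 'iot'
	option dest_port '67'
	option proto 'udp'
	option target 'ACCEPT'
```

With this in place, uhttpd and dropbear can keep their default listen settings: connections from the IOT zone to ports 80, 443 and 22 are rejected by the firewall on every router address.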
