Vlan Isolation fail

I have 2 routers: TL-WDR4300 and TL-WDR3600.

(this topic is only regarding ip4, I havent yet come to embrace ip6)

The wdr4300 is my nat gateway. Config is default except:

  • webserver disabled
  • macaddr directives with random device parts on every interface
  • One extra interface called internal that has the same config as lan with different subnet.
  • Firewall config default + internal zone without forwarding to wan. internal zone config same as lan except the forward.
  • SSH listens only on internalip:22

My Problem:
From a device in lan I can still connect to internalip:22 or any other port on that ip.
I cannot ping/connect from lan to other devices in the internal subnet.
I can not connect from wan but I can ping any router ip from wan regardless of zone.

I replicated the same setup except the changed mac adresses on the wdr3600 and I could not ping or otherwise reach router ips in different zones.

This isnt a significant security risk as the sshd has only pubkey auth and webserver is off.
But it is very much not elegant.

Post Solution Edit:

  • Are my fundamental assumptions wrong? <--- Seemingly
  • Am I missing some detail? <--- Yes, with default the ping input rule.
  • Is this some obscure voodoo bug? <--- Seems not but I am still baffled why the other router acts differently.

I try to test without changed macaddrs again as soon as nobody else needs internet.

So I will:

  • Delete the default allow icmp ping input from anywhere rule.
  • Set the zones to REJECT on INPUT by default and ACCEPT any port on a specific router dest_ip coming from the specific zone it want it to.
  • Have a way to undo my changes without network access to the router. (1)
  • restart the related init.d's

(1) I use the /etc/rc.buttons/ scripts to copy back the previous versions of the configfiles and restart the inits.

The "input" setting of the zones control access to any router IP address. You need to configure a custom traffic rule if you want to deny the ssh traffic from a zone with input=accept.

Have you enabled forwarding from the lan to the internal zone?

Is this a problem? A default custom traffic rule allows ICMP echo request from any zone to any router IP address.


So if there are Zones x;y with one interface each, packets going into one of the interfaces can reach any router ip by design? Even if the interface the target router ip belongs to isnt in the same zone?

No, that part works as intended. I do not want traffic from/to any other zone to enter/leave the internal zone. (It is just bound to a switch segment with one other machine.)

Wait what? Is it a default rule or a custom rule that would allow that? I guess I know which one you meant: The allow ping rule from the default set. Can I make that just apply to the corresponding zones router ip being pingable, I guess so?
If it is a problem: Maybe. It would allow to enumerate internal networks.

Incoming traffic doesn't need to be routed and it doesn't go to iptables FORWARD-chain, so it's not affected by firewall forward-policy.

1 Like

But why is it possible to specify default I/O/F rules per zone?

If it works as intended and the zones dont matter to router ips: Why does it work the way I think it is intended with the same config on the wdr3600? (As in the router ips seem to be affected by the zone to interface mapping and the ip to interface mapping)

Seen your edit now, that makes it pretty clear. I still have that one question open in my post above.

Because those policies are applied to interfaces, not to IP-addresses.

Yes, I was referring to the Allow-Ping rule. If you only want to allow ping to certain IP addresses then you may list them in the "Destination address" setting. (Use a space as delimiter.)

1 Like

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.