VLAN isolation subnets still forwarding to VLAN 1 despite firewall rules

I've created a VLAN on my WRT1900AC v2 to isolate my IOT devices. VLANs are working as they should. Firewall is configured to not forward from other VLANs to VLAN 1. Devices on other VLANs are unable to ping or connect to anything on VLAN 1. Each VLAN has its own firewall zone.

However, devices on other VLANs can connect to SSH and the web interface using the VLAN 1 IP address. I've confirmed that SSH is only listening on lan (VLAN 1) and modified uhttp to only listen on the VLAN 1 IP. After this change, LuCI only responds to connections on the VLAN 1 IP address. However, devices on other VLANs are able to SSH and access LuCI despite the firewall rules.

I've noticed this behavior on other devices like my Asus RT-N13U.

Seeing your (appropriately redacted) /etc/config/network and the output of netstat -nl (lowercase L) would help diagnose the situation.

Check your firewall. You want to make sure that only necessary services are allowed from the other VLANs to the router. Typically that is UDP ports 67-68 (DHCP) and UDP+TCP port 53 (DNS). All others should be dropped.

If you don't want your devices to access services on the router you have to set INPUT to either reject or drop.
You can find it in Network -> Firewall -> Zones
In the overview of the zones set input to reject/drop for the applicable zone.
And as psherman wrote. You then need to allow the services you need e.g. dns, dhcp and so on.

But actually....

When you configure your services to only listen on certain interfaces on the router that are part of a certain VLAN/zone (as you did), and no forwarding is allowed, this should not be possible?

Yes, it is. Since, as you wrote, packets to one of the IP addresses of the router are classified as INPUT. Those packets aren't forwarded by the router and are therefore not affected by forwarding settings.


Yeah.
But...
When I think about this...
The router interface (IP) should be included in the zone. Otherwise the entire "bind to interface for services" makes no sense.
And maybe some users don't want to restrict input to router and only want to restrict forwarding.
And have certain services running only on router interfaces that are corresponding to a certain zone.
So maybe this is a bug?

I do appreciate the interest and input. Please excuse me for not responding sooner, but I've been tied up with some personal matters since I posted this originally.

I've been experiencing this on all my LEDE/OpenWRT routers going back to version 15. My home setup I originally wrote about is a bit more complex with several subnets. My office setup is simpler with an Asus RT-N13U running LEDE 17.04, which normally has only one LAN, but I created a separate LAN3 for testing.

I created a separate VLAN on port 3 with VID 3 on 192.168.3.0/24 aka LAN3. My main or default VLAN with VID 1 is on 192.168.16.0/24 aka LAN1. I'm attaching my network file and output from netstat -nl.

I make all my changes via LuCI. Dropbear is configured for only the lan interface (192.168.16.1). uhttp is configured to listen on all ports. My firewall is configured to not forward to either zone. Each zone can only forward to WAN.

In the above state, I can connect to LuCI from both subnets using each other's IP address. SSH of course is only listening on 192.168.16.1. However, I can connect to SSH from LAN3 using LAN1's IP address.

When the firewall is configured to only forward from LAN1 and LAN3 to WAN:

  • LuCI accepts connections on both IPs from both LAN1 and LAN3, even using the other subnet's address.
  • SSH works from both LAN's using LAN1's IP address.
  • I cannot ping hosts on the other LAN with the exception of the other interface's IP address (e.g., from LAN1, I can only ping 192.168.16.0/24 and 192.168.3.1)

When I enable forwarding from LAN1 to LAN3, I can ping and connect to hosts on both LAN1 and LAN3 from LAN1.

Same goes if forwarding from LAN3 to LAN1 is enabled, I can ping and connect to hosts on both LAN1 and LAN3 from LAN3.

I even tried disabling forwarding from LAN3 to anything. This had the expected effect of not being able to pull up websites, but I could still connect to LuCI and SSH using LAN1's IP address from LAN3.

Regardless of how permissive or restrictive the firewall is, every subnet can connect to services on the other subnet's IP address (192.168.X.1).

Is this a bug, or am I misunderstanding a feature? If the latter, how do I prevent hosts from my isolated subnets from connecting to LuCI or SSH? Would I create a separate interface just for those services, in its own zone, and only allow forwarding to that zone from my secure LAN?

See below for my network file, firewall file and output from netstat -nl.

NETWORK file:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdde:bc3e:948c::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.16.1'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '00:0c:43:XX:XX:XX'

config interface 'wan'
        option ifname 'eth0.2'
        option _orig_ifname 'eth0.2'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.1.68'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '8.8.8.8 8.8.4.4'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '00:0c:43:XX:XX:XX'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'rt305x'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'rt305x'
        option vlan '1'
        option ports '0 1 3 5 6t'

config switch_vlan
        option device 'rt305x'
        option vlan '2'
        option ports '4 6t'

config switch_vlan
        option device 'rt305x'
        option vlan '3'
        option ports '2 6t'

config interface 'LAN3'
        option proto 'static'
        option ifname 'eth0.3'
        option ipaddr '192.168.3.1'
        option netmask '255.255.255.0'

FIREWALL:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'lan'

config zone
        option name 'lan3'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'LAN3'

NETSTAT -NL:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 192.168.16.1:22         0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::53                   :::*                    LISTEN
tcp        0      0 fdde:bc3e:948c::1:22    :::*                    LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:67              0.0.0.0:*
udp        0      0 :::546                  :::*
udp        0      0 :::547                  :::*
udp        0      0 :::53                   :::*
raw        0      0 ::%1:58                 ::%4443948:*            58
raw        0      0 ::%1:58                 ::%4443948:*            58
raw        0      0 ::%1:58                 ::%4443948:*            58
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ACC ]     STREAM     LISTENING        287 /var/run/ubus.sock

I think you are missing some options in your firewall rules:

config zone
        option name 'lan3'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option network 'LAN3'

config zone
        option name 'lan'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option network 'lan'

config rule
        option name 'Allow-DHCP'
        option src 'lan3'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS-Http-Ssh'
        option src 'lan3'
        option proto 'tcp udp'
        option dest_port '53 22 80 443'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCP from lan'
        option src 'lan'
        option proto 'udp'
        option dest_port '67-68'
        option target 'ACCEPT'

config rule
        option name 'Allow-DNS from lan'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '53'
        option target 'ACCEPT'

config forwarding
        option dest 'wan'
        option src 'lan3'
This config means:

  • 'lan' can only connect to the internet outside, plus the DNS & DHCP services. It can't connect to any other router services.
  • 'lan3' can connect to the internet & the router's LuCI, SSH, DNS... services.
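Added example, not code from this thread or from OpenWrt: a small Python auditor that parses a UCI firewall file like the ones posted above and reports, per zone, the INPUT policy and the ports its rules explicitly accept to the router, which is the check the INPUT-versus-FORWARD discussion comes down to. It assumes fw3-style 'config zone'/'config rule' sections, treats rules carrying a 'dest' option as FORWARD rules, reports a zone that omits 'input' as UNSET rather than guessing fw3's default, and the embedded sample config is constructed for the example.

```python
"""Audit an OpenWrt UCI firewall file for INPUT exposure (added example, not
OpenWrt code): per zone, the INPUT policy and the ports rules ACCEPT to the router."""
import re

SECTION_RE = re.compile(r"^\s*config\s+(\S+)(?:\s+'([^']*)')?\s*$")
KV_RE = re.compile(r"^\s*(option|list)\s+(\S+)\s+'([^']*)'\s*$")

# Constructed sample: an isolated zone whose INPUT is still ACCEPT (the thread's lan3).
SAMPLE = ("config zone\n option name 'lan3'\n option input 'ACCEPT'\n"
          "config rule\n option src 'lan3'\n option dest_port '67-68'\n option target 'ACCEPT'\n")


def parse_uci(text):
    """Return [(section_type, {key: value | [values]})] in file order."""
    sections = []
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            sections.append((m.group(1), {}))
        elif (m := KV_RE.match(line)) and sections:
            kind, key, val = m.groups()
            if kind == "list":
                sections[-1][1].setdefault(key, []).append(val)
            else:
                sections[-1][1][key] = val
    return sections


def audit_input(config_text):
    """zone -> (INPUT policy or 'UNSET', sorted ports ACCEPTed to the router)."""
    zones, rules = {}, []
    for stype, opts in parse_uci(config_text):
        if stype == "zone":
            zones[opts["name"]] = opts.get("input", "UNSET")
        elif stype == "rule":
            rules.append(opts)
    report = {}
    for name, policy in zones.items():
        ports = set()
        for r in rules:  # src without dest = INPUT rule; src '*' = every zone
            if r.get("src") in (name, "*") and "dest" not in r \
                    and r.get("target") == "ACCEPT":
                for part in r.get("dest_port", "").split():  # '53 22' or '67-68'
                    lo, _, hi = part.partition("-")
                    ports.update(range(int(lo), int(hi or lo) + 1))
        report[name] = (policy, sorted(ports))
    return report


def fully_exposed(report):
    """Zones whose INPUT policy is ACCEPT: every listening service is reachable."""
    return sorted(z for z, (p, _) in report.items() if p == "ACCEPT")
```

Feed it the contents of /etc/config/firewall; any zone listed by fully_exposed can reach every service in netstat -nl regardless of the address it was bound to, exactly the situation described in the thread.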