I understand that by default VLANs are not isolated from each other. Hence I created a traffic rule to block access to VLAN "lan" (subnet 192.168.1.x) from VLAN "ILAN" (subnet 192.168.10.x).
But after applying this rule, I still have access to 192.168.1.x
VLAN is L2 data tagging, so VLAN are isolated already in hardware data management. L3 settings won’t change that.
Yes there are theoretical ways to attack VLAN systems by VLAN jumping.
But the firewall and interface settings you are doing something in right now is logical L3 routing, so do you have a data leak between different VLAN on L3 routing then you have mixed up the L2 switch settings.
VLAN at L2 doesn’t have anything to do with firewall zones at L3.
The VLAN’s work just fine totally isolated from each other with unmanaged interfaces on L3 level and with firewall not even installed in OpenWRT.
But you can make firewall rules that allow more or less specific data transmission from one VLAN to another VLAN.
But as I tried to say earlier. That doesn’t happen randomly by itself. Someone have to do that firewall rule or the switching setup on L2 is screwed up if the VLAN’s talk to eachother, which is usually the case after the introduction of DSA in OpenWRT.
I have a TP-Link Archer A7 (ath79), and as such DSA is currently not supported yet for this device.
This makes configuring the device sometimes extra confusing (for me as tech savvy, but still with basic network admin skills) since I have to combine old documentation (v19) with new ones (v21).
That is pretty much my experience also on the EAP245 and Ath79. On those devices you need to specify the hardware connectors setup in the old swconfig as “some kind of pre filter” between OpenWRT DSA and the real world. But once that is done you don’t need to care about swconfig, after that you only touch the DSA settings in OpenWRT unless you add VLAN in your network or change the usage of the connectors.
But OpenWRT internals is still DSA on all models from 21.02 and later so you need to specify the DSA settings to get the internals of OpenWRT from 21.02 and later to work.
It is probably easier to understand the dataflow if you take a look in the default network config file of your device, instead of working in luci. Then you see that swconfig first takes care of the data in and out of the port, tags it and put it in a vlan and send it onwards. Then the DSA device takes over and then if you use that function the dsa vlan filter takes over and then the interfaces at L3 level do their thing with the data.
Unfortunately it has been from my point of view some kind of black and white official message from OpenWRT in this question that you either have or do not have DSA. Well that has not been my experience, all have DSA (maybe not the hardware but the setup is there). But some still have swconfig on top of DSA.
Interesting pointers, flygarn12. If you have references I can read further on, that would be great.
If I understand correctly, VLANs should already be defined in swconfig. After looking into swconfig and noticing that the PORT/VLAN mapping is also there, I imagine that I should also map all ports that are involved in any new VLAN I want to define. But I am wondering if overlaps are allowed?
E.g. would this work:
And then, once I have all my VLAN definitions, I can just use them in LuCI/DSA and apply (L3) firewall rules. And that's where your last post fits into your earlier one?
No!
You can’t have two untagged vlan on the same port. That means vlan 99 and vlan 1 is connected to each other at port 3, or the isolation you talk about is really a short circuit in this case.
Usually in Luci VLAN 1 and 99 will be painted red if you config it like this.
Have no reference I guess, the reference is reading the default network config file, logic thinking and simple experience.
But both the DSA and “old” switch instructions in the user guide still applies for these devices.
Don’t think that is a isolation problem. That is a feature since uhttpd listen to everything and every firewall zone that has input=accept is allowed to access luci.
To fix this you need all firewall zones to have input=drop/reject and to open specific input rules for port 22 (dropbear/ssl), 80 (http) and 443 (https) for the zones you like to give luci access. Also remember to open the DHCP server ports on all zones that use dhcp server!
And to make it a little nicer looking you can change the listening settings in uhttpd to only allow the routers actual IP number.
And change the dropbear setting to which interface to listening to.
As @flygarn12 stated, when you test by accessing the router (even by its address in another subnet), it is actually subject to the input rule. That is why I asked.
Try connecting from one host in one network to another host in a different network and you should see that the neetworks are in fact isolated.
The listening settings for uhttpd and dropbear will not actually secure the router itself - the input rule is the way to do this.
Not all the zones need to have the input rule set to reject/drop, but usually any untrusted zones will be setup that way. The trusted zone(s) can maintain input=accept. And you will create traffic rules to accept connections on ports udp 67-68 for dhcp and tcp +udp 53 for dns for the other networks.