VLAN noob questions

Hello dear Community!

I am configuring VLANs on GL.iNET GL-MT6000. My goal at this point:

  • VLAN 10: home network
  • VLAN 20: IoT devices
  • No access from IoT to home
  • Limited access from home to IoT (watch cameras cast to TV)
  • IoT can access internet
  • home can access internet

This, I believe, is a fairly typical setup. I am following section 3 of this tutorial. I have mostly achieved my goals, but I have a few questions in order to better understand OpenWrt principles.

My current configs:

network
# /etc/config/network as posted (GL-MT6000, DSA switch with ports lan1..lan5).
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd6d:67f:d976::/48'
	option packet_steering '1'

# One bridge over all five switch ports; VLAN membership per port is declared
# in the bridge-vlan sections that follow.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# VLAN 10 ("home"): lan1-lan3. Ports listed without a ':t' suffix are untagged
# members, i.e. plain access ports.
config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

# VLAN 20 (IoT): lan4-lan5, untagged as well.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4'
	list ports 'lan5'

# "lan" is the home network on the VLAN-10 sub-interface of the bridge.
# ip6assign requests a /60 IPv6 prefix for it (a ULA cut from the globals
# prefix above, plus a public one if wan6 receives a delegation).
config interface 'lan'
	option device 'br-lan.10'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# "iot" is on the VLAN-20 sub-interface. There is no ip6assign here, so this
# network is IPv4-only as configured (the dhcp 'iot' section likewise has no
# dhcpv6/ra options).
config interface 'iot'
	option proto 'static'
	option device 'br-lan.20'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# NOTE(review): 'option type bridge' on an interface section is the legacy
# (pre-DSA) way of declaring a bridge; the current form is a 'config device'
# section like br-lan above. Probably harmless for a single-port wan, but
# confirm it is intended.
config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'
	option type 'bridge'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'
wireless
# /etc/config/wireless as posted. Each AP is attached to a network via
# 'option network'; that attachment is what places its clients in VLAN 10 or
# VLAN 20 - the wireless config itself carries no VLAN ids.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel 'auto'
	option htmode 'HE20'
	option country 'CA'
	option cell_density '0'

# Home SSID -> network 'lan' (VLAN 10). WPA2-PSK; key redacted by the author.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'REDACTED'
	option encryption 'psk2'
	option key 'REDACTED'

# IoT SSID -> network 'iot' (VLAN 20), on the same 2.4 GHz radio. Separate
# passphrase, so IoT devices never learn the home network's key.
config wifi-iface 'iot_radio0'
	option device 'radio0'
	option network 'iot'
	option mode 'ap'
	option ssid 'REDACTED-IoT'
	option encryption 'psk2'
	option key 'REDACTED'

# 5 GHz radio is present but disabled (the author notes it is not in use yet).
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option disabled '1'

5Ghz interface is not in use yet, that's fine.

firewall
# /etc/config/firewall as posted. A zone's 'input' policy governs traffic
# addressed to the router itself; 'forward' governs traffic between networks,
# and traffic between two zones is only allowed by a 'config forwarding'
# section (the default forward policy is REJECT).
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Home zone: VLAN 10 has full access to the router (LuCI, SSH, DNS, DHCP).
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# Upstream zone: NAT (masq) and MSS clamping; unsolicited traffic from wan to
# the router is rejected except for the Allow-* rules below.
config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Home -> internet.
config forwarding
	option src 'lan'
	option dest 'wan'

# The Allow-* rules below match the stock OpenWrt rule set for the wan zone
# (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec). They are all 'src wan'
# and do not affect the VLAN-to-router question raised in this thread.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# IoT zone. 'input ACCEPT' means every packet from VLAN 20 that is addressed
# to the router is accepted - including packets for 192.168.10.1, because all
# of the router's local addresses are input destinations no matter which VLAN
# they are configured on. That is the cross-VLAN LuCI/SSH access described in
# question 2. The replies in this thread recommend 'input REJECT' here plus
# explicit allow rules for DHCP (port 67) and DNS (port 53) from 'iot'.
# No forwarding section links iot and lan in either direction, and the default
# forward policy is REJECT, so the two networks stay isolated from each other
# (the "no IoT to home" goal); 'forward REJECT' on the zone additionally
# blocks forwarding between networks inside the iot zone itself.
config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

# IoT -> internet only.
config forwarding
	option src 'iot'
	option dest 'wan'
dhcp
# /etc/config/dhcp as posted. Security-relevant dnsmasq settings:
#   rebind_protection/rebind_localhost - discard upstream DNS answers that
#     resolve to private addresses (DNS-rebinding defence);
#   localservice '1' - answer DNS queries only from directly attached subnets;
#   boguspriv '1' - never forward reverse lookups for private ranges upstream;
#   ednspacket_max '1232' - EDNS buffer size, conservative to avoid
#     fragmentation.
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

# Home network: DHCPv4 pool 192.168.10.100-.249 (start 100, limit 150), 12h
# leases; DHCPv6 and router advertisements are served too, with the
# managed/other flags set so clients use stateful DHCPv6.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

# Never run a DHCP server towards the upstream side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# maindhcp '0': dnsmasq remains the DHCPv4 server; odhcpd handles DHCPv6/RA.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# IoT network: DHCPv4 pool 192.168.20.100-.249, 12h leases. No dhcpv6/ra
# options, so nothing IPv6 is served here - consistent with the iot interface
# having no ip6assign. Note that this server only helps VLAN 20 clients if the
# firewall lets their DHCP requests reach the router (see question 1).
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

1. Is firewall rule required to make VLAN 20 working?

VLAN 10 worked right away after following the setup from the above-mentioned tutorial, but I spent hours trying to figure out what was wrong with VLAN 20. The symptoms were as if the cable were plugged into a powered but otherwise "empty" switch: the client fails to obtain an IP address and nothing works. After some searching and talking to ChatGPT, I added a firewall zone configuration like so:

# Zone as added by the author (question 1). The only edit was changing 'input'
# from REJECT to ACCEPT. With REJECT, DHCP requests from VLAN 20 were rejected
# at the router's input chain, which explains the "no IP address" symptom
# described above; ACCEPT fixes that but also opens every other router
# service to the IoT network.
config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

(originally it was `option input 'REJECT'`; after creating the network and adding the "iot" firewall zone, my only change was to set it to 'ACCEPT'). This made VLAN 20 work perfectly, but I don't think I fully understand it. Working backwards from the fix it makes some sense – the firewall was rejecting all communication with the router, including DHCP, which would produce the behavior I observed – but what worries me is that the tutorial says nothing about adding a firewall rule, which makes me doubt whether this is expected.

So, should creation of every VLAN be followed by a firewall adjustment like above to make it usable? Should the tutorial be updated?

2. Why can I access LuCI cross-VLAN?

This is a really puzzling one...

After making the second VLAN working, I started validating that routing works as expected. I connected devices to both VLANs and ensured that traffic flows freely within a VLAN and does not pass cross-VLAN (I have not added lan->iot allow rules yet). This all worked as expected, but I found one interesting exception.

I discovered that I can access LuCI from each VLAN: in my case, on 192.168.10.1 from VLAN 10, and on 192.168.20.1 from VLAN 20. This fact on its own is not that surprising, because in both cases 192.168.*.1 is the router itself and

# uhttpd (LuCI) listens on the wildcard addresses, so it answers on every
# local address of the router. Which networks can actually reach it is decided
# by the firewall zone 'input' policy, not by the bind address.
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'
	list listen_https '0.0.0.0:443'
	list listen_https '[::]:443'

so it binds to all local addresses. But what's interesting is that I can also access LuCI cross-VLAN, meaning 192.168.10.1 from VLAN 20, and 192.168.20.1 from VLAN 10! This is a bit mind-bending, because I expected such traffic to be dropped based on the destination address alone, since the destination is in a network that should be unreachable from the source VLAN.

What is going on here, and what's the best way to prevent it? Of course I don't want LuCI (or other router management services, like SSH) to be accessible from the IoT network at all (on either address), but this cross-VLAN access makes me fear that some part of my setup is simply wrong. How do I do this right?

Many thanks to all who read my post!

All of the router's local addresses are reachable from a zone whose input policy is ACCEPT, even if you bind LuCI to the normal LAN IP only: the input policy applies to every packet addressed to the router that arrives on that zone's interfaces, whichever local address it targets.


For the iot zone, `option input 'REJECT'` is correct,

but add DHCP and DNS allow rules for it:

# Recommended iot zone (reply): 'input REJECT' so VLAN 20 cannot reach the
# router itself - LuCI, SSH or any other local address, on any VLAN's IP -
# except through the two allow rules below. This keeps the "no IoT to home"
# and "IoT can access internet" goals intact.
config zone
	option name 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

# IoT -> internet.
config forwarding
	option dest 'wan'
	option src 'iot'

# Rules without 'dest' apply to traffic addressed to the router (input chain).
# No 'proto' is given, so the firewall's default protocol match (tcp and udp)
# applies; DNS legitimately uses both.
config rule
	option dest_port '53'
	option src 'iot'
	option name 'Allow-DNS-iot'
	option target 'ACCEPT'

# DHCP server port (udp/67). Clients need this before they have an address,
# so this rule must exist even though the zone rejects everything else.
# NOTE(review): adding `option proto 'udp'` here would narrow the rule to
# what DHCP actually uses.
config rule
	option dest_port '67'
	option src 'iot'
	option name 'Allow-DHCP-iot'
	option target 'ACCEPT'

Thank you for the quick response @ncompact! The page you linked explains everything well. The only thing is that this information is missing from the DSA VLAN guide, and just following the steps will not be enough. Can we add this information to the guide, or at least link the page you referenced?

The idea is correct; feel free to propose a change to the documentation.

There is however a reference to the firewall:

There is a guest network guide which explains how to set up an untrusted network and the firewall settings involved. In OpenWrt, the term "VLAN" rather strictly means the implementation of 802.1Q tagged packets on an Ethernet cable or Ethernet-like virtual interface, and not the concept of separate networks in general. So a discussion of firewall topics would be out of place in the DSA VLAN guide.


Yes, but my use case is exactly 802.1Q VLANs, not a "guest" network, and the DSA VLAN guide seems insufficient – that's my user feedback. Perhaps for advanced users the similarity to the guest network setup will be obvious, but for new users like me this omission can cost a few hours of troubleshooting. Moreover, you can lock yourself out of the device, because if you assign all ports of the router to VLANs (including the one you are configuring from), as in this guide, you cut yourself off from the device.

I think a mention of the firewall adjustments is a must. At the very least that page should be linked, with words like "allow DHCP and DNS as with guest networks".