Hello dear Community!
I am configuring VLANs on a GL.iNet GL-MT6000. My goals at this point:
- VLAN 10: home network
- VLAN 20: IoT devices
- No access from IoT to home
- Limited access from home to IoT (watch cameras cast to TV)
- IoT can access internet
- home can access internet
This is, I believe, a fairly typical setup. I am following section 3 of this tutorial. I have mostly achieved my goals, but I have a few questions in order to better understand OpenWrt principles.
My current configs:
network
# /etc/config/network as posted (indentation was lost in the paste).
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd6d:67f:d976::/48'
option packet_steering '1'
# One DSA bridge over all five LAN ports; which VLAN a port belongs to is
# decided by the bridge-vlan sections below, not here.
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
list ports 'lan5'
# VLAN 10 (home): lan1-lan3. Ports listed without a ':t' suffix are untagged
# members, so a device plugged in needs no VLAN configuration of its own.
config bridge-vlan
option device 'br-lan'
option vlan '10'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
# VLAN 20 (IoT): lan4-lan5, untagged as well.
config bridge-vlan
option device 'br-lan'
option vlan '20'
list ports 'lan4'
list ports 'lan5'
# 'lan' sits on the VLAN-10 sub-interface of the bridge. ip6assign '60' gives
# this interface a /60 out of the delegated prefix, so it carries IPv6.
config interface 'lan'
option device 'br-lan.10'
option proto 'static'
option ipaddr '192.168.10.1'
option netmask '255.255.255.0'
option ip6assign '60'
# 'iot' sits on the VLAN-20 sub-interface. No ip6assign, so this network is
# IPv4-only unless that is added later.
# Both 'lan' and 'iot' are directly connected networks of the same router:
# the router itself can route 192.168.10.0/24 <-> 192.168.20.0/24, and every
# router address (192.168.10.1 and 192.168.20.1) is local to it on every
# interface. Isolation between the two VLANs therefore comes only from the
# firewall zone and forwarding policy, not from the bridge VLAN split.
config interface 'iot'
option proto 'static'
option device 'br-lan.20'
option ipaddr '192.168.20.1'
option netmask '255.255.255.0'
# 'type bridge' inside an interface section is the pre-DSA syntax; netifd may
# still wrap eth1 in a bridge for it. NOTE(review): harmless as far as this
# config shows, but the 'config device' form is the current way to do it —
# confirm it is intended.
config interface 'wan'
option device 'eth1'
option proto 'dhcp'
option type 'bridge'
config interface 'wan6'
option device 'eth1'
option proto 'dhcpv6'
wireless
# /etc/config/wireless as posted. One 2.4 GHz radio carrying two SSIDs; each
# SSID is attached to a network and so inherits that network's firewall zone.
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc/18000000.wifi'
option band '2g'
option channel 'auto'
option htmode 'HE20'
option country 'CA'
option cell_density '0'
# Home SSID -> network 'lan' (VLAN 10). psk2 is WPA2-PSK.
config wifi-iface 'default_radio0'
option device 'radio0'
option network 'lan'
option mode 'ap'
option ssid 'REDACTED'
option encryption 'psk2'
option key 'REDACTED'
# IoT SSID -> network 'iot' (VLAN 20): wireless IoT clients get exactly the
# same firewall treatment as devices on lan4/lan5. Nothing here stops IoT
# clients on this SSID from talking to each other; 'option isolate 1' on this
# section would block client-to-client traffic if that is wanted.
config wifi-iface 'iot_radio0'
option device 'radio0'
option network 'iot'
option mode 'ap'
option ssid 'REDACTED-IoT'
option encryption 'psk2'
option key 'REDACTED'
# 5 GHz radio: defined but disabled, no SSIDs attached.
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc/18000000.wifi+1'
option band '5g'
option channel '36'
option htmode 'HE80'
option disabled '1'
The 5 GHz radio is not in use yet; that's fine.
firewall
# /etc/config/firewall as posted. Policy meanings: 'input' = traffic addressed
# to the router itself, 'output' = traffic originated by the router,
# 'forward' = traffic routed through it. The defaults are the fallback when no
# zone option applies; traffic between zones is rejected unless a
# 'config forwarding' section (or a rule) explicitly allows it.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
# Home zone: unrestricted access to every router service (LuCI, SSH, DNS,
# DHCP) from VLAN 10.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# Internet zone: nothing reaches the router except what the explicit rules
# below accept; outbound traffic is NATed (masq) with MSS clamping (mtu_fix).
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Home -> internet. No lan->iot or iot->lan forwarding exists anywhere in this
# file, so routed traffic between the two VLANs falls under the defaults'
# 'forward REJECT' — that is what keeps them apart at layer 3.
config forwarding
option src 'lan'
option dest 'wan'
# The rules below appear to be the stock OpenWrt defaults for the WAN side.
# Let the ISP's DHCP server reach the client port (UDP 68) for lease renewals.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers ICMPv4 echo requests from the internet (unlimited rate).
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# IGMP from the WAN side; only relevant for multicast/IPTV setups.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# DHCPv6 server replies to the client port (UDP 546) for wan6.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Multicast Listener Discovery, accepted from link-local sources only.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# ICMPv6 the router needs for IPv6 to work (neighbour/router discovery,
# path-MTU, error reports), rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Same idea for ICMPv6 forwarded from WAN into any zone ('dest *'): echo and
# error messages only, no discovery types.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Inbound IPsec from the internet to the home zone: ESP, and IKE on UDP 500.
# These only do something if a device in VLAN 10 terminates IPsec tunnels;
# otherwise nothing listens and they are inert. NOTE(review): confirm whether
# they are wanted at all.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
# IoT zone. 'input' is the policy for packets addressed to the router itself
# coming from this zone. With 'ACCEPT', every service listening on the router
# (LuCI on 80/443, SSH, DNS, DHCP) is reachable from IoT — and on any of the
# router's addresses: a packet from VLAN 20 to 192.168.10.1 arrives on
# br-lan.20, is classified as zone 'iot' INPUT (not FORWARD, since the
# destination is the router), and is accepted. That is the cross-VLAN LuCI
# access described in the post; nothing about it bypasses the VLANs.
# The stricter, usual shape is 'option input REJECT' plus two explicit rules
# with src 'iot' and target ACCEPT: proto udp, dest_port 67-68 (DHCP) and
# proto 'tcp udp', dest_port 53 (DNS). Without the DHCP rule, clients in VLAN
# 20 cannot obtain a lease, which matches the symptom seen when this was
# REJECT.
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
# IoT -> internet only. No iot->lan forwarding exists, so IoT cannot reach
# home devices; the limited lan->iot access from the goal list is not
# configured yet either.
config forwarding
option src 'iot'
option dest 'wan'
dhcp
# /etc/config/dhcp as posted.
# DNS/DHCP daemon settings. The security-relevant ones: rebind_protection
# drops upstream answers that point into private address ranges, and
# localservice restricts DNS service to directly attached subnets. Note that
# both VLANs share this one resolver and the 'lan' domain, so IoT clients can
# look up home hostnames under .lan as well.
config dnsmasq
option domainneeded '1'
option boguspriv '1'
option filterwin2k '0'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option nonegcache '0'
option cachesize '1000'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
option nonwildcard '1'
option localservice '1'
option ednspacket_max '1232'
option filter_aaaa '0'
option filter_a '0'
# Home VLAN: IPv4 leases .100-.249 (start 100, limit 150), plus DHCPv6 and
# router advertisements with the managed/other-config flags set.
config dhcp 'lan'
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option dhcpv4 'server'
option dhcpv6 'server'
option ra 'server'
list ra_flags 'managed-config'
list ra_flags 'other-config'
# No DHCP server on the WAN side.
config dhcp 'wan'
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
# IoT VLAN: same lease range, IPv4 only. 'dhcpv4' is not set here; it is
# expected to default to 'server' (the lan section sets it explicitly) —
# NOTE(review): confirm on this release. No dhcpv6/ra, consistent with the
# 'iot' interface having no ip6assign.
config dhcp 'iot'
option interface 'iot'
option start '100'
option limit '150'
option leasetime '12h'
1. Is a firewall rule required to make VLAN 20 work?
VLAN 10 worked right away after following the setup from the tutorial mentioned above, but I spent hours trying to figure out what was wrong with VLAN 20. The symptoms were as if you had plugged the cable into a live but "empty" switch: the client fails to obtain an IP address and nothing works. After some searching and talking to ChatGPT, I added a firewall zone configuration like so:
# Same zone as in the firewall file above. 'input' governs traffic addressed
# to the router itself from this zone, and DHCP and DNS are router services,
# so REJECT here blocked lease assignment; ACCEPT opens all router services
# to the zone, not just those two.
config zone
option name 'iot'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'iot'
(originally, after creating the network and adding the "iot" firewall zone, it was option input 'REJECT'; my only change was to make it 'ACCEPT'). This made VLAN 20 work perfectly, but I don't think I fully understand it. Fitting the solution to the answer, it might make sense – the firewall was denying all communication including DHCP, which explains the behavior I observed – but what worries me is that the tutorial says nothing about adding a firewall rule, which makes me doubt whether this is expected.
So, should the creation of every VLAN be followed by a firewall adjustment like the one above to make it usable? Should the tutorial be updated?
2. Why can I access LuCI cross-VLAN?
This is a really puzzling one...
After getting the second VLAN working, I started validating that routing works as expected. I connected devices to both VLANs and confirmed that traffic flows freely within a VLAN and does not pass between VLANs (I have not added lan->iot allow rules yet). This all worked as expected, but I found one interesting exception.
I discovered that I can access LuCI from each VLAN: in my case, on 192.168.10.1 from VLAN 10 and on 192.168.20.1 from VLAN 20. This fact on its own is not that surprising, because 192.168.*.1 in both cases is the router itself, and
# uhttpd binds to the wildcard address on both families, so LuCI answers on
# every address the router holds (192.168.10.1, 192.168.20.1, ...) no matter
# which interface a request arrives on. Which zones may reach it is decided by
# each zone's firewall 'input' policy, not by this listen list; to hide LuCI
# from a VLAN, restrict that zone's input rather than the bind address.
config uhttpd 'main'
list listen_http '0.0.0.0:80'
list listen_http '[::]:80'
list listen_https '0.0.0.0:443'
list listen_https '[::]:443'
so it binds to all local addresses. But what is interesting is that I can also access LuCI cross-VLAN, meaning on 192.168.10.1 from VLAN 20 and on 192.168.20.1 from VLAN 10! This is a bit mind-bending, because I expected such traffic to be blocked based on the address alone, since the destination is in a network that should be unreachable.
What the heck is going on here, and what is the best way to prevent it? Obviously I don't want LuCI (and other router management services, like SSH) to be accessible from the IoT network at all, on either address, but this cross-VLAN access makes me fear that some part of my setup is just wrong. How do I do this right?
Many thanks to all who read my post!