VLANs and firewall zones across two OpenWrt devices

I'm redoing my home network as I'm about to add a few IoT devices (WiFi/ESP8266 light switches and the like). Currently I'm running the usual out of the box LAN/WAN setup, all my devices coexisting in LAN. This of course is no longer optimal as I'd like to isolate the IoT stuff while not providing any Internet access to it.

I'll be implementing VLANs to do this, in addition to going all in with network segmentation (management, home, work, IoT, guest networks) while we're at it.


Current setup:

I have two devices which are TP-Link Archer C7 v4s, running OpenWrt 19.07.7. One is currently doing all the heavy lifting (PPPoE WAN, SQM on a symmetric 50Mbps fiber link, firewalling) while the other is mostly used as a dumb AP that provides further wireless coverage and more wired connectivity off the main router.

Both devices are connected with Cat5e at opposite ends of the house.

There is a Raspberry Pi 3B that runs Pihole as DNS, a Wireguard server, and a SMB server for some quick and easy small file sharing across my devices. I'll be integrating this later in the new setup, I'm not concerned with these features at the moment.


New setup:

I just have both routers side by side at the moment on my desk, doing the initial new setup.

Switches and VLANs:

As you can see I'm using port 4 of the main router as a trunk port, and the WAN port in the secondary router as the other trunk port. I'll assign untagged ports to each VLAN as required later. All are management for ease of use at the moment.

Interfaces are defined in the main router as:

  • VLAN 1 - LAN/management - static address - 192.168.10.1/24 - firewall zone LAN
  • VLAN 10 - WAN - PPPoE - firewall zone WAN
  • VLAN 20 - Home - static address - 192.168.20.1/24 - firewall zone HOME
  • VLAN 30 - IoT - static address - 192.168.30.1/24 - firewall zone IOT
  • VLAN 40 - Work - static address - 192.168.40.1/24 - firewall zone WORK
  • VLAN 50 - Guest - static address - 192.168.50.1/24 - firewall zone GUEST

Interfaces in the secondary router:

  • VLAN 1 - LAN/management - static address - 192.168.10.2/24 - firewall zone LAN
  • VLAN 20 - Home - unmanaged - firewall zone HOME
  • VLAN 30 - IoT - unmanaged - firewall zone IOT
  • VLAN 40 - Work - unmanaged - firewall zone WORK
  • VLAN 50 - Guest - unmanaged - firewall zone GUEST

Details:

  • The ISP's all in one HGU box uses VLAN 10 for the PPPoE Internet service, so I'm using it too for the WAN.
  • Home (VLAN 20) in both routers is bridged with the 11bgn and 11ac radios as the main SSIDs.
  • LAN (VLAN 1), Home (VLAN 20), IoT (VLAN 30), Work (VLAN 40) and Guest (VLAN 50) all have their DHCP servers configured.
  • I'll set up SSIDs for each VLAN as required later.
  • Firewall zones have the same color in LuCI in both routers, for what it's worth.

This is currently working as expected: If I assign untagged ports to each VLAN on either the primary or secondary router, whatever I plug in there gets assigned an IP in the correct range through DHCP. As far as I can see, VLANs are correctly set up and the secondary router is properly "extending" the VLANs defined in the main router as static addresses with the unmanaged interfaces.


My concern is with the firewall setup.

This is how things are at the moment:

General settings are input accept, output accept, forward reject.

So... looking at the main device. This is what I need:

  • LAN/management shouldn't have any connectivity to any other zone, it is isolated.
  • WAN is set up just as it is out of the box, no changes.
  • HOME should have access to both WAN and IOT zones, nothing else.
  • IOT shouldn't have WAN connectivity and it should only accept traffic from HOME, nothing else.
  • WORK should have WAN connectivity, nothing else.
  • GUEST should have WAN connectivity, nothing else.

I'm not quite so sure how to configure input/output and forwarding on each zone in the main device to achieve this (apart from reading the guest guide for the general steps), so what's in the screenshot is most likely completely wrong.

I'm also not sure how to replicate this configuration and rules in the secondary router. For example I have no WAN interface/zone in the secondary device as it is a glorified dumb AP. Just having them defined in the main router and having the VLANs extended in the secondary router is enough?

How would you set this up? Is there anything that you would change in the rest of my setup?

Thank you.

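The zone policy asked for in the post can be expressed with zone defaults and `config forwarding` sections alone, without per-pair drop rules: with fw3's global `forward REJECT` and each zone's own `forward REJECT`, every inter-zone path that is not explicitly opened is already denied, and a zone's `input` setting (not its forwardings) is what decides whether clients in it can reach LuCI/SSH on the router. The following /etc/config/firewall is an added example for OpenWrt 19.07 (fw3), not configuration from the original post; the zone and logical interface names `lan`, `wan`, `home`, `iot`, `work`, `guest` are assumed to match the interfaces described above. It belongs on the main router only: the secondary device bridges the tagged VLANs at layer 2 and routes nothing, so it has no zone decisions to make.

```uci
# /etc/config/firewall  (OpenWrt 19.07, fw3) -- added example, not the post's own config.
# Assumes interfaces named lan, wan, home, iot, work, guest.

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'      # nothing crosses zones unless a 'forwarding' opens it

# Management VLAN: may talk to the router itself, but is forwarded nowhere.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'           # MSS clamping, needed on PPPoE

config zone
	option name 'home'
	list network 'home'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Untrusted zones: input REJECT keeps LuCI/SSH/SMB on the router unreachable from them.
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'work'
	list network 'work'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# The only router services an untrusted zone may use. Without the DHCP rule,
# input REJECT silently stops clients from even obtaining a lease.
# Repeat both rules with src 'work' and src 'guest'.
config rule
	option name 'Allow-DHCP-iot'
	option src 'iot'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DNS-iot'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'

# The complete set of inter-zone paths. home -> iot is one-directional:
# replies ride on conntrack, so iot never gets a forwarding of its own
# and cannot initiate anything towards home, lan or wan.
config forwarding
	option src 'home'
	option dest 'wan'

config forwarding
	option src 'home'
	option dest 'iot'

config forwarding
	option src 'work'
	option dest 'wan'

config forwarding
	option src 'guest'
	option dest 'wan'
```

After writing the file, `/etc/init.d/firewall restart` applies it; `iptables -L zone_iot_forward -n` then shows only the REJECT fallthrough for the iot zone, which is the quickest way to confirm that no iot-sourced path to wan or lan exists.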

Well, managed to get this working.

Decided to simplify things a bit:

  • Merged back home + management to LAN as it is out of the box.
  • Ditched the guest VLAN. I'll just use the work network for unknown devices as it is basically the same thing in both cases, or I'll just make a copy and name it guest when needed.

So:

Primary router - Archer C7 v4

Interfaces + switch config:

  • VLAN 1 - LAN - management + home - 192.168.10.1/24
  • VLAN 10 - WAN
  • VLAN 20 - IoT - 192.168.20.1/24
  • VLAN 30 - Work - 192.168.30.1/24

Port 4 is the trunk port used to connect with the secondary router.

Firewall rules:

General
Input accept, output accept, forward reject

Traffic rules - Allow:
DNS, DHCP for IOT and WORK.

Traffic rules - Blocked (drop):
LAN -> WORK
IOT -> LAN
IOT -> WORK
IOT -> WAN
WORK -> LAN
WORK -> IOT

With this configuration, tried pinging a device in the IoT network from LAN, this was successful.

All unwanted traffic between interfaces is explicitly blocked, just to be careful.

With the input reject settings, IOT and WORK can't access LuCI nor do anything else other than DNS requests and DHCP as allowed, I'm pleased with the result.

I'll open up IOT more as needed according to the devices' requirements in the future.

Raspberry Pi 3B - Pihole

I've integrated the Raspberry Pi 3B running Pihole back into this. It resides in the LAN network and is handed to all clients there as their DNS server through dhcp-options.

For both IOT and WORK, I just configured its address as the interface's DNS custom address. All requests from these appear as if they'd originated from the router itself, which is fine.


Secondary router - Archer C7 v4

Interfaces + switch config:

  • VLAN 1 - LAN - management + home - 192.168.10.2/24
  • VLAN 20 - IoT - unmanaged
  • VLAN 30 - Work - unmanaged

WAN port is the trunk port used to connect with the primary router.
LAN 1 port is the trunk port used to connect with the third router.

Firewall + DHCP + DNS

Firewall, dnsmasq, odhcpd disabled.


Third router - TL-WR1043ND v1.8 - 64MB RAM mod

Interfaces + switch config:

  • VLAN 1 - LAN - management + home - 192.168.10.3/24
  • VLAN 20 - IoT - unmanaged
  • VLAN 30 - Work - unmanaged

WAN port is the trunk port used to connect with the secondary router.

Firewall + DHCP + DNS

Firewall, dnsmasq, odhcpd disabled.

Why?

This is not really needed, but why not use the included 5 port gigabit switch in this device for extra wired connectivity at my desk?


Wireless:

I have the same SSID for my home network on both the primary and secondary routers, both 2.4GHz radios on channels 1 and 11, both 5GHz radios on channel 36 and 149, with lowered output power.

I'm waiting for OpenWrt 21.02 to be released so I can put DAWN + 802.11k/v to work for proper roaming and band steering. I've already enabled 802.11r as it requires just a tick in LuCI.

On the secondary router, there are SSIDs for the IOT and WORK networks.

The third router is there just for some extra wired connectivity.


This was quite the learning experience :)

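The Pi-hole arrangement described in the second post (LAN clients pointed at the Pi directly via DHCP option 6; IOT and WORK pointed at the router, which forwards to the Pi) has two consequences worth spelling out. First, the Pi sits in the LAN zone, which IOT and WORK cannot reach, so handing those clients the Pi's address directly would break their DNS unless a single-host, single-port forwarding is added. Second, a per-interface custom DNS server only adds the Pi to the router's upstream list; dnsmasq still has the ISP's PPPoE-supplied resolvers in /tmp/resolv.conf.auto and may use either, so the Pi is not guaranteed to see every query. The fragments below are an added example for OpenWrt 19.07, not configuration from the post; the Pi-hole address 192.168.10.5 and the interface names `lan`, `iot`, `work` are assumptions.

```uci
# Added example (OpenWrt 19.07), not the post's own config.
# Assumes the Pi-hole is 192.168.10.5 and interfaces are named lan, iot, work.

# ---- /etc/config/dhcp ----
# LAN clients talk to the Pi-hole directly: DHCP option 6 overrides the default
# of advertising the router as resolver.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.10.5'

# iot/work get the router (192.168.20.1 / 192.168.30.1) as resolver, no option 6.
# The firewall already allows udp/tcp 53 from these zones to the router.
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'work'
	option interface 'work'
	option start '100'
	option limit '150'
	option leasetime '12h'

# Make the Pi-hole the router's ONLY upstream. noresolv ignores
# /tmp/resolv.conf.auto, so the ISP resolvers learned over PPPoE (and any
# per-interface 'dns' options) are never consulted. The Pi-hole will log these
# queries with the router's address as the client, as the post observes.
config dnsmasq
	option domainneeded '1'
	option localservice '1'
	option noresolv '1'
	list server '192.168.10.5'

# ---- /etc/config/network ----
# The post's approach: a custom DNS server on the interface. This only ADDS
# the Pi-hole to the upstream list; the dnsmasq 'server' + 'noresolv' pair
# above is what makes it exclusive.
config interface 'iot'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'
	list dns '192.168.10.5'

config interface 'work'
	option proto 'static'
	option ipaddr '192.168.30.1'
	option netmask '255.255.255.0'
	list dns '192.168.10.5'

# ---- /etc/config/firewall ----
# Only needed if iot clients should query the Pi-hole directly (so it logs
# per-device instead of per-router). Opens exactly one host and one port
# into the otherwise unreachable lan zone; the generic 'IOT -> LAN' drop
# rule in the post must not precede it, or it wins.
config rule
	option name 'Allow-DNS-iot-to-pihole'
	option src 'iot'
	option dest 'lan'
	option dest_ip '192.168.10.5'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

A quick check from an IOT client: `nslookup example.org 192.168.20.1` must answer, `nslookup example.org 192.168.10.5` must time out unless the last rule is present, and the Pi-hole query log then shows the router's address as the client in the former case and the device's address in the latter.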
