Vlans Security and DNS

wrt35245 · January 6, 2026, 8:39pm

Hey there!

I’m setting up my VLANs using the dsa mini tutorial from the wiki and wanted to make sure my configuration is secure especially since it mentions holes like VLAN hopping. I've put together a sample config based on what I saw and have a few questions.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:t'
    list ports 'lan3:u*'


config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '400'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '500'
	list ports 'lan1:t'
        list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '600'
	list ports 'lan1:t'
        list ports 'lan2:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '993'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan4:u*'
	option local '0'

Is this VLAN setup secure and effective at preventing VLAN hopping/others? I really want a tight network with no leaks.

For each VLAN, I’ll have a DHCP/static interface and a firewall. I've got a managed switch connected to LAN1 for handling the VLANs, and I’m planning to set up VLANs on my router for Proxmox VMs. This way, I can control everything through the firewall. For instance, I was thinking of allowing VM1 (VLAN400) to access VM2 (VLAN300), but not the other way around. That should work, right?

One thing the tutorial didn’t cover is DNS. When I tested the security part, I noticed DNS wasn’t segmented, so I had to create a traffic rule for it. Are there any other obvious things I might need to block or reject that the tutorial doesn’t mention?

Also, how can I set up AdGuard Home on a Proxmox VM so that all VLANs (including LAN vlan) can use it for DNS? I guess I’d create a separate VLAN for AdGuard Home and give it firewall access to all other VLANs, then use DHCP option 6 on each interface? That would mean every VLAN and end device has to stick to that DNS, right? Just curious if that’s reliable. What happens if the Proxmox machine goes down?

psherman · January 6, 2026, 8:45pm

The bridge-vlans are properly formed, so no issues there. You didn't show the complete network config, nor did you share your firewall (which is where most of the security comes from), so we can't guarantee that there aren't issues, but at least the initial part is correct.

ncompact · January 6, 2026, 8:47pm

If this is the primary router that offers both DHCP for clients and acts as a firewall for all zones, fine.

If this is a secondary router, then it should only have one IP address on your trusted network (I assume VLAN 993). All other interfaces should have no IP address.

example:

config interface 'iot'
        option proto 'none'
        option device 'br-lan.300'

wrt35245 · January 6, 2026, 8:55pm

Yeah, it doesn't exist yet. I'm just gathering information before I put it into action. Most VLAN firewalls will typically look like this: reject, accept, reject, VLAN 400 -> WAN. But some VLANs can access others. For example, AdGuard Home will probably have access to all VLANs.

I forgot to mention that LAN2 will connect to a bridge access point, but that shouldn’t really change anything. For the bridge AP, I just need to follow the wiki and use the VLAN tags, if I'm correct.

wrt35245 · January 6, 2026, 8:56pm

Yeah, this is the main router. But I guess I should use 'none' on the bridge access point, right?

ncompact · January 6, 2026, 9:00pm

correct (ok)

You will then need the tags of all the vlans that will be served by the dump-ap (bridge access point)

example (assuming that VLAN 300 packet transfer is needed):

# on the main router
config bridge-vlan
	option device 'br-lan'
	option vlan '300'
	list ports 'lan1:t'
	list ports 'lan2:t'

wrt35245 · January 6, 2026, 9:04pm

Got it, that makes sense. Thanks! Do you know if my assumption about DNS with DHCP option 6 is correct?

ncompact · January 6, 2026, 9:07pm

It depends on your personal tastes

example (cat /etc/config/dhcp):

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,9.9.9.9'

documentation:

https://openwrt.org/docs/guide-user/base-system/dhcp_configuration#dhcp_options

wrt35245 · January 6, 2026, 9:11pm

Does that mean there are better options?

ncompact · January 6, 2026, 9:12pm

you can send dns traffic to your internal dns server

https://openwrt.org/docs/guide-user/firewall/fw3_configurations/intercept_dns

It depends on your personal tastes (as I already said)

PS: Be careful though, some clients may want to deliberately ignore the settings as well.

wrt35245 · January 6, 2026, 9:26pm

That's interesting! I'm not sure which options to choose from that wiki, but it seems to point in the right direction. I want to enforce that DNS on every device since I've heard some devices might override it and use their own DNS, which I want to avoid.

ncompact · January 6, 2026, 9:33pm

Even if you force DNS traffic redirection (TCP/UDP port 53), there is no definitive solution.
Some clients or applications deliberately ignore both the DNS provided via DHCP and the redirect, using DoH/DoT or embedded resolvers instead.
In these cases the router has no reliable way to intercept or modify name resolution without resorting to TLS MITM or selective endpoint blocking, with all the related limitations.

In short:

DHCP DNS assignment is the clean and correct approach “6,9.9.9.9”
DNS redirection is a more aggressive but limited workaround
Neither approach is definitive against modern applications

mk24 · January 6, 2026, 9:36pm

In a config dhcp block instead of option 6 you should use option dns '9.9.9.9' which will stop the router from also advertising itself as DNS.

ncompact · January 6, 2026, 10:05pm

I also tried

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dns '9.9.9.9'

, but in my tests the client continues to receive the router's DNS,

while list

config dhcp 'iot'
        option interface 'iot'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list dhcp_option '6,9.9.9.9'

works correctly.

I'm probably missing something: can you explain under which conditions option dns actually replaces DHCP option 6 or point me to the relevant documentation?

mk24 · January 7, 2026, 4:12pm

The documentation is here:

According to that, if a dns is specified, dns_service should be forced to 0 (don't advertise router as DNS) but maybe you also need to explicitly set option dns_service 0

ncompact · January 7, 2026, 9:43pm

Hi mk24, thanks for the suggestion!

I checked the OpenWrt documentation, and as it states, option dns works only for IPv6 addresses or for DNS announced via DHCPv6/RA.
For IPv4 clients, you need to use:

list dhcp_option '6,<DNS>'
option dns_service '0'

This way, clients correctly receive the desired DNS, and the router does not advertise itself as a DNS.

Thanks again for the tip—it really helped me understand the difference between IPv4 and IPv6!