Why can I access the Internet from a VLAN zone?

Hello! I don't understand why I have internet access from the VLAN zone.

OpenWrt 23.05.5
No Firewall rules for VLAN zone
Default Firewall rules for wan zone

Zones

wan
Zone Forwardings - REJECT
Input - reject
Output - accept
Forward - reject
Masquerading - Yes

vlan_zone
Zone Forwardings - REJECT
Input - accept
Output - accept
Forward - reject
Masquerading - No

As far as I understand, packets go to the router because Input is accept. Then packets should only be transferred between the vlan_zone interface and neighbor devices inside the zone. I don't understand how packets get to the internet.

Those parameters are for the zone itself, not for forwarding between vlan_zone and wan.

Let's see the entire /etc/config/firewall file.

I should not have access to the internet from the printer's VLAN zone.

package firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'lan'

config zone
        option name 'mgmt_lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'mgmt_lan'

config zone
        option name 'mgmt_ap'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'ap'

config zone
        option name 'user'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'users'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'guest'
        option dest 'wan'
        option target 'REJECT'
        option name 'Guest_WAN_IP'
        list proto 'all'

config rule
        option name 'Guest_DNS_and_DHCP'
        option src 'guest'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'Guest_v2Ray'
        option src 'guest'
        option dest_port '52345'
        option target 'ACCEPT'

config forwarding
        option src 'user'
        option dest 'wan'

config rule
        option name 'User_WAN_IP'
        option src 'user'
        option dest 'wan'
        option target 'REJECT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'igmp'
        list proto 'esp'

config rule
        option name 'User_DNS_and_DHCP'
        option src 'user'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config rule
        option name 'User_SIP'
        option src 'user'
        option dest_port '5060 5061'
        option target 'ACCEPT'

config rule
        option name 'User_v2Ray'
        option src 'user'
        option dest_port '52345'
        option target 'ACCEPT'

config rule
        option name 'User_ICMP'
        list proto 'icmp'
        option src 'user'
        option target 'ACCEPT'

config forwarding
        option src 'mgmt_lan'
        option dest 'mgmt_ap'

config forwarding
        option src 'mgmt_lan'
        option dest 'user'

config forwarding
        option src 'mgmt_lan'
        option dest 'wan'

config rule
        option name 'User_NTP'
        option src 'user'
        option dest_port '123'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'

config rule
        option name 'MGMT_AP_WAN_IP'
        option src 'mgmt_ap'
        option dest 'wan'
        option target 'REJECT'
        list proto 'all'

config rule
        option name 'MGMT_AP_ICMP'
        list proto 'icmp'
        option src 'mgmt_ap'
        option target 'ACCEPT'

config rule
        option name 'MGMT_AP_NTP'
        list proto 'udp'
        option src 'mgmt_ap'
        option dest_port '123'
        option target 'ACCEPT'

config zone
        option name 'cctv'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'cctv'

config forwarding
        option src 'mgmt_lan'
        option dest 'cctv'

config rule
        option name 'CCTV_DNS_and_DHCP'
        list proto 'udp'
        option src 'cctv'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config forwarding
        option src 'cctv'
        option dest 'wan'

config rule
        option name 'CCTV_NTP'
        option src 'cctv'
        option dest_port '123'
        option target 'ACCEPT'

config zone
        option name 'printer'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'printer'

config rule
        option name 'Printer_DHCP'
        option src 'printer'
        option dest_port '67 68'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'User_to_Printer'
        option src 'user'
        option dest 'printer'
        option dest_port '427'
        option target 'ACCEPT'
        list proto 'tcp'
        list proto 'udp'
        list proto 'icmp'
        option enabled '0'


1 Like
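The reply above makes the key point: a zone's own input/output/forward options only govern traffic within that zone, while traffic between zones is only opened by `config forwarding` entries or enabled `config rule` entries with both `src` and `dest`. The following added example (not code from the thread or from OpenWrt) parses a constructed, trimmed copy of the firewall file in the standard UCI text format and lists which zone-to-zone paths the policy actually opens. Run against the full config it would show that nothing opens `printer -> wan`, which is the point at which a defender should stop looking at the firewall and start looking below layer 3 (switch and VLAN tagging). Only the Python standard library is used; the sample config is constructed for the example.

```python
"""Summarize which zone-to-zone paths an OpenWrt /etc/config/firewall opens.

Added example, not part of the thread. Parses the UCI text format:
'config <type> [name]' blocks containing 'option key value' and
'list key value' lines.
"""
import shlex

# Constructed sample, trimmed from the zones discussed in the thread.
SAMPLE_FIREWALL = """
config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'wan'

config zone
        option name 'guest'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'guest'

config zone
        option name 'user'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'users'

config zone
        option name 'printer'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'printer'

config forwarding
        option src 'guest'
        option dest 'wan'

config rule
        option name 'User_to_Printer'
        option src 'user'
        option dest 'printer'
        option dest_port '427'
        option target 'ACCEPT'
        option enabled '0'
"""


def parse_uci(text):
    """Return a list of (section_type, {key: value or [values]}) in file order."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # strips the single quotes around values
        if parts[0] == "config":
            sections.append((parts[1], {}))
        elif parts[0] == "option" and sections:
            sections[-1][1][parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and sections:
            sections[-1][1].setdefault(parts[1], []).append(parts[2])
    return sections


def forwarding_policy(sections):
    """Map src zone -> dest zones opened zone-wide, and src -> {dest: rule names}
    for port-limited openings. Disabled entries (enabled '0') are ignored; a
    zone's own 'forward' option is intentionally not consulted, because it only
    covers traffic between networks inside that same zone."""
    zones = [s["name"] for kind, s in sections if kind == "zone"]
    full = {z: set() for z in zones}
    partial = {z: {} for z in zones}
    for kind, s in sections:
        if s.get("enabled", "1") == "0":
            continue
        src, dest = s.get("src"), s.get("dest")
        if src not in zones or dest not in zones:  # skips '*' and input rules
            continue
        if kind == "forwarding":
            full[src].add(dest)
        elif kind == "rule" and s.get("target") == "ACCEPT":
            partial[src].setdefault(dest, []).append(s.get("name", "<unnamed>"))
    return full, partial


def can_reach(sections, src, dest):
    """'full', 'partial' (only specific rules) or 'none' for src -> dest."""
    full, partial = forwarding_policy(sections)
    if dest in full.get(src, ()):
        return "full"
    if dest in partial.get(src, {}):
        return "partial"
    return "none"


def report(text):
    """Human-readable per-zone summary, one line per zone."""
    full, partial = forwarding_policy(parse_uci(text))
    lines = []
    for zone in full:
        dests = ", ".join(sorted(full[zone])) or "-"
        extra = ", ".join(f"{d} ({'/'.join(n)})" for d, n in partial[zone].items())
        lines.append(f"{zone:8} forwards to: {dests}" + (f"; port-limited: {extra}" if extra else ""))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FIREWALL)))
```

On the thread's full config the `printer` line comes out with no destinations at all, and the disabled `User_to_Printer` rule is correctly not counted, so any printer-to-WAN traffic seen on eth0 is reaching it without passing the router's forwarding path.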

Also, let's see your /etc/config/network.

I didn't notice anything odd in the firewall config.

MAC addresses are manually hidden just in case.

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth3'
        list ports 'eth4'

config device
        option name 'eth1'
        option macaddr 'hidden'

config device
        option name 'eth2'
        option macaddr 'hidden'

config device
        option name 'eth3'
        option macaddr 'hidden'

config device
        option name 'eth4'
        option macaddr 'hidden'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option delegate '0'
        option ipv6 '0'
        list ipaddr '192.168.1.1/29'

config device
        option name 'eth0'
        option macaddr 'hidden'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option gateway '192.168.0.1'
        option ipv6 '0'
        list dns '192.168.0.1'
        list ipaddr '192.168.0.2/30'

config interface 'guest'
        option proto 'static'
        option device 'vlans.11'
        option defaultroute '0'
        list ipaddr '192.168.101.1/26'

config device
        option type 'bridge'
        option name 'vlans'
        option ipv6 '0'
        list ports 'eth1'
        list ports 'eth2'

config bridge-vlan
        option device 'vlans'
        option vlan '10'
        list ports 'eth1:t'

config interface 'users'
        option proto 'static'
        option device 'vlans.10'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'vlans'
        option vlan '2'
        list ports 'eth1:t'

config bridge-vlan
        option device 'vlans'
        option vlan '11'
        list ports 'eth1:t'

config bridge-vlan
        option device 'vlans'
        option vlan '50'
        list ports 'eth1:t'
        list ports 'eth2'

config interface 'mgmt_lan'
        option proto 'static'
        option device 'vlans.50'
        list ipaddr '192.168.50.1/29'

config bridge-vlan
        option device 'vlans'
        option vlan '3'
        list ports 'eth1:t'

config interface 'cctv'
        option proto 'static'
        option device 'vlans.3'
        list ipaddr '192.168.3.1/30'

config bridge-vlan
        option device 'vlans'
        option vlan '4'
        list ports 'eth1:t'

config interface 'ap'
        option proto 'static'
        option device 'vlans.2'
        list ipaddr '192.168.2.1/27'

config interface 'printer'
        option proto 'static'
        option device 'vlans.4'
        list ipaddr '192.168.4.1/28'

Seems like you know what you're doing, nothing jumps out at me. Perhaps your switch is misconfigured?

Also, just to mention, there's the possibility of not using bridge filtering for the VLAN (i.e. don't have a 'vlans' bridge; make a bridge for each 'interface' and directly use ethx.x).

1 Like

Yeah, on mine - it's configured e.g. "br-lan.1" and so on. I didn't split in 2 bridges.

But, I don't see anything wrong either.

Yeah, what I'm saying is that there's the possibility of trying, instead of making the VLAN interfaces off the filtering bridge, to just use the eth interfaces directly in separate bridges.

1 Like

A DSA switch requires bridge-vlans inside a single bridge to set up hardware switching properly. A machine that has each Ethernet port directly and separately connected to the CPU (most x86 boxes) can use separate bridges.

2 Likes

What hardware is this actually relevant for, though? Most of the hardware OpenWrt supports has unaccelerated drivers where the performance can actually be better not having a bridge on a bridge (not relevant in this case, admittedly).

Not trying to start an argument, I'm just saying that when it comes to this it's not always clear cut.

Thank you for your answers! I have experimented with different firewall settings, and sometimes the router behaved as expected, sometimes not.
I don't fully understand what the problem is. Could someone tell me the minimum amount of settings needed to completely isolate the printer's VLAN from others? Based on this information, I might be able to find the cause.

What make and model of router is this?

https://openwrt.org/toh/tp-link/er605_v2

1 Like

I found with tcpdump that the packets from the isolated VLAN are going out through eth0.

I guess it's because all 5 ports are connected to the same switch (shown in figure).

For example, in the AX3000T there is 1 WAN port and 1 bridge with 3 LAN ports by default, but in the ER605 all 5 ports are the same, from eth0 to eth4.

In my configuration I have 2 bridges. The first one has no VLAN filtering and consists only of the eth4 device. It is needed in case I misconfigure the VLANs, so that I can connect to the router LAN directly. The second one has VLAN filtering and consists of eth1, eth2 and eth3. The remaining port, eth0, which is connected to the ISP, does not belong to any bridge.

I can ping the eth0 (WAN zone) IP from eth1 (isolated VLAN), but on the AX3000T with the same configuration I can't.
From the isolated VLAN I can only ping eth0 and the IPs of the devices in the isolated VLAN.

What should I do to isolate eth0 from eth1 - eth4?

I am not a VLAN expert, but perhaps the answer has already been given?

I reread your answer several times and finally understood the meaning of the previous answers. I will try to do as written above, there is no need to receive new answers yet. I will write as soon as there is some result.