Would my planned setup profit from using VLANs?

Hello dear community,

Before setting up my OpenWrt router, I gave some thought to network security in the context of multiple WLANs.

My goal is to offer several WLANs whose clients are isolated from those of the other WLANs, unless explicitly defined otherwise:

  • wifi1 for my personal devices
  • wifi2 for my iot devices that should not have access to the internet
  • wifi3 for guests
  • wifi4 for all other devices in the family

I have come up with the following configurations:

/etc/config/network

# Loopback - the OpenWrt default, untouched.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Site-local IPv6 prefix. 'lan' is the only interface below that requests a
# delegation from it (ip6assign '60'); lan2/lan3/lan4 have no ip6assign and so
# get no ULA address from this prefix.
config globals 'globals'
	option ula_prefix 'fde2:0de5:5d28::/48'

# br-lan carries all five switch ports untagged, so every wired client lands in
# the trusted 'lan' network regardless of which port it is plugged into. Splitting
# wired ports between different networks is the one place where VLANs (tagged
# ports) would actually be needed in this setup.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

# The per-port stanzas only pin a MAC address; they carry no VLAN settings.
config device
	option name 'lan1'
	option macaddr '94:83:c4:a3:34:6a'

config device
	option name 'lan2'
	option macaddr '94:83:c4:a3:34:6a'

config device
	option name 'lan3'
	option macaddr '94:83:c4:a3:34:6a'

config device
	option name 'lan4'
	option macaddr '94:83:c4:a3:34:6a'

config device
	option name 'lan5'
	option macaddr '94:83:c4:a3:34:6a'

# Trusted network (wifi1 plus all wired ports): 192.168.1.0/24 and a /60 from the ULA.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# Upstream on eth1: IPv4 via DHCP, IPv6 via DHCPv6.
config device
	option name 'eth1'
	option macaddr '94:83:c4:a3:34:68'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

# br-lan2 / br-lan3 / br-lan4 are bridges with no member ports. They exist only as
# attachment points for the wifi2 / wifi3 / wifi4 SSIDs (see the wireless config),
# which is what keeps those clients off 'lan' at layer 2. No VLAN is involved
# because no wired port belongs to any of them.
config device 'lan2_dev'
	option type 'bridge'
	option name 'br-lan2'

# IoT network behind wifi2 (10.0.2.0/24); IPv4 only.
config interface 'lan2'
	option proto 'static'
	option device 'br-lan2'
	option ipaddr '10.0.2.1/24'

config device 'lan3_dev'
	option type 'bridge'
	option name 'br-lan3'

# Guest network behind wifi3 (10.0.3.0/24); IPv4 only.
config interface 'lan3'
	option proto 'static'
	option device 'br-lan3'
	option ipaddr '10.0.3.1/24'

config device 'lan4_dev'
	option type 'bridge'
	option name 'br-lan4'

# Family network behind wifi4 (10.0.4.0/24); IPv4 only.
config interface 'lan4'
	option proto 'static'
	option device 'br-lan4'
	option ipaddr '10.0.4.1/24'

/etc/config/wireless

# 2.4 GHz radio; every SSID below is broadcast here.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '6'
	option band '2g'
	option htmode 'HE40'
	option country 'DE'
	option cell_density '0'

# 5 GHz radio; only wifi1 and wifi4 get a 5 GHz interface.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '48'
	option band '5g'
	option htmode 'HE160'
	option country 'DE'
	option cell_density '0'

# wifi1 (personal devices) on both bands: WPA3-SAE only, attached to the trusted
# 'lan' network, no client isolation.
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi1'
	option encryption 'sae'
	option key 'mysupersecretpassword'
	option network 'lan'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi1'
	option encryption 'sae'
	option key 'mysupersecretpassword'
	option network 'lan'

# wifi2 (IoT, 2.4 GHz only): 'sae-mixed' also admits WPA2-PSK-only devices;
# isolate '1' is AP client isolation, so IoT clients cannot reach each other
# through the AP. Attached to 'lan2'.
# NOTE(review): all six wifi-iface stanzas carry the identical key literal -
# presumably a placeholder for the post. Use a distinct passphrase per SSID:
# with one shared key, any device that was given the guest or IoT key can
# simply associate with wifi1 instead, and the zone separation in the firewall
# config is then only as strong as that single secret.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi2'
	option encryption 'sae-mixed'
	option isolate '1'
	option key 'mysupersecretpassword'
	option network 'lan2'

# wifi3 (guests, 2.4 GHz only): WPA3-SAE, client isolation on, attached to 'lan3'.
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi3'
	option encryption 'sae'
	option isolate '1'
	option key 'mysupersecretpassword'
	option network 'lan3'

# wifi4 (family, both bands): 'sae-mixed' (WPA2-PSK fallback allowed), no client
# isolation - family devices can see each other - attached to 'lan4'.
config wifi-iface 'wifinet4'
	option device 'radio0'
	option mode 'ap'
	option ssid 'wifi4'
	option encryption 'sae-mixed'
	option key 'mysupersecretpassword'
	option network 'lan4'

config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option ssid 'wifi4'
	option encryption 'sae-mixed'
	option key 'mysupersecretpassword'
	option network 'lan4'

/etc/config/firewall

# Default policy: the router rejects unsolicited traffic to itself (input) and
# between zones (forward) unless a zone or forwarding stanza below opens it;
# traffic originated by the router (output) is unrestricted.
config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Trusted zone: full access to the router, members may forward freely.
# NOTE(review): member network 'vpn' has no matching interface in the network
# config shown - confirm it is defined elsewhere, otherwise remove the stale
# entry so the zone membership documents what really exists.
config zone 'lan'
	option name 'lan'
	list network 'lan'
	list network 'vpn'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone: reject inbound, NAT (masq) outbound, clamp MSS.
config zone 'wan'
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Trusted zone gets internet access.
config forwarding
	option src 'lan'
	option dest 'wan'

# Standard WAN-input exceptions: DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# dest '*' lets these ICMPv6 types from wan be forwarded into any zone (rate limited).
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# IPsec (ESP and ISAKMP udp/500) arriving on wan is forwarded into 'lan'. Only
# useful if a VPN endpoint actually lives on 'lan'; if none does, these two rules
# are exposed surface with no purpose and can be removed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# IoT zone: no forwarding to wan, so no internet (as intended); router input is
# rejected except for the DHCP rule below. Only 'lan' may initiate connections
# into lan2 - there is no lan2 -> lan forwarding stanza.
config zone 'lan2'
	option name 'lan2'
	option network 'lan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'lan_lan2'
	option src 'lan'
	option dest 'lan2'

# Unlike lan3/lan4 there is no DNS rule for lan2, so IoT clients cannot resolve
# names via the router - presumably intended since they get no internet, but
# local hostnames will not resolve for them either. TODO confirm.
config rule 'lan2_dhcp'
	option name 'Allow-DHCP-lan2'
	option src 'lan2'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

# Guest zone: internet only. Router input limited to DNS and DHCP below; with no
# forwarding stanza towards lan/lan2/lan4, guests cannot reach the other networks.
config zone 'lan3'
	option name 'lan3'
	option network 'lan3'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'lan3_wan'
	option src 'lan3'
	option dest 'wan'

config rule 'lan3_dns'
	option name 'Allow-DNS-lan3'
	option src 'lan3'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'lan3_dhcp'
	option name 'Allow-DHCP-lan3'
	option src 'lan3'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

# Family zone: same policy as the guest zone (internet, DNS, DHCP; no path to
# lan/lan2/lan3).
config zone 'lan4'
	option name 'lan4'
	option network 'lan4'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding 'lan4_wan'
	option src 'lan4'
	option dest 'wan'

config rule 'lan4_dns'
	option name 'Allow-DNS-lan4'
	option src 'lan4'
	option dest_port '53'
	option proto 'tcp udp'
	option target 'ACCEPT'

config rule 'lan4_dhcp'
	option name 'Allow-DHCP-lan4'
	option src 'lan4'
	option dest_port '67'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'

Is this a secure configuration in itself?

I have of course read about VLANs beforehand, but to be honest I only halfway understood the basic principle. The implementation in a concrete setup is far beyond my abilities.
I am therefore wondering whether VLANs could provide me with decisive added value at this point and whether the implementation would be worthwhile.

What is your opinion on this?

Thanks in advance.

Kind regards

VLANs are used when you need to transport several independent networks over the same Ethernet wire, be it between two devices, or between the internal switch and the CPU in your router.

VLANs do not play any role at all when dealing with wireless clients: each SSID is already attached to its own bridge and network, so the separation you are after already exists at the interface level. If your current configuration works for you, then you do not need VLANs, and you cannot improve the security by using VLANs.
