Hi there, I’m trying to add a simple guest network to my Brume on a separate VLAN and keep the internal VLAN 1 untouched, but I can’t get the firewall zones working on the Brume. I’ve been able to successfully set up a guest interface on lan0.30 using VLAN 30 for my Guest network, and when I connect to my Guest SSID I obtain an IP from the guest range (192.168.30.x). Firewall zones are set up correctly and I tried to add additional firewall rules to make sure Guest traffic is not allowed to access other subnets / my main LAN. See configs below.
However, when I connect to my Guest network with an IP address from the guest range, I can still access the Brume router interface, my switch, etc. on the 192.168.8.x subnet. How is this possible?
Setup
-
ONT from the FTTH provider → connected WAN port on Brume
-
Brume MV1000 with PPPoE set up, acting as the DHCP server.
-
8-port managed PoE switch (L2/L3) (TP-Link TL-SG2008P) → connected to Brume LAN0, with ports:
- Port 1: Uplink to Brume
- Port 2: Access point #1 (Ruckus r510) with Main SSID on VLAN1 and Guest SSID at VLAN30
- Port 4: Apple TV
- Port 5-7: IoT Devices…
- Port 8: Access point #2 (Ruckus r320) with Main SSID on VLAN1 and Guest SSID at VLAN30
-
8-port managed PoE switch (L2/L3) (TP-Link TL-SG2008P) → connected to Brume LAN0, with ports:
-
Brume MV1000 with PPPoE set up, acting as the DHCP server.
Managed switch port setup
Port | Device | PVID | Tagged VLAN | Untagged VLAN |
---|---|---|---|---|
1 | Brume | 1 | 1,30 | |
2 | Ruckus AP | 1 | 1,30 | |
3-7 | IoT Devices… | 1 | 1 | |
8 | Ruckus AP | 1 | 1,30 | |
I’ve also tried to leave ports 2,8 Untagged on VLAN 1 but it doesn’t make a difference.
VLANs
My internal network is on 192.168.8.x and as a starting point I created one extra VLAN:
- VLAN 1 - internal LAN - 192.168.8.1/24
- VLAN 30 - guest - 192.168.30.1/24
Again, the problem is that when I’m on the guest network I can still access my internal network / other subnets, even though the firewall zones are configured correctly. I’ve read quite a few topics on setting up port tagging and OpenWrt firewall zones and I can’t see what is going wrong here. Before adding more VLANs I really would like to fix this first. Any help is appreciated.
Configs (latest stock firmware 3.212)
network
# network (copy 1): loopback, globals and the main LAN bridge. Credentials and MACs are masked in this copy.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# IPv6 ULA prefix; the 'lan' interface takes its /64 from it via ip6assign below.
option ula_prefix 'dd8a:b9e8:0ccb::/48'
config interface 'lan'
# Main LAN (192.168.8.1/24): a bridge of the VLAN-1 subinterface of lan0, the raw lan1 port and usb0.
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option hostname 'GL-MV1000-d03'
option ipaddr '192.168.8.1'
option ip6assign '64'
option ip6hint '0000'
option ip6ifaceid '::1'
# lan0.1 = 802.1Q VLAN 1 on lan0; the switch uplink (port 1) carries VLAN 1 tagged per the port table above.
option ifname 'lan0.1 lan1 usb0'
config interface 'wan'
# Upstream: PPPoE over VLAN 100 on the wan port (towards the ONT), IPv6 disabled on the PPP session.
# Username/password are masked in this copy.
option hostname 'GL-MV1000-d03'
option metric '10'
option proto 'pppoe'
option username 'XXXX@vodafone'
option password 'XXXXX'
option disabled '0'
option peerdns '1'
option ifname 'wan.100'
option ipv6 '0'
config interface 'wan6'
# DHCPv6 on the wan alias; disabled, so the IPv6 wan rules in the firewall config have no live interface.
option proto 'dhcpv6'
option ifname '@wan'
option disabled '1'
config interface 'lan0'
# Physical ports: no proto, so these sections only pin the MAC addresses (masked in this copy).
# Neither 'lan0' nor 'lan1' is listed in any firewall zone; only the logical interfaces built on them are
# ('lan' = lan0.1 lan1 usb0, 'guest' = lan0.30).
option ifname 'lan0'
option macaddr '94:83XXXX'
config interface 'lan1'
option ifname 'lan1'
option macaddr '94:83:XXXX'
config interface 'guest'
# Guest VLAN: 192.168.30.1/24 on lan0.30 (802.1Q VLAN 30), bridged as br-guest.
# Placed in zone 'guestzone' in the firewall config.
option proto 'static'
option netmask '255.255.255.0'
option ifname 'lan0.30'
option ipaddr '192.168.30.1'
option type 'bridge'
firewall
package firewall
config defaults
# Global policy: input/output to and from the router accepted, forwarding rejected.
# These defaults apply to traffic on interfaces no zone covers; each zone below sets its own policies.
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
# 'lan' zone: open in both directions with the router, and forwarding between its own interfaces allowed.
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
# 'wan' zone: unsolicited input dropped, NAT for IPv4 and IPv6, MSS clamping for the PPPoE link.
option name 'wan'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option network 'wan wan6'
option masq6 '1'
option input 'DROP'
config forwarding
# lan -> wan is the only forwarding declared from 'lan'; there is no forwarding in either direction
# between 'lan' and 'guestzone'.
option src 'lan'
option dest 'wan'
option enabled '1'
config rule
# Stock OpenWrt default rules, all with src 'wan': DHCP renew, ping, IGMP, DHCPv6, MLD and ICMPv6 input.
# None of them mentions the guest zone.
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
# ICMPv6 forwarding from wan to any zone (dest '*'); switched off here with enabled '0'.
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
option enabled '0'
config rule
# Stock IPsec pass-through: these two rules forward ESP and UDP/500 from wan into the 'lan' zone.
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
# Legacy user hook script; its contents are not shown in this post.
option path '/etc/firewall.user'
option reload '1'
config include 'glfw'
# GL.iNet vendor scripts (glfw, gls2s, glqos) run on every firewall reload and can add rules that do not appear
# in this UCI dump, so the effective rule set may differ from what is declared here.
option type 'script'
option path '/usr/bin/glfw.sh'
option reload '1'
config rule 'sambasharewan'
# No dest, so an input rule: drop SMB/NetBIOS ports arriving from wan at the router itself.
option src 'wan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'DROP'
config rule 'sambasharelan'
# Input rule: accept SMB/NetBIOS from the lan zone to the router itself.
option src 'lan'
option dest_port '137 138 139 445'
option dest_proto 'tcpudp'
option target 'ACCEPT'
config include 'gls2s'
option type 'script'
option path '/var/etc/gls2s.include'
option reload '1'
config include 'glqos'
option type 'script'
option path '/usr/sbin/glqos.sh'
option reload '1'
config zone
# 'guestzone': guests may not reach the router (input REJECT) and are not forwarded anywhere (forward REJECT)
# except through the single forwarding to 'wan' below. With these zone policies alone, guest -> lan forwarding
# is already rejected, because no 'forwarding' section has src 'guestzone' and dest 'lan'.
option name 'guestzone'
option input 'REJECT'
option forward 'REJECT'
list network 'guest'
option output 'ACCEPT'
config forwarding
option dest 'wan'
option src 'guestzone'
config rule
# Forward rule (dest '*'): reject guest traffic forwarded towards the main subnet. The prefix is written with
# host bits set (192.168.8.1/24); 192.168.8.0/24 is the conventional form — confirm fw3 normalises it as intended.
# Redundant with the zone 'forward' policy above as long as that policy is in effect.
option src 'guestzone'
option name 'Block-Guest-to-Internal'
option target 'REJECT'
option dest '*'
list dest_ip '192.168.8.1/24'
config rule
# Input rule (no dest): lets guests reach the router on 53/67/68; no proto is given, so it applies to tcp and udp.
# DHCP clients send to server port 67; 68 is the client-side port and is not needed on the router's input chain.
option dest_port '53 67 68'
option src 'guestzone'
option name 'Allow-Guest-DNS-DHCP'
option target 'ACCEPT'
config rule
# Input rule (no dest): drops everything else from guests to the router itself. Despite its name it has no effect
# on guest -> lan forwarding; that is governed by the zone 'forward' policy and the rule above.
# NOTE(review): from a guest, reaching 192.168.8.1 is INPUT and reaching the switch (192.168.8.10) is FORWARD;
# both are denied by what is declared in this file, so the access described in the post is not explained by
# this config alone. Places left to check: the vendor include scripts above and the switch itself (an L2/L3 model).
# Comparing the live rules (e.g. `fw3 print`, `iptables-save`) with this file would show which one adds the hole.
option src 'guestzone'
option name 'Block-Guest-to-LAN-Traffic'
option target 'DROP'
DHCP config (AdGuard is enabled)
package dhcp
config dnsmasq
# dnsmasq: ignores the upstream resolv.conf (noresolv) and forwards all queries to 127.0.0.1#3053, the local
# AdGuard listener mentioned in the heading. rebind_protection discards upstream answers pointing at private ranges;
# localservice limits answering to directly attached subnets, which includes both br-lan and br-guest.
option domainneeded '1'
option localise_queries '1'
option rebind_protection '1'
option rebind_localhost '1'
option local '/lan/'
option domain 'lan'
option expandhosts '1'
option authoritative '1'
option readethers '1'
option leasefile '/tmp/dhcp.leases'
option localservice '1'
option noresolv '1'
list server '127.0.0.1#3053'
option resolvfile '/tmp/resolv.conf.auto'
config dhcp 'lan'
# Main LAN pool: host offsets 100..249 (start 100, limit 150), 12h leases.
# 'force' keeps serving DHCP even if another DHCP server is detected on the segment.
option interface 'lan'
option start '100'
option limit '150'
option leasetime '12h'
option force '1'
# Advertises the router's ULA address (prefix from 'globals' + ::1) as an IPv6 DNS server.
list dns 'dd8a:b9e8:0ccb:0000:0000:0000:0000:0001'
config dhcp 'wan'
# No DHCP service on the wan side.
option interface 'wan'
option ignore '1'
config odhcpd 'odhcpd'
# odhcpd only does DHCPv6/RA (maindhcp '0'); dnsmasq stays the IPv4 DHCP server.
option maindhcp '0'
option leasefile '/tmp/hosts/odhcpd'
option leasetrigger '/usr/sbin/odhcpd-update'
option loglevel '4'
config domain 'localhost'
# Vendor admin-UI hostname resolves to the router's LAN address.
option name 'console.gl-inet.com'
option ip '192.168.8.1'
config host
# Static leases for the infrastructure on the main LAN (MACs masked in this copy): both APs, the Apple TV,
# the managed switch and the Hue bridge all sit in 192.168.8.0/24, i.e. the subnet the guest rules target.
option mac 'C8:08:XXXX'
option dns '1'
option ip '192.168.8.20'
option name 'Ruckus-AP-R520'
config host
option mac 'AC:XXX'
option name 'Apple-TV'
option dns '1'
option ip '192.168.8.30'
config host
option mac '84:D8:XXX'
option name 'TP-Link-Switch'
option dns '1'
option ip '192.168.8.10'
config host
option mac 'EC:XXX'
option name 'Philips-Hue-Bridge'
option dns '1'
option ip '192.168.8.31'
config host
option mac '80:XXX'
option name 'Ruckus-AP-R320'
option dns '1'
option ip '192.168.8.21'
config dhcp 'guest'
# Guest pool on br-guest: host offsets 100..249, 12h leases. DHCPv6 and router advertisements are disabled,
# so the guest VLAN is IPv4-only (consistent with the guest-zone rules, which only cover IPv4 addresses).
option start '100'
option leasetime '12h'
option limit '150'
option interface 'guest'
option dhcpv6 'disabled'
option ra 'disabled'
package network
# Second copy of the network config. Same sections as the first copy above, but the values masked there
# are pasted in full here.
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'dd8a:b9e8:0ccb::/48'
config interface 'lan'
# Main LAN bridge, 192.168.8.1/24: lan0.1 (VLAN 1 on lan0), lan1 and usb0.
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option hostname 'GL-MV1000-d03'
option ipaddr '192.168.8.1'
option ip6assign '64'
option ip6hint '0000'
option ip6ifaceid '::1'
option ifname 'lan0.1 lan1 usb0'
config interface 'wan'
# NOTE(review): unlike the first copy, the PPPoE account username and password below are pasted in clear.
# A credential posted this way has to be treated as exposed and should be changed with the provider.
option hostname 'GL-MV1000-d03'
option metric '10'
option proto 'pppoe'
option username 'ONH0000966654@vodafone'
option password 'E82FV7WM'
option disabled '0'
option peerdns '1'
option ifname 'wan.100'
option ipv6 '0'
config interface 'wan6'
option proto 'dhcpv6'
option ifname '@wan'
option disabled '1'
config interface 'lan0'
# Physical ports with pinned MACs (unmasked in this copy). lan0 and lan1 are pinned to the same MAC address;
# confirm that is intended, since both contribute a member to br-lan (lan0.1 and lan1).
option ifname 'lan0'
option macaddr '94:83:c4:09:dd:04'
config interface 'lan1'
option ifname 'lan1'
option macaddr '94:83:c4:09:dd:04'
config interface 'guest'
# Guest VLAN on lan0.30, 192.168.30.1/24, bridged as br-guest.
option proto 'static'
option netmask '255.255.255.0'
option ifname 'lan0.30'
option ipaddr '192.168.30.1'
option type 'bridge'