Brume / Firewall zones across VLAN/Subnets not working?

Hi there, I’m trying to add a simple guest network to my Brume on separate VLAN and keep internal VLAN1 untouched but I can’t get the firewall zones working on the Brume. I’ve been able to successfully set up a guest interface on the lan0.30 using VLAN30 for my Guest network and when I connect to my Guest SSID I obtain an IP from the guest range (192.168.30.x). Firewall zones are set up correctly and I tried to add additional firewall rules to make sure Guest traffic is not allowed to access other subnets / my main lan. See configs below.

However, when I connect to my Guest network with an ip address from the guest range, I still can access the Brume router interface, my switch, etc. on the 192.168.8.x subnet. How is this possible?

Setup

  • ONT from the FTTH provider → connected WAN port on Brume
    • Brume MV1000 with PPPOE setup and act as DHCP server.
      • 8-ports managed PoE switch (L2/L3) (TP Link TL-SG2008P) → to Brume LAN0 with ports:
        • Port 1: Uplink to Brume
        • Port 2: Access point #1 (Ruckus r510) with Main SSID on VLAN1 and Guest SSID at VLAN30
        • Port 4: Apple TV
        • Port 5-7: IoT Devices…
        • Port 8: Access point #2 (Ruckus r320) with Main SSID on VLAN1 and Guest SSID at VLAN30

Managed switch port setup

Port Device PVID Tagged VLAN Untagged VLAN
1 Brume 1 1,30
2 Ruckus AP 1 1,30
3-7 IoT Devices… 1 1
8 Ruckus AP 1 1,30

I’ve also tried to leave ports 2,8 Untagged on VLAN 1 but it doesn’t make a difference.

VLANs

My internal network is on 192.168.8.x and for a starter I created one extra VLAN:

  • VLAN 1 - internal LAN - 192.168.8.1/24
  • VLAN 30 - guest - 192.168.30.1/24

Again, the problem is that if I’m on the guest network, while firewall zones are correctly configured, I can still access my internal network / other subnets. I’ve read quite a few topics on setting up port tagging and openwrt firewall zones and I can’t see what is going wrong here. Before adding more VLANs I really would like to fix this first. Any help is appreciated. :slightly_smiling_face:

Configs (latest stock firmware 3.212)

network
# Loopback interface (stock OpenWrt default, unchanged).
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# IPv6 ULA prefix; the 'lan' section below derives its /64 from it via ip6assign.
	option ula_prefix 'dd8a:b9e8:0ccb::/48'

# Main LAN (192.168.8.0/24): a bridge of the VLAN-1 sub-interface of lan0,
# the lan1 port and usb0.  Because the member is lan0.1 and not lan0, only
# frames that arrive on lan0 *tagged* with VID 1 end up in this bridge;
# untagged frames on lan0 belong to the bare 'lan0' section further down,
# which has no proto and therefore no address.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option hostname 'GL-MV1000-d03'
	option ipaddr '192.168.8.1'
	option ip6assign '64'
	option ip6hint '0000'
	option ip6ifaceid '::1'
	option ifname 'lan0.1 lan1 usb0'

# WAN: PPPoE on VLAN 100 of the wan port, IPv6 disabled.  The PPPoE
# credentials are redacted in this paste (good practice for a public post).
config interface 'wan'
	option hostname 'GL-MV1000-d03'
	option metric '10'
	option proto 'pppoe'
	option username 'XXXX@vodafone'
	option password 'XXXXX'
	option disabled '0'
	option peerdns '1'
	option ifname 'wan.100'
	option ipv6 '0'

# IPv6 WAN via DHCPv6 on the PPPoE link; disabled, consistent with ipv6 '0' above.
config interface 'wan6'
	option proto 'dhcpv6'
	option ifname '@wan'
	option disabled '1'

# Bare port sections: no proto, so they carry no address.  They only pin the
# MAC address of each physical port (GL.iNet firmware convention, presumably).
config interface 'lan0'
	option ifname 'lan0'
	option macaddr '94:83XXXX'

config interface 'lan1'
	option ifname 'lan1'
	option macaddr '94:83:XXXX'

# Guest network (192.168.30.0/24): VLAN 30 tagged on lan0, placed in its own
# bridge with a single member.  Guest traffic therefore only shares the
# physical port with the main LAN, never the L2 segment, as long as the switch
# keeps VID 1 and VID 30 apart.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'lan0.30'
	option ipaddr '192.168.30.1'
	option type 'bridge'
firewall
package firewall

# NOTE(review): with defaults.forward=REJECT, guestzone.forward=REJECT and no
# 'forwarding' section from guestzone to lan, any guest -> 192.168.8.0/24
# packet that is *routed by the Brume* should be rejected by this config.
# If guest clients still reach LAN hosts (but not the Brume itself, as the
# post says), the traffic is most likely not passing through this firewall:
# check the 'include' scripts listed below for rules they add, and check
# whether another device (the L2/L3 switch or the APs) bridges or routes
# between VLAN 1 and VLAN 30.  The packet counters of the FORWARD chain
# (e.g. 'iptables -L FORWARD -v -n') show whether the traffic hits this box
# at all.

# Global policy: the router accepts traffic addressed to itself and that it
# originates; forwarding between zones is rejected unless a 'forwarding'
# section or a rule allows it.
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# Main LAN zone.  The zone-level 'forward' policy covers traffic between
# networks of the same zone (here only 'lan'), not traffic to other zones.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

# WAN zone: inbound to the router dropped, NAT (IPv4 and IPv6) enabled.
config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'
	option masq6 '1'
	option input 'DROP'

# Main LAN may reach the Internet.
config forwarding
	option src 'lan'
	option dest 'wan'
	option enabled '1'

# The following rules up to 'Allow-ISAKMP' appear to be the stock OpenWrt
# WAN-side defaults (DHCP renew, ping, IGMP, DHCPv6, MLD, ICMPv6, IPsec).
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Disabled (enabled '0'); kept from the defaults.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'
	option enabled '0'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Include scripts.  Anything these add to the rule set is not visible in
# this file, so they are the first place to look for rules that bypass the
# zone policies above (NOTE(review): their contents are not shown in the post).
config include
	option path '/etc/firewall.user'
	option reload '1'

config include 'glfw'
	option type 'script'
	option path '/usr/bin/glfw.sh'
	option reload '1'

# GL.iNet Samba rules: SMB/NetBIOS ports blocked from WAN, allowed from LAN.
config rule 'sambasharewan'
	option src 'wan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'DROP'

config rule 'sambasharelan'
	option src 'lan'
	option dest_port '137 138 139 445'
	option dest_proto 'tcpudp'
	option target 'ACCEPT'

config include 'gls2s'
	option type 'script'
	option path '/var/etc/gls2s.include'
	option reload '1'

config include 'glqos'
	option type 'script'
	option path '/usr/sbin/glqos.sh'
	option reload '1'

# Guest zone: traffic to the router is rejected unless a rule below opens it,
# no forwarding inside the zone, and no 'forwarding' section towards 'lan',
# so guest -> lan falls back to the global forward=REJECT.
config zone
	option name 'guestzone'
	option input 'REJECT'
	option forward 'REJECT'
	list network 'guest'
	option output 'ACCEPT'

# Guests may reach the Internet only.
config forwarding
	option dest 'wan'
	option src 'guestzone'

# Explicit belt-and-braces FORWARD rule (dest '*' = any zone) rejecting guest
# traffic to the main LAN subnet.  Two details worth knowing:
#  - no 'proto' is given, so the rule applies to the default 'tcpudp' only;
#    ICMP (ping) to 192.168.8.x is not matched by it (the zone policy still
#    rejects it).  Use option proto 'all' to cover every protocol.
#  - '192.168.8.1/24' has host bits set; netfilter normalises it to
#    192.168.8.0/24, but writing the network address is clearer.
config rule
	option src 'guestzone'
	option name 'Block-Guest-to-Internal'
	option target 'REJECT'
	option dest '*'
	list dest_ip '192.168.8.1/24'

# No 'dest' means this is an INPUT rule: guests may use the Brume itself for
# DNS (53) and DHCP (67/68), TCP and UDP (default proto).  Rules are applied
# in the order they appear, so this must stay before the DROP rule below.
config rule
	option dest_port '53 67 68'
	option src 'guestzone'
	option name 'Allow-Guest-DNS-DHCP'
	option target 'ACCEPT'

# NOTE(review): despite its name this rule does not touch guest -> LAN
# forwarded traffic.  With no 'dest' it is an INPUT rule, i.e. it only affects
# packets addressed to the router, which the zone's input=REJECT already
# covers; the only effect is turning REJECT into a silent DROP for the
# remaining ports.  If a forward rule was intended, add option dest 'lan'.
config rule
	option src 'guestzone'
	option name 'Block-Guest-to-LAN-Traffic'
	option target 'DROP'
DHCP config (AdGuard is enabled)
package dhcp

# dnsmasq: DNS + DHCP.  'noresolv' plus the single 'server' entry send every
# upstream query to a local listener on port 3053 (presumably the AdGuard
# instance the post mentions - not shown here).  'localservice' restricts DNS
# to clients on directly attached subnets, which includes the guest /24.
config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option localservice '1'
	option noresolv '1'
	list server '127.0.0.1#3053'
	option resolvfile '/tmp/resolv.conf.auto'

# Main LAN pool: 192.168.8.100-.249 (start + limit), 12h leases.  'force'
# keeps serving even if another DHCP server is detected on the segment.
# The advertised IPv6 DNS server is the router's ULA address (prefix from
# network.globals, ip6hint 0000, iface id ::1).
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option force '1'
	list dns 'dd8a:b9e8:0ccb:0000:0000:0000:0000:0001'

# No DHCP service on the WAN side.
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

# GL.iNet admin console name, resolved to the main-LAN address of the router.
config domain 'localhost'
	option name 'console.gl-inet.com'
	option ip '192.168.8.1'

# Static leases for the infrastructure on the main LAN (MACs redacted).
# These are the 192.168.8.x hosts the post reports as reachable from guest.
config host
	option mac 'C8:08:XXXX'
	option dns '1'
	option ip '192.168.8.20'
	option name 'Ruckus-AP-R520'

config host
	option mac 'AC:XXX'
	option name 'Apple-TV'
	option dns '1'
	option ip '192.168.8.30'

config host
	option mac '84:D8:XXX'
	option name 'TP-Link-Switch'
	option dns '1'
	option ip '192.168.8.10'

config host
	option mac 'EC:XXX'
	option name 'Philips-Hue-Bridge'
	option dns '1'
	option ip '192.168.8.31'

config host
	option mac '80:XXX'
	option name 'Ruckus-AP-R320'
	option dns '1'
	option ip '192.168.8.21'

# Guest pool: 192.168.30.100-.249, 12h leases, IPv6 off.  No 'dns' option is
# set, so (by default) clients are handed the guest interface address
# 192.168.30.1 as resolver, which is what the firewall's Allow-Guest-DNS-DHCP
# input rule permits.
config dhcp 'guest'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'guest'
	option dhcpv6 'disabled'
	option ra 'disabled'

package network

# Second paste of /etc/config/network.  Structurally identical to the first
# one above; see the comments there for what each section does.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'dd8a:b9e8:0ccb::/48'

# Main LAN bridge: lan0.1 (VLAN 1 tagged on lan0) + lan1 + usb0.
config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option hostname 'GL-MV1000-d03'
	option ipaddr '192.168.8.1'
	option ip6assign '64'
	option ip6hint '0000'
	option ip6ifaceid '::1'
	option ifname 'lan0.1 lan1 usb0'

# NOTE(review): unlike the first paste, this copy contains the real PPPoE
# username and password in clear text.  Once posted publicly they have to be
# treated as disclosed: change the PPPoE password with the ISP and redact
# these two lines before sharing the config again.  The port MAC addresses
# below are likewise unredacted in this copy.
config interface 'wan'
	option hostname 'GL-MV1000-d03'
	option metric '10'
	option proto 'pppoe'
	option username 'ONH0000966654@vodafone'
	option password 'E82FV7WM'
	option disabled '0'
	option peerdns '1'
	option ifname 'wan.100'
	option ipv6 '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname '@wan'
	option disabled '1'

# Bare port sections (no proto): MAC pinning only.  Both ports use the same
# MAC here, which differs from the redacted values in the first paste.
config interface 'lan0'
	option ifname 'lan0'
	option macaddr '94:83:c4:09:dd:04'

config interface 'lan1'
	option ifname 'lan1'
	option macaddr '94:83:c4:09:dd:04'

# Guest: VLAN 30 tagged on lan0, 192.168.30.0/24, single-member bridge.
config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option ifname 'lan0.30'
	option ipaddr '192.168.30.1'
	option type 'bridge'

I tried multiple setups on the switch and can’t get the firewall zones to work. Can someone confirm whether lan0.1 would be the same as lan0, since inside the LAN bridge anything that is untagged will be tagged as VLAN 1 by default?

You need to add a Vlan network interface:

# Suggested by the reply: a bare section for the VLAN-1 sub-interface, in the
# same style as the existing 'lan0'/'lan1' sections (no proto, MAC pinning
# only).  NOTE(review): the 'lan' bridge already lists lan0.1 as a member, so
# whether this extra section changes anything is not clear from the thread.
config interface 'lan0_1'
	option ifname 'lan0.1'
	option macaddr '94:83XXXX'

Thanks, I did configure the main LAN on lan0.1 and the guest network on lan0.30, and they also get assigned the right IP ranges. However, with the firewall zones in place I can still access the main LAN (except the Brume itself) from the guest LAN, which in theory should not happen.