1

I wanted to make a network with 3 separated VLANs

  • 10.140.1.0/24
  • 10.140.2.0/24
  • 10.140.3.0/24

So I hooked up two routers TL-WR740n with Openwrt installed, and started experiments.

First router(10.140.X.1) works as a DHCP server, second (10.140.X.2)just as a client with second set of ports.

I made three vlans - each is linked to coresponding port number.

On port 4 all VLANs are tagged - it's used to connect two devices.

I want to completely separate VLANs. But when I'm on VLAN1(subnet 10.140.1.X) I can open a panel of router(10.140.2.1) from VLAN2(subnet 10.140.2.X).

Why? How can I block a interVLAN traffic?

I made a separate zones for each VLAN - and blocked forwarding from VLAN1 to VLAN2(just to try).

It doesn't help me - i still can open a router site 10.140.2.1(VLAN2) having address 10.140.1.140, and being on VLAN1.

Thank You in advance!

Swisstone
  • 6,725
  • 7
  • 22
  • 32
Sink
  • 11
  • 2

1 Answers1

0

Your addresses are in different subnets. That means that when 10.140.1.X has a packet for 10.140.2.1, it will consult its routing table and see a couple of routes, one stating that 10.140.1.0/24 is directly connected and another for 0.0.0.0/0 via 10.140.1.1. Since 10.140.2.1 isn't in 10.140.1.0/24, it's the second route that matches, so the packet goes to 10.140.1.1. That's in the same VLAN.

Then 10.140.1.1, which is connected to both VLANs, forwards it to 10.140.2.1. This is the expected behavior. If you want to prevent it, you add some firewall rules on 10.140.1.1 to prohibit the communication, e.g. with iptables:

iptables -A FORWARD -s 10.140.1.0/24 -d 10.140.2.0/24 -j REJECT
iptables -A FORWARD -s 10.140.2.0/24 -d 10.140.1.0/24 -j REJECT

But wait, we still haven't even tested if your VLANs work. Sending from 10.140.1.0/24 to 10.140.2.0/24 tests if routing between subnets works. The way to test if your VLANs are actually isolated from each other is to configure a device with a static address in 10.140.2.0/24, plug it into the VLAN for 10.140.1.0/24 and see if it can reach devices in the other VLAN with addresses in 10.140.2.0/24. It shouldn't be able to if the VLANs are properly isolated.

zrm
  • 636
  • 6
  • 6
  • Thank You, i set these rules, and it worked - vlans are isolated... But there's another problem, when I surf internet on one of vlans, in hour-two, i have a DNS problem on computer - no one website works, but when i enter an IP address of one webpage - it loads a site. When i unplug ethernet patchcord, and plug again, problem is gone, but till next "hangup". What can I do now? – Sink Aug 11 '19 at 21:59
  • What does that client have configured as a DNS server? – zrm Aug 11 '19 at 22:08