Separating three VLANs on OpenWrt

linux-networking openwrt vlan

I wanted to make a network with 3 separated VLANs:

  • 10.140.1.0/24
  • 10.140.2.0/24
  • 10.140.3.0/24

So I hooked up two TL-WR740N routers with OpenWrt installed, and started experiments.

The first router (10.140.X.1) works as a DHCP server, the second (10.140.X.2) just as a client with a second set of ports.

I made three VLANs – each is linked to the corresponding port number.

On port 4 all VLANs are tagged – it's used to connect the two devices.

I want to completely separate the VLANs. But when I'm on VLAN1 (subnet 10.140.1.X) I can open the panel of the router (10.140.2.1) from VLAN2 (subnet 10.140.2.X).

Why? How can I block inter-VLAN traffic?

I made separate zones for each VLAN – and blocked forwarding from VLAN1 to VLAN2 (just to try).

It doesn't help me – I still can open the router site 10.140.2.1 (VLAN2) having address 10.140.1.140, and being on VLAN1.

Thank you in advance!

Best Answer

Your addresses are in different subnets. That means that when 10.140.1.X has a packet for 10.140.2.1, it will consult its routing table and see a couple of routes, one stating that 10.140.1.0/24 is directly connected and another for 0.0.0.0/0 via 10.140.1.1. Since 10.140.2.1 isn't in 10.140.1.0/24, it's the second route that matches, so the packet goes to 10.140.1.1. That's in the same VLAN.

Then 10.140.1.1, which is connected to both VLANs, forwards it to 10.140.2.1. This is the expected behavior. If you want to prevent it, you add some firewall rules on 10.140.1.1 to prohibit the communication, e.g. with iptables:

iptables -A FORWARD -s 10.140.1.0/24 -d 10.140.2.0/24 -j REJECT
iptables -A FORWARD -s 10.140.2.0/24 -d 10.140.1.0/24 -j REJECT

But wait, we still haven't even tested if your VLANs work. Sending from 10.140.1.0/24 to 10.140.2.0/24 tests if routing between subnets works. The way to test if your VLANs are actually isolated from each other is to configure a device with a static address in 10.140.2.0/24, plug it into the VLAN for 10.140.1.0/24 and see if it can reach devices in the other VLAN with addresses in 10.140.2.0/24. It shouldn't be able to if the VLANs are properly isolated.
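As an added example, not taken from the question or the answer, here is the routing decision and the firewall chain traversal described above, modelled in Python. The `Route`, `Rule`, `next_hop`, `router_verdict` and `isolation_rules` names are hypothetical helpers written for this illustration, and the sample flows are constructed from the addresses in the thread. It does two things the prose does not: it generalises the answer's two REJECT rules to every ordered pair of the three subnets, and it distinguishes the netfilter chain a packet hits on the router. A packet addressed to one of the router's own interfaces (such as the web panel at 10.140.2.1 that the question tests against) traverses INPUT, not FORWARD, so FORWARD rules alone do not decide that case; a packet for another host in VLAN2 does traverse FORWARD.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from itertools import permutations
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    gateway: Optional[IPv4Address]  # None means "directly connected"


# Routing table of a client in VLAN1, as the answer describes it (constructed):
# the connected /24 plus a default route via the router's VLAN1 address.
VLAN1_HOST_ROUTES = [
    Route(ip_network("10.140.1.0/24"), None),
    Route(ip_network("0.0.0.0/0"), ip_address("10.140.1.1")),
]


def next_hop(routes: Iterable[Route], dst: str) -> IPv4Address:
    """Longest-prefix match; returns the gateway, or dst itself when directly connected."""
    target = ip_address(dst)
    matches = [r for r in routes if target in r.prefix]
    if not matches:
        raise ValueError(f"no route to {dst}")
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return best.gateway if best.gateway is not None else target


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    target: str  # ACCEPT / REJECT / DROP


def render(rule: Rule, chain: str = "FORWARD") -> str:
    """Render a Rule in the iptables syntax used in the answer."""
    return f"iptables -A {chain} -s {rule.src} -d {rule.dst} -j {rule.target}"


# The two rules quoted in the answer.
ANSWER_FORWARD_RULES = [
    Rule(ip_network("10.140.1.0/24"), ip_network("10.140.2.0/24"), "REJECT"),
    Rule(ip_network("10.140.2.0/24"), ip_network("10.140.1.0/24"), "REJECT"),
]


def isolation_rules(subnets: Iterable[str]) -> List[Rule]:
    """REJECT every ordered pair of subnets, generalising the answer's two rules to N VLANs."""
    nets = [ip_network(s) for s in subnets]
    return [Rule(a, b, "REJECT") for a, b in permutations(nets, 2)]


# The first router owns .1 in each VLAN (from the question).
ROUTER_ADDRS = {ip_address(f"10.140.{vlan}.1") for vlan in (1, 2, 3)}


def router_verdict(src: str, dst: str, forward_rules: Iterable[Rule],
                   input_rules: Iterable[Rule] = (), policy: str = "ACCEPT") -> Tuple[str, str]:
    """Chain a packet arriving at the router traverses, and its verdict (first match wins).

    Packets addressed to one of the router's own interfaces go through INPUT, not FORWARD,
    so FORWARD rules never see traffic aimed at the router's web UI on 10.140.2.1.
    """
    s, d = ip_address(src), ip_address(dst)
    chain, rules = ("INPUT", input_rules) if d in ROUTER_ADDRS else ("FORWARD", forward_rules)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return chain, rule.target
    return chain, policy


if __name__ == "__main__":
    print("next hop for 10.140.2.1 from a VLAN1 host:", next_hop(VLAN1_HOST_ROUTES, "10.140.2.1"))
    for src, dst in [("10.140.1.140", "10.140.2.50"),   # host in VLAN2: FORWARD, rejected
                     ("10.140.1.140", "10.140.2.1"),    # router itself: INPUT, untouched
                     ("10.140.1.140", "10.140.3.50")]:  # VLAN3: FORWARD, no rule yet
        print(src, "->", dst, router_verdict(src, dst, ANSWER_FORWARD_RULES))
    for r in isolation_rules(["10.140.1.0/24", "10.140.2.0/24", "10.140.3.0/24"]):
        print(render(r))
```

Running it shows the VLAN1 host handing the packet to 10.140.1.1, the answer's two rules rejecting VLAN1-to-VLAN2 host traffic while leaving VLAN3 and the router's own 10.140.2.1 address unaffected, and the six rules needed to cover all three subnets; passing the same rules as `input_rules` models blocking the panel too.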