Cannot block the 'camera' VLAN from accessing the router management UI with OpenVPN enabled
I would like to seek help on the blocking issues I have with ER605. I hope that I have just missed something simple.
Requirements:
I am setting up ER605 in standalone mode. I want to use it at my house with two VLANs and OpenVPN. One VLAN is for home devices and the other is for security cameras. I want the cameras VLAN to have no outbound access whatsoever, not even to the router's management Web UI. On the other hand, I want to access the cameras from the 'home devices' VLAN and from outside the house when I tunnel into the network using OpenVPN. I believe this is a common setup for homes with security cameras.
I have no Wi-Fi setup at this point. So, my setup includes only the ER605, test laptops connected to the VLANs ports using LAN cables, and a Comcast modem connected to the WAN port.
The Issue:
If I have OpenVPN enabled, I cannot block devices in the camera VLAN from accessing the router management Web UI. I have achieved all other blockages per my requirements above.
I regard this as a potential attack surface, as the only thing gating someone from the camera subnet is the username/password to the router UI. If someone can get through the login page, he/she can delete all ACL rules and then have access to everything.
Steps to Repro:
1. Set the IP for the default 'vlan1' to 10.1.1.0/24, with DHCP for the same subnet. I'll refer to this VLAN as the 'home devices' VLAN.
2. Create a new 'vlan2' for security cameras. Set the IP to 10.2.2.0/24 and DHCP for the same subnet.
3. Assign physical LAN ports:
- WAN is on port 1
- vlan1 has port 2-4 (UNTAG)
- vlan2 has port 5 (UNTAG)
4. Now the ER605 router itself has two internal IPs: 10.1.1.1 and 10.2.2.1. Clients in either VLAN can access the Web management page by browsing to 10.1.1.1 or 10.2.2.1.
5. Add firewall ACL rules to block clients in vlan2 (cameras):
5.1 Block access from vlan2 to vlan1 (camera > home devices) using the LAN>LAN block.
5.2 Block access from vlan2 to WAN using the LAN>WAN block and the appropriate vlan2 IPGROUP as the source and IPGROUP_ANY as the destination.
5.3 Block access from vlan2 to the router using LAN>LAN block and the destination = Me.
6. Then I test using a PC plugged into vlan2 (port 5) to browse to the ER605 router using 10.2.2.1 or 10.1.1.1. The management UI page does not show up. This is expected. The vlan2 PC also can't access the Internet or any other devices in vlan1.
7. Set up an OpenVPN server in full mode with IP pool = 10.3.3.0/24. The router now has a third internal IP of 10.3.3.1.
I then tested using an OpenVPN client to tunnel into the network. It gets an IP from the OpenVPN IP pool (10.3.3.6). As expected, the OpenVPN client can talk to devices within both the 'home' VLAN and the 'cameras' VLAN. Devices in the cameras VLAN CANNOT talk to the OpenVPN client (I tried pinging from the camera VLAN to the VPN client at 10.3.3.6). I tested turning ACL rules on/off and concluded that the router regards the OpenVPN clients as WAN, and as such the camera devices cannot get to them due to ACL rule #5.2 above (LAN>WAN with destination = IPGROUP_ANY).
So far so good.
8. The issue: Any device in vlan2 (cameras) can still access the router management UI by browsing to the router's OpenVPN internal IP (10.3.3.1). This can be done whether or not there is an active VPN tunnel. The only way for me to block it is to disable the OpenVPN server, rendering the OpenVPN service unusable.
The other two internal IPs of the router (10.1.1.1 and 10.2.2.1) are still correctly blocked by ACL.
I even tried adding a redundant LAN>WAN block, explicitly specifying the router's internal IP of 10.3.3.1 as the destination. As expected, this new ACL rule is of no use, as it is redundant to ACL rule #5.2 above (LAN>WAN with destination = IPGROUP_ANY).
I can't use the LAN>LAN block here as the OpenVPN subnet (10.3.3.0/24) is not regarded as LAN and is not selectable in the LAN>LAN rule.
What did I miss? Thanks for reading this far and thanks in advance for any tips. If the solution would be for me to use another VPN flavor beside OpenVPN, I can consider that. I can also consider upgrading to the newer ER7206 router if this issue is not present there.
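The following is an added example, not part of the original post and not TP-Link code. It is a small policy model that reproduces the behaviour the poster observed, so that every address the router itself answers on (each VLAN gateway plus the OpenVPN tunnel endpoint) can be audited against the rule set rather than only the subnets. The topology, the three block rules and the fact that the OpenVPN pool is treated as WAN come from the post; how the ER605 actually evaluates "Me" in a LAN>LAN rule and why a LAN>WAN rule never matches the tunnel-side router IP are modelled as assumptions (locally delivered traffic bypassing forwarding rules) and are marked as such in the code.

```python
"""Zone-based ACL model for the ER605 setup described above.

Constructed example. Topology and rules follow the post; the two
assumptions about how "Me" and LAN>WAN rules match are labelled below
and only reproduce the observed behaviour, not the vendor's code.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str                # "LAN" or "WAN" as the ACL editor classifies it
    network: IPv4Network
    router_ip: IPv4Address   # the router's own address on this interface


# Two VLANs from steps 1-2, plus the OpenVPN pool from step 7, which the
# poster observed the router treating as WAN for ACL purposes.
INTERFACES = [
    Interface("vlan1", "LAN", IPv4Network("10.1.1.0/24"), IPv4Address("10.1.1.1")),
    Interface("vlan2", "LAN", IPv4Network("10.2.2.0/24"), IPv4Address("10.2.2.1")),
    Interface("ovpn", "WAN", IPv4Network("10.3.3.0/24"), IPv4Address("10.3.3.1")),
]


@dataclass(frozen=True)
class Rule:
    kind: str   # "LAN>LAN" or "LAN>WAN"
    src: str    # source interface name
    dst: str    # interface name, "ANY", "ME", or a literal IP (block rules only)


# The three block rules from step 5 of the post.
RULES = [
    Rule("LAN>LAN", "vlan2", "vlan1"),
    Rule("LAN>WAN", "vlan2", "ANY"),
    Rule("LAN>LAN", "vlan2", "ME"),
]


def interface_for(ip: IPv4Address) -> Optional[Interface]:
    """Interface whose subnet contains ip; None means the Internet/WAN side."""
    for itf in INTERFACES:
        if ip in itf.network:
            return itf
    return None


def router_addresses() -> List[IPv4Address]:
    """Every address the router answers on, including the tunnel endpoint."""
    return [itf.router_ip for itf in INTERFACES]


def is_blocked(src_ip: str, dst_ip: str, rules: List[Rule] = RULES) -> bool:
    src_itf = interface_for(IPv4Address(src_ip))
    dst = IPv4Address(dst_ip)
    dst_itf = interface_for(dst)
    if src_itf is None or src_itf.zone != "LAN":
        return False  # only LAN-originated traffic is modelled here

    # Assumption 1 (matches the observation in step 6): "Me" in a LAN>LAN
    # rule covers only the router's addresses on LAN-zone interfaces.
    to_router_lan = dst in {i.router_ip for i in INTERFACES if i.zone == "LAN"}
    # Assumption 2 (matches step 8): a LAN>WAN rule is a forwarding rule, and
    # traffic addressed to the router's own tunnel-side IP is delivered
    # locally, so no LAN>WAN rule, even one naming that IP, ever sees it.
    to_router_other = dst in {i.router_ip for i in INTERFACES if i.zone != "LAN"}
    dst_zone = "WAN" if dst_itf is None else dst_itf.zone

    for r in rules:
        if r.src != src_itf.name:
            continue
        if r.kind == "LAN>LAN":
            if r.dst == "ME" and to_router_lan:
                return True
            if dst_itf is not None and dst_itf.zone == "LAN" and r.dst == dst_itf.name:
                return True
        elif r.kind == "LAN>WAN" and dst_zone == "WAN" and not to_router_other:
            if r.dst == "ANY" or r.dst == str(dst):
                return True
    return False


def exposed_management_ips(src_ip: str, rules: List[Rule] = RULES) -> List[str]:
    """Router addresses a host at src_ip can still reach under the rules."""
    return [str(ip) for ip in router_addresses() if not is_blocked(src_ip, str(ip), rules)]


if __name__ == "__main__":
    camera = "10.2.2.50"  # constructed camera-VLAN host
    print("management IPs reachable from", camera, "->", exposed_management_ips(camera))
    extra = RULES + [Rule("LAN>WAN", "vlan2", "10.3.3.1")]  # the redundant rule from the post
    print("with explicit 10.3.3.1 block ->", exposed_management_ips(camera, extra))
```

The audit function iterates over the router's own addresses, not the subnets, which is the check that catches the tunnel endpoint: the camera host is blocked from 10.1.1.1, 10.2.2.1, the home VLAN, the Internet and the VPN client, yet 10.3.3.1 remains reachable, and adding the explicit LAN>WAN rule changes nothing under the model. Any fix (a different VPN, a different router, or a vendor change that lets "Me" or an input-side rule cover the tunnel interface) can be re-checked by adjusting the two labelled assumptions and re-running the audit.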