Topic: VLAN isolation and virtualisation.

paulca (Topic starter)

  • Super Contributor
  • Posts: 4055
  • Country: gb
VLAN isolation and virtualisation.
« on: September 08, 2023, 06:27:40 pm »
Wow.  Minefield.

All my VLANs terminate at the Linksys WRT router: the PPP VLAN from the ISP, the LAN, GUEST, etc. etc.  So obviously the firewall lives there too, all access switch IFs are untagged, one VLAN only, and everyone lived happily ever after.

I "upgraded" to a virtualisation environment host (VE) and recently added a "publicly accessible service" (PAS).  Initial testing has been done with this PAS running in a container on a LAN subnet address on the VE host.

I don't like this.  While the main router is responsible for firewalling the inbound traffic, absolutely fine, the issue lies with the worst case of a red guy gaining a shell on that container, giving them unfirewalled access to the LAN... possibly.

Firewalling between subnets/VLANs can be bypassed entirely by inter-subnet, cross-VLAN traffic accepted between bridges on the VE.  Usually they are set up to forward between all possible VLANs and networks, so you can create random environments.  So it is therefore essential that such hosts which "share" or "materialise" more than one VLAN into an IP stack are treated as routers and/or firewalls.

"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

paulca (Topic starter)

  • Super Contributor
  • Posts: 4055
  • Country: gb
Re: VLAN isolation and virtualisation.
« Reply #1 on: September 08, 2023, 06:30:44 pm »
If there is a better way... please don't click past.... let me know!
 

bingo600

  • Super Contributor
  • Posts: 1989
  • Country: dk
Re: VLAN isolation and virtualisation.
« Reply #2 on: September 08, 2023, 06:56:06 pm »
Make a DMZ VLAN on the Linksys.
Connect the public thingy to the DMZ, and firewall the sh... out of the DMZ on the Linksys.
That way any compromise on the public thing can't do much anywhere if the Linksys DMZ rules don't allow it.

/Bingo

PS:
May I suggest pfSense as the fwall .....  ;)
 

paulca (Topic starter)

  • Super Contributor
  • Posts: 4055
  • Country: gb
Re: VLAN isolation and virtualisation.
« Reply #3 on: September 09, 2023, 10:22:46 am »
Yea.  So the mistake I made was to give the VE node an IP address on the DMZ VLAN.

With that removed, the VE node is invisible, nor can it route between the subnets/VLANs.

When I got to thinking, I believe a virtual pfSense might be handy as a single link point into/out of the DMZ, and I can do the more complicated LAN<->DMZ rules in that rather than in OpenWRT.
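The point made in the first post (a host that materialises more than one VLAN into its IP stack is a router) and the mistake fixed in Reply #3 can be audited mechanically. The following is an added example, not code from the thread or any project it names: it parses constructed `ip -br addr show` output (interface names and addresses are made up) together with the ip_forward sysctl and reports the subnets the host could forward between. It assumes a Linux VE host with iproute2.

```python
"""Audit a VE host for accidental inter-VLAN routing (added example, not
thread code).  A host with an IP in more than one VLAN subnet while
ip_forward is on is a router the Linksys/OpenWRT firewall never sees.
Assumes Linux with iproute2 (`ip -br addr show`)."""
import ipaddress
from typing import Dict, List

# Constructed `ip -br addr show` output mirroring the mistake in Reply #3:
# the VE node holds an address on the DMZ bridge (vmbr1) as well as on the
# LAN bridge (vmbr0).  Bridge names and subnets are made up for this sample.
SAMPLE_WITH_DMZ_ADDR = """\
lo      UNKNOWN  127.0.0.1/8 ::1/128
vmbr0   UP       192.168.1.10/24 fe80::1/64
vmbr1   UP       10.10.10.2/24
"""
# After the fix: the DMZ bridge still exists for guests, but the node has no address on it.
SAMPLE_FIXED = """\
lo      UNKNOWN  127.0.0.1/8 ::1/128
vmbr0   UP       192.168.1.10/24 fe80::1/64
vmbr1   UP
"""
IP_FORWARD_ON = "1\n"  # contents of /proc/sys/net/ipv4/ip_forward

def parse_ip_br_addr(text: str) -> Dict[str, List[ipaddress.IPv4Interface]]:
    """Map interface name -> its IPv4 addresses (loopback and IPv6 ignored)."""
    result: Dict[str, List[ipaddress.IPv4Interface]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:  # blank or malformed line
            continue
        addrs = []
        for tok in parts[2:]:  # parts[0] = name, parts[1] = link state
            try:
                iface = ipaddress.ip_interface(tok)
            except ValueError:
                continue
            if iface.version == 4 and not iface.ip.is_loopback:
                addrs.append(iface)
        result[parts[0]] = addrs
    return result

def routed_subnets(addr_map: Dict[str, List[ipaddress.IPv4Interface]],
                   ip_forward: str) -> List[str]:
    """Subnets this host can forward between; non-empty means it is a router."""
    nets = sorted({str(i.network) for a in addr_map.values() for i in a})
    return nets if ip_forward.strip() == "1" and len(nets) >= 2 else []
```

On a real host, feed `parse_ip_br_addr` the output of `ip -br addr show` and `routed_subnets` the contents of /proc/sys/net/ipv4/ip_forward; an empty result means the node holds addresses in at most one subnet or is not forwarding.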
 

paulca (Topic starter)

  • Super Contributor
  • Posts: 4055
  • Country: gb
Re: VLAN isolation and virtualisation.
« Reply #4 on: September 09, 2023, 02:38:54 pm »
Well, that escalated rapidly.  I now have a pfSense-controlled DMZ.  I am also being brave enough to add a further split-horizon DNS so that pfSense can manage the DMZ hosts with its own DHCP and DynDNS and leave mine alone.

3 IFs: WAN, LAN, DMZ.

WAN: VLAN 66 direct from the router with forwarded ports.
LAN: direct to the LAN bridge.
DMZ: a fully virtual bridge.

Technically I could just drop the LAN interface out and set up firewalling rules to allow the LAN in through the WAN side, but...  I want to retain both access paths.  I can test the WAN access by going through the default route to the DMZ, via the firewall, or I can add the direct route via the pfSense LAN gateway and get direct full open access.
 

