write the configuration files for openwrt for 4 virtual networks on the 4 ports of the internal switch. use port 6 for the cpu. use nftables as firewall. allow only traffic to port 1 for vlan 1. allow only traffic to port 2 for vlan 2. allow only traffic

To set up your OpenWRT router with 4 virtual networks on the internal switch, you'll need to configure the switch settings, VLAN interfaces, and nftables for your specific firewall rules. Here is an example of how to configure these settings in your OpenWRT environment:

### 1. Switch Configuration

First, you need to configure the switch to set up VLANs. This can be done in the `/etc/config/network` file.

#### `/etc/config/network`

```plaintext
config switch 'switch0'
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan 'vlan1'
    option device 'switch0'
    option vlan '1'
    option ports '6 1'       # Port 6 is CPU and port 1 is for VLAN 1 traffic

config switch_vlan 'vlan2'
    option device 'switch0'
    option vlan '2'
    option ports '6 2'       # Port 6 is CPU and port 2 is for VLAN 2 traffic

config switch_vlan 'vlan3'
    option device 'switch0'
    option vlan '3'
    option ports '6 3'       # Port 6 is CPU and port 3 is for VLAN 3 traffic

config switch_vlan 'vlan4'
    option device 'switch0'
    option vlan '4'
    option ports '6 4'       # Port 6 is CPU and port 4 is for VLAN 4 traffic
```

### 2. Network Interfaces

Next, you need to define network interfaces for each VLAN.

#### `/etc/config/network`

```plaintext
config interface 'vlan1'
    option proto 'static'
    option ipaddr '192.168.1.1' # Set appropriate IP address for VLAN 1
    option netmask '255.255.255.0'
    option type 'bridge'
    option ifname 'eth0.1' # Replace eth0 with the real interface name if needed
    
config interface 'vlan2'
    option proto 'static'
    option ipaddr '192.168.2.1' # IP for VLAN 2
    option netmask '255.255.255.0'
    option type 'bridge'
    option ifname 'eth0.2'
    
config interface 'vlan3'
    option proto 'static'
    option ipaddr '192.168.3.1' # IP for VLAN 3
    option netmask '255.255.255.0'
    option type 'bridge'
    option ifname 'eth0.3'
    
config interface 'vlan4'
    option proto 'static'
    option ipaddr '192.168.4.1' # IP for VLAN 4
    option netmask '255.255.255.0'
    option type 'bridge'
    option ifname 'eth0.4'
```

### 3. Firewall Configuration

Now, set up firewall rules using nftables to restrict the traffic as specified.

#### `/etc/config/firewall`

```plaintext
config rule
    option name 'Allow Vlan1'
    option src 'vlan1'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option name 'Allow Vlan2'
    option src 'vlan2'
    option dest 'lan'
    option target 'ACCEPT'

config rule
    option name 'Allow Vlan4'
    option src 'vlan4'
    option dest 'lan'
    option target 'ACCEPT'

# Block all other inter-VLAN communication.
config rule
    option name 'Drop Vlan3'
    option src 'vlan3'
    option target 'DROP'
```

### 4. Nftables

To set up nftables (if not done yet), you might need to customize the configuration. Place the allowed rules into an appropriate `nftables.script`.

#### `/etc/nftables.conf`

Here is a basic example of how to set this up with nftables:

```plaintext
#!/usr/sbin/nft -f

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Allow VLAN 1
        iifname "vlan1" accept

        # Allow VLAN 2
        iifname "vlan2" accept

        # Allow VLAN 4
        iifname "vlan4" accept

        # Drop all other packets specifically from vlan3
        iifname "vlan3" drop
    }
}
```

### 5. Enable Nftables

Run the following command to enable nftables:

```bash
nft -f /etc/nftables.conf
```

### 6. Restart Networking

After completing all configurations, restart the network to apply changes:

```bash
/etc/init.d/network restart
```

### 7. Verifying Configuration

You can verify your configuration with:

```bash
swconfig dev switch0 show
ip a show  # to display your interfaces and IPs
nft list ruleset  # to display nftables rules
```

### Final Notes

- Make sure you adjust the IP addresses according to your network design.
- Ensure that `nftables` is installed and properly configured in your OpenWRT setup if you do not have it by default.
- It’s recommended to check the OpenWRT documentation for any specific version-related configurations as some settings might vary.

Update (2024-11-13):
To configure OpenWRT with 4 virtual networks (VLANs) on the four ports of the internal switch using `nftables` as the firewall, we will create the necessary configuration files. Below is an example of how to set this up.

### Step 1: Edit Network Configuration

Edit the `/etc/config/network` file to define the VLANs and assign them to their respective switch ports. Assuming that the internal switch is a generic switch with the hardware identifier `switch0`, you might have something like this:

```plaintext
config switch
    option name 'switch0'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'switch0'
    option vlan '1'
    option ports '0t 1'
    
config switch_vlan
    option device 'switch0'
    option vlan '2'
    option ports '0t 2'
    
config switch_vlan
    option device 'switch0'
    option vlan '3'
    option ports '0t 3'
    
config switch_vlan
    option device 'switch0'
    option vlan '4'
    option ports '0t 4'

config interface 'vlan1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    
config interface 'vlan2'
    option proto 'static'
    option ipaddr '192.168.2.1'
    option netmask '255.255.255.0'

config interface 'vlan3'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'

config interface 'vlan4'
    option proto 'static'
    option ipaddr '192.168.4.1'
    option netmask '255.255.255.0'
```

### Step 2: Edit Firewall Configuration

Edit `/etc/config/firewall` to set up rules to allow only traffic for specific VLANs to specific ports:

```plaintext
config rule
    option name 'allow VLAN1 to port1'
    option src 'vlan1'
    option dest '*'
    option target 'ACCEPT'
   
config rule
    option name 'allow VLAN2 to port2'
    option src 'vlan2'
    option dest '*'
    option target 'ACCEPT'

config rule
    option name 'allow VLAN3 to port3'
    option src 'vlan3'
    option dest '*'
    option target 'ACCEPT'

config rule
    option name 'allow VLAN4 to port4'
    option src 'vlan4'
    option dest '*'
    option target 'ACCEPT'

config rule
    option name 'drop everything else'
    option src '*'
    option dest '*'
    option target 'DROP'    
```

### Step 3: Configure nftables

You can set up `nftables` rules in the `/etc/nftables.conf` or `/etc/config/nftables` files:

```bash
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "vlan1" accept
        iif "vlan2" accept
        iif "vlan3" accept
        iif "vlan4" accept
    }
  
    chain forward {
        type filter hook forward priority 0; policy drop;
        iif "vlan1" oif "eth0.1" accept
        iif "vlan2" oif "eth0.2" accept
        iif "vlan3" oif "eth0.3" accept
        iif "vlan4" oif "eth0.4" accept
    }
  
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

### Step 4: Apply Settings

After saving these configuration files, restart the network and firewall services to apply the settings:

```bash
/etc/init.d/network restart
/etc/init.d/firewall restart
```

Note: The exact port numbers may vary depending on your specific OpenWRT hardware, and you may need to adjust accordingly. Always ensure that your settings align with your device's specifications and capabilities.