Trouble isolating ath0.1 for iptables

DD-WRT Forum Forum Index -> Atheros WiSOC based Hardware
bvideo
DD-WRT Novice


Joined: 04 Mar 2014
Posts: 47

PostPosted: Mon Feb 11, 2019 21:08    Post subject: Trouble isolating ath0.1 for iptables
This is all about wanting to set iptables rules for a subset of wireless devices on a dd-wrt router like a tp-link wdr3600 that's being used as an AP.

My main router is a dumb-but-fast one from Comcast. I have all my wired machines running through it to take advantage of high speeds. I don't use its wireless at all, because I can't be sure it is secure. And there is no usable routing configuration available.

I'm trying to use the wdr3600 with dd-wrt for all my wireless devices, privileged and guest. I also want some of my guest devices to be reachable when a certain connection is initiated from the privileged side of my network.

An AP router by default in dd-wrt bridges everything into br0: ath0, ath0.1, vlan1, vlan2. A GUI setting and maybe some special hooks in dd-wrt make it possible to isolate ath0.1 as a guest when the router is used with NAT, but I don't think this covers my needs.

Iptables on dd-wrt can't address individual interfaces of a bridge (no physdev module?). Supposedly, I can unbridge ath0.1 in the gui. That does indeed show ath0.1 is no longer in br0. And I can configure a network address on the ath0.1 interface. But...

Signing on first to the ath0.1 SSID does not exhibit any traffic on ath0.1 in iptables (iptables counts and logs for -i ath0.1 show no traffic), even though ifconfig for ath0.1 shows some traffic. But the crazy thing is if I first sign on to the SSID of ath0 and then switch to the SSID of ath0.1, iptables does start to work for ath0.1 as expected until the next reboot or reconfig. Once iptables starts working, I'm able to make things work as I wish: separate address space, separate DHCP, isolation rules, privileged cross connection rules, etc. I'm sure I could set up a separate radio to do the isolation I want, but there are too many radios around here already.

But it isn't quite usable this way, having to address ath0 first. What is the missing step? What would make it unnecessary to hit ath0 first to get ath0.1 going?

_________________
dd-wrt on Netgear wndr3700v4
jxm
DD-WRT Guru


Joined: 23 Jul 2017
Posts: 625
Location: Brisbane, Australia

PostPosted: Tue Feb 12, 2019 2:55    Post subject:
Post your iptables rules. Could be a problem with the order of your rules... remember only the first rule that tests true is acted upon, and you may be adding rules to the end instead of inserting them at the top.

Cheers.
bvideo
DD-WRT Novice


Joined: 04 Mar 2014
Posts: 47

PostPosted: Tue Feb 12, 2019 4:59    Post subject:
Afterthought: after having written all the below, I am finding my scenario has worked correctly right away after the last two reboots, no need to address ath0 first. Is this going to be consistent or not?

There is one small unrelated problem: the firewall rules are not re-run after [Apply Settings] is done on the wireless config pages. That would be fine because iptables are not flushed. But my firewall rules include three echoes to configure proxy arp, and those settings disappear. I wonder if there are some other scenarios where those config settings are wiped out. I will work on some way not to need those. It would be easier if my main router could have routing rules.

I'd say no need to read further unless you're curious.

The firewall commands:
[code]
#!/bin/sh
# -I inserts at the top of the chain, so the effective order is the reverse of this list.
iptables -I FORWARD -i ath0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i ath0.1 -d 10.0.0.0/16 -m state --state NEW -j logdrop
iptables -I FORWARD -i ath0.1 -p udp --dport 53 -j ACCEPT
# -o is only accepted in FORWARD/OUTPUT (iptables rejects it in INPUT), and a DHCP
# reply travelling from br0 to ath0.1 traverses FORWARD anyway, so the rule lives there.
iptables -I FORWARD -i br0 -o ath0.1 -p udp --dport 68 -j logdrop
iptables -I INPUT -i ath0.1 -d 10.0.0.0/16 -m state --state NEW -j logdrop
iptables -I INPUT -i ath0.1 -p udp --dport 67 -j logaccept
iptables -I INPUT -i ath0.1 -d 10.0.0.0/24 -m state --state NEW -j logdrop
iptables -I INPUT -i ath0.1 -p udp --dport 53 -j logaccept
iptables -I INPUT -i ath0.1 -p tcp --dport 53 -j logaccept
# Different medium_id values make the kernel treat br0 and ath0.1 as separate media,
# so proxy_arp on br0 will answer ARP for addresses that live behind ath0.1.
echo 1 >/proc/sys/net/ipv4/conf/br0/medium_id
echo 2 >/proc/sys/net/ipv4/conf/ath0.1/medium_id
echo 1 >/proc/sys/net/ipv4/conf/br0/proxy_arp
[/code]

Logs and extra entries are there for documentation.

The rules start to work after first connecting to ath0 and then connecting to ath0.1:

[code]
root@Myrtle09:~# iptables -nvL
Chain INPUT (policy ACCEPT 1438 packets, 143K bytes)
pkts bytes target prot opt in out source destination
0 0 logaccept tcp -- ath0.1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
0 0 logaccept udp -- ath0.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 logdrop 0 -- ath0.1 * 0.0.0.0/0 10.0.0.0/24 state NEW
4 1324 logaccept udp -- ath0.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
3 4500 logdrop 0 -- ath0.1 * 0.0.0.0/0 10.0.0.0/16 state NEW

Chain FORWARD (policy ACCEPT 33 packets, 2593 bytes)
pkts bytes target prot opt in out source destination
12 806 ACCEPT udp -- ath0.1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 logdrop 0 -- ath0.1 * 0.0.0.0/0 10.0.0.0/16 state NEW
10 600 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
5 300 ACCEPT 0 -- ath0.1 * 0.0.0.0/0 0.0.0.0/0 state NEW

Chain OUTPUT (policy ACCEPT 1678 packets, 765K bytes)
pkts bytes target prot opt in out source destination

...

Chain logaccept (3 references)
pkts bytes target prot opt in out source destination
4 1324 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `ACCEPT '
4 1324 ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0

Chain logdrop (3 references)
pkts bytes target prot opt in out source destination
3 4500 LOG 0 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW LOG flags 7 level 4 prefix `DROP '
3 4500 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
[/code]

The log entries:

[code]
<4>[ 374.530000] ACCEPT IN=ath0.1 OUT= MAC=ff:ff:ff:ff:ff:ff:2c:0e:3d:65:d3:dd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
<4>[ 375.580000] ACCEPT IN=ath0.1 OUT= MAC=ff:ff:ff:ff:ff:ff:2c:0e:3d:65:d3:dd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
<4>[ 377.650000] ACCEPT IN=ath0.1 OUT= MAC=ff:ff:ff:ff:ff:ff:2c:0e:3d:65:d3:dd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=308
<4>[ 377.870000] ACCEPT IN=ath0.1 OUT= MAC=ff:ff:ff:ff:ff:ff:2c:0e:3d:65:d3:dd:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=340 TOS=0x10 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=68 DPT=67 LEN=320
<4>[ 381.620000] DROP IN=ath0.1 OUT= MAC=c2:4a:00:b6:b0:d3:2c:0e:3d:65:d3:dd:08:00 SRC=10.0.1.136 DST=10.0.1.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=12610 DF PROTO=ICMP TYPE=8 CODE=0 ID=10318 SEQ=1
<4>[ 383.550000] DROP IN=ath0.1 OUT= MAC=c2:4a:00:b6:b0:d3:2c:0e:3d:65:d3:dd:08:00 SRC=10.0.1.136 DST=10.0.1.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=33956 DF PROTO=ICMP TYPE=8 CODE=0 ID=12776 SEQ=1
<4>[ 407.110000] DROP IN=ath0.1 OUT= MAC=c2:4a:00:b6:b0:d3:2c:0e:3d:65:d3:dd:08:00 SRC=10.0.1.136 DST=10.0.1.1 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=65180 DF PROTO=ICMP TYPE=8 CODE=0 ID=41593 SEQ=1
[/code]

The device (currently a phone) is then able to access the internet but not the two routers or other devices on the routers (10.0.x.x), just as I prefer. Other devices can ping this device, and I assume could connect to it if it were listening.

So my only trouble seems to be that ath0.1 usually does not engage in iptables after a reboot/reload until after ath0 is first addressed. (afterthought: or maybe does usually engage?)

_________________
dd-wrt on Netgear wndr3700v4
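The symptom in this thread is "ifconfig shows traffic on ath0.1 but no iptables rule for -i ath0.1 ever counts a packet". The following script is an added example (mine, not from the post or from DD-WRT) that turns that observation into a repeatable check: it parses `iptables -nvL`, a busybox `ifconfig` line and the kernel LOG lines with the post's `ACCEPT `/`DROP ` prefixes, and reports whether the interface is engaged. The sample data is a trimmed copy of the listing and log above, embedded so it runs offline.

```shell
#!/bin/sh
# Added diagnostic (example, not from the thread or DD-WRT): does iptables see
# what ath0.1 receives?  Assumes `iptables -nvL` column layout, busybox
# `ifconfig` ("RX packets:N") and the LOG prefixes ACCEPT/DROP used in the post.
# Sum the pkts column of every rule whose "in" column is $1 (stdin: iptables -nvL).
iface_rule_pkts() {
    awk -v ifc="$1" '
        function num(s) {                     # -nvL abbreviates counters: 143K, 2M
            if (s ~ /K$/) return substr(s, 1, length(s) - 1) * 1000
            if (s ~ /M$/) return substr(s, 1, length(s) - 1) * 1000000
            return s + 0
        }
        $1 ~ /^[0-9]+[KM]?$/ && $6 == ifc { sum += num($1) }   # skips Chain/header lines
        END { print sum + 0 }'
}

# Count kernel LOG lines with prefix word $2 (ACCEPT/DROP) and IN=$1 (stdin: dmesg).
log_hits() {
    awk -v ifc="$1" -v pfx="$2" '$3 == pfx && $4 == ("IN=" ifc) { n++ } END { print n + 0 }'
}

# RX packet counter from busybox `ifconfig <if>` output on stdin.
ifconfig_rx_pkts() {
    awk '/RX packets:/ { split($2, a, ":"); print a[2] + 0 }'
}

# ENGAGED: rules matched traffic. NOT_ENGAGED: packets arrived that no rule counted. IDLE: nothing yet.
check_iface() {   # $1 = iface, $2 = iptables -nvL text, $3 = ifconfig text
    rules=$(printf '%s\n' "$2" | iface_rule_pkts "$1")
    rx=$(printf '%s\n' "$3" | ifconfig_rx_pkts)
    if [ "$rules" -gt 0 ]; then echo ENGAGED
    elif [ "$rx" -gt 0 ]; then echo NOT_ENGAGED
    else echo IDLE; fi
}

# Constructed samples: trimmed copies of the listing and log from the post, plus an ifconfig line.
LISTING='Chain INPUT (policy ACCEPT 1438 packets, 143K bytes)
 pkts bytes target    prot opt in     out  source     destination
    0     0 logaccept tcp  --  ath0.1 *    0.0.0.0/0  0.0.0.0/0    tcp dpt:53
    4  1324 logaccept udp  --  ath0.1 *    0.0.0.0/0  0.0.0.0/0    udp dpt:67
    3  4500 logdrop   0    --  ath0.1 *    0.0.0.0/0  10.0.0.0/16  state NEW
Chain FORWARD (policy ACCEPT 33 packets, 2593 bytes)
 pkts bytes target    prot opt in     out  source     destination
   12   806 ACCEPT    udp  --  ath0.1 *    0.0.0.0/0  0.0.0.0/0    udp dpt:53
   10   600 TCPMSS    tcp  --  *      *    0.0.0.0/0  0.0.0.0/0    tcp flags:0x06/0x02'
DMESG='<4>[ 374.530000] ACCEPT IN=ath0.1 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
<4>[ 377.870000] ACCEPT IN=ath0.1 OUT= SRC=0.0.0.0 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67
<4>[ 381.620000] DROP IN=ath0.1 OUT= SRC=10.0.1.136 DST=10.0.1.1 PROTO=ICMP TYPE=8 CODE=0'
IFCONFIG='          RX packets:57 errors:0 dropped:0 overruns:0 frame:0'
```

On the router itself, source the script and run `check_iface ath0.1 "$(iptables -nvL)" "$(ifconfig ath0.1)"` after a client joins the ath0.1 SSID; a NOT_ENGAGED result right after reboot reproduces the problem without guessing from counters by eye.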
bvideo
DD-WRT Novice


Joined: 04 Mar 2014
Posts: 47

PostPosted: Tue Feb 12, 2019 5:40    Post subject:
Why I *think* I need proxy arp.

First, I made ath0.1 unbridged from the dd-wrt AP router's main bridge, br0. That's because iptables could not address ath0.1 in a bridge. So now, ath0.1 does not see ARPs on br0.

Second, my main router does not provide any configuration for a simple static route. No route and no ARP. So no way for it to find ath0.1.

Proxy ARP on br0 of the DD-WRT router allows it to answer ARP from the main router, and thus accept packets for ath0.1 and forward them. Not elegant.

Alternate ideas gladly considered!

_________________
dd-wrt on Netgear wndr3700v4
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 2507
Location: UK, London, just across the river..

PostPosted: Tue Feb 12, 2019 10:28    Post subject:
I know it's off topic, but to save my ass... I decided to cut the struggle with guest network VAPs... and use a WAP, which of course needs another router in DD-WRT WAP mode.
The end line is.... it always works...!!!

_________________
Atheros
TP-Link WR740Nv4 --------DD-WRT 33986 BS (AP,NAT,AD Blocking,Firewall)
TP-Link WR1043NDv2 ------DD-WRT 38535 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Forced DNS)
TP-Link WR1043NDv2 ------DD-WRT 38581 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF)
TP-Link WR1043NDv2.......... Gargoyle OS 1.10 (AP,NAT,QoS,Quotas)
Qualcomm/IPQ8065
Netgear R7800 ------------DD-WRT 38835M 4.9 Kong (AP,NAT,AD-Blocking,AP Isolation,Firewall,DNSCrypt x2)
Broadcom
Netgear R7000 ---------DD-WRT 38580M Kong (AP,NAT,AD-Blocking,Firewall,Forced DNS)
Others
Netgear ProSAFE-GS105Ev2 ----(LAN Switch)