Firewall to block traffic from select networks only

flyboy20
DD-WRT Novice


Joined: 28 Jan 2020
Posts: 3

Posted: Tue Feb 11, 2020 13:42    Post subject: Firewall to block traffic from select networks only
Hi all

I’m still very green when it comes to using iptables commands/syntax. I have a firewall question that I hope someone can assist with, as I have not found a solution to it online. Your help is much appreciated!

In short, I would like to configure a rule or have a setup whereby I can request that ddwrt block all packets going to network 192.168.1.0/24 (it’s behind the ddwrt WAN port) coming from the ddwrt router networks 192.168.203.0/24 & 192.168.202.0/24, while allowing 192.168.200.0/24 network traffic.

The router in question with DD-WRT is an Asus RT-AC68U C1 using v3.0 R31980M Kongac (5-11-17).

The situation in more detail is this:

The AC68U has an un-bridged VAP network (wl0.3, called Cells) of 192.168.203.0/24, and also a br1 bridge called IOT with 192.168.202.0/24 (VAP wl0.2 + VLAN5). Both the router's physical wl0 2.4GHz radio and the wl1 5GHz radio have a network of 192.168.200.0/24 called TrustedWIFI. AP isolation is ON and network isolation is ON wherever I can set these preferences for all the networks.

The AC68U is in gateway mode; its WAN port has a static IP of 192.168.4.2 connecting to a DrayTek router that provides internet connectivity with IP 192.168.4.1 – this is VLAN4 on the DrayTek. The DrayTek also has a VLAN1 192.168.1.0/24 wired network.

After enabling DrayTek inter-VLAN routing between VLAN1 and VLAN4, plus static routes to find 192.168.200.0/24, I wish to prevent the AC68U networks 192.168.203.0/24 & 192.168.202.0/24 from communicating with the 192.168.1.0/24 network; however, I want to continue to allow 192.168.200.0/24 to communicate with 192.168.1.0/24. It seems having net isolation ON doesn’t do the trick.

In essence, this makes the IOT and Cells networks work like guest networks, so they can only access the internet and no other local networks. Only trusted and secure devices go on the TrustedWIFI, such as laptops or devices with their own security app.

I have read ddwrt examples to block subnets, IP ranges, block br1 from accessing br0 etc.; however, these examples apply to all the AC68U networks, whereas I wish to only block two networks (Cells, IOT) from accessing 192.168.1.0/24.

On the DrayTek side I have not figured out how to block 192.168.203.0/24 or 192.168.202.0/24 traffic entering 192.168.1.0/24, because they are both coming through 192.168.4.0/24. Hopefully something can be done on the ddwrt firewall side?

I have tried this on the ddwrt router, but it doesn’t block the traffic from the IOT network to 192.168.1.0/24:
#Block access between private and guest
# New connections from br0 (TrustedWIFI) into br1 (IOT)
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
# New connections from br1 (IOT) to the br0 LAN subnet; the nvram lookups expand to the
# router's own lan_ipaddr/lan_netmask, i.e. the 192.168.200.0/24 side, not 192.168.1.0/24
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

Hope this makes sense, and I appreciate your help :)
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Tue Feb 11, 2020 18:29
I'm not sufficiently clear-headed today to tackle your big picture, but I will say that it looks entirely do-able.

One important thing to understand though: checking Network Isolation for network X blocks traffic between X and br0, in both directions, but it does not restrict traffic between network X and networks Y or Z. If you want them all isolated, you need iptables rules for that as well. What I do is leave Network Isolation unchecked everywhere and just do this in the Firewall section of GUI>Administration>Commands:
Code:
# For each LAN-side interface, drop NEW forwarded connections aimed at any
# 192.168.0.0/16 address (all the local networks here live inside that range)
for i in ath0.2 ath0.1 br0; do
   iptables -I FORWARD -i $i -d 192.168.0.0/16 -m state --state NEW -j DROP
done

The firewall doesn't come into play for intra-interface traffic, so all my br0 devices can see each other just fine. (I use AP isolation at the wifi level for ath0.2 and ath0.1. This particular router is in client mode, so ath1 is its WAN link.) This scheme is for keeping all interfaces from talking to each other. If you wanted an exception for certain interfaces, you'd have to rethink the strategy, as this basically prohibits packets from each interface X from reaching anything in your network that is not on interface X. (Notably, since your wan and vpn-client interfaces are not in 192.168.0.0/16, they are not hampered here.)

I use the same scheme on all six of my routers, two of which have five interfaces, including a second bridge, rather than three like here. The Firewall code is just shell script, so you are free to use whatever shell commands you need.

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
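Adapting the per-interface scheme above to the first post's layout, as an added example that is not code from either poster: it drops new forwarded connections from the Cells (wl0.3) and IOT (br1) interfaces to 192.168.1.0/24 and to each other, while leaving br0 (TrustedWIFI) untouched so 192.168.200.0/24 can still reach 192.168.1.0/24. Interface names and subnets are taken from the first post; the `isolation_rules` function and the `apply` argument are this example's own.

```shell
#!/bin/sh
# Example firewall snippet for DD-WRT's Administration > Commands > Firewall box.
# Assumed from the first post: Cells = wl0.3, IOT = br1, TrustedWIFI = br0,
# and 192.168.1.0/24 is the wired VLAN1 behind the WAN that guests must not reach.
PROTECTED_NET="192.168.1.0/24"
GUEST_IFACES="wl0.3 br1"
TRUSTED_IFACE="br0"

# Print one "iptables ..." command per rule. Generating the commands first lets the
# script be reviewed (or tested) off the router before anything is applied.
isolation_rules() {
  # 1. Guest interfaces may not open connections to the protected wired network.
  #    -I puts the rule at the top of FORWARD so a later ACCEPT cannot shadow it.
  for i in $GUEST_IFACES; do
    echo "iptables -I FORWARD -i $i -d $PROTECTED_NET -m state --state NEW -j DROP"
  done
  # 2. Guest interfaces may not open connections to each other or to br0.
  #    Network Isolation only covers X<->br0, so guest<->guest needs explicit rules.
  for i in $GUEST_IFACES; do
    for j in $GUEST_IFACES $TRUSTED_IFACE; do
      [ "$i" = "$j" ] && continue
      echo "iptables -I FORWARD -i $i -o $j -m state --state NEW -j DROP"
    done
  done
  # No rule names br0 as the input interface, so TrustedWIFI keeps full access.
}

if [ "$1" = "apply" ]; then
  # On the router: run each generated command.
  isolation_rules | while read -r cmd; do eval "$cmd"; done
else
  # Anywhere else: just show what would be applied.
  isolation_rules
fi
```

Run it without arguments to preview the six rules; on the router, `sh script.sh apply` installs them, and `iptables -vnL FORWARD` afterwards should show the DROP counters climbing when an IOT or Cells device tries to reach 192.168.1.0/24.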