Leaving wireless interface unbridged?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
taggg
DD-WRT Novice


Joined: 22 Jun 2018
Posts: 11

PostPosted: Sun Feb 16, 2020 10:05    Post subject: Leaving wireless interface unbridged? Reply with quote
When separating WLAN from LAN, what is the purpose of setting up another bridge for the wireless interface(s)? Net Isolation seems to provide the appropriate rules to protect the wired subnet without the need for any other iptables commands. Are there other benefits of setting up a second bridge that I'm missing?
Sponsor
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5809
Location: Romerike, Norway

PostPosted: Sun Feb 16, 2020 16:51    Post subject: Reply with quote
No benefit unless you have a build where unbridged interfaces are broken.
taggg
DD-WRT Novice


Joined: 22 Jun 2018
Posts: 11

PostPosted: Sun Feb 16, 2020 17:35    Post subject: Reply with quote
Thanks for confirming. Is it common for unbridged interfaces to be broken? If not, I'd like to update that wiki. It's too complicated as it stands, and an unnecessary bridge is part of the problem.
taggg
DD-WRT Novice


Joined: 22 Jun 2018
Posts: 11

PostPosted: Mon Feb 17, 2020 0:27    Post subject: Reply with quote
Updated: https://forum.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN

How do I delete some outdated versions of that page?
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5341
Location: Texas

PostPosted: Mon Feb 17, 2020 0:47    Post subject: Re: Leaving wireless interface unbridged? Reply with quote
taggg wrote:
what is the purpose of setting up another bridge for the wireless interface


if you wanted two VAPs on same bridge
OR
if you have any wired ports that are setup as a VLAN that you want together with a VAP or other wireless interface.

you would create a br1 and assign what you wanted to it
Twisted Evil
taggg
DD-WRT Novice


Joined: 22 Jun 2018
Posts: 11

PostPosted: Mon Feb 17, 2020 1:02    Post subject: Re: Leaving wireless interface unbridged? Reply with quote
mrjcd wrote:
if you wanted two VAPs on same bridge
OR
if you have any wired ports that are setup as a VLAN that you want together with a VAP or other wireless interface.

Sure, I guess in either of those cases you'd need fewer DHCP servers if you put them on a bridge. But the same connectivity is achievable with a few iptables commands in the FORWARD chain, right? The reason I prefer unbridged is that Net Isolation takes care of protecting the router which gets messy when you have to do it by hand (poking holes for DHCP and DNS). Just compare the old instructions with the new ones!
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3882
Location: UK, London, just across the river..

PostPosted: Mon Feb 17, 2020 13:12    Post subject: Reply with quote
yep, i always unbridge both, its a touch better in terms of security....
_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 44538 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 44627 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 44538 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 44538 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 44538 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 949
Location: Appalachian mountains, USA

PostPosted: Mon Feb 17, 2020 16:51    Post subject: Reply with quote
Great suggestions above re use of an extra bridge! Newcomers to dd-wrt are often baffled by the flexibility offered, however, and have little idea how to set things up to get the security they want. So let me try to both give an example of the use of a second bridge and suggest a possible general strategy for setting up the home networks. Keep in mind that setting up VLANs is a bit of an advanced topic and is probably not something to try and deal with on day one. Get the guest-network setup going first. Likewise, some of the details here, like static leases and firewall holes for printers, are enhancements to add later on. But it's good to have in mind where you'd like to end up, even if you wisely choose to get there in small increments over time. So, here's more or less what I do.

I split my LAN ports into two VLANs, two ports on each. Then one VLAN shares bridge br0 with ath1 and ath0, the two wifi interfaces in my router. That bridge is then used for my high-security devices, like work computers, work NAS, and my personal laptops, which are locked down to a ridiculous degree. Windows is not permitted on br0 in my system, as Windows users in the household do not have the wifi passwords and are a touch too clueless to deal with ethernet ports.

The other VLAN shares bridge br1 with VAPs ath0.1 and ath1.1 (OK, not really, but this is an example) to create a low-security network for Windows users, printers (which are low-security devices when wild click-on-everything users are at the controls!), AirPlay speakers, any TV streaming devices and IoT devices that need to share a network with phones, and a cheapo NAS box those Windows users can back up to. The point of combining all these on a bridge is that all users can see and communicate with each other. The devices on this network that don't need internet access (or need it only on special occasions, like update day), like printers and some IoT things (the ones that, mercifully, do not need accounts with Mama), are given static DHCP leases and blocked from the internet in the Firewall. (Access control in the GUI didn't seem to work on the day I set all this up, way back when.)

Of course I also have an unbridged wifi VAP for devices, whether high security or low security, that don't need to see anything else in the household. They only need the internet. This includes guests and some IoT devices, but it's also where we connect our phones, nonwork laptops, etc. most of the time, only moving to the shared networks when needed. Users on this "guest" network do occasionally need a printer, so I poke small, printer-shaped firewall holes from the guest network through to the printers on br1, which are given static DHCP leases there. These printers are not visible in "network" on computers on the guest network, but they can be accessed for printing by IP address. I don't permit connections through the hole to be initiated by the printers.

Note that network isolation only isolates subnets from br0, not from each other. If you have more than two subnets and want devices on them to not see from one subnet to another, the easiest way is to disable Net Isolation for each and just add iptables rules in the Firewall in GUI>Administrative>Commands to keep them separate. I can isolate the two bridges and VAP ath0.2 from each other with this:
Code:

#net isolation isolates br0 only, so disable and do here
  for i in br0 br1 ath0.2 ; do
    iptables -I FORWARD -i $i -d 192.168.0.0/16 -m state --state NEW -j DROP
  done
Of course modify the list of interfaces in the for loop and the system's IP address -- here 192.168.0.0/16 designates all IP addresses beginning with 192.168 -- as appropriate for your system. This doesn't keep devices on a bridge from talking to each other, as intra-bridge communication doesn't go through the firewall. Also, the idea is to separately use AP Isolation (wifi section of GUI) on VAP ath0.2 to keep those devices from interacting with each other.
_________________
Five WRT1900ACSv2's on 42926, 44048.
VLANs, multiple VAPs, NAS, client-mode travel router, OpenVPN client (AirVPN), DDNS, wireguard server, two wireguard clients (AzireVPN), use of two DNSCrypt DNS providers (inc Quad9) through OpenVPN and wireguard clients.
taggg
DD-WRT Novice


Joined: 22 Jun 2018
Posts: 11

PostPosted: Mon Feb 17, 2020 19:06    Post subject: Reply with quote
@SurprisedItWorks, thanks for that use case! Indeed, an additional bridge seems to serve you well since you are writing somewhat complicated rules, e.g. printer access, that you would like to avoid repeating for multiple interfaces. Once those rules get more complex than the DNS and DHCP rules that Net Isolation saves you from, I agree that a second bridge makes sense. I've linked to this thread from the wiki. If you're so inclined, a separate wiki on bridging would probably help a lot of users Cool
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 949
Location: Appalachian mountains, USA

PostPosted: Mon Feb 17, 2020 20:34    Post subject: Reply with quote
taggg wrote:
@SurprisedItWorks, thanks for that use case! Indeed, an additional bridge seems to serve you well since you are writing somewhat complicated rules, e.g. printer access, that you would like to avoid repeating for multiple interfaces. Once those rules get more complex than the DNS and DHCP rules that Net Isolation saves you from, I agree that a second bridge makes sense. I've linked to this thread from the wiki. If you're so inclined, a separate wiki on bridging would probably help a lot of users Cool

I'm afraid I'm wiki-ignorant, so will leave that to others, at least for now.

Re Net Isolation, I don't believe it has any DHCP or DNS effects at all. As far as I know, all it does is create two firewall rules for each non-br0 interface. The first rule prohibits packets from br0 reaching the other interface, and the second rule does the reverse. That's perfectly fine if you only have br0 plus a single guest network, i.e. only two interfaces (counting bridges as interfaces here) to deal with, but as soon as you have more than two, a different approach is needed, or you'll have interfaces A and B each isolated from br0 but - worst case - malware on A snooping around in B's subnet and vice versa.

_________________
Five WRT1900ACSv2's on 42926, 44048.
VLANs, multiple VAPs, NAS, client-mode travel router, OpenVPN client (AirVPN), DDNS, wireguard server, two wireguard clients (AzireVPN), use of two DNSCrypt DNS providers (inc Quad9) through OpenVPN and wireguard clients.
taggg
DD-WRT Novice


Joined: 22 Jun 2018
Posts: 11

PostPosted: Mon Feb 17, 2020 22:06    Post subject: Reply with quote
SurprisedItWorks wrote:
Re Net Isolation, I don't believe it has any DHCP or DNS effects at all.

firewall.c is very difficult to read, but I don't think that's correct. Both filter_input and filter_table contain the conditional
Code:

if (nvram_nmatch("1", "%s_isolation", var)) {
   save2file_A_input("-i %s -p udp --dport 67 -j %s", var, log_accept);
   save2file_A_input("-i %s -p udp --dport 53 -j %s", var, log_accept);
   save2file_A_input("-i %s -p tcp --dport 53 -j %s", var, log_accept);
   save2file_A_input("-i %s -m state --state NEW -j %s", var, log_drop);
}

I don't understand the division of labor between the two functions as they're both modifying the INPUT and FORWARD chains, or why the code is duplicated, but there's clearly a link between isolation and those rules to poke holes for DHCP and DNS.

SurprisedItWorks wrote:
As far as I know, all it does is create two firewall rules for each non-br0 interface. The first rule prohibits packets from br0 reaching the other interface, and the second rule does the reverse.

It does that too:
Code:

if (nvram_nmatch("1", "%s_isolation", var)) {
   save2file_I_forward("-i %s -d %s/%s -m state --state NEW -j %s", var, nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_netmask"), log_drop);
   save2file_A_forward("-i br0 -o %s -m state --state NEW -j %s", var, log_drop);
   if (nvram_matchi("privoxy_transp_enable", 1)) {
      save2file("-I INPUT -i %s -d %s/%s -p tcp --dport 8118 -j %s", var, nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_netmask"), log_accept);
   }
}


SurprisedItWorks wrote:
That's perfectly fine if you only have br0 plus a single guest network, i.e. only two interfaces (counting bridges as interfaces here) to deal with, but as soon as you have more than two, a different approach is needed, or you'll have interfaces A and B each isolated from br0 but - worst case - malware on A snooping around in B's subnet and vice versa.

Yup! I addressed that in the Controlling Access section Cool If I can figure out how to build for myself, I might put up a PR to automatically isolate from all other interfaces instead of just 192.168.1.0/24. The last time I tried to build I gave up after I hit a cross-compilation error Sad
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 3882
Location: UK, London, just across the river..

PostPosted: Tue Feb 18, 2020 5:25    Post subject: Reply with quote
hmmm... i used to bother with this net isolation option, than realized, its much better to add those rules manually, as well do in mind VLAN come with net isolation by default, as they are VLAN's, while using a bridge has more flexibility regarding adding permit/blocking rules

my set up contains br0 Wi-Fi (ath1) with AP isolation
and br1 eth1 (lan ports), both br on diff subnet with own DHCP and DNSmasq (interface=br0 and br1) as well few blocking firewall rules regarding FORWARD and INPUT chains... I dont use STP in between

_________________
Atheros
TP-Link WR740Nv1 -----DD-WRT 44538 BS AP,NAT
TP-Link WR740Nv4 -----DD-WRT 44251 BS WAP/Switch
TP-Link WR1043NDv2 ---DD-WRT 44627 BS AP,NAT,AP Isolation,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---DD-WRT 44538 BS AP,NAT,AD Block,Firewall,Local DNS,Forced DNS,DoT,VPN,VLAN
TP-Link WR1043NDv2 ---Gargoyle OS 1.12.0 AP,NAT,QoS,Quotas
Qualcomm/IPQ8065
Netgear R7800 -----DD-WRT 44538 BS AP,NAT,AD-Block,AP&Net Isolation,VLAN's,Firewall,Local DNS,DoT
Broadcom
Netgear R7000 -----DD-WRT 44538 BS AP,Wi-Fi OFF,NAT,AD-Block,Firewall,Local DNS,Forced DNS,DoT,VPN
-----------------------------------------------------------------------------------------------
Stubby for DNS over TLS I DNSCrypt v2 by mac913
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 949
Location: Appalachian mountains, USA

PostPosted: Tue Feb 18, 2020 15:43    Post subject: Reply with quote
taggg wrote:
SurprisedItWorks wrote:
Re Net Isolation, I don't believe it has any DHCP or DNS effects at all.

firewall.c is very difficult to read, but I don't think that's correct. Both filter_input and filter_table contain the conditional
Code:

if (nvram_nmatch("1", "%s_isolation", var)) {
   save2file_A_input("-i %s -p udp --dport 67 -j %s", var, log_accept);
   save2file_A_input("-i %s -p udp --dport 53 -j %s", var, log_accept);
   save2file_A_input("-i %s -p tcp --dport 53 -j %s", var, log_accept);
   save2file_A_input("-i %s -m state --state NEW -j %s", var, log_drop);
}

I don't understand the division of labor between the two functions as they're both modifying the INPUT and FORWARD chains, or why the code is duplicated, but there's clearly a link between isolation and those rules to poke holes for DHCP and DNS.

Yes, the code above seems to allow DNS and DHCP access to the router itself, via the INPUT chain, at least if (-A) no other INPUT rule supercedes. Because I don't have Net Isolation enabled anywhere though, I don't have those rules in my firewall and so can't easily explore further. I'm realizing that my impression of Net Isolation was formed a couple of years ago when my understanding of the firewall was (even) more limited. Most likely I only looked then at the FORWARD chain and so missed a lot.
Quote:
SurprisedItWorks wrote:
As far as I know, all it does is create two firewall rules for each non-br0 interface. The first rule prohibits packets from br0 reaching the other interface, and the second rule does the reverse.

It does that too:
Code:

if (nvram_nmatch("1", "%s_isolation", var)) {
   save2file_I_forward("-i %s -d %s/%s -m state --state NEW -j %s", var, nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_netmask"), log_drop);
   save2file_A_forward("-i br0 -o %s -m state --state NEW -j %s", var, log_drop);
   if (nvram_matchi("privoxy_transp_enable", 1)) {
      save2file("-I INPUT -i %s -d %s/%s -p tcp --dport 8118 -j %s", var, nvram_safe_get("lan_ipaddr"), nvram_safe_get("lan_netmask"), log_accept);
   }
}

Yes, the first two seem to be what I was remembering. I've never used privoxy so have no clue how the last one figures into things.
Quote:
SurprisedItWorks wrote:
That's perfectly fine if you only have br0 plus a single guest network, i.e. only two interfaces (counting bridges as interfaces here) to deal with, but as soon as you have more than two, a different approach is needed, or you'll have interfaces A and B each isolated from br0 but - worst case - malware on A snooping around in B's subnet and vice versa.

Yup! I addressed that in the Controlling Access section Cool If I can figure out how to build for myself, I might put up a PR to automatically isolate from all other interfaces instead of just 192.168.1.0/24. The last time I tried to build I gave up after I hit a cross-compilation error Sad

You're very ambitious to try an actual build! The rest of us just look at what we can do with Firewall and Startup sections in GUI>Administration>Commands.

It's interesting that I've muddled along with my own version of Net Isolation without any need to poke special holes for DNS and DHCP, which work fine on my routers. It looks like DNAT rules in the nat table's PREROUTING chain get DNS queries for my guest networks to the IP addresses of the interfaces themselves, where dnsmasq grabs them (interface= in /tmp/dnsmasq.conf), as far as my limited understanding of all this takes me. (I'm not a networking person.) Maybe all this works only because I have Forced DNS Redirection checked? In any case, this discussion makes what to do to isolate multiple networks much less clear than I thought it was.

_________________
Five WRT1900ACSv2's on 42926, 44048.
VLANs, multiple VAPs, NAS, client-mode travel router, OpenVPN client (AirVPN), DDNS, wireguard server, two wireguard clients (AzireVPN), use of two DNSCrypt DNS providers (inc Quad9) through OpenVPN and wireguard clients.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum