Asus RT-AC68U Bridging for IoT Management Question

YaddaMinski
DD-WRT User


Joined: 24 Oct 2010
Posts: 294

PostPosted: Fri Feb 28, 2020 18:05    Post subject: Asus RT-AC68U Bridging for IoT Management Question
I am setting up said router to isolate IoT. My trusted VLAN is vlan1, untrusted is vlan2. I want to allow, for example, a trusted smartphone on vlan1 to be able to connect to an IoT device on vlan2, but not allow vlan2 devices to initiate connections to vlan1. Can I set up this restricted bridging in the GUI, or do I have to enter a set of commands to achieve this functionality? What would the commands be if so?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Fri Feb 28, 2020 18:13    Post subject:
First hurdle would be to use vlan numbers that are not being used by default in the firmware for WAN port and LAN bridge. Second, not sure if the GUI tab works on that router, so you may have to do it via command line over telnet/ssh:

https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
YaddaMinski
DD-WRT User


Joined: 24 Oct 2010
Posts: 294

PostPosted: Fri Feb 28, 2020 18:54    Post subject:
kernel-panic69 wrote:
First hurdle would be to use vlan numbers that are not being used by default in the firmware for WAN port and LAN bridge. Second, not sure if the GUI tab works on that router, so you may have to do it via command line over telnet/ssh:

https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports


Thank you for pointing out that reference page!
YaddaMinski
DD-WRT User


Joined: 24 Oct 2010
Posts: 294

PostPosted: Tue Mar 03, 2020 17:15    Post subject:
To ban traffic originating from the IoT VLAN, would I use the DROP rule in iptables? My question is: with this rule, will IoT traffic still be allowed to reply to TRUSTED VLAN traffic to the IoT VLAN that is initiated from the Trusted VLAN?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Mar 03, 2020 17:30    Post subject:
GUEST_IF="br1" # <-- must match guest network interface (br1, wl0.1, etc.)

PORT_DHCP="67"
PORT_DNS="53"

# limit guests to essential router services (icmp, dns, dhcp)
# -I prepends to the chain, so the REJECT inserted first ends up
# below the ACCEPT rules inserted after it and only catches the rest
iptables -I INPUT -i "$GUEST_IF" -j REJECT
iptables -I INPUT -p icmp -i "$GUEST_IF" -j ACCEPT
iptables -I INPUT -p udp -i "$GUEST_IF" --dport "$PORT_DHCP" -j ACCEPT
iptables -I INPUT -p tcp -i "$GUEST_IF" --dport "$PORT_DNS" -j ACCEPT
iptables -I INPUT -p udp -i "$GUEST_IF" --dport "$PORT_DNS" -j ACCEPT

# deny access to private network by guests (internet only)
# only NEW connections from the guest side are rejected; replies to
# flows started from br0 are ESTABLISHED by conntrack and pass through
iptables -I FORWARD -i "$GUEST_IF" -o br0 -m state --state NEW -j REJECT

state NEW will let you access your iot network from your main network (br0)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
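To make the "state NEW" behaviour in egc's FORWARD rule concrete for the question asked above, here is an added simulation (not code from the thread or from DD-WRT) of that single rule plus a minimal conntrack table. It assumes, as the post implies, that the rest of the FORWARD chain lets br0/br1 traffic through (modelled as policy ACCEPT); addresses and ports are constructed sample values.

```python
# Constructed model of: iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
# Added example, not the thread's or DD-WRT's code; br0/br1 follow the thread.
from dataclasses import dataclass, field

GUEST_IF, TRUSTED_IF = "br1", "br0"  # IoT bridge, trusted bridge

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Firewall:
    # conntrack entries keyed by the 4-tuple of the originating direction
    conntrack: set = field(default_factory=set)
    forward_policy: str = "ACCEPT"  # assumption: remaining chain accepts br0<->br1

    def state_of(self, p: Packet) -> str:
        orig = (p.src, p.dst, p.sport, p.dport)
        reply = (p.dst, p.src, p.dport, p.sport)
        if orig in self.conntrack or reply in self.conntrack:
            return "ESTABLISHED"  # reply or follow-up of a tracked flow
        return "NEW"

    def forward(self, p: Packet) -> str:
        state = self.state_of(p)
        # the rule from the post: reject only NEW flows entering from the IoT side
        if p.in_if == GUEST_IF and p.out_if == TRUSTED_IF and state == "NEW":
            return "REJECT"
        # nothing else matched: the flow is tracked and the chain policy applies
        if state == "NEW":
            self.conntrack.add((p.src, p.dst, p.sport, p.dport))
        return self.forward_policy

def demo() -> dict:
    fw = Firewall()
    phone_to_iot = Packet(TRUSTED_IF, GUEST_IF, "192.168.1.10", "192.168.2.20", 51000, 80)
    iot_reply = Packet(GUEST_IF, TRUSTED_IF, "192.168.2.20", "192.168.1.10", 80, 51000)
    iot_initiated = Packet(GUEST_IF, TRUSTED_IF, "192.168.2.20", "192.168.1.10", 44000, 22)
    return {
        "trusted->iot new": fw.forward(phone_to_iot),   # ACCEPT, flow tracked
        "iot->trusted reply": fw.forward(iot_reply),    # ACCEPT, ESTABLISHED
        "iot->trusted new": fw.forward(iot_initiated),  # REJECT, NEW from br1
    }
```

Run `demo()` to see the three verdicts; the reply packet passes only because the phone's outbound packet was tracked first, which is exactly what the real rule relies on conntrack for.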