Isolate LAN hosts

DD-WRT Forum Index -> Broadcom SoC based Hardware
douglip
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 6

PostPosted: Tue Sep 01, 2020 14:19    Post subject: Isolate LAN hosts
I have a NETGEAR r6700v3 that I flashed with DD-WRT v3.0-r44191 std (08/15/20).

My current setup is as follows:
- WAN port connected to ISP router with static address
- 4 ports connected with patch cables in 4 different rooms in the house
- Some of these ports have a switch with multiple devices connected to them
- Some other devices connect via Wifi

I have two computers that I would like to isolate from the rest of the network. Not completely isolated - they should be able to connect to any other hosts, but other hosts should not connect to them.
These two computers are connected to separate ports in the router with static IPs (192.168.1.11-12).

I have tried specifying their static IP in iptables rules such as this:

Code:

iptables -N secure-input
iptables -A secure-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A secure-input -s 192.168.1.11,192.168.1.12 -j ACCEPT
iptables -A secure-input -d 192.168.1.11,192.168.1.12 -j DROP

iptables -I INPUT 1 -d 192.168.1.11,192.168.1.12 -j secure-input
iptables -I FORWARD 1 -d 192.168.1.11,192.168.1.12 -j secure-input
iptables -I OUTPUT 1 -d 192.168.1.11,192.168.1.12 -j secure-input


But I was unable to get it to work, other hosts were still able to connect to them even with those rules in place. I even added one very specific rule to block my phone to one of these computers, and the phone was still able to connect, so I'm not sure what is going on here.

What's the best way to achieve this?
If it makes things easier I can connect both hosts to the same router port with a switch, but ideally I would prefer not to, and do it only with IP addresses.
NetSonic
DD-WRT Novice


Joined: 31 Aug 2020
Posts: 8

PostPosted: Tue Sep 01, 2020 15:44    Post subject:
Hello friend,

I think you are having this problem, because of the way networks work. Are you familiar with the TCP/IP (or OSI) models for host-to-host communications?

When computers are on the same subnet (layer-2 segment of the network), they do not use the router to communicate. They communicate directly, so the firewall on your router does not apply. The firewall is (in this case) a layer 3 function.

You will need to use the firewall on your hosts to permit or deny traffic.

For more information, read this series on packet travelling from Practical Networking

[Attachment: Networking.png]

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Sep 01, 2020 16:24    Post subject:
Indeed as this is one subnet the firewall is not passed.

You can use VLANs to separate the ports.
Set the port which connects your two computers on vlan3, which uses a different subnet; in that way you can separate the traffic.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
douglip
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 6

PostPosted: Wed Sep 02, 2020 6:14    Post subject:
Thanks to both, you are obviously right and I feel ashamed as I studied that many years ago!

So now there’s no doubt I have to put both secure hosts in the same port, or at least in separate ports to which I will only connect other secure hosts.
Is there any benefit in using vlans since I already have to use different subnets for secure and insecure anyway?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Sep 02, 2020 7:25    Post subject:
douglip wrote:
Thanks to both, you are obviously right and I feel ashamed as I studied that many years ago!

So now there’s no doubt I have to put both secure hosts in the same port, or at least in separate ports to which I will only connect other secure hosts.
Is there any benefit in using vlans since I already have to use different subnets for secure and insecure anyway?


What a VAP is for wireless, a VLAN is for wired, so yes, you have to use a VLAN to separate the LAN ports.
The LAN ports are already on VLAN2; you separate the LAN ports you want and put them on another VLAN (VLAN3).
This VLAN3 you can add to a bridge, but you might even be able to unbridge VLAN3 and use its interface to set up DHCPD.

https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports

I am not a VLAN expert so I cannot help you with the details; we now have our VLAN expert (PYB :) )

NetSonic
DD-WRT Novice


Joined: 31 Aug 2020
Posts: 8

PostPosted: Wed Sep 02, 2020 15:14    Post subject:
douglip wrote:
Is there any benefit in using vlans since I already have to use different subnets for secure and insecure anyway?


I think so :) , but there are some things you should think about. VLANs add some security and efficiency to your network, but they can also create problems for you to solve.

A simple example: DHCP. Broadcast traffic does not cross VLANs. DHCP works on broadcast, so you have to either: 1) set up each VLAN to forward DHCP broadcasts to ONE designated DHCP server (this is called "ip helper", "dhcp helper" or "dhcp forwarder"), or 2) put a DHCP server on each VLAN.

This is an easy problem to solve in DD-WRT, but it's an example of an issue you might run into. If you try to expand your home network by adding a switch to accommodate more wired devices or adding more VLANs, you will have to do more work to make sure everything functions and perhaps spend a little more money on nicer hardware.

I'm not recommending against it, but just be aware of challenges you might face. I came to this forum because I had trouble understanding how VLANs were implemented on DD-WRT. :)
douglip
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 6

PostPosted: Wed Sep 02, 2020 16:10    Post subject:
Thanks for the tips!

Actually it was quite easy: I just assigned one port to vlan3, connected the switch there, and enabled a DHCP server on vlan3 on 192.168.2.0/24 (the rest of the LAN is on 192.168.1.0/24).

Now how do I actually ensure that no traffic goes to vlan3 unless it's an established connection?

I tried the following:
Code:

iptables -N secure-input
iptables -A secure-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A secure-input -j DROP

iptables -I INPUT 1 -i vlan3 -j secure-input
iptables -I FORWARD 1 -i vlan3 -j secure-input


... but I only succeeded in cutting vlan3 off from the Internet, and 192.168.1.0/24 devices (the "insecure" network) could still access 192.168.2.0/24 devices (the "secure" network).
NetSonic
DD-WRT Novice


Joined: 31 Aug 2020
Posts: 8

PostPosted: Sat Sep 05, 2020 0:50    Post subject:
Hi Douglip,

You're getting much fancier with iptables than I normally do, and I cannot competently advise you on how to do what you want to do in the way that you are trying to do it.

Have you tried (I)nserting a new rule at the top of the default OUTPUT chain that forbids any packet with a source of vlans 1 or 2 and destination of vlan 3?

Also, be mindful of your rule order -- the rules are processed from the top down, and once a match is found, that rule will apply.

Let us know how you do. :)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Sep 05, 2020 7:31    Post subject:
Normally on the Setup/Networking page, where your unbridged VLAN3 interface is visible, you can simply tick/enable Net Isolation.

That will isolate VLAN3 from the rest of the network (actually from the router itself and from br0).

If you want to learn more about iptables see the wiki:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

PostPosted: Sun Sep 06, 2020 9:10    Post subject:
douglip wrote:
... but I only succeeded in cutting vlan3 off from the Internet, and 192.168.1.0/24 devices (the "insecure" network) could still access 192.168.2.0/24 devices (the "secure" network).


They communicate directly through the switch. See scenario 2.

It requires a managed switch to block at the switch.
douglip
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 6

PostPosted: Tue Sep 08, 2020 11:46    Post subject:
Thanks for the help everyone. After trying a few more times, I found the right solution:

Code:

iptables -N vlan3-secure
iptables -A vlan3-secure -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A vlan3-secure -j DROP
iptables -I FORWARD 1 -o vlan3 -j vlan3-secure


Now devices in other vlans cannot talk to vlan3 devices, unless vlan3 devices initiate the connection. vlan3 devices can connect to everyone else, and have WAN access.
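Two points in this thread are worth seeing side by side: NetSonic's explanation that hosts on one subnet talk through the switch without ever reaching the router's firewall, and the difference between douglip's `-i vlan3` attempt (which cut vlan3 off from the Internet) and the final `-o vlan3` rule. The Python below is an added model written for this page, not DD-WRT code and not anything a poster wrote. It assumes `br0` as the name of the 192.168.1.0/24 bridge and uses `wan` as a placeholder for the WAN interface; the host addresses are constructed samples. The conntrack table is reduced to a set of accepted (src, dst) pairs, which is enough to show why replies pass and unsolicited flows do not.

```python
"""Added illustration for this thread (not DD-WRT's code or any poster's):
a same-subnet check that explains why the first iptables attempt had no
effect, and a tiny stateful model of the FORWARD chain showing why
'-i vlan3' cut vlan3 off from the Internet while '-o vlan3' gives the
intended one-way isolation. Interface names are assumptions: 'br0' for the
192.168.1.0/24 bridge, 'wan' as a placeholder for the WAN interface.
Host addresses are constructed samples."""
import ipaddress
from dataclasses import dataclass

SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]
WAN_IF = "wan"  # placeholder name, assumed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str   # interface the packet arrived on
    out_if: str  # interface the router would forward it out of


def crosses_router(src: str, dst: str, subnets=SUBNETS) -> bool:
    """False when src and dst share a subnet: the two hosts exchange frames
    directly through the switch, so the router's FORWARD chain never sees
    the traffic and no rule there can block it (douglip's first attempt)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return not any(s in ipaddress.ip_network(n) and d in ipaddress.ip_network(n)
                   for n in subnets)


class ForwardChain:
    """Model of: iptables -I FORWARD 1 <match> vlan3 -j vlan3-secure, where
    vlan3-secure accepts RELATED,ESTABLISHED and drops everything else.
    match_key selects '-i' (in_if) or '-o' (out_if) semantics."""

    def __init__(self, match_key: str):
        assert match_key in ("in_if", "out_if")
        self.match_key = match_key
        self.flows = set()  # conntrack stand-in: (src, dst) of accepted flows

    def forward(self, pkt: Packet) -> str:
        if (pkt.src, pkt.dst) in self.flows or (pkt.dst, pkt.src) in self.flows:
            return "ACCEPT"  # ESTABLISHED: reply traffic is always allowed
        if getattr(pkt, self.match_key) == "vlan3":
            return "DROP"    # NEW flow matched the secure chain -> DROP
        if pkt.in_if == WAN_IF:
            return "DROP"    # stand-in for the router's usual 'no unsolicited inbound from WAN'
        self.flows.add((pkt.src, pkt.dst))  # accepted NEW flow is now tracked
        return "ACCEPT"


def run_scenarios(match_key: str) -> dict:
    """Replay the situations the thread describes against one rule variant."""
    chain = ForwardChain(match_key)
    v = {}
    # 1. secure host opens a connection to the Internet; the reply comes back
    v["vlan3_to_wan"] = chain.forward(Packet("192.168.2.10", "203.0.113.5", "vlan3", WAN_IF))
    v["wan_reply"] = chain.forward(Packet("203.0.113.5", "192.168.2.10", WAN_IF, "vlan3"))
    # 2. an 'insecure' LAN host tries to open a connection into vlan3
    v["lan_to_vlan3"] = chain.forward(Packet("192.168.1.50", "192.168.2.10", "br0", "vlan3"))
    # 3. a secure host opens a connection to the LAN; the reply comes back
    v["vlan3_to_lan"] = chain.forward(Packet("192.168.2.11", "192.168.1.60", "vlan3", "br0"))
    v["lan_reply"] = chain.forward(Packet("192.168.1.60", "192.168.2.11", "br0", "vlan3"))
    return v


if __name__ == "__main__":
    print("same subnet, router bypassed:", not crosses_router("192.168.1.50", "192.168.1.11"))
    print("-i vlan3 (first attempt):", run_scenarios("in_if"))
    print("-o vlan3 (working rule): ", run_scenarios("out_if"))
```

Running it shows the `-i vlan3` variant dropping the secure host's own outbound connection (no state exists yet, and the packet arrived on vlan3) while still accepting a LAN host's new connection into vlan3, which is exactly what douglip observed; the `-o vlan3` variant only consults the chain for packets leaving towards vlan3, so unsolicited inbound flows are dropped and replies to vlan3-initiated flows pass. The same model makes the earlier point visible too: for two hosts in 192.168.1.0/24, `crosses_router` is False and none of these rules are ever evaluated.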
All times are GMT