Posted: Sun Mar 28, 2021 4:11 Post subject: trouble with VLANs and iptables on Netgear r7000
I am trying to do something nearly identical as cbmAlt describes at https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325986. Like cbmAlt, I'm also using an r7000, but with no success. Can someone please let me know what I'm doing wrong?
Here's my set up. I'm running firmware v3.0-r46177 std (03/26/21) on a new Netgear r7000.
Main network: 192.168.10.0/24 [ports 1, 2, 3 on the LAN]
IP camera network: 192.168.100.0/24 [port 4 on the LAN]
My plan is to connect an old computer running Blue Iris to the IP camera network at port 4. It will be dual-NIC, with the second NIC connecting to a PoE+ switch that connects to the IP cameras. Once I get it working, I will activate dd-wrt's WireGuard VPN and connect to the main network remotely to see the camera footage.
I want devices on the main network to be able to talk to the IP camera network, but not the other way around. However, I can't get any devices on either network to communicate with devices on the other network. Specifically, I've got a laptop connected wirelessly at 192.168.10.127 and another laptop wired into port 4 at 192.168.100.142. Because each laptop is getting an IP in the designated range, I think I must have done something right. But I can't get either laptop to ping the other. However, each can ping 192.168.10.1 and 192.168.100.1.
Here's what I have in Setup -> Switch Config:
vlan0: no ports selected
vlan1: ports 1, 2, 3 and assigned to "LAN"
vlan2: port W and assigned to "LAN"
vlan3: port 4 and assigned to "None"
Then in Setup -> Config, I created a bridge and did the following assignments:
I've also used the DHCPd to assign an ip range for each bridge.
Importantly, I have disabled "Net Isolation" for br1.
Otherwise, I have all the default settings. So there are no filtering rules in iptables that could be blocking the communications.
Even when I save the following rules using "Save Firewall" in Administration -> Commands, I still can't get my laptop on 192.168.10.127 to successfully ping the one on 192.168.100.142.
Code:
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
# deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Can someone please help me? I've spent the entire day reading the forums and trying various things out but nothing works.
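The rules above are evaluated top-down, first match wins, and `-I` inserts each new rule at the top of the chain. This added example (not from the original post or DD-WRT) replays the posted script against an assumed stock chain that holds only the RELATED,ESTABLISHED rule, then checks what the resulting FORWARD chain does with traffic between br0 (main LAN) and br1 (camera VLAN). The default policy is an assumption.

```python
# Constructed model of a netfilter FORWARD chain. Each rule is
# (in-interface pattern, out-interface pattern, conntrack states or None, target).
# The script on the page uses "-I" (insert at top) and "-D" (delete), so the chain is
# built by replaying those operations in the order they were saved.
POSTED_SCRIPT = [
    ("I", "br+", "br+", None, "DROP"),                        # block anything that falls through
    ("I", "br1", "br+", None, "DROP"),                        # camera VLAN may not reach other bridges
    ("I", "br0", "br+", None, "ACCEPT"),                      # main LAN may reach any bridge
    ("D", None, None, {"RELATED", "ESTABLISHED"}, "ACCEPT"),  # remove the stock rule ...
    ("I", None, None, {"RELATED", "ESTABLISHED"}, "ACCEPT"),  # ... and put it back at the top
]

# Assumed starting chain: only the firmware's RELATED,ESTABLISHED accept rule.
STOCK_CHAIN = [(None, None, {"RELATED", "ESTABLISHED"}, "ACCEPT")]


def build_chain(script, initial=STOCK_CHAIN):
    chain = list(initial)
    for op, *rule in script:
        rule = tuple(rule)
        if op == "I":
            chain.insert(0, rule)   # -I without a position inserts at the top
        elif op == "D":
            chain.remove(rule)      # -D deletes the first identical rule
    return chain


def iface_match(pattern, name):
    # iptables "br+" matches any interface whose name starts with "br";
    # None means the rule did not constrain that interface at all.
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return name == pattern


def evaluate(chain, in_if, out_if, state, policy="ACCEPT"):
    # First matching rule decides; the chain policy (assumed ACCEPT) applies otherwise.
    for pin, pout, states, target in chain:
        if iface_match(pin, in_if) and iface_match(pout, out_if) and (states is None or state in states):
            return target
    return policy


if __name__ == "__main__":
    chain = build_chain(POSTED_SCRIPT)
    for pkt in [("br0", "br1", "NEW"), ("br1", "br0", "NEW"), ("br1", "br0", "ESTABLISHED")]:
        print(pkt, "->", evaluate(chain, *pkt))
```

Building the chain without the final two lines (the delete and re-insert) leaves the RELATED,ESTABLISHED rule below the br1 DROP, so replies from the camera VLAN to the main LAN are dropped; that is why the script moves it back to the top.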
In the YouTube video, DevbaseMedia is using a Linksys E4200 and an earlier version of dd-wrt, v3.0-r45229 std (01/01/21). So I flashed my r7000 with the same version. But I still get the same issue with and without implementing the iptables filters.
The comments at the bottom of the YouTube page indicate that others are experiencing the same difficulty as me.
Is there something in the dd-wrt build for the r7000 (as opposed to the E4200) that is causing this issue? How can I get my r7000 to function the way his E4200 does in the YouTube video?
I'm running Blue Iris (the IP camera software) on an HP Elitedesk that has a webserver so that camera feeds can be viewed live through a web browser. When I connect the HP Elitedesk to port 4 and my laptop to another port or wifi connection, I can view Blue Iris. However, if I connect my laptop to port 4 and the HP Elitedesk to another port, then I cannot see Blue Iris. So I'm sure the iptables rules have stopped anything on port 4 from communicating with other devices connected to the router.
Now I just need to figure out why my Windows 10 computers are dropping pings, but can still ping the router's IP address. Does anyone have any suggestions?
Configure the Windows firewall. By default only the connected subnet is set as local and the others are filtered.
Thank you Per Yngve Berg. Your suggestion has helped narrow the problem.
Here's my problem now. Please note that my setup has changed slightly to make it simpler and to isolate the issue.
I'm running DD-WRT v3.0-r46177 std (03/26/21) on a Netgear r7000. I have a server running Ubuntu 20.04 LTS that I want to put on its own subnet, apart from the router's. All settings are default except for the following:
The router's ip address is 192.168.2.1.
The ubuntu server's ip address is 192.168.10.1.
In the router, I've gone to "Setup -> Basic Setup" and set the local ip address to 192.168.2.1. Also, I've assigned 192.168.10.1 to the ubuntu server by going to "Services -> Services" and associating the MAC address of the server's NIC with this ip address.
The ubuntu server is connected via ethernet cable to the router's port 4. For completeness, here is the ubuntu server's netplan config file (/etc/netplan/00-installer-config.yaml):
When I boot everything up and log into my ubuntu server, I cannot ping 8.8.8.8 from the ubuntu server. Also, my windows laptop cannot ping 192.168.10.1 or connect to it via ssh.
However, if I change my netplan config file and give the ubuntu server the ip address 192.168.2.10 (and make the corresponding change in the router), then I can ping 8.8.8.8 from the ubuntu server and, also, ping/connect to it from my laptop.
I am puzzled why the router is preventing the ubuntu server from getting connected when it is on a different subnet from the router itself (i.e., 192.168.10.x versus 192.168.2.x).
Can someone please help me? Please excuse my ignorance. I'm a newbie when it comes to networking.
The ubuntu server's ip address is 192.168.10.1.
addresses: [192.168.2.10/24]
These two addresses don't match.
Thanks for the sharp eye--that's the netplan file after I change the ubuntu server's ip address from 192.168.10.1 to 192.168.2.10.
As I explained above, everything works when this file is set to 192.168.2.10 (as shown above), but does not work if I set it to 192.168.10.1. There's no typo--I just posted the netplan file contents for 192.168.2.10. Sorry if that created confusion.
To be clear, the problem occurs when the netplan config file reads:
Uhm, where's the route to 192.168.2.x? Shouldn't your gateway be 192.168.10.x?
That's a great question--I think I am starting to understand. When the router and the ubuntu server share the same subnet (i.e., 192.168.2.x), then the packets travel through Layer 2 and can communicate with each other directly. But when they don't share the same subnet (i.e., router on 192.168.2.x and ubuntu server on 192.168.10.x), then the packets travel through Layer 3 which requires that a route be set on the router. Is that right? At least, that's what I gather from reading this other thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1215902
kernel-panic69, how do I set up a route from 192.168.10.x to 192.168.2.x? There are no other devices on 192.168.10.x other than the ubuntu server at 192.168.10.1.
You need an interface (VLAN) with an address of 192.168.10.x on the router. All clients connected to this VLAN must have this address as gateway.
Per--your feedback is very helpful. Thank you. Being a newbie, I had thought that the "gateway" had to be the ip address of the router because the router is connected to the WAN.
I have edited my /etc/netplan/00-installer-config.yaml file to specify the gateway that matches the address and have applied the change:
Next, I entered my router and created a vlan for port 4 (which is where my ubuntu server is connected). Specifically, I went to "Setup -> Switch Config" and moved the checkmark for port 4 from vlan1 to vlan3. Then I went to "Setup -> Networking" and created a bridge called br1 and associated it with vlan3. Finally, under the heading "Network Configuration br1", I specified 192.168.10.1/24 as the ip address. All of the radio buttons are set to "Disable" except for "Masquerade / NAT" which is "Enable".
I've rebooted my router and ubuntu server, but I still cannot ping 8.8.8.8 from my ubuntu server. However, I am able to ping 192.168.10.1 from my laptop which is on 192.168.2.x. So I think I've made some progress.
My question is how do I get my ubuntu server with ip address 192.168.10.1 access to the internet so that it can, for example, ping 8.8.8.8? I feel like I am missing one last piece.
The Ubuntu server cannot have the same IP address as the router. Pick another, i.e. 192.168.10.2.
Perfect! THANK YOU! Per, you are the best. I greatly appreciate your help.
I can ping 8.8.8.8 from my ubuntu server now. I can also ping my laptop on the 192.168.2.x subnet. And I can use ssh to reach my ubuntu server from my laptop. This is awesome.
Many, many thanks!
Now I will explore using iptables to restrict access to the ubuntu server.
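The three states the thread walked through (gateway on the wrong subnet with no router interface on 192.168.10.x, then the server sharing br1's address, then the working 192.168.10.2) are each a consistency check between the host's static address, its gateway and the router interface that serves that subnet. This added example (not from the thread or from DD-WRT/netplan) encodes those checks; the gateway value in the first scenario is a constructed assumption, since the original netplan file is not quoted.

```python
import ipaddress


def check_host_config(host_cidr, gateway, router_if_addr):
    """Return the problems found with a statically addressed host; [] means consistent.

    host_cidr      -- the netplan 'addresses' entry, e.g. "192.168.10.2/24"
    gateway        -- the host's default gateway
    router_if_addr -- the router's interface address on that VLAN, or None if it has none
    """
    iface = ipaddress.ip_interface(host_cidr)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in iface.network:
        # Layer-3 reachability: a gateway the host cannot ARP for is useless.
        problems.append(f"gateway {gw} is not on the host's subnet {iface.network}")
    if router_if_addr is None:
        problems.append(f"router has no interface on {iface.network}, so it cannot route for the host")
        return problems
    router = ipaddress.ip_address(router_if_addr)
    if router not in iface.network:
        problems.append(f"router interface {router} is not on {iface.network}")
    elif gw != router:
        problems.append(f"gateway {gw} differs from the router's address {router} on this subnet")
    if iface.ip == router:
        # The case fixed in the last reply: host and router interface must not share an IP.
        problems.append(f"host address {iface.ip} collides with the router's interface address")
    return problems


# Constructed scenarios mirroring the thread; the first gateway is an assumption.
SCENARIOS = {
    "initial": ("192.168.10.1/24", "192.168.2.1", None),
    "br1 added, same IP": ("192.168.10.1/24", "192.168.10.1", "192.168.10.1"),
    "working": ("192.168.10.2/24", "192.168.10.1", "192.168.10.1"),
}

if __name__ == "__main__":
    for name, args in SCENARIOS.items():
        print(name, "->", check_host_config(*args) or "OK")
```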