Posted: Tue Jun 22, 2021 2:11 Post subject: Struggling with Isolations
This past weekend I updated and renovated my DD-WRT router, which was an Asus RT-N66U, Broadcom BCM5300 chip r1, but am struggling with AP and Net Isolations trying to get things working how in my mind I'd like them to be.
First of all I have the DD-WRT SSID remote access disabled, so I can only manage the admin interface while connected to that SSID.
Next I made 3 more SSIDs for my Private, IoT and Guest wireless networks. Each network was originally set up with:
SSID Broadcast: Enable
AP Isolation: Enable *
Network Configuration: Unbridged
Multicast Forwarding: Disable
Masquerade/NAT: Enable
Filter WAN NAT Redirection: Disable
Net Isolation: Disable
Forced DNS Redirection: Enable
Optional DNS Target/IP Address/Subnet: set unique for each network
*I ended up changing this for my IoT network so streaming devices could see and communicate with each other.
This completed step 1, reconfiguring my AP so these 3 types of systems had isolated environments. Next I moved into setting up a PiHole and that is where I'm lost. PiHole setup completed successfully and I wanted to put the traffic from Private and IoT through it.
I found that putting it on any individual SSID it was only accessible by that SSID, due to what I thought was Net Isolation, even though I turned it off and still couldn't access it from outside of the SSID's network. I even tried making another Virtual Interface with a barebones config and I couldn't get anything other than test systems I also put on the subnet to talk to it.
Ideally, I would like to set it up in an accessible location for these 2 networks to direct their DNS to but I can't seem to figure out where or how to place it so I can do this. Any advice is greatly appreciated.
After I can figure this out, my final phase is to set up at least the Private SSID to use an always on VPN at the router level, but that is a post for another day.
I am far from an expert, but it sounds to me like you need some firewall rules so that from your LAN you can reach your IoT SSID etc. and then allow them access to the pi.
Change the IP below to your pi's, paste into commands and save firewall, and change the bridge names to suit your bridges.
Code:
# Give br1 (or other bridges) access to the Pi-hole on br0 for DNS only;
# these two rules do not open br0 -> br1.
iptables -I FORWARD -i br1 -o br0 -p tcp -d 192.168.x.x --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -p udp -d 192.168.x.x --dport 53 -j ACCEPT
# Optional: let the main LAN (br0) reach every other bridge
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# Delete and re-insert the stateful rule so it sits at the top of FORWARD
# and the DNS replies are accepted before the isolation rules see them
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Stop guest network access to the router web UI
iptables -I INPUT -i br1 -p tcp --dport 80 -m state --state NEW -j REJECT
# Give the guest network WAN access
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
Hope this helps or gets you a little further.
_________________
Netgear R7800 PPPoE Main Router
Network IPv4 - Isolated VLANs with IoT Devices. Unifi AC-Pro x 3 APs, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Clients. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
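The rules in the reply above, turned into a small POSIX sh script as an added example (this is not the poster's code or anything shipped with DD-WRT). It generalizes the same idea to any number of isolated bridges: each client bridge gets a TCP and a UDP ACCEPT towards the Pi-hole on port 53 only, the stateful ACCEPT is moved back to the top of FORWARD so replies get through, and the web-UI block covers 443 as well as 80. The Pi-hole address 192.168.1.5, the bridge names br0/br1/br2 and the DRY_RUN switch are placeholders; with DRY_RUN=1 (the default) the script only prints the iptables commands it would run, with DRY_RUN=0 it executes them, which is how you would use it from Administration -> Commands -> Save Firewall.

```shell
#!/bin/sh
# Added example, not from the thread: build the DD-WRT firewall rules that
# let isolated bridges (e.g. br1 = IoT, br2 = guest) reach a Pi-hole on br0
# for DNS only. Pi-hole address and bridge names below are placeholders.
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Reject obviously broken addresses before they end up in a firewall rule.
valid_ipv4() {
    old_ifs=$IFS
    set -f; IFS=.; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# pihole_rules PIHOLE_IP PIHOLE_BRIDGE CLIENT_BRIDGE...
# One ACCEPT per client bridge and protocol, limited to port 53 on the
# Pi-hole host, then the stateful ACCEPT is deleted and re-inserted so it
# ends up first in FORWARD and the DNS replies pass the isolation rules.
pihole_rules() {
    [ $# -ge 3 ] || { echo "usage: pihole_rules IP BRIDGE CLIENT_BRIDGE..." >&2; return 1; }
    ip=$1; dst_br=$2; shift 2
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    for br in "$@"; do
        for proto in tcp udp; do
            run iptables -I FORWARD -i "$br" -o "$dst_br" -p "$proto" \
                -d "$ip" --dport 53 -j ACCEPT
        done
    done
    run iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# block_router_admin CLIENT_BRIDGE...
# Keep isolated bridges away from the router's own web UI on 80 and 443.
block_router_admin() {
    for br in "$@"; do
        for port in 80 443; do
            run iptables -I INPUT -i "$br" -p tcp --dport "$port" \
                -m state --state NEW -j REJECT
        done
    done
}

# Example run with constructed values: IoT bridge br1 and guest bridge br2
# talking to a Pi-hole at 192.168.1.5 on br0.
pihole_rules 192.168.1.5 br0 br1 br2
block_router_admin br1 br2
```

Because every rule is added with `-I`, each one lands at position 1, so the last command in `pihole_rules` is what puts the RELATED,ESTABLISHED rule above everything else; keep that ordering if you rearrange the script. Nothing here opens br0 towards the isolated bridges, so the Pi-hole (or any other host on br0) cannot initiate connections into the IoT or guest subnet.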