Posted: Sat Jul 31, 2021 19:45 Post subject: R7000 VLAN Detached Network One-Way Access to Device
Hello,
By following the guides here and here I was able to isolate an "untrusted" part of my network in a VLAN with its own DHCPd server and without access to the other VLANs. Here is what it looks like:
WAN: VLAN 2 (R7000 does this)
Main Router Network: VLAN 1 172.20.1.1/24
Untrusted Network: VLAN 10 172.20.10.1/24
As expected devices on VLAN 1 can't ping devices on VLAN 10 or vice versa.
Now I would like to be able to have machine 172.20.1.200 on VLAN 1 to be able to ping/communicate with machine 172.20.10.50 on VLAN 10.
Is it possible by using iptables to do this? I tried:
Disable Net Isolation and NAT and see if it works then.
But I need Net Isolation in order to have those devices isolated from my main "trusted" network. I just want an exception where a specific device in my "trusted" network can talk to another on the other side.
_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Joined: 13 Aug 2013 Posts: 6858 Location: Romerike, Norway
Posted: Sun Aug 01, 2021 7:32 Post subject:
You have to have the basics work first. Then you can add restrictions.
Leave them off in the GUI and try this.
iptables -I FORWARD -i vlan10 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o vlan10 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o vlan10 -s 172.20.1.200 -d 172.20.10.50 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan10 -p tcp --dport 80 -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
The forward lines prevent making connections to the other sub-net, except between the two nodes stated.
The input prevents nodes on vlan10 from accessing the GUI.
The last line NATs everything going out the WAN.
With a SPI firewall, this will allow return packets through.
Does the device have its own firewall blocking access from outside of 172.20.1.x?
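As an added example (not code from this thread or from DD-WRT itself), here is the rule set above wrapped in a script meant to be saved as the DD-WRT firewall script. Two points it makes explicit: because `-I` inserts at the top of a chain, the specific ACCEPT has to be inserted after the two blanket REJECTs so that it is evaluated first; and because DD-WRT re-runs the saved firewall script whenever the firewall is restarted (a WAN reconnect, for instance), each rule is checked with `iptables -C` before being inserted so that re-runs do not stack duplicates. The interface names (`br0`, `vlan10`), the two hosts and the `vlan2` fallback used when `get_wanface` is not available are assumptions taken from the thread's description; `DRY_RUN=1` prints the commands instead of applying them, and `forward_chain_preview` prints the FORWARD rules in the order the kernel will evaluate them.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent version of the rule set
# discussed above, meant to be saved as the DD-WRT firewall script.
# Assumptions: br0 = trusted LAN (VLAN 1), vlan10 = untrusted VLAN,
# hosts as in the thread, "vlan2" as a fallback WAN interface name when
# get_wanface is unavailable (e.g. when previewing on a workstation).

TRUSTED_IF=${TRUSTED_IF:-br0}
UNTRUSTED_IF=${UNTRUSTED_IF:-vlan10}
TRUSTED_HOST=${TRUSTED_HOST:-172.20.1.200}
UNTRUSTED_HOST=${UNTRUSTED_HOST:-172.20.10.50}
WAN_IF=${WAN_IF:-$(get_wanface 2>/dev/null || echo vlan2)}

# Run iptables, or just print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ensure_rule TABLE CHAIN FLAG RULE-SPEC...   (FLAG is -I or -A)
# Skips the rule if an identical one already exists (-C), so re-running the
# script after a firewall restart does not pile up duplicate rules.
ensure_rule() {
    _table=$1; _chain=$2; _flag=$3; shift 3
    if [ "${DRY_RUN:-0}" != "1" ] && iptables -t "$_table" -C "$_chain" "$@" 2>/dev/null; then
        return 0
    fi
    ipt -t "$_table" "$_flag" "$_chain" "$@"
}

apply_rules() {
    # FORWARD, blanket rules first: no NEW connections between the subnets.
    ensure_rule filter FORWARD -I -i "$UNTRUSTED_IF" -o "$TRUSTED_IF" -m state --state NEW -j REJECT
    ensure_rule filter FORWARD -I -i "$TRUSTED_IF" -o "$UNTRUSTED_IF" -m state --state NEW -j REJECT
    # The exception is inserted LAST: -I prepends, so it ends up FIRST in the
    # chain and is matched before the REJECTs. Reply packets of the connection
    # it allows are ESTABLISHED, which these NEW-only rules never touch.
    ensure_rule filter FORWARD -I -i "$TRUSTED_IF" -o "$UNTRUSTED_IF" \
        -s "$TRUSTED_HOST" -d "$UNTRUSTED_HOST" -m state --state NEW -j ACCEPT
    # INPUT: keep the untrusted VLAN away from the router's web GUI.
    ensure_rule filter INPUT -I -i "$UNTRUSTED_IF" -p tcp --dport 80 -m state --state NEW -j REJECT
    # nat: masquerade everything leaving the WAN interface (appended; order is irrelevant here).
    ensure_rule nat POSTROUTING -A -o "$WAN_IF" -j MASQUERADE
}

# Print the FORWARD rules in the order the kernel will evaluate them
# (the reverse of insertion order, because every FORWARD rule used -I).
forward_chain_preview() {
    ( DRY_RUN=1; apply_rules ) | grep ' FORWARD ' | sed -n '1!G;h;$p'
}

# Usage on the router: sh vlan-exception.sh apply
# Preview anywhere:    DRY_RUN=1 sh vlan-exception.sh apply
#                      sh vlan-exception.sh preview
case "${1:-}" in
    apply)   apply_rules ;;
    preview) forward_chain_preview ;;
esac
```

Running `sh vlan-exception.sh preview` on a workstation shows the ACCEPT for 172.20.1.200 to 172.20.10.50 at the top of the FORWARD chain, followed by the two REJECTs; if the ACCEPT line were moved above the REJECTs in the script, the preview would show it evaluated last and the exception would never match.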
Firewall: No.
The ping works:
Code:
ping 172.20.10.50 -I 172.20.1.1
PING 172.20.10.50 (172.20.10.50) from 172.20.1.1: 56 data bytes
64 bytes from 172.20.10.50: seq=0 ttl=64 time=7.198 ms
64 bytes from 172.20.10.50: seq=1 ttl=64 time=6.967 ms