R7000 VLAN Detached Network One-Way Access to Device

Author Message
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Jul 31, 2021 19:45    Post subject: R7000 VLAN Detached Network One-Way Access to Device
Hello,

By following the guides here and here I was able to isolate an "untrusted" part of my network in a VLAN with its own DHCPd server and without access to the other VLANs. Here is what it looks like:

WAN: VLAN 2 (R7000 does this)
Main Router Network: VLAN 1 172.20.1.1/24
Untrusted Network: VLAN 10 172.20.10.1/24



As expected devices on VLAN 1 can't ping devices on VLAN 10 or vice versa.

Now I would like to be able to have machine 172.20.1.200 on VLAN 1 to be able to ping/communicate with machine 172.20.10.50 on VLAN 10.

Is it possible by using iptables to do this? I tried:

Code:
iptables -I FORWARD -i vlan1 -s 172.20.1.200 -o vlan10 -d 172.20.10.50 -j ACCEPT


But it doesn't work. I suspect this case needs some NATting but I'm not sure how to do it.

Thank you.

_________________
1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sat Jul 31, 2021 20:42    Post subject:
Are both VLAN1 and VLAN10 unbridged interfaces?

VLAN1 is default bridged to br0. If it still is, you have to use br0 instead of vlan1 in the iptables rules.


Do nodes on vlan10 have 172.20.10.1 as gateway?
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Jul 31, 2021 21:00    Post subject:
Per Yngve Berg wrote:
Are both VLAN1 and VLAN10 unbridged interfaces?

VLAN1 is default bridged to br0. If it still is, you have to use br0 instead of vlan1 in the iptables rules.


Do nodes on vlan10 have 172.20.10.1 as gateway?


"VLAN1 is default bridged to br0" > Yes
"Do nodes on vlan10 have 172.20.10.1 as gateway?" > Yes

Code:
iptables -I FORWARD -i br0 -s 172.20.1.200 -o vlan10 -d 172.20.10.50 -j ACCEPT


Doesn't work as well...

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sat Jul 31, 2021 21:07    Post subject:
Disable Net Isolation and NAT and see if it works then.
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sat Jul 31, 2021 21:11    Post subject:
Per Yngve Berg wrote:
Disable Net Isolation and NAT and see if it works then.


But I need Net Isolation in order to have those devices isolated from my main "trusted" network. I just want an exception where a specific device in my "trusted" network can talk to another in the other side.

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sun Aug 01, 2021 7:32    Post subject:
You have to have the basics work first. Then you can add restrictions.

Leave them off in the GUI and try this.

iptables -I FORWARD -i vlan10 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o vlan10 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o vlan10 -s 172.20.1.200 -d 172.20.10.50 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan10 -p tcp --dport 80 -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE


The forward lines prevent making connections to the other sub-net, except between the two nodes stated.
The input line prevents nodes on vlan10 from accessing the GUI.
The last line NATs everything going out the WAN.

With a SPI firewall, this will allow return packets through.
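The rule set above, as an added example that is neither the poster's code nor DD-WRT's own: a firewall-script fragment that applies the five rules in the order `-I` requires (each insert lands above the previous one, so the single ACCEPT exception must go in last), skips rules that are already present so the script can be re-run on every firewall restart, and checks the resulting FORWARD order. Everything it assumes is labelled: br0/vlan10 and the two addresses from the thread, vlan2 as the WAN interface when `get_wanface` is unavailable, the helper names `rule_once` and `exception_precedes_reject`, the constructed `GOOD_ORDER`/`BAD_ORDER` samples of `iptables -S FORWARD` output, and that DD-WRT's default ESTABLISHED,RELATED (SPI) rule stays in place so reply packets get through.

```shell
#!/bin/sh
# Added example, not from the thread: applies the rule set from the post above
# on a DD-WRT router in the right order, without duplicating rules when the
# firewall script runs again, and checks the ordering pitfall that -I causes.
# Assumed (matching the thread): trusted LAN on br0 (172.20.1.0/24), untrusted
# VLAN on vlan10 (172.20.10.0/24), exception 172.20.1.200 -> 172.20.10.50,
# WAN on vlan2 if get_wanface is not available. DD-WRT's default
# ESTABLISHED,RELATED rule (the SPI firewall) is assumed to stay in place.

TRUSTED_IF="${TRUSTED_IF:-br0}"
UNTRUSTED_IF="${UNTRUSTED_IF:-vlan10}"
ALLOW_SRC="${ALLOW_SRC:-172.20.1.200}"
ALLOW_DST="${ALLOW_DST:-172.20.10.50}"
WAN_IF="${WAN_IF:-$(get_wanface 2>/dev/null || echo vlan2)}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands instead of running them

# Execute one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# rule_once <table> <-I|-A> <chain> <match/target args...>
# Adds the rule only if an identical one is not already present (iptables -C),
# so re-running the firewall script does not pile up duplicate rules.
rule_once() {
    table="$1"; flag="$2"; shift 2
    if [ "$DRY_RUN" = "1" ] || ! iptables -t "$table" -C "$@" 2>/dev/null; then
        ipt -t "$table" "$flag" "$@"
    fi
}

apply_isolation() {
    # -I without a position inserts at the top of the chain, so every later
    # insert lands ABOVE the earlier ones. The two REJECTs go in first...
    rule_once filter -I FORWARD -i "$UNTRUSTED_IF" -o "$TRUSTED_IF" -m state --state NEW -j REJECT
    rule_once filter -I FORWARD -i "$TRUSTED_IF" -o "$UNTRUSTED_IF" -m state --state NEW -j REJECT
    # ...and the single exception last, so it is evaluated before the REJECTs.
    rule_once filter -I FORWARD -i "$TRUSTED_IF" -o "$UNTRUSTED_IF" \
        -s "$ALLOW_SRC" -d "$ALLOW_DST" -m state --state NEW -j ACCEPT
    # Keep the untrusted VLAN away from the router's web GUI.
    rule_once filter -I INPUT -i "$UNTRUSTED_IF" -p tcp --dport 80 -m state --state NEW -j REJECT
    # NAT everything leaving through the WAN (replaces the GUI's NAT setting).
    rule_once nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Reads `iptables -S FORWARD` output on stdin and succeeds (exit 0) only if the
# exception ACCEPT is listed above every REJECT for the same interface pair,
# which is the order the inserts above must produce. On the router:
#   iptables -S FORWARD | exception_precedes_reject && echo "order OK"
exception_precedes_reject() {
    awk -v src="$ALLOW_SRC" -v dst="$ALLOW_DST" -v i="$TRUSTED_IF" -v o="$UNTRUSTED_IF" '
        $0 ~ ("^-A FORWARD .*-i " i " -o " o " ") {
            if ($0 ~ ("-s " src "/32 -d " dst "/32") && $0 ~ /-j ACCEPT/) seen = 1
            else if ($0 ~ /-j REJECT/ && !seen) bad = 1
        }
        END { exit (seen && !bad) ? 0 : 1 }'
}

# Constructed samples of `iptables -S FORWARD` output (not captured from a
# router): the exception on top, and the exception buried under a REJECT.
GOOD_ORDER='-P FORWARD ACCEPT
-A FORWARD -s 172.20.1.200/32 -d 172.20.10.50/32 -i br0 -o vlan10 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o vlan10 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i vlan10 -o br0 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable'
BAD_ORDER='-P FORWARD ACCEPT
-A FORWARD -i br0 -o vlan10 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 172.20.1.200/32 -d 172.20.10.50/32 -i br0 -o vlan10 -m state --state NEW -j ACCEPT
-A FORWARD -i vlan10 -o br0 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable'

# Usage: DRY_RUN=0 sh isolation.sh apply   (from the DD-WRT firewall script)
#        sh isolation.sh                   (prints the commands it would run)
case "${1:-}" in
    apply) apply_isolation ;;
    "")    apply_isolation ;;
esac
```

Run it once without arguments to see the exact commands before committing them to the firewall script with `DRY_RUN=0 ... apply`; the `rule_once` check means the same script can safely run on every boot, and `exception_precedes_reject` is the quick way to confirm that a later `-I` from another script has not pushed the REJECTs back above the exception.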
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sun Aug 01, 2021 11:43    Post subject:
Per Yngve Berg wrote:
Disable Net Isolation and NAT and see if it works then.


Disabled Net Isolation and NAT. The VLAN is still unbridged.



After doing this I still can't ping the device on vlan10 from devices on my main network. I get a "Request timed out." from my computer.

The router itself (via SSH) can ping the device.

Quote:
Leave them off in the GUI and try this.

iptables -I FORWARD -i vlan10 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o vlan10 -m state --state NEW -j REJECT
iptables -I FORWARD -i br0 -o vlan10 -s 172.20.1.200 -d 172.20.10.50 -m state --state NEW -j ACCEPT
iptables -I INPUT -i vlan10 -p tcp --dport 80 -m state --state NEW -j REJECT
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE


Router can still ping the device.

Now my computer gives me: "Destination port unreachable."

At this point I'm starting to think this is some kind of routing issue. There seems to be a route for the subnet:

172.20.10.0/24 dev vlan10 scope link src 172.20.10.1

I don't have other firewall rules active at the moment.

Thank you.

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sun Aug 01, 2021 12:13    Post subject:
From the router try:

ping 172.20.10.50 -I 172.20.1.1

That will ping with 172.20.1.1 as source address.

Does the device have its own firewall blocking access from outside of 172.20.1.x?
TCB13
DD-WRT User


Joined: 06 Jun 2010
Posts: 260
Location: Portugal

PostPosted: Sun Aug 01, 2021 12:16    Post subject:
Per Yngve Berg wrote:
From the router try:

ping 172.20.10.50 -I 172.20.1.1

That will ping with 172.20.1.1 as source address.

Does the device have its own firewall blocking access from outside of 172.20.1.x?


Firewall: No.

The ping works:

Code:
ping 172.20.10.50 -I 172.20.1.1
PING 172.20.10.50 (172.20.10.50) from 172.20.1.1: 56 data bytes
64 bytes from 172.20.10.50: seq=0 ttl=64 time=7.198 ms
64 bytes from 172.20.10.50: seq=1 ttl=64 time=6.967 ms
