Isolate traffic from wireless extender on second subnet?

DD-WRT Forum Index -> Advanced Networking
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sun Jan 02, 2022 10:34
The GUI has the Net Isolation option (as described in my notes) which, when enabled, isolates the VAP from the main network.

It is possible to work with iptables to allow traffic from main (the whole main or only certain clients) to VAP but not the other way around.
All combinations are possible.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Sun Jan 02, 2022 10:53
Whole main to VAP is exactly what I'm after.
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Wed Jan 05, 2022 17:13
egc wrote:
The GUI has the Net Isolation option (as described in my notes) which, when enabled, isolates the VAP from the main network.

It is possible to work with iptables to allow traffic from main (the whole main or only certain clients) to VAP but not the other way around.
All combinations are possible.


Ok, got things working so easily with your guide. Pretty sure the problem is most places have you set up the new network under the bridged settings when it is already set up that way when it is created.

Isolation is working, just have to get the rules going so the main can access the vap. Seems to not be as simple as

Code:
iptables --append FORWARD --protocol all --src 192.168.0.1/24 --dst 192.168.10.1/24 --jump ACCEPT
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Wed Jan 05, 2022 20:48
Use insert instead of append. It may be appended after the reject rules.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Thu Jan 06, 2022 9:17
If @PYB's suggestion does not work, you'd better do it manually: disable Net Isolation and use @eibgrad's rules:
https://pastebin.com/r4u62P0B

veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Sun Jan 09, 2022 7:09
Ok, getting closer, but having an issue since one of the routers is a secondary. I followed the VAP on WAP instructions, but cannot get everything correct.

Code:
# Suggested name - internet works, net isolation doesn't work
iptables -I FORWARD -i wl1.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
# My actual shown device name - ip address, no internet
iptables -I FORWARD -i wlan1.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


Essentially, it doesn't seem to like me using wlan1.1, but using wl1.1 doesn't seem to add the rules.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sun Jan 09, 2022 7:39
I lost track of how you set up in the end.

Please describe your current setup

veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Sun Jan 09, 2022 8:35
egc wrote:
I lost track of how you set up in the end.

Please describe your current setup


Currently, I am setting this up on a WRT1900ACSV2 (DHCP disabled, set as DHCP Forwarder) that is used as the downstairs router. Main router is a WRT1900AC (DHCP enabled). Hardwired between the two.

VAP enabled on the router is wlan1.1
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sun Jan 09, 2022 10:00
veekay wrote:
egc wrote:
I lost track of how you set up in the end.

Please describe your current setup


Currently, I am setting this up on a WRT1900ACSV2 (DHCP disabled, set as DHCP Forwarder) that is used as the downstairs router. Main router is a WRT1900AC (DHCP enabled). Hardwired between the two.

VAP enabled on the router is wlan1.1


If the VAP is on the main router and you want to access the VAP from the main subnet but not the other way around, then disable Net Isolation and try the following iptables rules:
Code:
GUEST_IF="wlan1.1"
PORT_DHCP="67"
PORT_DNS="53"

# limit guests to essential router services (icmp, dns, dhcp)
iptables -I INPUT -i $GUEST_IF -j REJECT
iptables -I INPUT -p icmp -i $GUEST_IF -j ACCEPT
iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DHCP -j ACCEPT
iptables -I INPUT -p tcp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
 
# deny access to main network by guests (internet only)
iptables -I FORWARD -i $GUEST_IF -o br0 -m state --state NEW -j REJECT


Test from the CLI and, if working, save via Administration/Commands/Save Firewall.

You can see the rules in action with:
iptables -vnL FORWARD
iptables -vnL INPUT

for some light reading: https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

As an unrelated side note, setting DHCP Forwarder is wrong; DHCP should be OFF on a WAP ( https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point )

veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Sun Jan 09, 2022 10:29
VAP is on the secondary router. Main router will have one as well, but I'm not messing with that until I get it working on a less important one.

Currently, I am using this code from what you linked to before, with net isolation off

Code:
#!/bin/sh
GUEST_NET="192.168.10.0/24" # <-- must match guest ip network
GUEST_IF="wlan1.1" # <-- must match guest network interface (br1, wl0.1, etc.)

WAN_IF="$(ip route | awk '/^default/{print $NF}')"

PORT_DHCP="67"
PORT_DNS="53"

# limit guests to essential router services (icmp, dns, dhcp)
iptables -I INPUT -i $GUEST_IF -j REJECT
iptables -I INPUT -p icmp -i $GUEST_IF -j ACCEPT
iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DHCP -j ACCEPT
iptables -I INPUT -p tcp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT
iptables -I INPUT -p udp  -i $GUEST_IF --dport $PORT_DNS  -j ACCEPT

# deny access to private network by guests (internet only)
iptables -I FORWARD -i $GUEST_IF -o br0 -m state --state NEW -j REJECT

# deny access to guests by private network (optional)
iptables -I FORWARD -i br0 -o $GUEST_IF -m state --state NEW -j REJECT

# nat guest network over WAN (internet)
iptables -t nat -I POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE


With that code, this is what the rules in action give me

Code:
iptables: No chain/target/match by that name.
Chain INPUT (policy ACCEPT 31 packets, 7022 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  wlan1.1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  wlan1.1 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  wlan1.1 *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     icmp --  wlan1.1 *       0.0.0.0/0            0.0.0.0/0           
    0     0 REJECT     all  --  wlan1.1 *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable


Same results with your code. DHCP is working, net is isolated, but no internet access.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

Posted: Sun Jan 09, 2022 11:09
The rules I posted are for isolating a VAP on the main router.

If you want to isolate a VAP on a WAP, then these rules should do it; if not, you should check your setup:

In the web interface of the router (the WAP), under Administration/Commands, Save Firewall:
Code:
#Always necessary (alternatively set static route on main router):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

#Replace with the appropriate interface e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan1.1"
#Net Isolation does not work on a WAP so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

#For isolating the WAP itself from the guest network:
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT



N.B. Delete all the other rules.

To be perfectly clear those rules should be set on the WAP and not on the main router, the main router should not have any extra rules.

veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Sun Jan 09, 2022 18:40
Same thing as with all other attempts, when connecting to the VAP all I get is an ip address without internet access. No other rules are in place except what you posted.

Is it normal for the source and destination to still have 0.0.0.0/0 in all of the rules?

Also just to verify, if the rules box is empty, does that mean all rules are deleted or has everything I have been adding during these tests been put into the iptables? Reading through that iptables link I see mention of --flush -F [chain], so do I need to run that command for each of the 5 chains?
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Mon Jan 10, 2022 22:17
Tried one more thing using the same rules I use on another DD-WRT router at my office, which works just fine.

Still no internet. Oddly enough, the wifi icon shows as it having internet, but cannot ping or connect to anything.

In another post I saw it mentioned about the switch config part - https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=330391

While the WAN is disabled, I do have all 5 ports populated on my router. Could the internet issue come down to something related to that? I tried switching the connection from the WAN port to the LAN, but the same thing happened.

On the Switch Config page I have 0 1 2. 0 has nothing checked. 1 has 1-4 and 2 has wan checked.

Edit - to make things even more strange - I took another router running stock firmware and flashed DD-WRT. Set up the VAP and everything worked perfectly right away. Reset the ACSv2 I have been using and started over. All is fine until the firewall rules, where I still get the same results. Reset again, flashed the firmware again, all the same. I'm out of ideas on this.
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Tue Jan 11, 2022 19:27
Still trying, still stuck without internet.

Followed this page https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326297

I get the same results where I get internet on VAP, but it can still access the main router. I add the final rule, but the rule changes nothing.

So no matter what I try I lose access to the internet on the VAP when I try to isolate it. Connection still thinks it has internet, but doesn't.
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

Posted: Thu Jan 13, 2022 6:23
So, finally have it working. After seeing this work on every other router I tested, I went through to see what was different. The only thing I saw was that I didn't set up wireless security when testing, just kept the VAP open. Disabled security on my 1900 and boom, everything worked. After that I turned WPA back on and it still worked. No idea why that would matter, but whatever.

So now I'm running

Code:
#Always necessary (alternatively set static route on main router):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

#Replace with the appropriate interface e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan1.1"
#Net Isolation does not work on a WAP so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

#For isolating the WAP itself from the guest network:
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT


Everything is working as it should. I really wanted to use the rules from the eibgrad post, but they always failed.

Currently, I cannot get any rules working correctly that allow me to access the VAP clients from my main subnet.

Code:
iptables -I FORWARD -i br0 -o $GUEST_IF -m state --state NEW -j ACCEPT


In regards to going from my main subnet to the VAP, I have tried multiple variations of rules I have come across.
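The two points the thread turns on, Per Yngve Berg's -I versus -A ordering and the stateful asymmetry of the final WAP rule (NEW guest->LAN rejected, LAN-initiated flows and their replies untouched), can be reasoned through with this small first-match model. It is an added example, not code from the thread or from DD-WRT; `Rule`, `Chain`, the addresses and the interface name are constructed, and conntrack state is supplied by hand instead of being tracked.

```python
# Added example, not from the thread: a first-match model of an iptables chain for
# reasoning about the FORWARD rules above. Conntrack state is supplied per packet
# rather than tracked; the addresses and interface names are constructed.
import ipaddress
from dataclasses import dataclass

LAN_NET, GUEST_IF = "192.168.0.0/24", "wlan1.1"   # constructed, like the thread's values

@dataclass
class Rule:
    target: str          # -j ACCEPT / REJECT
    in_if: str = ""      # -i
    out_if: str = ""     # -o
    dst: str = ""        # -d CIDR
    state: str = ""      # -m state --state NEW|ESTABLISHED (empty = any)

    def matches(self, p: dict) -> bool:
        return ((not self.in_if or p["in"] == self.in_if)
                and (not self.out_if or p["out"] == self.out_if)
                and (not self.dst or ipaddress.ip_address(p["dst"]) in ipaddress.ip_network(self.dst))
                and (not self.state or p["state"] == self.state))

class Chain:   # rules are walked top-down; the first match decides, otherwise the policy does
    def __init__(self, policy: str = "ACCEPT"):
        self.rules, self.policy = [], policy
    def insert(self, r: Rule):   # iptables -I CHAIN: new rule becomes rule number 1
        self.rules.insert(0, r)
    def append(self, r: Rule):   # iptables -A CHAIN: new rule lands after every existing rule
        self.rules.append(r)
    def verdict(self, p: dict) -> str:
        return next((r.target for r in self.rules if r.matches(p)), self.policy)

def pkt(in_if: str, out_if: str, dst: str, state: str) -> dict:
    return {"in": in_if, "out": out_if, "dst": dst, "state": state}

def wap_forward_verdicts() -> dict:
    """Only the WAP rule from the thread: reject NEW guest->LAN; LAN-initiated flows pass."""
    c = Chain()
    c.insert(Rule("REJECT", in_if=GUEST_IF, dst=LAN_NET, state="NEW"))
    return {
        "guest->lan NEW": c.verdict(pkt(GUEST_IF, "br0", "192.168.0.50", "NEW")),
        "lan->guest NEW": c.verdict(pkt("br0", GUEST_IF, "192.168.10.20", "NEW")),
        "guest->lan reply": c.verdict(pkt(GUEST_IF, "br0", "192.168.0.50", "ESTABLISHED")),
    }

def lan_to_guest_accept(flag: str) -> str:
    """With eibgrad's optional br0->guest REJECT installed, add an ACCEPT via -A or -I."""
    c = Chain()
    c.insert(Rule("REJECT", in_if="br0", out_if=GUEST_IF, state="NEW"))
    accept = Rule("ACCEPT", in_if="br0", out_if=GUEST_IF, state="NEW")
    c.append(accept) if flag == "-A" else c.insert(accept)
    return c.verdict(pkt("br0", GUEST_IF, "192.168.10.20", "NEW"))   # -A: REJECT, -I: ACCEPT
```

An appended ACCEPT that sits below a matching REJECT is never reached, which is why the order of `iptables -vnL FORWARD` output matters more than the rule text itself.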
Page 2 of 2. All times are GMT.