R7000: Subnet/Net Isolation Ineffective

DD-WRT Forum Index -> Advanced Networking
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sun May 29, 2022 10:03
As far as I know it is like this:

Net Isolation is designed for a guest network.

The guest network is isolated from the main network.

So when connected to the VAP/Guest Network with Net isolation enabled you should not be able to connect to clients on the main network and you should not be able to connect to the router itself (FORWARD and INPUT chain).

From the main network you can connect to the VAP (as -m state --state NEW is used)

Other VAPs can connect to other VAPs.

I have not tested if that is really working on recent builds but it was on older builds.

You should be able to see the rules in action with:
iptables -vnL FORWARD
iptables -vnL INPUT

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sun May 29, 2022 11:47
VAPs connecting to other VAPs and communicating with each other is not possible with AP/net isolation enabled in unbridged setups, plus additional independent subnets set under Multiple DHCP Server on the Networking tab.

Other setups are a different thing; the VAPs may then be able to communicate with each other if on the same subnet without AP isolation enabled.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon May 30, 2022 7:58
On my router (this is the travel router EA6900 running 48954) it does seem possible.

Main network is 192.168.1.1
VAP wl0.1 on 192.168.21.0/24
VAP wl1.1 on 192.168.22.0/24


Net isolation and AP isolation enabled, these are the firewall rules which are set because net isolation is enabled:
Code:
root@EA6900:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  wl0.1  *       0.0.0.0/0            192.168.1.0/24       state NEW
    0     0 DROP       all  --  wl1.1  *       0.0.0.0/0            192.168.1.0/24       state NEW
  635  186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED


I can happily ping from clients connected to wl0.1 to clients on wl1.1 and the other way around

Not surprising, as the firewall rules only isolate the VAPs from the main network and not from each other, and AP isolation isolates wifi clients from each other on the same interface.

Of course the clients are on different subnets and might have their own firewall not allowing other subnets, but this is not something you can rely on.

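The listing above, and the `iptables -vnL FORWARD` / `iptables -vnL INPUT` checks suggested in the first post, can be audited mechanically rather than by eye. The following is an added example, not code from this thread or from DD-WRT: a POSIX shell script that parses a saved `iptables -vnL` listing and reports, per VAP, whether new connections toward the main subnet and toward each other VAP's subnet are dropped. The embedded listing is constructed to match the FORWARD chain posted above, and the VAP-to-subnet mapping (wl0.1 on 192.168.21.0/24, wl1.1 on 192.168.22.0/24) is taken from that post; the function names and the PASS/LEAK labels are my own. Rule order is ignored, which is only valid because DD-WRT inserts its isolation DROPs ahead of the ACCEPTs, as the listing shows.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: audit a saved
# `iptables -vnL <chain>` listing and report which VAP is isolated from
# which destination subnet. Run on a desktop against copied output, or on
# the router with: report "$(iptables -vnL FORWARD)".

MAIN_NET="192.168.1.0/24"

# VAP interface and its subnet, as in the post above (constructed mapping).
VAPS='wl0.1 192.168.21.0/24
wl1.1 192.168.22.0/24'

# Constructed sample: the FORWARD chain exactly as posted for the EA6900.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  wl0.1  *       0.0.0.0/0            192.168.1.0/24       state NEW
    0     0 DROP       all  --  wl1.1  *       0.0.0.0/0            192.168.1.0/24       state NEW
  635  186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# isolated LISTING IN_IFACE DST_NET
# Exit 0 if LISTING holds a DROP rule for new connections entering on
# IN_IFACE whose destination is DST_NET or "anywhere" (0.0.0.0/0).
# Columns of -vnL output: pkts bytes target prot opt in out source destination [extra].
# Rule order is ignored: valid only when the DROPs sit above the ACCEPTs,
# which is how DD-WRT's net isolation inserts them.
isolated() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v dst="$3" '
        $3 == "DROP" && $6 == ifc && ($9 == dst || $9 == "0.0.0.0/0") && /state NEW/ { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# report LISTING
# One line per VAP and destination: PASS if a matching DROP exists, LEAK if not.
report() {
    printf '%s\n' "$VAPS" | while read -r vap net; do
        if isolated "$1" "$vap" "$MAIN_NET"; then s=PASS; else s=LEAK; fi
        printf '%s -> main %s: %s\n' "$vap" "$MAIN_NET" "$s"
        printf '%s\n' "$VAPS" | while read -r peer pnet; do
            [ "$peer" = "$vap" ] && continue
            if isolated "$1" "$vap" "$pnet"; then s=PASS; else s=LEAK; fi
            printf '%s -> %s %s: %s\n' "$vap" "$peer" "$pnet" "$s"
        done
    done
}

# leak_count LISTING -> number of LEAK lines. For the sample this is 2:
# each VAP reaches the other VAP's subnet, which is what the post observed.
leak_count() {
    report "$1" | grep -c 'LEAK$'
}

report "$SAMPLE_FORWARD"
```

The same `isolated` check run against `iptables -vnL INPUT`, with the router's own address (or 0.0.0.0/0) as the destination, tells you whether the router itself is reachable from a VAP: packets addressed to one of the router's own IPs traverse INPUT, not FORWARD, so a FORWARD-only audit says nothing about them.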
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Mon May 30, 2022 8:18
@egc

On my R7800, the VAPs are not isolated from each other either, as I have already written here >

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1263136#1263136

Also interesting: if you bridge the VAPs, then even the router is reachable >

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1263652#1263652
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon May 30, 2022 8:33
Thanks for confirming.

The bridged VAPs being able to reach the router is interesting; the bridge should isolate the attached VAPs from the router if net isolation is enabled on the bridge. Not sure why this is not working.

Unbridged VAPs not being isolated from each other is by design, but should perhaps be known to the general public.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Mon May 30, 2022 8:37
There is a third point in the first link.
The network isolation only works when the WAN connection is activated.
If the WAN is inactive because the ISP may have a network fault, then no network isolation will work at all.

Quote:
works for me only with active PPPoE WAN connection.
If I disable the WAN interface no network isolation works at all.
Same if I set to "automatic DHCP" (no DHCP server on WAN side - so no WAN connection) = all subnets are fully reachable


I also tested it by simply unplugging my modem from the telephone socket :)

https://svn.dd-wrt.com/ticket/5240
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Mon May 30, 2022 8:44
Hmm that could perhaps be classified as a bug.

When I am back from travelling I will look a little deeper in the code.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Mon May 30, 2022 8:50
Because of the bridged VAP, I just remembered that I probably made a mistake.

I'll have to check that quickly - it was definitely a user error on my part.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Mon May 30, 2022 9:14
No, it was not because of my own firewall rules.
I have deleted all my rules.

br1 = 192.168.3.1

Code:
ifconfig wlp3s0 | grep inet
        inet 192.168.3.144  netmask 255.255.255.0  broadcast 192.168.3.255

ssh root@192.168.1.1

root@DD-WRT:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  wlan0.1 *       0.0.0.0/0            192.168.1.0/24       state NEW
    0     0 DROP       all  --  wlan1.1 *       0.0.0.0/0            192.168.1.0/24       state NEW
   12  1008 DROP       all  --  br1    *       0.0.0.0/0            192.168.1.0/24       state NEW
 1625  605K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  184 25929 upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   22  5565 lan2wan    all  --  br1    *       0.0.0.0/0            0.0.0.0/0           
  184 25929 lan2wan    all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
  162 20364 ACCEPT     all  --  br0    ppp0    0.0.0.0/0            0.0.0.0/0           
   22  5565 ACCEPT     all  --  br1    ppp0    0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      ppp0    192.168.1.0/24       0.0.0.0/0            tcp dpt:1723
    0     0 ACCEPT     47   --  *      ppp0    192.168.1.0/24       0.0.0.0/0           
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            192.168.1.100        tcp spts:49152:65530
    0     0 DROP       udp  --  *      *       0.0.0.0/0            192.168.1.100        udp dpts:49152:65530
    0     0 TRIGGER    all  --  ppp0   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 TRIGGER    all  --  ppp0   eth0    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  ppp0   eth1    0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  ppp0   wlan0   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 DROP       all  --  br0    wlan0.1  0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  ppp0   wlan0.1  0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan0.1 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  wlan0.1 *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  ppp0   wlan1   0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  wlan1  *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 DROP       all  --  br0    wlan1.1  0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  ppp0   wlan1.1  0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  wlan1.1 *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  wlan1.1 *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 DROP       all  --  br0    br1     0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 TRIGGER    all  --  ppp0   br1     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
    0     0 trigger_out  all  --  br1    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0   


Code:
ping 192.168.1.1 -c 3
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=4.70 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=2.65 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=2.87 ms

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.648/3.406/4.704/0.922 ms

ping 192.168.1.110 -c 3
PING 192.168.1.110 (192.168.1.110) 56(84) bytes of data.

--- 192.168.1.110 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2042ms


then no idea...

The router is still accessible but all other devices are not (110 is my Pi-hole).
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Mon May 30, 2022 9:52
egc wrote:
on my router (this is the travel router EA6900 running 48954) it does seem possible.

Main network is 192.168.1.1
VAP wl0.1 on 192.168.21.0/24
VAP wl1.1 on 192.168.22.0/24

Net isolation and AP isolation enabled, these are the firewall rules which are set because net isolation is enabled:
Code:
root@EA6900:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  wl0.1  *       0.0.0.0/0            192.168.1.0/24       state NEW
    0     0 DROP       all  --  wl1.1  *       0.0.0.0/0            192.168.1.0/24       state NEW
  635  186K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED


I can happily ping from clients connected to wl0.1 to clients on wl1.1 and the other way around

Not surprising, as the firewall rules only isolate the VAPs from the main network and not from each other, and AP isolation isolates wifi clients from each other on the same interface.

Of course the clients are on different subnets and might have their own firewall not allowing other subnets, but this is not something you can rely on.


I would consider that a bug of sorts. Net isolation is supposed to isolate one subnet from another, end of story; if it only isolates VAP clients from the wired LAN, then the design is incomplete and not accounting for the other possibilities.

That is not surprising, given some implementations are the simplest possible at the time of inception. Clearly in 2022 the relevant code needs to account for more situations. This code was likely last touched in 80 BC.

You cannot rely on any clients having any firewalls, like you mentioned ;) most user mobile devices, if not all, don't have any a user can access, or any at all. These ACLs are configured at router level on any sane network, either the main gateway or any other routers within the route, depending on the complexity of the network.

I would expect DD-WRT to be able to do this by default when enabling Net Isolation.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue May 31, 2022 7:00
Small addition, Net isolation isolates not only VAP clients from wired LAN but also from Wireless clients on the main network.

For now I propose to alter the text in the setting to reflect this behavior so something like:
Quote:
Net Isolation (from main network)


Of course it is possible to automatically isolate VAPs from other VAPs, but how to determine what is a VAP?
You do not want to isolate the VAP automatically from e.g. a WG or VPN interface.

So maybe make a pick list like the one I did for Avahi, but that is much work, much code, and you can simply add your own iptables rules to isolate the VAPs from each other.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Tue May 31, 2022 10:51
Well, the interface identifiers determine what is a VAP, or don't they?

I'm sure there are firewall rules that can be used and input manually, but it would be nice if enabling Net isolation on the VAPs did this automatically, also when subnets are different between VAPs. Again, different subnets being a key determination whether Net isolation should apply.

But those are my brain farts. I've no idea about the code changes necessary.

And also when WAN is down, Net isolation should still work (apparently it does not), in fact there are quite a few issues that affect the UI when WAN is down, e.g. Reboot.asp either loads the HTML and no CSS, or doesn't load ANY HTML at all and then there is no such page displayed even if address bar shows the Reboot.asp.

Perhaps other issues affect other functions when WAN is down, no idea what the true extent is of what is affected or not. This should have its own topic.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Tue May 31, 2022 10:57
So at least on Atheros you can read VAPs from the nvram:

Code:
nvram show | grep vif

wlan1_vifs=wlan1.1
wlan0_vifs=wlan0.1


Code:
nvram show | grep vif

wlan1_vifs=wlan1.1 wlan1.2
wlan0_vifs=wlan0.1


or there are certainly other possibilities if you search for "vifs" in the code
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue May 31, 2022 11:21
But what if you make br1 and add those vifs to br1?
You cannot use the vifs but have to use br1.

Just an example that it probably is more complicated.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Tue May 31, 2022 11:36
mhm well .....

If you bridge the VAPs (via brX) then you have to enable the network isolation on the bridge anyway.

(the network isolation is then not available on the individual VAPs).

The bridge then also has the IP address etc...

So an additional bridge (e.g. br1) should only be isolated from the main network anyway?
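The "add your own iptables rules to isolate the VAPs from each other" suggestion, the `nvram show | grep vifs` lookup, and the point that VAPs placed in br1 must be addressed as br1 rather than by their own name can be combined into one generator. The following is an added example, not code from this thread or from DD-WRT: a POSIX shell script that reads the `*_vifs` nvram values, maps any VAP that belongs to a bridge onto that bridge, and prints one `iptables -I FORWARD ... -m state --state NEW -j DROP` line per ordered pair of distinct isolation domains, in the same style as the rules DD-WRT's own net isolation writes. The nvram text and the bridge-membership line embedded below are constructed; the one-line-per-bridge "br1 member member" format of the bridge map is an assumption of this script (on a router you would build it from `brctl show`), and the function names are my own. The rules are only printed, never applied; review them and paste them into DD-WRT's custom firewall script.

```shell
#!/bin/sh
# Added example, not DD-WRT code: generate VAP-to-VAP isolation rules.
# Constructed inputs; on a router use "$(nvram show 2>/dev/null | grep vifs)"
# and a bridge map built from `brctl show`.

NVRAM_SAMPLE='wlan1_vifs=wlan1.1 wlan1.2
wlan0_vifs=wlan0.1'

# Assumed format: one line per bridge, bridge name first, then its members.
BRIDGE_SAMPLE='br1 wlan0.1 wlan1.1'

# vap_ifaces NVRAM_TEXT -> space-separated VAP interface names.
# Handles both Atheros (wlan0_vifs=wlan0.1) and Broadcom (wl0_vifs=wl0.1).
vap_ifaces() {
    printf '%s\n' "$1" | sed -n 's/^[a-z0-9]*_vifs=//p' | tr '\n' ' '
}

# firewall_iface IFACE BRIDGE_MAP -> the interface the firewall must name.
# A VAP that is a bridge member is replaced by its bridge; once wlan0.1 sits
# in br1 the -i/-o match has to say br1, not wlan0.1.
firewall_iface() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        { for (i = 2; i <= NF; i++) if ($i == ifc) { print $1; found = 1; exit } }
        END { if (!found) print ifc }'
}

# isolation_rules VAPS BRIDGE_MAP -> iptables commands, one per line.
# Distinct isolation domains (VAPs, or the bridges holding them) get a DROP
# for NEW connections in each direction; established replies still pass
# through DD-WRT's RELATED,ESTABLISHED ACCEPT. Output is printed, not run.
isolation_rules() {
    domains=""
    for v in $1; do
        d=$(firewall_iface "$v" "$2")
        case " $domains " in
            *" $d "*) ;;                      # already collected
            *) domains="$domains $d" ;;
        esac
    done
    for a in $domains; do
        for b in $domains; do
            [ "$a" = "$b" ] && continue
            printf 'iptables -I FORWARD -i %s -o %s -m state --state NEW -j DROP\n' "$a" "$b"
        done
    done
}

echo "# unbridged: three VAPs, six rules"
isolation_rules "$(vap_ifaces "$NVRAM_SAMPLE")" ""
echo "# wlan0.1 and wlan1.1 bridged into br1: two domains, two rules"
isolation_rules "$(vap_ifaces "$NVRAM_SAMPLE")" "$BRIDGE_SAMPLE"
```

These rules only cover forwarded traffic between the VAP domains. Reaching the router itself from a VAP is decided in the INPUT chain, so it is not changed by anything this script emits and has to be checked separately.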