Posted: Wed Jul 06, 2022 7:25 Post subject: [SOLVED] Help needed with IPTABLE commands
Hello all, I am configuring iptables for my router. I have two VLANs, VLAN3 (192.168.0.x/24) and VLAN4 (10.0.0.x/16), and have further associated them with the br0 and br1 bridge interfaces. As VLANs they work fine and issue IP addresses as per the configuration. I wanted the entire traffic of br1 (VLAN4) to be blocked from entering br0 (VLAN3) and used the following commands, as far as I could search online, but the br1 network systems can still comfortably ping the systems present in the br0 network. Kindly guide me to the appropriate commands to fix the issue. I have also attached my router page and the iptables -vnL command output just for reference, and I am running the latest firmware build r49392.
# Internet access (eth0 is the virtual port carrying the WAN)
iptables -I FORWARD -i br1 -o eth0 -m state --state NEW -j ACCEPT
# Block traffic coming from br1 into br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
# Block router access from br1
iptables -I INPUT -i br1 -m state --state NEW -j DROP
# Allow DHCP requests to the router
iptables -I INPUT -i vlan3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i vlan4 -p udp --dport 67 -j ACCEPT
Last edited by arunesh_dutta on Sun Jul 10, 2022 17:56; edited 3 times in total
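The OP's rules rewritten as a re-runnable firewall script, added here as an example and not code from the thread or from DD-WRT: the guest-to-trusted DROP goes into a dedicated chain so its position and its hit counter are easy to check with iptables -vnL GUEST_FWD, and every dropped packet is logged (rate-limited) so a ping that still gets through can be distinguished from one the firewall never saw. It assumes br1 is the guest VLAN4 bridge, br0 the trusted VLAN3 bridge, that the WAN name comes from DD-WRT's get_wanface (eth0 is only a stand-in for the dry run), and that the router also serves DNS to the guest side.

```shell
# Added example, not code from the thread: the OP's rules rewritten into two
# dedicated chains so order is explicit and "iptables -vnL GUEST_FWD" shows the
# rule each packet hit. Assumes br1 = guest VLAN4 bridge, br0 = trusted VLAN3
# bridge, WAN name from DD-WRT's get_wanface (eth0 is only a preview stand-in).

# With DRY_RUN=1 the commands are printed, not executed (review without root).
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf 'iptables %s\n' "$*"
    else iptables "$@"; fi
}

# Create the chain if it is missing, then empty it, so the script is re-runnable.
fresh_chain() { ipt -N "$1" 2>/dev/null; ipt -F "$1"; }

# isolate_bridges GUEST TRUSTED WAN
isolate_bridges() {
    guest="$1"; trusted="$2"; wan="$3"
    fresh_chain GUEST_FWD
    # Log (rate-limited) then drop everything guest -> trusted, whatever the
    # conntrack state; matching only NEW would let an existing flow continue.
    ipt -A GUEST_FWD -i "$guest" -o "$trusted" -m limit --limit 5/min \
        -j LOG --log-prefix "guest>trusted drop: "
    ipt -A GUEST_FWD -i "$guest" -o "$trusted" -j DROP
    ipt -A GUEST_FWD -i "$guest" -o "$wan" -j ACCEPT   # internet stays open
    ipt -A GUEST_FWD -j RETURN

    fresh_chain GUEST_IN
    # Router services for guests: DHCP, plus DNS on the assumption that the
    # router is the guest resolver; any other new connection is dropped.
    ipt -A GUEST_IN -i "$guest" -p udp --dport 67 -j ACCEPT
    ipt -A GUEST_IN -i "$guest" -p udp --dport 53 -j ACCEPT
    ipt -A GUEST_IN -i "$guest" -p tcp --dport 53 -j ACCEPT
    ipt -A GUEST_IN -i "$guest" -m state --state NEW -j DROP
    ipt -A GUEST_IN -j RETURN

    # Hook each chain at the top of its built-in chain exactly once.
    for hook in "FORWARD GUEST_FWD" "INPUT GUEST_IN"; do
        set -- $hook
        ipt -D "$1" -j "$2" 2>/dev/null
        ipt -I "$1" 1 -j "$2"
    done

    # NAT guest traffic out of the WAN interface (the rule suggested in the thread).
    ipt -t nat -D POSTROUTING -o "$wan" -j MASQUERADE 2>/dev/null
    ipt -t nat -I POSTROUTING -o "$wan" -j MASQUERADE
}
# On the router (Administration > Commands, saved as Firewall):
#   isolate_bridges br1 br0 "$(get_wanface)"
# Preview on any box:  DRY_RUN=1 isolate_bridges br1 br0 eth0
```

If the GUEST_FWD DROP counter stays at zero while pings still get through, the traffic is not being routed through the firewall at all, which points at the switch VLAN configuration rather than at iptables.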
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Wed Jul 06, 2022 10:26 Post subject:
If the VLANs are associated with their respective bridges (which is the usual way), you do not use the VLANs directly in ip rules; you do it by addressing the bridges.
To see what you have done, show a screenshot of the Basic Setup page, Switch config and Networking page.
Show output from the CLI (telnet/Putty) of:
iptables -vnL
Joined: 16 Nov 2015 Posts: 6440 Location: UK, London, just across the river..
Posted: Wed Jul 06, 2022 11:28 Post subject:
And I guess your issue is... you can ping those VLANs and they respond to the ping...??
How do you ping them, from the router side or from devices that are on those different VLANs...?
If VLANs are made as they should be, especially on a bridge with net isolation... they should be isolated enough... the only trouble comes when you did something wrong... or your router has a dumb switch... and doesn't do the real VLAN isolation as it should...
-give us a pic of your setup from the Networking page
-output of swconfig dev switch0 show before you add your startup swconfig rules and after you apply those...!!
-then we need to see the output of iptables -vnL
-as well, to NAT the VLANs you need this rule too
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
or this one instead (a bit better syntax)
iptables -t nat -I POSTROUTING -o $(get_wanface) -j MASQUERADE
As I said before... doing VLANs on the TP-Link 8xx series in OpenWRT and DD-WRT could be different; I didn't have success in the past, but who knows...
Those who advised you that this is possible should have helped you, as I cannot go further....
Last edited by Alozaros on Wed Jul 06, 2022 12:31; edited 1 time in total
Joined: 08 May 2018 Posts: 14223 Location: Texas, USA
Posted: Wed Jul 06, 2022 12:31 Post subject:
You can't isolate bridges with iptables that I'm aware of. What is the output of swconfig dev xxxx show? By default, VLANs are not s'posed to be able to connect to one another, I thought...
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Wed Jul 06, 2022 22:28 Post subject:
Further to hints dropped by various posters above, here are my two cents.
It may not be what you want to hear, but the TP-Link TL-WR841ND v11 does not have 802.1q (i.e. VLAN capability) in its specs by its maker, for a start.
It's fair to say that its designer, fully aware of its hardware limitation of 32 megabytes of RAM, simply removed VLAN as a standard feature. (Imagine its maker would otherwise be accused of misleading advertising.)
To use a metaphor: a car's engine may be running, but it's unwise to expect it to run smoothly if it's loaded far beyond its maximum payload. Just imagine it running up a steep hill without stalling.
I understand that for VLANs to run smoothly on that device, it would need 4 times its actual RAM, i.e. 128MB.
So, to think that it can somehow run VLANs is to kinda dismiss its designer's qualification of the product's capability.
Cheers. (Just don't shoot the messenger.)
then this device should be VLAN capable. It is really difficult sometimes to sift through the repo for answers. But we still have no idea what the OP has done to configure the device, or have any outputs of swconfig commands to work with. So, here we are.
Thanks, responder. The router is running the latest firmware build r49392 and I tried making the changes using the command option present in the router interface. The VLANs with their respective IP ranges are working when connected on the particular ports as configured (ports 1, 2, 3: vlan3 >> br0; port 4: vlan4 >> br1) and get the respective IP addresses of 192.168.0.x and 10.0.0.x only. What I also need is complete network blockage from vlan4 (br1) to vlan3 (br0), as ping from br1 to br0 happens comfortably.
Kindly guide me on what the command should be; I guess you mean swconfig dev switch0? The VLANs with their respective IP ranges are working when connected on the particular ports as configured (ports 1, 2, 3: vlan3 >> br0; port 4: vlan4 >> br1) and get the respective IP addresses of 192.168.0.x and 10.0.0.x only. What I also need is complete network blockage from vlan4 (br1) to vlan3 (br0), as ping from br1 to br0 happens comfortably.
This does not look like a router set up as a normal gateway, i.e. connected with its WAN port to the internet?
Without enough information it is very difficult to help you.
Thanks, responder. I mentioned it's in the default state with the latest firmware build r49392; the WAN port is connected to the internet. The VLANs with their respective IP ranges are working when connected on the particular ports as configured (ports 1, 2, 3: vlan3 >> br0; port 4: vlan4 >> br1) and get the respective IP addresses of 192.168.0.x and 10.0.0.x only. What I also need is complete network blockage from vlan4 (br1) to vlan3 (br0), as ping from br1 to br0 happens comfortably.