[SOLVED] Access to resources from specific VLANs/Bridges

DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

PostPosted: Tue Aug 16, 2022 23:47    Post subject: [SOLVED] Access to resources from specific VLANs/Bridges
Dear gurus,

My R9000 has several VLANs. Due to its dual switches, these VLANs are placed on their own bridges so they can work without conflict, each in a separate network. At present, no traffic crosses VLAN and/or bridge boundaries.

Port 4 of R9000 is connected to a second router. On R9000, Port 4 is designated as VLAN14 and placed on bridge br14.

Behind the second router are a shared printer and a NAS, with IPs 192.168.14.5 and 192.168.14.10 respectively.

I need to allow devices from br0 (172.20.0.X) and brHLAN (172.20.10.X) to access the printer and NAS (behind br14).

I would appreciate some help, please.


Additional info:
GUI Current settings:

(See image for details)


Startup CLI:
Code:
sleep 4
# Setup VLANS
# Switch0 Config
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "0t 4t 6t"
swconfig dev switch0 vlan 2 set ports "3 5t"
swconfig dev switch0 vlan 8 set ports "0t 1 2 4t 6t"
swconfig dev switch0 vlan 10 set ports "0t 4t 6t"
swconfig dev switch0 vlan 12 set ports "0t 4t 6t"
swconfig dev switch0 vlan 14 set ports "0t 4t 6t"
swconfig dev switch0 set apply
# Switch1 Config
swconfig dev switch1 set enable_vlan 1
swconfig dev switch1 vlan 1 set ports "0t 2 5t"
swconfig dev switch1 vlan 8 set ports "0t 5t"
swconfig dev switch1 vlan 10 set ports "0t 1 5t"
swconfig dev switch1 vlan 12 set ports "0t 3 5t"
swconfig dev switch1 vlan 14 set ports "0t 4 5t"
swconfig dev switch1 set apply
# adding vlan link
vconfig add eth1 8
vconfig add eth1 10
vconfig add eth1 12
vconfig add eth1 14
# give vlans a kick into life
ifconfig vlan8 up
ifconfig vlan10 up
ifconfig vlan12 up
ifconfig vlan14 up
# Bridging vlans for connection in recalcitrant R9000
brctl addif br8 vlan8
brctl addif br10 vlan10
brctl addif br12 vlan12
brctl addif br14 vlan14

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6409
Location: UK, London, just across the river..

PostPosted: Wed Aug 17, 2022 7:19    Post subject:
I guess you have to set br crossing rules...
I don't know if you will be able to set only specific clients to do that instead...

--------------------------------------------------------------------
Life is a journey, travel alone makes it less enjoyable and lonely. -- yeah, I got my router with me Razz

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Wed Aug 17, 2022 7:31    Post subject:
Bridges themselves are not isolated by default (and even with Net Isolation enabled they are not isolated from each other, at least not on the builds you are using).

So do you have Net isolation enabled? Are you using rules to isolate the bridges from each other?

If not, you should be able to reach other bridges, but you are talking about a secondary router that can have its own firewall depending on how it is set up.

In that case you have to open up the firewall of the secondary router, set a static route on the main router and not isolate the connecting bridge (as it is isolated from br0 if you have Net Isolation enabled).

So food for thought Smile

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

PostPosted: Wed Aug 17, 2022 21:57    Post subject:
Hi,

Alozaros wrote:
I guess you have to set br crossing rules...
I don't know if you will be able to set only specific clients to do that instead...


I wanted network separation. So, access by selected devices across VLAN/bridge boundary becomes an exception in my case.

Alozaros wrote:
----
Life is a journey, travel alone makes it less enjoyable and lonely.
-- yeah, I got my router with me Razz


Good to hear you finally got your R9000 (if my assumption is correct). Recent releases of DDWRT versions seem to have ironed out many recalcitrant issues with my R9000. Version updating runs more smoothly without a reset, manual or otherwise, in my case as earlier.


egc wrote:
Bridges themselves are not isolated by default (also not with Net Isolation enabled they are not isolated from each other, at least not on builds you are using)

So do you have Net isolation enabled? Are you using rules to isolate the bridges from each other?

If not you should be able to reach other bridges...


Right, I did enable 'Net Isolation', so all bridges, except br0, are isolated from one another.

egc wrote:

...but you are talking about a secondary router that can have its own firewall depending on how it is set up. In that case you have to open up the firewall of the secondary router, set a static route on the main router and not isolate the connecting bridge (as it is isolated from br0 if you have Net Isolation enabled)

So food for thought Smile


Thank you, I am aware of this requirement. It's a MikroTik router, actually.

Let me go offline and re-arrange the settings for br14. Will be back, one way or another.

---------------------
Thank you again, Alozaros and egc.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12836
Location: Netherlands

PostPosted: Thu Aug 18, 2022 9:28    Post subject:
Note there is a bug in the firewall rule where Net Isolation does not isolate the router from the bridge; this has been corrected in the last build:
https://svn.dd-wrt.com/changeset/49695

Furthermore, bridges are not isolated from each other, not even if you have enabled Net Isolation; that only isolates the bridge from br0 and from the router.

So to isolate bridges from each other you have to do that manually, e.g.
Code:
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT

etc.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

PostPosted: Thu Aug 18, 2022 21:19    Post subject:
egc wrote:
Note there is a bug in the firewall rule where Net Isolation does not isolate the router from the bridge; this has been corrected in the last build:
https://svn.dd-wrt.com/changeset/49695

Furthermore, bridges are not isolated from each other, not even if you have enabled Net Isolation; that only isolates the bridge from br0 and from the router.

So to isolate bridges from each other you have to do that manually, e.g.
Code:
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT

etc.


Thanks for your help, egc. It was confusing to me when I first set this up, with my limited understanding of the CLI. Your explanation certainly makes a lot of sense now regarding the 'inconsistency' of the Net Isolation feature relating to bridge settings. Glad to know that.

I am still working through the firewalls on the second router. But will write a final post for completeness, once resolved.

Thanks again.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
DWCruiser
DD-WRT User


Joined: 15 Aug 2016
Posts: 223
Location: Melbourne, Australia

PostPosted: Sat Aug 20, 2022 14:16    Post subject:
Having spent several hours learning about and resolving the firewall issue on the second router (a MikroTik), I was able to send a print job from a PC behind the DD-WRT router (R1) to the printer behind R2.

On the R1:
In short, I set up a static route to the printer's IP (with /32 as the destination) and the (WAN) IP of R2 as the gateway (Setup/Advanced Routing).

On the R2:
MikroTik's settings can be very granular, but they are also highly complex. It goes with the territory, so to speak. (Steps not given here due to the different platform.)

End note:
I have had a dual-network setup at home for a long time, but this is the first time I have set up a connection for printing across networks. My next attempt will be a replication to gain access to my NAS from another separate network.

P.S. I noticed that someone else already marked this issue as SOLVED earlier. Smile

Thanks again.

_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
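Putting egc's manual bridge-isolation rules and the OP's /32 static route together as one DD-WRT firewall script, as an added example that is not code from this thread. The bridge names br0, brHLAN and br14 and the printer/NAS addresses come from the posts; the list of isolated bridges, the `R2_WAN` address (a placeholder for the MikroTik's WAN IP on br14) and the `IPT`/`IPR` dry-run switches are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): isolate the secondary bridges from each
# other, then carve out the two exceptions the thread is about.
# Assumed: IPT/IPR can be overridden (IPT=echo IPR=echo) for a dry run;
# R2_WAN is a PLACEHOLDER for the MikroTik's WAN address on br14.
IPT="${IPT:-iptables}"
IPR="${IPR:-ip}"
R2_WAN="${R2_WAN:-192.168.99.2}"   # PLACEHOLDER: set to the real R2 WAN IP
PRINTER=192.168.14.5               # from the thread
NAS=192.168.14.10                  # from the thread

# Bridges to keep apart; br0 is the trusted LAN and is left out on purpose.
ISOLATED="br8 br10 br12 br14 brHLAN"

isolate_bridges() {
    # Match NEW only, so replies to the flows allowed below still pass via
    # DD-WRT's existing RELATED,ESTABLISHED accept rule. The br14 rule also
    # stops R2 itself from opening connections into the other bridges.
    for b in $ISOLATED; do
        $IPT -I FORWARD -i "$b" -o br+ -m state --state NEW -j REJECT
    done
}

allow_host() {
    # $1 = source bridge, $2 = host behind R2. -I inserts at the top of the
    # chain, so this must run AFTER isolate_bridges to land above the REJECTs.
    $IPT -I FORWARD -i "$1" -o br14 -d "$2/32" -m state --state NEW -j ACCEPT
}

add_routes() {
    # Hosts behind R2 are reached via R2's WAN address on br14, i.e. the /32
    # static route the OP set under Setup/Advanced Routing.
    for h in $PRINTER $NAS; do
        $IPR route replace "$h/32" via "$R2_WAN"
    done
}

apply_all() {
    isolate_bridges            # REJECTs first ...
    for src in br0 brHLAN; do  # ... then the exceptions, so they end up on top
        allow_host "$src" "$PRINTER"
        allow_host "$src" "$NAS"
    done
    add_routes
}
```

Run with `IPT=echo IPR=echo` first to review the generated rules; on the router, call `apply_all` from the saved firewall script so the rules are re-applied on every firewall restart.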