[SOLVED] Connect to IoT network from Main Network

spacemancw
DD-WRT Novice


Joined: 13 Nov 2008
Posts: 20

PostPosted: Mon Sep 26, 2022 8:49    Post subject: [SOLVED] Connect to IoT network from Main Network
I have an Asus RT-AC68U C1
Firmware: DD-WRT v3.0-r33006 std (08/03/17)

I created 2 new networks for IoT and guest, but I cannot connect to one of them from the main network. I cannot ping devices in br2 from br0. I have no iptables commands in Administration > Commands.

I can ping from br0 to br1.

I put eth4 into VLAN7, I added 2.4 and 5GHz virtual interfaces for the IoT network, wl0.1 and wl1.1, with WPA2 security and a new SSID. Created bridge br1 and then assigned VLAN7 and the 2 wifi interfaces to bridge br1. Assigned an IP to br1, 192.168.107.250, and a DHCP range.

For br2, I did similar: created guest virtual interfaces wl0.2 and wl1.2 with the guest SSID, created bridge br2 and assigned the 2 interfaces to br2, assigned IP 192.168.200.250 and a DHCP range.

I deleted all iptables rules. I can ping from a laptop on br0, which is 192.168.10.0/24, to the br2 network: I tried two iPhones that get 192.168.200.x addresses on the br2 wifi, and I can ping them both from br0. When I put the phones on the br1 wifi network, they get 192.168.107.x addresses but I cannot ping them from the laptop which is on the main network, br0.

I want to be able to ping devices on both of those networks from br0, the main network, but I don't want br1 or br2 to be able to ping the main network, br0.

I have tried a number of rules where I was able to prevent traffic from br1/br2 to br0.
But I can't get past why I can only ping br2 and not br1 from br0. Both new networks are set up the same way.

I'm segmenting the network: main (br0), IoT (br1) and Guest (br2). Main needs to be able to get to both br1 and br2, but not vice versa.

Any help would be appreciated.
thanks
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6435
Location: UK, London, just across the river..

PostPosted: Mon Sep 26, 2022 9:08    Post subject:
Scary old build you are using, you should update to the last build 50176;
consider the lots of security holes in your build, as well as some better handling on
br, vlans and net isolation... on the newer builds.
So, I guess in your case net isolation could be the issue; turn it off and use vlans on bridge
with br to br isolation rules via iptables commands instead of net isolation, so only selected br to br will communicate.

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55779 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913


Last edited by Alozaros on Mon Sep 26, 2022 9:10; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Mon Sep 26, 2022 9:09    Post subject:
Your build is seriously old and outdated with known security vulnerabilities.

Upgrading to a recent build e.g. 50176 is highly recommended.

*After* upgrade reset to defaults and put settings in manually, do not restore from a backup (to a different build).

After that report back to discuss the necessary firewall rules.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Mon Sep 26, 2022 9:11    Post subject:
Moved this thread to the appropriate forum, see:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

spacemancw
DD-WRT Novice


Joined: 13 Nov 2008
Posts: 20

PostPosted: Mon Sep 26, 2022 18:08    Post subject:
Updated to Firmware: DD-WRT v3.0-r50176 std (09/15/22)


Net Isolation was not enabled. Actually tried it enabled, but it is disabled again.

So I built the config from scratch with all the same settings. And now I get no internet access with the IoT or the guest network. I can only get internet access from the main network.

ipconfig shows no IP assigned from either IoT or guest. I have Multiple DHCP Servers set up just like before.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Mon Sep 26, 2022 18:27    Post subject:
See the attached doc for how I do it.


Attachment: DDWRT Virtual Access Point Public-2.doc (508.5 KB)


spacemancw
DD-WRT Novice


Joined: 13 Nov 2008
Posts: 20

PostPosted: Tue Sep 27, 2022 6:37    Post subject:
Well, looks like I have it mostly working.
I had to add this to my firewall commands:

sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas

My initial config was fine, it's just a bug seen with Broadcom devices and the commands are a workaround. Thanks egc for the doc.

So now both br1 and br2 have internet access.
For the most part br1 and br2 cannot ping br0, but they can both ping the IP of br0, 192.168.8.250 (and curiously one single IP that belongs to a Dell). I ran Angry IP Scanner and it only found that Dell IP (142) and the gateway (250). I will investigate the 142 later.
I do have rules to deny http, https, ssh, telnet to br1 and br2; they work.

Not great with iptables, tried to add rules to deny ping from br1 and br2 to br0, didn't work.

Code:
iptables -I FORWARD -p icmp --icmp-type echo-request -s 192.168.200.0/24  -d 192.168.8.0/24  -j DROP
iptables -I FORWARD -p icmp --icmp-type echo-request -s 192.168.200.0/24  -d 192.168.107.0/24 -j DROP


Also tried a few different builds, thought I had bricked my device at one point. I settled on Firmware: DD-WRT v3.0-r44048 std (08/02/20)

Now that I have the commands to shut/no-shut the interfaces, I may try the latest firmware later.

Next I have to move all my IoT devices, Alexa, TVs etc to the IoT network, and figure out how to connect to them from phone which I think will be on the main wifi network.

If you have ideas on how to stop the pinging, that would be great.

Thanks for all the replies and help
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Tue Sep 27, 2022 6:49    Post subject:
Those commands are only necessary on outdated builds.

So instead of using those commands I would highly recommend updating to a recent build, as of today 50274.



Last edited by egc on Tue Sep 27, 2022 11:55; edited 1 time in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6865
Location: Romerike, Norway

PostPosted: Tue Sep 27, 2022 11:45    Post subject:
These rules in the FORWARD chain will prevent pinging nodes on the other bridge, but will not prevent pinging the router itself. That must be done in the INPUT chain.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Tue Sep 27, 2022 12:09    Post subject:
In addition, on a recent build (e.g. 50274), when NET isolation is enabled it will isolate the router itself from br1 and br2 (there was a bug in earlier builds).

You still have to isolate br1 and br2 from each other and allow your phone from the main network to connect.

To isolate br1 and br2 from each other:
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP

To be able to administer from the main network:
iptables -I FORWARD -i br0 -o br+ -j ACCEPT

This rule should be added as the last one.
Instead of -i br0 you can use -s with the IP address of your phone (if it has a static IP).

Some other examples: https://pastebin.com/r4u62P0B

Test rules from the CLI (telnet/PuTTY) and if they work, add them to Administration/Commands and Save as Firewall.

spacemancw
DD-WRT Novice


Joined: 13 Nov 2008
Posts: 20

PostPosted: Wed Sep 28, 2022 2:45    Post subject:
Thanks very much everyone.
I updated to 50274.
I had previously tried 50176 but had trouble.

50274 seems to be doing what I want without extra shut/no-shut commands on the interfaces.

With iptables rules in place, br1 and br2 cannot ping the br0 gateway or br0 devices. Thanks egc.


Now to migrate devices to the IoT network.

I read that one school of thought is to put phones and tablets on the IoT network, as phones consider all networks as hostile. I wouldn't object to that but I have a dilemma with a printer. I can put the printer on the main network, and we can print to it from laptops. But then that makes it a problem to print to it from the phone on the IoT network.

Any thoughts?

thanks again.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12873
Location: Netherlands

PostPosted: Wed Sep 28, 2022 6:29    Post subject:
I trust my phones and tablet (they still receive updates) so I have those on my main network, but if you have old phones without any security updates you might set them on a separate network.

You can make your printer on the main network accessible from IoT e.g. with:
Code:
iptables -I FORWARD -i br1 -o br0 -p tcp -d 192.168.1.100 --dport 9100 -m state --state NEW -j ACCEPT


The rule has to be after the other rules, and the printer is only accessible by IP address; there is no discovery between subnets (if it uses mDNS for discovery you can use mDNS/Avahi).

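Pulling the thread's rules together as an added example (not egc's or the DD-WRT project's own script): one firewall script for br0 (main), br1 (IoT) and br2 (guest) that covers egc's FORWARD isolation and br0 -> br+ allowance, Per Yngve Berg's point that the router itself must be protected in the INPUT chain, and the printer exception from the last post. The printer address 192.168.8.100 and the function names apply_rules/dry_run are assumptions; because iptables -I puts each new rule at the top of the chain, the script issues the DROP rules first and the exceptions that must win over them last.

```shell
#!/bin/sh
# Added example for the three-bridge layout in this thread: br0 = main LAN,
# br1 = IoT, br2 = guest. Not egc's or DD-WRT's own script.
# iptables -I inserts at position 1, so the rule issued LAST is evaluated FIRST.
IPT="${IPT:-iptables}"
MAIN="br0"
SEGMENTS="br1 br2"
# Hypothetical printer on the main LAN (placeholder address, adjust before use).
PRINTER_IP="${PRINTER_IP:-192.168.8.100}"

apply_rules() {
    for src in $SEGMENTS; do
        # Router itself (INPUT chain): FORWARD rules never see this traffic, so drop
        # everything from the segment, then add the services its clients still need.
        $IPT -I INPUT -i "$src" -j DROP
        $IPT -I INPUT -i "$src" -p udp --dport 67 -j ACCEPT   # DHCP
        $IPT -I INPUT -i "$src" -p udp --dport 53 -j ACCEPT   # DNS
        $IPT -I INPUT -i "$src" -p tcp --dport 53 -j ACCEPT   # DNS over TCP
        # The segment may not open connections to the main LAN or to another segment.
        $IPT -I FORWARD -i "$src" -o "$MAIN" -m state --state NEW -j DROP
        for dst in $SEGMENTS; do
            if [ "$src" != "$dst" ]; then
                $IPT -I FORWARD -i "$src" -o "$dst" -m state --state NEW -j DROP
            fi
        done
    done
    # Exceptions, issued after the drops so they end up above them in the chain.
    # IoT clients may print to the main-LAN printer, raw JetDirect 9100/tcp only.
    $IPT -I FORWARD -i br1 -o "$MAIN" -p tcp -d "$PRINTER_IP" --dport 9100 -m state --state NEW -j ACCEPT
    # The main LAN may open connections to every bridge (administration, phone to IoT).
    $IPT -I FORWARD -i "$MAIN" -o br+ -j ACCEPT
    # Replies to connections the main LAN or the router opened must always come back.
    $IPT -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Print the rules (one per line, in issue order) for review instead of applying them.
dry_run() { IPT="echo iptables" apply_rules; }

# sh firewall.sh dry-run   -> review the rules
# sh firewall.sh apply     -> apply on the router (or paste with apply_rules into Save Firewall)
case "${1:-}" in
    dry-run) dry_run ;;
    apply)   apply_rules ;;
esac
```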