Posted: Mon Sep 26, 2022 8:49 Post subject: [SOLVED] Connect to IoT network from Main Network
I have an Asus RT-AC68U C1
Firmware: DD-WRT v3.0-r33006 std (08/03/17)
I created 2 new networks for IoT and guest, but I cannot connect to one of them from the main network. I cannot ping devices in br2 from br0. I have no iptables commands in Administration > Commands.
I can ping from br0 to br1.
I put eth4 into VLAN7, I added 2.4 and 5 GHz virtual interfaces for the IoT network, wl0.1 and wl1.1, with WPA2 security and a new SSID. Created bridge br1 and then assigned VLAN7 and the 2 wifi interfaces to bridge br1. Assigned an IP to br1, 192.168.107.250, and a DHCP range.
For br2, I did similar: created guest virtual interfaces wl0.2 and wl1.2 with a guest SSID, created bridge br2 and assigned the 2 interfaces to br2, assigned IP 192.168.200.250 and a DHCP range.
I deleted all iptables rules. I can ping from a laptop on br0, which is 192.168.10.0/24, to the br2 network; I tried two iPhones that get 192.168.200.x addresses on the br2 wifi, and I can ping them both from br0. When I put the phones on the br1 wifi network, they get 192.168.107.x addresses but I cannot ping them from the laptop, which is on the main network, br0.
I want to be able to ping devices on both of those networks from br0, the main network, but I don't want br1 or br2 to be able to ping the main network, br0.
I have tried a number of rules where I was able to prevent traffic from br1/br2 to br0.
But I can't get past why I can only ping br2 and not br1 from br0. Both new networks are set up the same way.
I'm segmenting the network: main (br0), IoT (br1) and Guest (br2). Main needs to be able to get to both br1 and br2, but not vice versa.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Mon Sep 26, 2022 9:08 Post subject:
Scary old build you are using, you should update to the last build 50176,
consider lots of security holes in your build, as well some better handling on
br, vlans and net isolation... on the newer builds.
So, I guess in your case net isolation could be the issue. Turn it off and use vlans on bridge
with br to br isolation rules via iptables commands instead of net isolation, so only selected br to br will communicate.
Last edited by Alozaros on Mon Sep 26, 2022 9:10; edited 1 time in total
Updated to Firmware: DD-WRT v3.0-r50176 std (09/15/22)
Net Isolation was not enabled. Actually tried it enabled, but it is disabled again.
So I built the config from scratch with all the same settings. And now I get no internet access with the IoT or the guest network. I can only get internet access from the main network.
ipconfig shows no IP assigned from either IoT or guest. I have Multiple DHCP Servers set up just like before.
My initial config was fine, it's just a bug seen with Broadcom devices and the commands are a workaround. Thanks egc for the doc.
So now both br1 and br2 have internet access.
For the most part br1 and br2 cannot ping br0, but they can both ping the IP of br0, 192.168.8.250 (and curiously one single IP that belongs to a Dell). I ran Angry IP Scanner and it only found that Dell IP (142) and the gateway (250). I will investigate the 142 later.
I do have rules to deny http, https, ssh, telnet to br1 and br2, and they work.
Not great with iptables; tried to add rules to deny ping from br1 and br2 to br0, didn't work.
Also tried a few different builds, thought I had bricked my device at one point. I settled on Firmware: DD-WRT v3.0-r44048 std (08/02/20)
Now that I have the commands to shut/no-shut the interfaces, I may try the latest firmware later.
Next I have to move all my IoT devices, Alexa, TVs etc to the IoT network, and figure out how to connect to them from phone which I think will be on the main wifi network.
If you have ideas on how to stop the pinging, that would be great.
Joined: 13 Aug 2013 Posts: 6868 Location: Romerike, Norway
Posted: Tue Sep 27, 2022 11:45 Post subject:
These rules in the FORWARD chain will prevent pinging nodes on the other bridge, but will not prevent pinging the router itself. That must be done in the INPUT chain.
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Tue Sep 27, 2022 12:09 Post subject:
In addition, in a recent build (e.g. 50274), when NET isolation is enabled it will isolate the router itself from br1 and br2 (there was a bug in earlier builds).
You still have to isolate br1 and br2 from each other and allow your phone from the main network to connect.
To isolate br1 and br2 from each other:
Code:
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
To be able to administer from the main network:
Code:
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
This rule should be added as the last one.
Instead of -i br0 you can use -s with the IP address of your phone (if it has a static IP).
Thanks very much everyone.
I updated to 50274.
I had previously tried 50176 but had trouble.
50274 seems to be doing what I want without extra shut/no-shut commands on the interfaces.
With iptables rules in place, br1 and br2 cannot ping the br0 gateway or br0 devices. Thanks egc.
Now to migrate devices to the IoT network.
I read that one school of thought is to put phones and tablets on the IoT network, as phones consider all networks as hostile. I wouldn't object to that, but I have a dilemma with a printer. I can put the printer on the main network, and we can print to it from laptops. But then that makes it a problem to print to it from the phone on the IoT network.
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Wed Sep 28, 2022 6:29 Post subject:
I trust my phones and tablet (they still receive updates), so I have those on my main network, but if you have old phones without any security updates you might put them on a separate network.
You can make your printer on the main network accessible from IoT e.g. with:
Code:
iptables -I FORWARD -i br1 -o br0 -p tcp -d 192.168.1.100 --dport 9100 -m state --state NEW -j ACCEPT
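As an added example (not code from the thread or from the DD-WRT project), here is the complete firewall script that the advice in this thread adds up to: egc's FORWARD-chain rules for br1/br2 isolation and the br0 -> br+ administration rule, Per Yngve Berg's point that pinging the router itself has to be stopped in the INPUT chain, and egc's printer exception. It assumes br0 is the main bridge, br1 the IoT bridge and br2 the guest bridge, that the router must still serve DHCP and DNS to br1/br2, and it reuses the printer IP and port from egc's rule as placeholders. By default it only prints the iptables commands (DRY_RUN=1) so the resulting rule set can be reviewed anywhere; in the Administration > Commands firewall box, set DRY_RUN=0.

```sh
#!/bin/sh
# Added example for the DD-WRT "Administration > Commands" firewall box.
# Not from the thread or the DD-WRT project; it combines the FORWARD rules
# egc posted with the INPUT-chain point Per Yngve Berg made.
# Assumptions (not from the page): br0 = main, br1 = IoT, br2 = guest;
# the router still serves DHCP and DNS to br1/br2; printer IP/port are the
# placeholder values from egc's example rule.

MAIN_BR="${MAIN_BR:-br0}"
IOT_BR="${IOT_BR:-br1}"
ISOLATED_BRS="${ISOLATED_BRS:-br1 br2}"
PRINTER_IP="${PRINTER_IP:-192.168.1.100}"   # placeholder from egc's rule
PRINTER_PORT="${PRINTER_PORT:-9100}"
# DRY_RUN=1 (default) prints the commands instead of running them.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_isolation_rules() {
    # Every rule uses -I (insert at the top), so the command issued LAST
    # ends up FIRST in the chain: drops are issued first, exceptions after.
    for br in $ISOLATED_BRS; do
        # INPUT chain: hosts on an isolated bridge cannot reach the router
        # itself (ping, web GUI, ssh ...). Only DHCP, DNS and replies to
        # router-initiated traffic are accepted.
        ipt -I INPUT -i "$br" -j DROP
        ipt -I INPUT -i "$br" -m state --state ESTABLISHED,RELATED -j ACCEPT
        ipt -I INPUT -i "$br" -p udp --dport 67 -j ACCEPT
        ipt -I INPUT -i "$br" -p udp --dport 53 -j ACCEPT
        ipt -I INPUT -i "$br" -p tcp --dport 53 -j ACCEPT

        # FORWARD chain: no NEW connections from an isolated bridge to the
        # main bridge. Replies to connections opened from br0 are
        # ESTABLISHED, so they do not match and still flow back.
        ipt -I FORWARD -i "$br" -o "$MAIN_BR" -m state --state NEW -j DROP

        # Isolated bridges cannot open connections to each other either.
        for other in $ISOLATED_BRS; do
            [ "$br" = "$other" ] && continue
            ipt -I FORWARD -i "$br" -o "$other" -m state --state NEW -j DROP
        done
    done

    # Exception: IoT hosts may print to the printer on the main network
    # (raw printing port), as in egc's rule. Issued after the drops so it
    # sits above them.
    ipt -I FORWARD -i "$IOT_BR" -o "$MAIN_BR" -p tcp -d "$PRINTER_IP" \
        --dport "$PRINTER_PORT" -m state --state NEW -j ACCEPT

    # Issued last so it sits at the very top: the main network may reach
    # every bridge. Replace -i br0 with -s <phone IP> to allow one host only.
    ipt -I FORWARD -i "$MAIN_BR" -o br+ -j ACCEPT
}

apply_isolation_rules
```

The INPUT rules are the manual equivalent of what egc says NET isolation does on recent builds; on a build where NET isolation already isolates the router, they are redundant but harmless. After applying, `iptables -vnL FORWARD` and `iptables -vnL INPUT` show the inserted rules at the top of each chain, and the packet counters on the DROP rules are the quickest way to confirm that a ping from br1 to br0 is actually being discarded.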