Main network talk to VLAN for IoT device.

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
klacourciere@gmail.com
DD-WRT Novice


Joined: 26 Jun 2022
Posts: 3

PostPosted: Mon Oct 10, 2022 18:37    Post subject: Main network talk to VLAN for IoT device.
I have a Linksys WRT3200ACM router. I recently went through the steps to create a VLAN for my IoT devices (VLAN 3), as well as changing ethernet port 4 on the back to be on this VLAN as well. I set up my virtual APs / multiple DHCP so I have WiFi too on this VLAN.

My network is fairly simple. I just wanted my main network (192.168.1.1) and an IoT/Guest network (192.168.99.1) -- which is on VLAN3. My startup script is below, and aside from that I had to do some bridge work in the GUI, and my current bridge table looks like this:

Code:

Name   STP   Interface
br0   no   eth1 wlan0 wlan1 wlan2
br1   no   vlan3 wlan0.1 wlan1.1


I have attempted this about 10 different times; finally, this last time it is working properly. My success was only after following the additional tips found in the later posts of this thread:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317199&postdays=0&postorder=asc&start=0

My current startup script looks like this:

Code:

swconfig dev switch0 set reset 1                 # start from a clean switch configuration
swconfig dev switch0 set enable_vlan 1           # turn on 802.1Q VLAN filtering in the switch
swconfig dev switch0 vlan 1 set ports "6 1 2 3"  # VLAN 1 (main LAN): CPU port 6 + three LAN ports, untagged
swconfig dev switch0 vlan 2 set ports "5 4"      # VLAN 2 (WAN side): CPU port 5 + port 4
swconfig dev switch0 vlan 3 set ports "6t 0"     # VLAN 3 (IoT): CPU port 6 tagged + switch port 0 (ethernet port 4 on the back)
swconfig dev switch0 set apply                   # commit the VLAN table to the switch
vconfig set_name_type VLAN_PLUS_VID_NO_PAD       # new 802.1Q interfaces are named vlanN rather than eth1.N
vconfig add eth1 3                               # create vlan3 on eth1, the LAN-side CPU interface
ifconfig vlan3 up
brctl addif br1 vlan3                            # attach the tagged VLAN 3 interface to the IoT bridge



I did NOT enable Net Isolation in the bridge network settings, nor did I change any of the default settings for the VAPs.

When I currently ping from my desktop (192.168.1.114) to my laptop on the VAP VLAN3 (192.168.99.134) it times out... when I ping from my laptop to the desktop it also times out.

I believe this is good (as far as security goes) -- HOWEVER, I did not turn on net isolation or add any firewall settings to create a separation of the VLANs.


So here are my questions and what I want to do:

1) What do I need to do (either in the GUI and/or by adding firewall commands) to properly isolate my IoT network so it can not access my main network?

2) How can I allow access between my main network and IoT network ONLY IF the request comes from my main network. i.e. I am on my phone connected to my main network, I want to use the Roku remote app - but my Roku is on my IoT network.

Thank you in advance. I will be happy to post my current firewall settings if that will help. (Can someone remind me of the command in Telnet to display my current firewall settings?)
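A worked example for both questions, added here and not taken from the thread or from DD-WRT's own rule set: a script for the Firewall box under Administration > Commands. It assumes br1 is the IoT bridge (from the bridge table above) and eth0 is the WAN interface (from the NAT rules posted later in this thread); change the variables if yours differ.

```shell
#!/bin/sh
# Added example; not DD-WRT's own rules and not from this thread. Isolates the IoT
# bridge from the main bridge while letting main-network clients open connections
# to IoT devices. Meant for the Firewall script box under Administration > Commands:
# DD-WRT runs it after building its default rules, so the jumps go in at position 1
# to take precedence over the default "-i br1 ... --state NEW -j ACCEPT".
# Assumed names: br1 = IoT bridge (from the bridge table), eth0 = WAN (from the NAT
# rules posted in this thread). Override with environment variables if yours differ.
# Without a usable iptables (not root, or not installed) the commands are only printed.
IPT=${IPT:-iptables}
IOT_BR=${IOT_BR:-br1}
WAN_IF=${WAN_IF:-eth0}
if [ "$(id -u)" != 0 ] || ! "$IPT" -L INPUT -n >/dev/null 2>&1; then IPT=echo; fi

iot_isolation_rules() {
    # --- packets forwarded THROUGH the router that arrived on the IoT bridge ---
    $IPT -N iot_fwd 2>/dev/null || $IPT -F iot_fwd
    # answers to sessions that the main network (or the internet) opened keep flowing
    $IPT -A iot_fwd -m state --state RELATED,ESTABLISHED -j ACCEPT
    # IoT devices may still reach the internet
    $IPT -A iot_fwd -o "$WAN_IF" -j ACCEPT
    # everything else from IoT, above all NEW connections towards br0, is dropped
    $IPT -A iot_fwd -j DROP
    $IPT -D FORWARD -i "$IOT_BR" -j iot_fwd 2>/dev/null || true   # idempotent on re-run
    $IPT -I FORWARD 1 -i "$IOT_BR" -j iot_fwd

    # --- packets addressed TO the router itself from the IoT bridge ---
    $IPT -N iot_in 2>/dev/null || $IPT -F iot_in
    $IPT -A iot_in -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A iot_in -p udp --dport 67 -j ACCEPT   # DHCP
    $IPT -A iot_in -p udp --dport 53 -j ACCEPT   # DNS
    $IPT -A iot_in -p tcp --dport 53 -j ACCEPT
    # no web GUI, SSH or Telnet on the router from IoT devices (the default is "-i br1 -j ACCEPT")
    $IPT -A iot_in -j DROP
    $IPT -D INPUT -i "$IOT_BR" -j iot_in 2>/dev/null || true
    $IPT -I INPUT 1 -i "$IOT_BR" -j iot_in
    # br0 -> br1 needs nothing extra: DD-WRT's default
    # "-A FORWARD -i br0 -m state --state NEW -j ACCEPT" lets the main network open
    # the connection, and the RELATED,ESTABLISHED rule in iot_fwd lets the answers back.
}

iot_isolation_rules
```

Order is the whole point: DD-WRT's own `-A FORWARD -i br1 -m state --state NEW -j ACCEPT` would otherwise let an IoT device open connections into br0, so the jump has to sit above it. Check with `iptables -vnL FORWARD` and `iptables -vnL iot_fwd`, then ping from each side: a ping from br0 to an IoT host should be answered, a ping from the IoT side to br0 (or to the router's own address) should not. Two caveats: the Roku remote app discovers the player with SSDP multicast, which is link-local and does not cross the router, so expect to enter the player's IP by hand or run a multicast reflector; and the INPUT rules leave IoT devices only DHCP and DNS on the router itself, so add a rule for anything else they legitimately need from it.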
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Tue Oct 11, 2022 11:00    Post subject:
By default bridges are not isolated from each other, so I am not sure what is going on.

I will move your thread to the Marvell forum as VLANs are router specific.

What build are you running?

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
klacourciere@gmail.com
DD-WRT Novice


Joined: 26 Jun 2022
Posts: 3

PostPosted: Wed Oct 12, 2022 1:36    Post subject:
I am running:
Firmware: DD-WRT v3.0-r50308 std (10/01/22)


Below is my current firewall:

... Yes, I named my router Velociraptor :)

So if @egc or anyone can first help me understand why I can't ping one VLAN from the other, that would be great. AFAIK I didn't add anything to block pings/traffic between VLANs - so now I am even more confused. Thank you!!


Code:

BusyBox v1.35.0 (2022-10-01 01:56:39 +07) built-in shell (ash)

root@Velociraptor:~# cat /tmp/.ipt
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p icmp -d 69.14.172.58 -j DNAT --to-destination 192.168.1.1
-A PREROUTING -d 69.14.172.58 -j TRIGGER --trigger-type dnat
-A POSTROUTING -s 192.168.1.1/24 -o eth0 -j SNAT --to-source 69.14.172.58
-A POSTROUTING -s 192.168.99.1/24 -o eth0 -j SNAT --to-source 69.14.172.58
-A POSTROUTING -o br1 -m pkttype --pkt-type broadcast -j RETURN
-A POSTROUTING -o br1 -s 192.168.99.1/24 -d 192.168.99.1/24 -j MASQUERADE
-A POSTROUTING -o br0 -m pkttype --pkt-type broadcast -j RETURN
-A POSTROUTING -o br0 -s 192.168.1.1/24 -d 192.168.1.1/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
:logreject - [0:0]
:trigger_out - [0:0]
:upnp - [0:0]
:lan2wan - [0:0]
:grp_1 - [0:0]
:advgrp_1 - [0:0]
:grp_2 - [0:0]
:advgrp_2 - [0:0]
:grp_3 - [0:0]
:advgrp_3 - [0:0]
:grp_4 - [0:0]
:advgrp_4 - [0:0]
:grp_5 - [0:0]
:advgrp_5 - [0:0]
:grp_6 - [0:0]
:advgrp_6 - [0:0]
:grp_7 - [0:0]
:advgrp_7 - [0:0]
:grp_8 - [0:0]
:advgrp_8 - [0:0]
:grp_9 - [0:0]
:advgrp_9 - [0:0]
:grp_10 - [0:0]
:advgrp_10 - [0:0]
:grp_11 - [0:0]
:advgrp_11 - [0:0]
:grp_12 - [0:0]
:advgrp_12 - [0:0]
:grp_13 - [0:0]
:advgrp_13 - [0:0]
:grp_14 - [0:0]
:advgrp_14 - [0:0]
:grp_15 - [0:0]
:advgrp_15 - [0:0]
:grp_16 - [0:0]
:advgrp_16 - [0:0]
:grp_17 - [0:0]
:advgrp_17 - [0:0]
:grp_18 - [0:0]
:advgrp_18 - [0:0]
:grp_19 - [0:0]
:advgrp_19 - [0:0]
:grp_20 - [0:0]
:advgrp_20 - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p icmp -j DROP
-A INPUT -i eth0 -p igmp -j DROP
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
# the IoT bridge may reach every service on the router itself (web GUI, SSH/Telnet, DNS, DHCP)
-A INPUT -i br1 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -i br1 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -o br0 -j ACCEPT
-A OUTPUT -o br1 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j upnp
-A FORWARD -i br1 -j lan2wan
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -o eth0 -s 192.168.1.1/24 -p tcp --dport 1723 -j ACCEPT
-A FORWARD -o eth0 -s 192.168.1.1/24 -p gre -j ACCEPT
-A FORWARD -i eth0 -o br0 -j TRIGGER --trigger-type in
-A FORWARD -i br0 -j trigger_out
-A FORWARD -i eth0 -o eth1 -j TRIGGER --trigger-type in
-A FORWARD -i eth1 -j trigger_out
-A FORWARD -i eth1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o vlan3 -j TRIGGER --trigger-type in
-A FORWARD -i vlan3 -j trigger_out
-A FORWARD -i vlan3 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o wlan0 -j TRIGGER --trigger-type in
-A FORWARD -i wlan0 -j trigger_out
-A FORWARD -i wlan0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o wlan0.1 -j TRIGGER --trigger-type in
-A FORWARD -i wlan0.1 -j trigger_out
-A FORWARD -i wlan0.1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o wlan1 -j TRIGGER --trigger-type in
-A FORWARD -i wlan1 -j trigger_out
-A FORWARD -i wlan1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o wlan1.1 -j TRIGGER --trigger-type in
-A FORWARD -i wlan1.1 -j trigger_out
-A FORWARD -i wlan1.1 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o wlan2 -j TRIGGER --trigger-type in
-A FORWARD -i wlan2 -j trigger_out
-A FORWARD -i wlan2 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o br1 -j TRIGGER --trigger-type in
-A FORWARD -i br1 -j trigger_out
# NEW connections arriving on br1 or br0 are accepted whatever the output interface,
# so br1 -> br0 and br0 -> br1 are both forwarded: there is no VLAN isolation here
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -j DROP
-A logaccept -j ACCEPT
-A logdrop -j DROP
-A logreject -p tcp -j REJECT --reject-with tcp-reset
COMMIT
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Wed Oct 12, 2022 10:16    Post subject:
It is easier to view firewall rules with:
iptables -vnL FORWARD|INPUT|OUTPUT

But I do not see any drop rules, so it does not seem to be the firewall of the router.

Some clients have their own firewall which could be blocking incoming traffic from other subnets?

You use VLAN 3 do you have wired IoT clients?

I cannot comment on the VLANs those are router specific (and I am not an expert)

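To make egc's check mechanical, an added example that is not part of the thread and not DD-WRT code: a walker that takes an iptables-save dump plus one packet's in/out interface, conntrack state, protocol and addresses, and prints the rule that decides it. The sample dump is an excerpt of the rules posted above; the client addresses and the WAN source 203.0.113.5 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread or of DD-WRT: walk an iptables-save dump
# and report which rule decides the fate of one packet. Only -i, -o, -p, -s, -d,
# -m state --state and -j are modelled; jumps into user chains are followed and
# RETURN is honoured. Options it does not know (--dport, --tcp-flags, pkttype,
# "!" negation, ...) are skipped, so such a rule counts as matching whenever its
# known options match. Usage:
#   fw_verdict DUMP CHAIN IN_IFACE OUT_IFACE STATE PROTO SRC_IP DST_IP
fw_verdict() {
    awk -v table=filter -v chain="$2" -v qin="$3" -v qout="$4" -v qstate="$5" \
        -v qproto="$6" -v qsrc="$7" -v qdst="$8" '
    function ip2n(s,   a) { split(s, a, "."); return ((a[1]*256 + a[2])*256 + a[3])*256 + a[4] }
    function incidr(ip, cidr,   p, n, d) {          # is ip inside cidr (a.b.c.d or a.b.c.d/len)?
        n = split(cidr, p, "/"); d = 2 ^ (32 - (n == 2 ? p[2] : 32))
        return int(ip2n(ip) / d) == int(ip2n(p[1]) / d)
    }
    function walk(ch,   i, r, t, nt, k, ok, target, st) {
        for (i = 1; i <= nr[ch] + 0; i++) {
            r = rule[ch, i]; nt = split(r, t, " "); ok = 1; target = ""
            for (k = 3; k <= nt; k++) {                 # t[1] = "-A", t[2] = chain name
                if      (t[k] == "-i")      { if (t[k+1] != qin)   ok = 0; k++ }
                else if (t[k] == "-o")      { if (t[k+1] != qout)  ok = 0; k++ }
                else if (t[k] == "-p")      { if (t[k+1] != qproto) ok = 0; k++ }
                else if (t[k] == "-s")      { if (!incidr(qsrc, t[k+1])) ok = 0; k++ }
                else if (t[k] == "-d")      { if (!incidr(qdst, t[k+1])) ok = 0; k++ }
                else if (t[k] == "--state") { st = "," t[k+1] ","; if (!index(st, "," qstate ",")) ok = 0; k++ }
                else if (t[k] == "-j")      { target = t[k+1]; k++ }
            }
            if (!ok) continue
            if (target == "ACCEPT" || target == "DROP" || target == "REJECT") {
                printf "%s via %s\n", target, r; return 1
            }
            if (target == "RETURN") return 0
            if ((target, 1) in rule && walk(target)) return 1
            # TRIGGER, TCPMSS, empty user chains ...: not terminal, keep walking
        }
        return 0
    }
    /^\*/ { cur = substr($0, 2); next }                        # table header: *nat, *filter, ...
    cur == table && /^:/  { policy[substr($1, 2)] = $2; next } # ":FORWARD ACCEPT [0:0]"
    cur == table && /^-A/ { rule[$2, ++nr[$2]] = $0 }
    END { if (!walk(chain)) printf "%s via chain policy\n", policy[chain] }
    ' "$1"
}

# Constructed input: INPUT and FORWARD lines copied from the dump posted in this
# thread, trimmed to the ones that matter for br0 <-> br1 and WAN traffic.
write_sample_dump() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:trigger_out - [0:0]
:upnp - [0:0]
:lan2wan - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i br1 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j upnp
-A FORWARD -i br1 -j lan2wan
-A FORWARD -j lan2wan
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -o eth0 -s 192.168.1.1/24 -p tcp --dport 1723 -j ACCEPT
-A FORWARD -i eth0 -o br1 -j TRIGGER --trigger-type in
-A FORWARD -i br1 -j trigger_out
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -m state --state NEW -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}
DUMP=$(mktemp)
write_sample_dump > "$DUMP"
echo "IoT  -> main, NEW icmp:      $(fw_verdict "$DUMP" FORWARD br1 br0 NEW icmp 192.168.99.134 192.168.1.114)"
echo "main -> IoT,  NEW tcp:       $(fw_verdict "$DUMP" FORWARD br0 br1 NEW tcp 192.168.1.114 192.168.99.134)"
echo "WAN  -> IoT,  NEW tcp:       $(fw_verdict "$DUMP" FORWARD eth0 br1 NEW tcp 203.0.113.5 192.168.99.134)"
echo "IoT  -> router GUI, NEW tcp: $(fw_verdict "$DUMP" INPUT br1 '' NEW tcp 192.168.99.134 192.168.99.1)"
```

For br1 -> br0 NEW the walk stops at `-A FORWARD -i br1 -m state --state NEW -j ACCEPT`, for br0 -> br1 at its br0 twin, and an IoT client talking to the router itself hits `-A INPUT -i br1 -j ACCEPT`; only unsolicited WAN traffic reaches the final `-A FORWARD -j DROP`. The filter table therefore forwards between the two bridges in both directions, which is egc's reading, and the missing pings are being stopped somewhere this table cannot see (a host firewall, or the VLAN/bridge layer). Because unmodelled options are skipped, a `--dport` rule counts as matching for any port, so read a reported ACCEPT as "this rule could accept it" and confirm with the packet counters from `iptables -vnL FORWARD`.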