(ASK) Isolate Each VLAN

Author Message
danish14
DD-WRT Novice


Joined: 23 Apr 2008
Posts: 25

Posted: Tue Sep 23, 2008 16:59    Post subject: (ASK) Isolate Each VLAN
I have made 3 separate VLANs (vlan2=port4 & vlan3=port3) on my GL.
vlan2 address: 192.168.3.1/24 dhcp
vlan3 address: 192.168.4.1/24 dhcp

When I have an IP from vlan2, I can still ping a vlan3 address.
What I want is to isolate the vlan2 addresses from the vlan3 addresses so they can't ping each other anymore.
The goal is: the vlan2 address I use for access to the router web admin only. The vlan3 address is for other clients, not for connecting to the dd-wrt web admin.
So it is secure (I hope) from sniffing or other stuff to steal my user or password.

Please, can anyone give me a hand?
Thanks for the help.
Sorry if my English is not good.
Bird333
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 809

Posted: Tue Sep 23, 2008 17:48
Sounds like you haven't set up iptables rules to block traffic. See this.

http://www.geek-pages.com/articles/latest/dd-wrt_-_setting_up_a_separate/isolated_vlan_on_port_4_with_dhcp.html
danish14
DD-WRT Novice


Joined: 23 Apr 2008
Posts: 25

Posted: Tue Sep 23, 2008 18:17
Yup ... I have read it before. Sure, I followed the instructions from there and from the wiki too.

The problem is I'm not experienced with iptables commands.
I use v24, DHCP on the WAN side; v24 is simple enough to use from the GUI to make VLANs. Thanks to the developers.

Besides separating (vlan0=port1 & 2, vlan2=port4, vlan3=port3, wifi is off), on each VLAN I still get Internet access. I just want to secure it so each VLAN can't ping the others. That's what I want. Are these commands good for me? Sorry, I'm just a noob. :)

iptables -I INPUT -i vlan2 -j ACCEPT
iptables -I INPUT -i vlan3 -j ACCEPT
iptables -I INPUT -i vlan0 -j ACCEPT

iptables -I FORWARD -i vlan2 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o vlan1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan0 -o vlan1 -m state --state NEW -j ACCEPT

iptables -I FORWARD -i vlan2 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o ppp0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan0 -o ppp0 -m state --state NEW -j ACCEPT

iptables -I FORWARD -i br0 -o vlan2 -j logdrop
iptables -I FORWARD -i br0 -o vlan3 -j logdrop
iptables -I FORWARD -i br0 -o vlan0 -j logdrop

thanks for help
Bird333
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 809

Posted: Tue Sep 23, 2008 18:43
You need additional rules to stop the traffic. For example

iptables -I FORWARD -i vlan2 -o vlan0 -j logdrop
iptables -I FORWARD -i vlan3 -o vlan0 -j logdrop
iptables -I FORWARD -i vlan2 -o vlan3 -j logdrop
iptables -I FORWARD -i vlan3 -o vlan2 -j logdrop
iptables -I FORWARD -i vlan0 -o vlan2 -j logdrop
iptables -I FORWARD -i vlan0 -o vlan3 -j logdrop
danish14
DD-WRT Novice


Joined: 23 Apr 2008
Posts: 25

Posted: Wed Sep 24, 2008 15:44
Well ... I started again, reset the router and followed exactly the instructions from http://www.geek-pages.com/articles/latest/dd-wrt_-_setting_up_a_separate/isolated_vlan_on_port_4_with_dhcp.html

The iptables rules do not work ...

vlan1 = port 1,2,3 = 192.168.100.1/24
vlan2 = port 4 = 192.168.101.1/24

Even at vlan2 = port 4 (192.168.101/24), I can still access the web admin with the IP that vlan1 has (192.168.100.1/24), and also from vlan1 to the vlan4 IP.

Maybe I am missing something somewhere ...

Thanks
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1240

Posted: Wed Sep 24, 2008 17:02
You will always be able to access the router at its different VLAN IPs; to mitigate this, there need to be more iptables rules added in the INPUT chain.
danish14
DD-WRT Novice


Joined: 23 Apr 2008
Posts: 25

Posted: Wed Sep 24, 2008 17:23
Well ... I'm not an expert with iptables. I just followed the instructions, with a little trial and error, but no luck with that. :)

Please, if you are kind, can you give me the commands for what I need for my setup? Maybe a lot of users need it too.

Sorry if my English is not good; it's not my native language.


Thanks
joksi
DD-WRT Guru


Joined: 16 Jan 2007
Posts: 1240

Posted: Wed Sep 24, 2008 20:13
You need the following rules to isolate the VLANs from each other.

Code:
iptables -I FORWARD -i vlan2 -o vlan3 -j DROP
iptables -I FORWARD -i vlan3 -o vlan2 -j DROP


Now clients in each VLAN should not be able to access each other, but they will still be able to access the Internet.

You will also need the following rule to block access from vlan3 to the router.

Code:
iptables -I INPUT -s 192.168.4.0/24 -j DROP


Now vlan2 and vlan3 will have access to the Internet; however, they will not have access to each other, and vlan3 will not have access to the router.

Some people are recommending additional iptables rules for "connecting" new VLANs to the Internet, but from my experience (quite a lot of it) there is no need for this: the basic setup will always allow all traffic to reach the Internet. You just have to use iptables when you want to block anything.
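For the topology in the first post, here is an added example (not from any poster in this thread) of a complete DD-WRT firewall script that combines the inter-VLAN DROP rules with the INPUT block for the client VLAN, plus the DHCP and DNS exceptions those clients still need from the router, since a blanket INPUT DROP would also stop DHCP renewals and DNS served by the router. The interface names, subnets and the `IPT` variable are assumptions, as is the dry-run convenience.

```shell
#!/bin/sh
# Added example: save as the DD-WRT firewall script. Assumes vlan2 is the
# admin VLAN and vlan3 (192.168.4.0/24) is the client VLAN, as in the first post.
ADMIN_IF=vlan2
CLIENT_IF=vlan3
CLIENT_NET=192.168.4.0/24
IPT="${IPT:-iptables}"   # assumption: set IPT=echo to print rules instead of applying

# Print the rules in insertion order. Each is applied with -I (insert at top),
# so the LAST line printed ends up FIRST in the chain: the DHCP/DNS accepts
# are printed after the INPUT drop so they land above it.
isolation_rules() {
    # Block forwarding between the two VLANs in both directions.
    echo "-I FORWARD -i $ADMIN_IF -o $CLIENT_IF -j DROP"
    echo "-I FORWARD -i $CLIENT_IF -o $ADMIN_IF -j DROP"
    # Block the client VLAN from reaching the router itself (web admin, ssh, ...).
    # Matching on both interface and source keeps the rule from touching vlan2.
    echo "-I INPUT -i $CLIENT_IF -s $CLIENT_NET -j DROP"
    # Exceptions inserted above the drop: DHCP (renewals are unicast from the
    # client subnet) and DNS, which DD-WRT's dnsmasq serves to the clients.
    echo "-I INPUT -i $CLIENT_IF -p udp --dport 67 -j ACCEPT"
    echo "-I INPUT -i $CLIENT_IF -p udp --dport 53 -j ACCEPT"
    echo "-I INPUT -i $CLIENT_IF -p tcp --dport 53 -j ACCEPT"
}

# Apply every rule through $IPT; stop at the first failure.
apply_rules() {
    isolation_rules | while read -r rule; do
        # shellcheck disable=SC2086  (word splitting of $rule is intended)
        $IPT $rule || return 1
    done
}

# Number of rules the script manages (handy when checking iptables -L -n).
count_rules() { isolation_rules | wc -l | tr -d ' '; }

# Apply only when run directly with "apply"; sourcing the file just defines functions.
[ "${1:-}" = "apply" ] && apply_rules
```

On the router, run it once with `IPT=echo sh firewall.sh apply` to review the exact commands before saving it as the firewall script.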