Posted: Tue Sep 23, 2008 16:59 Post subject: (ASK) Isolate Each VLAN
I have made 3 separate VLANs (vlan2=port4 & vlan3=port3) on my GL.
vlan2 address: 192.168.3.1/24 DHCP
vlan3 address: 192.168.4.1/24 DHCP
When I have an IP from vlan2, I can still ping vlan3 addresses.
What I want is to isolate the vlan2 addresses from the vlan3 addresses so they can't ping each other any more.
The goal is: the vlan2 addresses I use only for accessing the router web admin. The vlan3 addresses are for other clients, not for connecting to the DD-WRT web admin.
So it is secure (perhaps) from sniffing or other stuff that could steal my username or password.
Please, can anyone give me a hand?
Thanks for the help.
Sorry if my English is not good.
Yup ... I have read it before. Sure, I followed the instructions from there and from the wiki too.
The problem is I'm not experienced with iptables commands.
I use v24, DHCP on the WAN side; v24 is simple enough to make VLANs from the GUI. Thanks to the developers.
Besides being separated (vlan0=port1 & 2, vlan2=port4, vlan3=port3, wifi is off), on each VLAN I still get internet access. I just want to secure it so the VLANs can't ping each other. That's what I want. Is that command good for me? Sorry, I'm just a noob. :)
You need the following rules to isolate the VLANs from each other.
Code:
iptables -I FORWARD -i vlan2 -o vlan3 -j DROP
iptables -I FORWARD -i vlan3 -o vlan2 -j DROP
Now clients in each VLAN should not be able to access each other, but they will still be able to access Internet.
You will also need the following rule to block access from vlan3 to the router.
Code:
# vlan3 is 192.168.4.0/24 (192.168.3.0/24 is vlan2, see the addresses above)
iptables -I INPUT -s 192.168.4.0/24 -j DROP
Now vlan2 and vlan3 will have access to Internet, however, they will not have access to each other and vlan3 will not have access to the router.
Some people are recommending additional iptables rules for "connecting" new VLANs to the Internet, but from my experience (quite a lot of it) there is no need in this case: the basic setup will always allow all traffic to reach the Internet. You just have to use iptables when you want to block anything.
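Since the thread only lists the rules one at a time, here is a complete DD-WRT-style firewall script as an added example (my own, not the poster's). It assumes the same layout as the thread (vlan2 = admin LAN, vlan3 = client LAN) and goes a bit beyond the post: it matches on the ingress interface rather than the source subnet, so a vlan3 client cannot dodge the INPUT rule by giving itself a static address outside 192.168.4.0/24, and it still lets the router hand out DHCP leases and answer DNS on vlan3, which a bare INPUT DROP would cut off (clients would lose their leases at renewal and have no name resolution). The interface names, the decision to keep DHCP/DNS open, and the `apply` entry point are all assumptions.

```shell
#!/bin/sh
# Added example, not the forum poster's script: isolate vlan2 and vlan3 from
# each other and keep vlan3 clients away from the router itself (web admin,
# ssh, telnet), while still serving them DHCP and DNS from the router.
# Assumed layout (hypothetical, matching the thread): vlan2 = admin LAN,
# vlan3 = client LAN. "sh vlan-isolate.sh apply" installs the rules on the
# router; any other invocation prints them instead (dry run).

IPT="${IPT:-iptables}"   # set IPT=echo to print rules instead of applying them
ADMIN_IF=vlan2
CLIENT_IF=vlan3

# Runs one iptables command through $IPT so the same functions serve both
# the dry run and the real run.
rule() { "$IPT" "$@"; }

# Block forwarding between the two VLANs in both directions. -I puts the
# rules at the top of FORWARD, ahead of the stock ESTABLISHED/RELATED accept,
# so neither side can open a connection to the other.
isolate_vlans() {
    rule -I FORWARD -i "$ADMIN_IF" -o "$CLIENT_IF" -j DROP
    rule -I FORWARD -i "$CLIENT_IF" -o "$ADMIN_IF" -j DROP
}

# Keep vlan3 off the router but keep DHCP and DNS working. Matching on the
# ingress interface instead of the source subnet means a client cannot bypass
# the rule with an address outside 192.168.4.0/24, and DHCP DISCOVER packets
# (source 0.0.0.0) are covered too. Because -I inserts at position 1, the
# catch-all DROP is issued first and the ACCEPTs issued afterwards land above it.
restrict_router_access() {
    rule -I INPUT -i "$CLIENT_IF" -j DROP
    rule -I INPUT -i "$CLIENT_IF" -p udp --dport 67 -j ACCEPT   # DHCP server
    rule -I INPUT -i "$CLIENT_IF" -p udp --dport 53 -j ACCEPT   # DNS
    rule -I INPUT -i "$CLIENT_IF" -p tcp --dport 53 -j ACCEPT   # DNS over TCP
}

# Sanity check for the ordering trick above: returns 0 when the first INPUT
# command issued is the catch-all DROP (so it ends up below the ACCEPTs).
check_input_order() {
    first=$(IPT=echo; restrict_router_access | head -n 1)
    case "$first" in
        *"-i $CLIENT_IF -j DROP") return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" != apply ]; then
    IPT=echo          # dry run: show what would be installed
fi
isolate_vlans
restrict_router_access
```

Save it as the DD-WRT firewall script (Administration > Commands > Save Firewall) so it is re-applied on every boot; run it once without `apply` first to eyeball the rule order.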