ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Sun Jan 03, 2016 15:31 Post subject: VLAN setup problem... need some help.
Hardware - Nighthawk R7000
Firmware: DD-WRT v3.0-r28000M kongac (10/24/15)
I'm having a problem connecting to machines that are on my 192.168.2.0 VLAN that I created. I believe the VLAN is set up correctly as I am able to ping the IP address 192.168.2.1 from 192.168.3.100.
However, I can't ping any other machine on the VLAN subnet for example 192.168.2.11 from 192.168.3.100.
I was following this guide (http://www.flashrouters.com/blog/2015/04/06/what-is-a-vlan-how-to-setup-vlan-ddwrt/) and I haven't put in any firewall rules as of yet, but the VLAN seems to already be unreachable to some extent.
What am I missing here????
My ultimate goal is that I don't want the VLAN 192.168.2.0 subnet to be able to see anything on my 192.168.3.0 subnet but I do want my 192.168.3.0 subnet to be able to reach any machine on the 192.168.2.0 subnet. I want to run my webserver on the 192.168.2.0 subnet as well as a media server for the 192.168.3.0 subnet.
192.168.3.0 > 192.168.2.0 GOOD
192.168.2.0 > 192.168.3.0 BAD
Let me know if this isn't clear and I'll try to explain better.
Any help is appreciated.
p.s. can anyone tell me what this iptables entry is attempting to do?
iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Sun Jan 03, 2016 16:03 Post subject:
Would an entry like this in iptables allow all traffic from the 192.168.3.0 subnet to 192.168.2.0?
iptables --append INPUT --protocol tcp --src 192.168.3.0 --dst 192.168.2.11 --jump ACCEPT
[EDIT]
or something similar to the following?
iptables -I FORWARD -i vlan1 -d 192.168.2.0 -j ACCEPT
iptables -I FORWARD -o vlan1 -s 192.168.2.0 -j ACCEPT
or
iptables -I INPUT -i vlan3 -j ACCEPT
iptables -I FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -j ACCEPT
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6966 Location: Romerike, Norway
Posted: Sun Jan 03, 2016 17:22 Post subject:
http://www.linklogger.com/UDP67_68.htm
The INPUT Chain is for accessing resources on the router.
Routing from one segment to the other is the FORWARD chain.
iptables -I FORWARD -i vlan1 -o vlan3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o vlan2 -m state --state NEW -j DROP
Allow new connections from vlan1 to vlan3, but not the reverse.
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Sun Jan 03, 2016 18:11 Post subject:
Thanks for the reply.
I'm assuming you meant VLAN1 here?
iptables -I FORWARD -i vlan1 -o vlan3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o vlan1 -m state --state NEW -j DROP
The new iptables and a reboot of the router seems to have solved it, thanks
[EDIT]
This did not work...
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Sun Jan 03, 2016 18:21 Post subject:
OK... a few more screenshots... VLAN1 cannot ping 192.168.2.11 but can ping 192.168.2.1; it was able to do this before the new rules also.
Last edited by ampapa on Sun Jan 03, 2016 19:05; edited 1 time in total
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6966 Location: Romerike, Norway
Posted: Sun Jan 03, 2016 18:29 Post subject:
What is on 192.168.3.9?
It will be much easier to have a consistent address plan, i.e. the router is on 192.168.2.1 and 192.168.3.1 respectively.
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Sun Jan 03, 2016 18:40 Post subject:
192.168.3.9 is the router address on VLAN1.
VLAN2 is 192.168.2.0
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6966 Location: Romerike, Norway
Posted: Sun Jan 03, 2016 19:19 Post subject:
You can enable logging in Security->Log and see if the packets are dropped or accepted.
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Sun Jan 03, 2016 20:31 Post subject:
The logs are empty...even when set to "high"
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6966 Location: Romerike, Norway
Posted: Sun Jan 03, 2016 22:23 Post subject:
Have you tried to change the iptables rules to LOGDROP and LOGACCEPT?
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Mon Jan 04, 2016 3:20 Post subject:
Do you have a link to a how to or any more info you can share on LOGDROP or LOGACCEPT?
Is what I am attempting to do out of the norm or something DDWRT can't handle?
Thanks for the assistance.
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Mon Jan 04, 2016 13:57 Post subject:
So are you saying to change ACCEPT and DROP to LOGACCEPT and LOGDROP so that the info is logged to /tmp/var/log/messages?
iptables -I FORWARD -i vlan1 -o vlan3 -m state --state NEW -j LOGACCEPT
iptables -I FORWARD -i vlan3 -o vlan1 -m state --state NEW -j LOGDROP
How do I view the log in /tmp/var/log/messages after attempting the connection?
Thanks,
Per Yngve Berg DD-WRT Guru Joined: 13 Aug 2013 Posts: 6966 Location: Romerike, Norway
Posted: Mon Jan 04, 2016 15:47 Post subject:
Download with ftp.
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Mon Jan 04, 2016 23:07 Post subject:
I don't understand why there isn't a log being generated??
I modified the commands being sent to logging, I believe this is correct. I then ran a ping from all the machines expecting some logging and got nothing.
See attached, messages is blank.
iptables -I FORWARD -i vlan1 -o vlan3 -m state --state NEW -j LOGACCEPT
iptables -I FORWARD -i vlan3 -o vlan1 -m state --state NEW -j LOGDROP
ampapa DD-WRT User Joined: 25 Nov 2011 Posts: 102
Posted: Tue Jan 05, 2016 2:33 Post subject:
Making a little progress here... I finally got some logging; the log commands are case-specific.
I essentially logged in as root on the router and ran an ifconfig and found the following:
root@DD-WRT-LOWER:~# ifconfig
br0 Link encap:Ethernet HWaddr AC:UH:09:AD:2B:99
inet addr:192.168.3.9 Bcast:192.168.3.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:734 errors:0 dropped:95 overruns:0 frame:0
TX packets:396 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:76254 (74.4 KiB) TX bytes:39202 (38.2 KiB)
br0:0 Link encap:Ethernet HWaddr AC:UH:09:AD:2B:99
inet addr:169.254.255.1 Bcast:169.254.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth0 Link encap:Ethernet HWaddr AC:UH:09:AD:2B:97
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:8327 errors:0 dropped:0 overruns:0 frame:0
TX packets:7520 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:902384 (881.2 KiB) TX bytes:6196526 (5.9 MiB)
Interrupt:179 Base address:0x4000
eth1 Link encap:Ethernet HWaddr AC:UH:09:AD:2B:99
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:92839
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:163
eth2 Link encap:Ethernet HWaddr AC:UH:09:AD:2B:96
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:169
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:12 errors:0 dropped:0 overruns:0 frame:0
TX packets:12 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:640 (640.0 B) TX bytes:640 (640.0 B)
vlan1 Link encap:Ethernet HWaddr AC:UH:09:AD:2B:97
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5961 errors:0 dropped:0 overruns:0 frame:0
TX packets:7158 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:503060 (491.2 KiB) TX bytes:6116890 (5.8 MiB)
vlan2 Link encap:Ethernet HWaddr AC:UH:09:AD:2B:98
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:67 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:22914 (22.3 KiB)
vlan3 Link encap:Ethernet HWaddr AC:UH:09:AD:2B:97
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2366 errors:0 dropped:652 overruns:0 frame:0
TX packets:295 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:216130 (211.0 KiB) TX bytes:26642 (26.0 KiB)
I noticed the IP address 192.168.3.9 was on br0, so I modified the firewall rule to the following:
iptables -I FORWARD -i br0 -o vlan3 -m state --state NEW -j logaccept
iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j logdrop
Then I started getting some log information. I'm not sure why vlan1 doesn't work, but I switched the firewall rule back to vlan1 and tested it to be certain.
root@DD-WRT-LOWER:~# tail -f /var/log/messages
Dec 31 19:09:09 DD-WRT-LOWER daemon.info dnsmasq-dhcp[3257]: DHCPINFORM(vlan3) 192.168.2.11 00:23:ae:26:3d:1c
Dec 31 19:09:09 DD-WRT-LOWER daemon.info dnsmasq-dhcp[3257]: DHCPACK(vlan3) 192.168.2.11 00:23:ae:26:3d:1c AJM-PC
Jan 1 00:09:10 DD-WRT-LOWER kern.warn kernel: ACCEPT IN=br0 OUT=vlan3 MAC=AC:UH:09:ad:2b:99:10:bf:48:77:c1:de:08:00 SRC=192.168.3.125 DST=192.168.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17895 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=706
Jan 1 00:09:15 DD-WRT-LOWER kern.warn kernel: ACCEPT IN=br0 OUT=vlan3 MAC=AC:UH:09:ad:2b:99:10:bf:48:77:c1:de:08:00 SRC=192.168.3.125 DST=192.168.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17901 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=707
Jan 1 00:09:20 DD-WRT-LOWER kern.warn kernel: ACCEPT IN=br0 OUT=vlan3 MAC=AC:UH:09:ad:2b:99:10:bf:48:77:c1:de:08:00 SRC=192.168.3.125 DST=192.168.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17910 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=708
Jan 1 00:09:25 DD-WRT-LOWER kern.warn kernel: ACCEPT IN=br0 OUT=vlan3 MAC=AC:UH:09:ad:2b:99:10:bf:48:77:c1:de:08:00 SRC=192.168.3.125 DST=192.168.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17919 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=709
Jan 1 00:09:41 DD-WRT-LOWER kern.warn kernel: DROP IN=vlan3 OUT=br0 MAC=AC:UH:09:ad:2b:97:00:23:ae:26:3d:1c:08:00:45:00:00:3c SRC=192.168.2.11 DST=192.168.3.125 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30100 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=309
Jan 1 00:09:45 DD-WRT-LOWER kern.warn kernel: DROP IN=vlan3 OUT=br0 MAC=AC:UH:09:ad:2b:97:00:23:ae:26:3d:1c:08:00:45:00:00:3c SRC=192.168.2.11 DST=192.168.3.125 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30111 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=310
Jan 1 00:09:50 DD-WRT-LOWER kern.warn kernel: DROP IN=vlan3 OUT=br0 MAC=AC:UH:09:ad:2b:97:00:23:ae:26:3d:1c:08:00:45:00:00:3c SRC=192.168.2.11 DST=192.168.3.125 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30121 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=311
Jan 1 00:09:55 DD-WRT-LOWER kern.warn kernel: DROP IN=vlan3 OUT=br0 MAC=AC:UH:09:ad:2b:97:00:23:ae:26:3d:1c:08:00:45:00:00:3c SRC=192.168.2.11 DST=192.168.3.125 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30132 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=312
Dec 31 19:10:12 DD-WRT-LOWER daemon.info dnsmasq-dhcp[3257]: DHCPINFORM(vlan3) 192.168.2.11 00:23:ae:26:3d:1c
Dec 31 19:10:12 DD-WRT-LOWER daemon.info dnsmasq-dhcp[3257]: DHCPACK(vlan3) 192.168.2.11 00:23:ae:26:3d:1c AJM-PC
I'm still getting request timeouts, however, on both PCs...
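The two things this thread turns on are visible in the log excerpt above: the FORWARD chain (not INPUT) decides inter-VLAN traffic, and packets from the 192.168.3.0/24 side reach the firewall with IN=br0, the bridge, rather than IN=vlan1, so a rule written with `-i vlan1` matches nothing. The script below is an added example, not code from the thread or from DD-WRT. It parses the `kernel: ACCEPT/DROP IN=... OUT=...` lines that the logaccept/logdrop targets write to /var/log/messages, checks each verdict against the intended one-way policy (192.168.3.0/24 may open connections to 192.168.2.0/24, never the reverse), records the ingress interface each subnet's traffic actually uses, and counts how many logged packets each candidate `-i X -o Y` rule would have matched. The sample lines are three copied from the thread's excerpt plus one constructed ACCEPT in the forbidden direction so that the audit has a violation to report; the rule names and the `audit` function are this example's own.

```python
"""Audit DD-WRT firewall LOG lines against a one-way inter-VLAN policy.

Added example (not code from the thread). Works offline on the embedded
sample; point SAMPLE_LOG at real /var/log/messages lines to audit a router.
"""
import ipaddress
import re

TRUSTED = ipaddress.ip_network("192.168.3.0/24")   # LAN side (br0 in the thread)
ISOLATED = ipaddress.ip_network("192.168.2.0/24")  # the new VLAN (vlan3 in the thread)

# Fields in the order the kernel LOG target prints them; MAC/LEN/TTL are skipped lazily.
LOG_RE = re.compile(
    r"kernel: (?P<verdict>ACCEPT|DROP) IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
)

# Candidate FORWARD rules from the thread, reduced to their interface match (assumed names).
CANDIDATE_RULES = {
    "-i vlan1 -o vlan3": ("vlan1", "vlan3"),  # first attempt: LAN traffic never arrives on vlan1
    "-i br0 -o vlan3": ("br0", "vlan3"),      # what the log shows actually matches
    "-i vlan3 -o br0": ("vlan3", "br0"),
}

# Sample input: lines 1-3 copied from the thread's excerpt (MAC anonymised as on the page),
# line 4 constructed: an ACCEPT in the forbidden direction that the audit must flag.
SAMPLE_LOG = [
    "Dec 31 19:09:09 DD-WRT-LOWER daemon.info dnsmasq-dhcp[3257]: DHCPACK(vlan3) 192.168.2.11 00:23:ae:26:3d:1c AJM-PC",
    "Jan 1 00:09:10 DD-WRT-LOWER kern.warn kernel: ACCEPT IN=br0 OUT=vlan3 MAC=AC:UH:09:ad:2b:99:10:bf:48:77:c1:de:08:00 SRC=192.168.3.125 DST=192.168.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17895 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=706",
    "Jan 1 00:09:15 DD-WRT-LOWER kern.warn kernel: ACCEPT IN=br0 OUT=vlan3 MAC=AC:UH:09:ad:2b:99:10:bf:48:77:c1:de:08:00 SRC=192.168.3.125 DST=192.168.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17901 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=707",
    "Jan 1 00:09:41 DD-WRT-LOWER kern.warn kernel: DROP IN=vlan3 OUT=br0 MAC=AC:UH:09:ad:2b:97:00:23:ae:26:3d:1c:08:00:45:00:00:3c SRC=192.168.2.11 DST=192.168.3.125 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30100 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=309",
    "Jan 1 00:10:00 DD-WRT-LOWER kern.warn kernel: ACCEPT IN=vlan3 OUT=br0 MAC=AC:UH:09:ad:2b:97:00:23:ae:26:3d:1c:08:00:45:00:00:3c SRC=192.168.2.11 DST=192.168.3.125 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=30200 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=400",
]


def parse_log_line(line):
    """Return a dict for a firewall LOG line, or None for anything else (dnsmasq, etc.)."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["src"] = ipaddress.ip_address(pkt["src"])
    pkt["dst"] = ipaddress.ip_address(pkt["dst"])
    return pkt


def expected_verdict(src, dst):
    """What the intended policy says about a NEW flow; None if the policy is silent."""
    src, dst = ipaddress.ip_address(str(src)), ipaddress.ip_address(str(dst))
    if src in TRUSTED and dst in ISOLATED:
        return "ACCEPT"
    if src in ISOLATED and dst in TRUSTED:
        return "DROP"
    return None


def rule_matches(rule, pkt):
    """Emulate only the interface part of `iptables -I FORWARD -i X -o Y`."""
    ifin, ifout = rule
    return pkt["ifin"] == ifin and pkt["ifout"] == ifout


def audit(lines, rules):
    """Parse every line, compare verdicts with policy, and count rule hits."""
    result = {"parsed": 0, "mismatches": [], "ingress": {}, "hits": {n: 0 for n in rules}}
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        result["parsed"] += 1
        for net in (TRUSTED, ISOLATED):  # which interface does each subnet really enter on?
            if pkt["src"] in net:
                result["ingress"].setdefault(str(net), set()).add(pkt["ifin"])
        want = expected_verdict(pkt["src"], pkt["dst"])
        if want is not None and want != pkt["verdict"]:
            result["mismatches"].append(
                {"src": str(pkt["src"]), "dst": str(pkt["dst"]), "got": pkt["verdict"], "want": want}
            )
        for name, rule in rules.items():
            if rule_matches(rule, pkt):
                result["hits"][name] += 1
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_LOG, CANDIDATE_RULES)
    print("parsed firewall lines:", report["parsed"])
    print("ingress interface per subnet:", report["ingress"])
    print("rule hit counts:", report["hits"])
    for bad in report["mismatches"]:
        print("POLICY VIOLATION:", bad)
```

Two caveats when reading the output against a real router. A logged ACCEPT for an echo request only proves the router forwarded that packet; the echo reply from 192.168.2.11 traverses FORWARD as an ESTABLISHED flow, which a `-m state --state NEW -j DROP` rule does not touch, so if pings still time out the next places to look are the rest of the FORWARD chain (including its default policy) and the host firewall on the target. And the ingress set the audit reports is the interface name iptables saw, which for bridged LAN ports on DD-WRT is br0; write interface matches against that name, not the bridge member.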