Posted: Wed May 29, 2019 14:18 Post subject: ASUS 68U DD-WRT - behind router for LAN isolation
I can't figure out how to proceed.
I'm trying to connect my ASUS 68U / DD-WRT behind my main router (not DD-WRT firmware).
I would like to have another subnet and isolate the network from the main router.
I tried to set up the router with a different IP / subnet and DHCP enabled. I can connect to the router while using manual IP settings on my Mac, but I have no access to the internet and am unable to ping the main router.
My main router needs a VLAN + PPPoE to connect to the internet, but I don't expect to have these settings required on my second router, right?
PS: it's working fine when I'm on the same subnet, but the speed is limited to 700Mb/s instead of 1000Mb/s if I bypass the second router.
Daisy-chaining routers is incredibly easy. All you have to do is reset the secondary router to factory defaults, assign it a different IP network from the primary router, and connect its WAN to a LAN port on the primary router.
Most people get into trouble because they take extra steps, like disabling NAT on the secondary router by changing the Operating Mode to Router, instead of leaving it as Gateway (recommended).
Note that in most cases, this only provides one direction of isolation. The devices behind your Asus probably *will* be able to reach devices behind your other router (depending on whether the service can traverse the Asus NAT).
So if you wanted to use the Asus to host an untrusted guest network, this setup isn't enough. You might be able to use your other router's settings to isolate the LAN port that the Asus is plugged into in its own VLAN that only has WAN access but isn't bridged to the other ports.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Wed Jun 05, 2019 7:14 Post subject:
To isolate clients of your Asus from the main router you use firewall rules.
The clients of your Asus have internet access with this rule but cannot see anything on the main router's subnet.
Code:
iptables -I FORWARD -i br0 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT
Go to Administration/Commands, put the rule there and Save as Firewall.
Warning:
Always test these rules from the command line, if they do not work i.e. lock you out of the router, a simple reset will get you back.
But if you make a rule permanent by saving as firewall, you have to reset your router to defaults to get access back in case it is not working as intended.
_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
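As an added example (not code from the post above or from DD-WRT itself), the same FORWARD rule wrapped in a script for the Commands page that first shows which upstream network will be blocked and only inserts the rule if it is not already present, so it can be re-run safely while testing from the command line as advised. It assumes the LAN bridge is br0 and that the main router's network is the one on the WAN port; WAN_IP and WAN_MASK can be set in the environment to check the helpers on a workstation that has no nvram or iptables.

```shell
#!/bin/sh
# Added example: DD-WRT "Save Firewall" script for the LAN isolation rule.
# Assumptions: LAN bridge is br0; the main router's subnet is the WAN subnet.

# Prefix length of a dotted netmask: 255.255.255.0 -> 24
mask_to_prefix() {
    bits=0
    for octet in $(echo "$1" | tr . ' '); do
        while [ "$octet" -gt 0 ]; do
            bits=$((bits + (octet & 1)))
            octet=$((octet >> 1))
        done
    done
    echo "$bits"
}

# Network in CIDR form for address + netmask: 192.168.1.37 255.255.255.0 -> 192.168.1.0/24
network_cidr() {
    mask=$2
    set -- $(echo "$1" | tr . ' ') $(echo "$mask" | tr . ' ')
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))/$(mask_to_prefix "$mask")"
}

# Rule spec without the action flag, so one string serves both
# `iptables -C` (already present?) and `iptables -I` (insert at top).
isolation_rule() {
    echo "FORWARD -i br0 -d $(network_cidr "$1" "$2") -m state --state NEW -j REJECT"
}

# Read the WAN address from nvram (or the environment for off-router checks),
# report what will be refused, then insert the rule only if it is missing.
apply_isolation() {
    ip=${WAN_IP:-$(nvram get wan_ipaddr)}
    mask=${WAN_MASK:-$(nvram get wan_netmask)}
    rule=$(isolation_rule "$ip" "$mask")
    echo "Clients on br0 will be refused NEW connections to $(network_cidr "$ip" "$mask")"
    # word splitting of $rule into iptables arguments is intended here
    iptables -C $rule 2>/dev/null || iptables -I $rule
}

# Only touch the firewall when actually running on the router.
if command -v iptables >/dev/null 2>&1 && command -v nvram >/dev/null 2>&1; then
    apply_isolation
fi
```

Established connections are untouched by the rule, so replies to LAN clients still flow; only new connections from br0 toward the upstream subnet are rejected.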