Unidirectional net isolation?

DD-WRT Forum Index -> Advanced Networking
Author Message
LDL707
DD-WRT Novice


Joined: 14 Oct 2012
Posts: 14

Posted: Sat Apr 25, 2020 22:44    Post subject: Unidirectional net isolation?
I have an R7000 that I just upgraded to DD-WRT v3.0-r42954 std (04/20/20).

On it, I have four wireless interfaces. I have a "main" 2.4 GHz (wl0) physical interface and a "main" 5 GHz physical interface (wl1) which both address to 192.168.1.x, and are visible to one another. I also have a "guest" 2.4 GHz (wl0.1) virtual interface which addresses to 192.168.10.x and a "guest" 5 GHz virtual interface (wl1.1) which addresses to 192.168.5.x. They both have "Net Isolation" enabled from the GUI.

From my "main" interface, I can see other devices within the "main" network, access the router, etc.

That is the intended behavior.

However, on the guest interfaces, I can see other devices on same "guest" network (that is, devices on the 2.4 GHz can see other devices on the 2.4 GHz, and devices on the 5 GHz can see other devices on the 5 GHz, but they can't see from one to the other). Neither can access the router (which is the intended behavior).

In my perfect world, I'd like the two guest accounts to both address to 192.168.10.x, but I can't get that to work. (When I follow the same steps on the Guest WiFi + Abuse Control For Beginners, and set them both to 192.168.10.x, the second one I set up didn't have internet access.) I'd also like to be able to see devices on the "guest" network from the "main" network.

The DHCP setup looks like this:


Are these goals possible to achieve? How can I set it up?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sat Apr 25, 2020 22:56
Assign them both to the same bridge (br1) and set up the secondary dhcp server for br1. The only drawback is that you may have to use extra startup commands for the guest virtual access points to work - there are several variations that work, and I don't have them memorized, unfortunately, but that is how you would do it, AFAIK.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
LDL707
DD-WRT Novice


Joined: 14 Oct 2012
Posts: 14

Posted: Sun Apr 26, 2020 1:33
They are both set up as unbridged right now, as per the instructions in the Guest Wifi link. Do I have to change that in order to get it to work?
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sun Apr 26, 2020 2:07
The only way they will be on the same subnet without some magic IP voodoo is to put them on the same bridge and use the same dhcp server, AFAIK. The only drawback is that you have to make the VAPs work on reboot for Broadcom.
LDL707
DD-WRT Novice


Joined: 14 Oct 2012
Posts: 14

Posted: Sun Apr 26, 2020 2:16
That sounds way more complicated than I am going to be able to figure out without a lot of pain.

Do you know if the other question is possible? Is there any way to make the devices on the "guest" networks visible to the "main" network? Is there some iptables trickery I can put in that would give me that kind of functionality?
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

Posted: Sun Apr 26, 2020 16:57
You'll need to bridge the two guest networks if you want them on the same IP-address subnet, with a shared DHCP server. (Two DHCP servers MUST have nonoverlapping IP-address ranges.) However, if you bridge wifi interfaces foo and bar, guests on foo will be able to see guests on bar and vice versa. If you check AP Isolation in the setup for foo, you can keep foo guests from seeing each other. You can check it for bar to keep bar guests from seeing each other. But once they are bridged, the foo clients will see the bar clients, as far as I know. It's a weird enough setup though that I can't say that I'm 100% certain. In any case, I don't think it's what you want. I think you want incompatible things: one shared subnet with all isolated guests. And this is before you even get to the question of one-way net isolation!

So first, figure out your priorities. Here I just use separate guest networks, each with AP Isolation, and just settle for them being on separate IP subnets. It's a minor inconvenience. I get Net Isolation for them using iptables commands (see below, last paragraph). Be sure you fully understand your goals re one-way isolation. I do something here akin to allowing guests on one subnet to see a particular printer on br0, but nothing on br0 has access to the guest devices. It's one iptables command, but it does not make the printer discoverable from the guest network. The guest client needs to know the printer IP address.

If you do want to bridge the networks, what kp69 suggests is probably simpler than getting into iptables trickery. Uncheck the "unbridged" boxes for the two guest networks. I believe that will assign both to br0 by default. See the GUI>Setup>Networking page. On that page also, look for an "add bridge" or "new bridge" button or some such to create br1. Somewhere nearby (I don't have it in front of me) you'll see some way to (re)assign the two guest-network interfaces to br1. You'll probably have to Apply before moving on.

Way down the page there'll then be a br1 config section where you can check Net Isolation (initially... see below) and also Masquerade/NAT (to give clients the internet). You also set the IP address for the subnet there instead of setting it for each wifi interface separately. At the bottom of that Networking page, be sure you only create one DHCP server for the combined subnet, which should be for br1 now. The default DHCP scope of start=100, max=50 certainly works. (Speak up if you plan to use Policy Based Routing to put this subnet on a VPN, as different numbers will make things easier in that case.)

None of that gets you to one-way isolation though. For that you have to resort to iptables trickery. Get started by looking at the firewall to see what rules dd-wrt put there to achieve the two-way isolation. Figure out which one gives you the direction you want and how to recreate it with an iptables command. Uncheck the net-isolation box and try the new rule by hand from the CLI (via ssh or PuTTY or even telnet). If you see your rule in the firewall and you're sure it's right, use the Firewall box at GUI>Administration>Commands to install it at boot time. Be careful. Sloppiness in firewall setups can break things.

I don't know whether this is still the case with the most recent builds, but the last time I looked, Net Isolation only isolated the interface (or bridge) in question from br0. If you have interfaces or bridges br0, foo, and bar, checking net isolation on foo and bar will not isolate foo from bar. If that isolation is also desired, iptables commands in Firewall are needed.

So your question opens a real can of worms. Which worms do you actually want?

_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
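The one-way isolation SurprisedItWorks describes (guests on their own bridge blocked from br0 except for return traffic and one printer), written out as a script that answers LDL707's "iptables trickery" question. This is an added example, not code from the thread or from DD-WRT itself; the names br1 (guest side) and br0 (main side), and the printer address 192.168.1.50, are assumptions, and the rules only cover traffic forwarded between the two bridges.

```shell
#!/bin/sh
# Added example (not from the thread): build the iptables commands for
# one-way isolation between a guest bridge/interface and br0 on DD-WRT.
# Assumed names: guest side br1, main side br0; the optional printer
# address is a constructed placeholder.

# Prints the rules, one per line, in the order they must be run.
# Every rule uses -I (insert at top of FORWARD), so the most general
# rule is printed first and the most specific last: the last one run
# ends up at the top of the chain and is evaluated first.
guest_isolation_rules() {
    guest="$1"; main="$2"; printer="$3"
    # 1. Default: nothing initiated from the guest side reaches the main side.
    echo "iptables -I FORWARD -i $guest -o $main -j DROP"
    # 2. Replies to connections that main-side hosts opened may flow back.
    echo "iptables -I FORWARD -i $guest -o $main -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Main-side hosts may initiate connections to guests (the one-way part).
    echo "iptables -I FORWARD -i $main -o $guest -j ACCEPT"
    # 4. Optional: guests may open connections to one specific main-side host,
    #    e.g. a printer. Nothing makes it discoverable; guests need its address.
    if [ -n "$printer" ]; then
        echo "iptables -I FORWARD -i $guest -o $main -d $printer -j ACCEPT"
    fi
}

# Runs the generated rules on the router (needs root; use from an ssh
# session or paste the printed lines into the GUI Firewall box).
# Dry-run unless DRY_RUN=0, so sourcing this file changes nothing.
apply_rules() {
    guest_isolation_rules "$@" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "[dry-run] $rule"
        else
            sh -c "$rule"
        fi
    done
}

# Number of rules that would be installed; a cheap sanity check before
# committing the lines to run at boot.
rule_count() {
    guest_isolation_rules "$@" | wc -l | tr -d ' '
}
```

Running `guest_isolation_rules br1 br0 192.168.1.50` prints four commands; try them by hand from ssh first, check with `iptables -L FORWARD -v -n` that the ACCEPT lines sit above the DROP, and only then put them in the Firewall box at GUI>Administration>Commands. Because each line uses `-I`, printed order matters: the DROP goes in first so the later, more specific ACCEPTs land above it. The GUI Net Isolation box also governs what guests can reach on the router itself, which these FORWARD rules do not touch, so after unchecking it verify the INPUT chain separately.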