I've recently tweaked my network (added a Cisco WAP321) and need some help figuring out the "right" way to isolate my networks.
Currently working setup (minus isolation)
R7000 in gateway mode.
Ports 1, 2 and 3 are vlan1, untagged
Port 4 is vlan5 and vlan10, tagged
wl0, wl1 are on my private network (192.168.0.0/24)
wl0.1 is my guest network, set up in bridged mode (br1 192.168.2.0/24)
br0 - eth1 eth2 vlan1 vlan5
br1 - vlan10 wl0.1
Cisco WAP321 (on other side of house) connected to port 4 of the R7000, has a private network IP address.
Private network (wl0 SSID) passed through on vlan5
Guest network (wl0.1 SSID) passed through on vlan10
To this point, everything works. I had to add the Redhawk workaround to get the wl0.1 VAP working.
What I would like to do is prevent the guest network (wl0.1 and vlan10 from the WAP321) from accessing the private network.
Trying the classic commands
Code:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
Does indeed isolate the networks, but creates an odd new problem.
Communication with the WAP321 for administration via its web interface from a PC (on vlan1) is now very slow to non-existent.
Pinging the WAP321 from the PC, or even from an ssh terminal on the R7000 has mixed results, with packet loss ranging from 30-100%.
Without these two rules the WAP321 is very responsive with no timeouts and no lost packets when pinging.
I'm not understanding why the rules result in this behavior. I would expect no change or consistent lack of communication. Some packets getting through and some getting lost/dropped doesn't make sense (to me anyway).
I would greatly appreciate help sorting this out so I can keep my guests off my private network. _________________ WRT54GL modded to 32MB DRAM and 16MB Flash.
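A fuller version of the isolation the post is after, written as an added example for this thread rather than code from the post or from DD-WRT. It keeps the interface names and subnets given above (br0 for the private 192.168.0.0/24 side, br1 for the guest 192.168.2.0/24 side); the chain names guest_fwd and guest_in, the LOG prefixes, the list of router services guests may still reach (DHCP, DNS, ping) and the PRIV_TO_GUEST switch are this example's own choices. Compared with the two posted rules it adds a stateful accept for return traffic, an anti-spoofing check on the guest bridge, logging of what gets dropped, and INPUT rules so guests cannot reach the router's own admin interfaces. It targets BusyBox ash so it can go into the DD-WRT firewall script.

```shell
#!/bin/sh
# Added example (not from the thread): guest isolation for a router with a
# private bridge and a guest bridge. Names below follow the original post;
# chain names, log prefixes and the PRIV_TO_GUEST switch are assumptions.

PRIV_IF="br0"                      # private bridge: eth1 eth2 vlan1 vlan5
GUEST_IF="br1"                     # guest bridge:   vlan10 wl0.1
PRIV_NET="192.168.0.0/24"
GUEST_NET="192.168.2.0/24"
FWD_CHAIN="guest_fwd"              # hypothetical chain names
IN_CHAIN="guest_in"
PRIV_TO_GUEST="${PRIV_TO_GUEST:-yes}"   # may the private side open connections to guests?

# Rule specs for the FORWARD hook chain, one per line, emitted as text so they
# can be reviewed (or diffed against 'iptables -S guest_fwd') before applying.
forward_rules() {
    cat <<EOF
-m state --state ESTABLISHED,RELATED -j ACCEPT
-i $GUEST_IF ! -s $GUEST_NET -j DROP
-i $GUEST_IF -o $PRIV_IF -j LOG --log-prefix GUEST_FWD_DROP: --log-level 4
-i $GUEST_IF -o $PRIV_IF -j DROP
-i $GUEST_IF -d $PRIV_NET -j DROP
EOF
    # The second posted rule dropped NEW traffic from br0 to br1 as well; with
    # the ESTABLISHED,RELATED accept above, a plain DROP here is equivalent.
    if [ "$PRIV_TO_GUEST" = "yes" ]; then
        echo "-i $PRIV_IF -o $GUEST_IF -j ACCEPT"
    else
        echo "-i $PRIV_IF -o $GUEST_IF -j DROP"
    fi
}

# Rule specs for the INPUT hook chain: guests get DHCP, DNS and ping from the
# router and nothing else, so the web/ssh admin interfaces stay private.
input_rules() {
    cat <<EOF
-i $GUEST_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
-i $GUEST_IF -p udp --dport 67 -j ACCEPT
-i $GUEST_IF -p udp --dport 53 -j ACCEPT
-i $GUEST_IF -p tcp --dport 53 -j ACCEPT
-i $GUEST_IF -p icmp --icmp-type echo-request -j ACCEPT
-i $GUEST_IF -j LOG --log-prefix GUEST_IN_DROP: --log-level 4
-i $GUEST_IF -j DROP
EOF
}

# Create (or flush) the chains, load the specs, and hook them in at position 1
# so they run before the firmware's own rules. Safe to re-run: the -D before
# each -I keeps the hook from being duplicated.
apply_rules() {
    for chain in "$FWD_CHAIN" "$IN_CHAIN"; do
        iptables -N "$chain" 2>/dev/null || true
        iptables -F "$chain"
    done
    forward_rules | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting the spec is intended
        iptables -A "$FWD_CHAIN" $spec
    done
    input_rules | while read -r spec; do
        iptables -A "$IN_CHAIN" $spec
    done
    iptables -D FORWARD -j "$FWD_CHAIN" 2>/dev/null || true
    iptables -I FORWARD 1 -j "$FWD_CHAIN"
    iptables -D INPUT -j "$IN_CHAIN" 2>/dev/null || true
    iptables -I INPUT 1 -j "$IN_CHAIN"
}

# Per-rule packet counters: shows which rule, if any, is eating the traffic.
show_status() {
    iptables -vnL "$FWD_CHAIN"
    iptables -vnL "$IN_CHAIN"
}

case "${1:-show}" in
    apply)  apply_rules ;;
    status) show_status ;;
    *)      forward_rules; input_rules ;;
esac
```

Run it with no argument to print the rule specs, with `apply` (as root on the router) to load them, and with `status` to read the counters. Those counters are the first thing to check for the symptom described in the post: traffic between a PC on vlan1 and the WAP321 on vlan5 stays inside br0, so it matches neither of the two posted rules nor any DROP rule here; if the counters stay at zero while pings to the WAP321 are being lost, the loss is happening somewhere other than the FORWARD chain.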
Something is confusing to me: Port 4 is vlan5 and vlan10 tagged, but then you have vlan5 and vlan10 on different bridges, which then gets even more complicated when you add the firewall rules.
To me this is starting to create a strange web of connections.
Quote:
Something is confusing to me: Port 4 is vlan5 and vlan10 tagged, but then you have vlan5 and vlan10 on different bridges, which then gets even more complicated when you add the firewall rules.
To me this is starting to create a strange web of connections.
The Cisco 321 WAP has a single wired Ethernet connection, so my understanding is that I need to put each VAP on the Cisco into a different vlan to keep them separated.
That is why port 4 has vlan5 and vlan10: vlan5 is my private network VAP on the Cisco, bridged to vlan1 in the R7000 (192.168.0.0/24, br0), and vlan10 is my guest network VAP, bridged to wl0.1 in the R7000 (192.168.2.0/24, br1).
I would have left the Cisco private VAP on vlan1 instead of creating vlan5 just for this connection, but I have read that mixing tagged and untagged vlans on a port can create problems.
Quote:
Could you possibly simplify the situation?
I'm not sure, but I don't think so based on what I'm trying to accomplish.
Ahh, I understand better now. Thank you for the extra explanation. I have to think on this and try a few things out.
Right off hand, I do not see why it should not work, beyond when things are applied/checked and thus sometimes the packets get labeled one way and then other times they are labeled another way, which breaks.
If you are comfortable with Wireshark, that might help you debug (you could even change the two rules to -j REJECT to see what comes back).
Quote:
Right off hand, I do not see why it should not work, beyond when things are applied/checked and thus sometimes the packets get labeled one way and then other times they are labeled another way, which breaks.
Thanks for this comment.
You set off a light bulb with the "routing this way and that", so I just tried turning on STP on the bridges and set the priority for br0 higher than br1 (16k instead of the default 32k).
I can't say for sure it's fixed, but short term (less than 10 minutes up time) I am seeing much better results.
Funny, I was just thinking about spanning tree protocol. I thought that could not be it, but it is very likely.
I know that having the "race" condition or circular logic has happened to me before, but that was because of packet marking conflicts and which interrupt serviced first.