Posted: Sun Jul 26, 2020 18:58 Post subject: VLANs, iptables, extra DNS (my how-to instructions)
I wanted to document this on the forum because it took me so long to figure out.
I have a Netgear R7000. I can saturate my internet (500Mbps down, 20Mbps up) with dd-wrt, so it's the firmware for me
But I wanted a couple of VLANs and I had to figure out how to do it.
What I wanted:
Main network: 192.168.5.0/24 [ports 1 & 2 on the LAN]
Media VLAN: 192.168.50.0/24 [port 3 on the LAN]
IoT VLAN: 192.168.107.0/24 (107 = IoT) [port 4 on the LAN]
I didn't want the IoT network to be able to access anything on the main network or the media network.
I wanted the media network and the main network to talk to each other freely.
I wanted the media network to use different DNS servers than everything else (uses expressvpn DNS so I can overcome georestrictions)
Here's what I did:
1) Set up the main network to 192.168.5.0/24:
Setup > Basic Setup
Changed Local IP Address to 192.168.5.1, subnet 255.255.255.0
Hit "Apply Settings"
2) Designate the different LAN ports for the VLANs:
Setup > Switch Config
This UI was confusing to me.
Turns out that the columns represent each port on my device (w = WAN, 1-4 are the 4 LAN ports).
The rows are the vlans.
The column on the far left lists the different VLANs. By default, this router came set up with:
vlan0 = nothing checked off, assigned to bridge 'none'
vlan1 = LAN ports 1-4, assigned to bridge "LAN"
vlan2 = WAN port, assigned to bridge "LAN"
I don't know what the "Assigned to bridge" column is for, but what I did was the following:
Port 3, I unchecked from vlan1, and checked onto vlan3, left 'assigned to bridge = None'
Port 4, Unchecked from vlan1, and checked onto vlan4, left 'assigned to bridge = None'
I clicked "Apply Settings".
To summarize, after doing this, the vlans were set up as follows:
vlan0 = no ports selected
vlan1 = LAN ports 1 & 2
vlan2 = WAN port
vlan3 = LAN port 3
vlan4 = LAN port 4
So after doing this, I now know that I want:
vlan1 = ports 1 & 2 = subnet 192.168.5.0/24 (regular network)
vlan2 = internet
vlan3 = port 3 = subnet 192.168.50.0/24 (media)
vlan4 = port 4 = subnet 192.168.107.0/24 (IoT)
3) Assign the VLANs to Bridges
Next I needed to actually make this happen:
Setup > Networking
From here, I noticed that under Bridging was a default bridge named 'br0'
I created 2 new ones: br1 & br2, then clicked "Save"
Then I went to the "Assign to Bridge" section and added 2 assignments:
br1 I assigned to Interface vlan3
br2 I assigned to Interface vlan4
I clicked "Apply Settings"
Now I have:
ports 1 & 2 => br0 => vlan1
port 3 => br1 => vlan3
port 4 => br2 => vlan4
Next I scrolled down to "Port Setup" and found the "Network configuration br1" and "Network configuration br2" sections:
For br1:
Label: media
IP Address: 192.168.50.1
Subnet mask: 255.255.255.0
For br2:
Label: IoT
IP Address: 192.168.107.1
Subnet mask: 255.255.255.0
Clicked "Apply Settings"
Finally, at the bottom of this screen, I went to the DHCPD section
Here I added 3 DHCP servers:
DHCP 0 -> br0
DHCP 1 -> br1
DHCP 2 -> br3
Hit "Apply Settings"
At his point, I have my 3 vlans. Phew!
I tested by plugging a laptop into each port. Ports 1 & 2 assigned an ip in the 192.168.5.x subnet; Port 3 assigned to 192.168.50.x, Port 4 assigned to 192.168.107.x
4) Change the Media subnet to use different DNS servers
Services > Services
Additional Dnsmasq Options:
I don't know iptables that well. As far as I can tell, what I am doing is I'm explicitly telling it to accept traffic from:
192.168.5.0/24 -> 192.168.50.0/24
192.168.50.0/24 -> 192.168.5.0/24
192.168.5.0/24 -> 192.168.107.0/24
And to block traffic from:
192.168.107.0/24 -> 192.168.5.0/24
192.168.107.0/24 -> 192.168.50.0/24
This seems to mostly work. I can ping devices from the '5' to '50' subnet and vice-versa
From '107', I can get to the internet but nowhere else.
The only thing that doesn't work is the '5' network can't ping anything in 107. I figure this is because I don't know iptables well.
So, that's it. I wanted to document because I couldn't find a comprehensive guide anywhere. I'm not an expert in networking and I learned a lot doing this. I hope this helps someone.
In general, I don't recommend blocking access based on IP addresses because it's at least theoretically possible for a client to *manually* reconfigure themselves on a different IP network, and *perhaps* get around your restrictions. Since you're using bridges anyway, better to use those network interfaces in your rules. Note, "br+" is a wildcard (it matches any bridge).
Code:
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
# deny iot network access to any other networks
iptables -I FORWARD -i br2 -o br+ -j DROP
# allow media network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j ACCEPT
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Notice that I push the RELATED/ESTABLISHED rule (normally at the top) back to the top of the FORWARD chain. When you're inserting rules, that can cause a problem as the RELATED/ESTABLISHED rule gets pushed down the chain. The reason you can't get '5' to '107' to work is that although '5' to '107' is allowed, the replies are BLOCKED by the subsequent '107' to '5' rule! By pushing the RELATED/ESTABLISHED rule back to the top, that rule allows the replies, long before ever reaching your '107' to '5' rule.
Also, by referencing the interface names, if you decide to change the IP networks in the future, you don't need to change the firewall rules.
You might also want to limit what services are available on the router from the IOT network by using iptables w/ the INPUT chain. I usually only allow DHCP and DNS, and perhaps ICMP (ping). If I've assigned public DNS servers to the IOT network (a common practice), I won't even allow access to DNS on the INPUT chain.
Code:
# note: local dns (port 53) is denied to iot network because
# it is assigned public dns servers in dnsmasq
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Also, beware that network discovery will NOT work across network boundaries. In order to have network discovery restored (which is something you may want if you have, for example, Chromecast-enabled devices on either the media or IOT networks), you'll need to implement an mDNS repeater (aka, a reflector) using Avahi (available in Entware). I've recently posted a tutorial on the tomato forums explaining how to do this (dd-wrt would be very similar).
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
Thanks for your very good explaination.
as mentioned above br+ will cover any bridges
your first command drops anything from any bridges.... am I getting this right or how is it interpreted correctly? _________________ VLANs, Wireguard Site to Site, OpenVPN Client, WDS
TP-Link Archer C7 V4, V5
TP-Link Archer A7 V5
TP-Link WR1043 V4
Unifi UAP-AC-M
as mentioned above br+ will cover any bridges
your first command drops anything from any bridges.... am I getting this right or how is it interpreted correctly?
as mentioned above br+ will cover any bridges
your first command drops anything from any bridges.... am I getting this right or how is it interpreted correctly?
Correct. From any bridge to any bridge. It's just a catchall, that creates isolation by default. Any access you want to allow has to be explicitly added w/ a rule.
is the priority of the rules bottom up? because if its top down it would lock up any traffic??
