Joined: 17 Dec 2019 Posts: 16 Location: Perth, Australia
Posted: Mon Jan 11, 2021 18:09 Post subject: Using a VLAN to isolate a device
Hi! First-time poster.
My edge device is a FRITZ!Box router. While it's intuitive and easy to use, it is somewhat limited. For instance, it doesn't support WINS. I complement it with a DD-WRT router. At present, this router's only function is to serve as a DNS/DHCP server running DNSMasq. Wireless is switched off and the WAN port assigned as an extra switch port. This arrangement has worked very well for me this last few years.
For home security, I have CCTV cameras running off a Honeywell DVR. While not the latest and greatest, it serves its purpose and I see no reason to upgrade it at this stage (it's a non-trivial task to upgrade the analog CCTV RG-59 cabling to cat 5e or better).
At present, all devices sit in the same 10.1.1.0 subnet. I would like to move the DVR into its own subnet. I have several reasons for wanting to do this:
1. The DVR is a legacy unit that hasn't had a firmware upgrade in years. It may be vulnerable.
2. The unit appears to have been developed by the Hong Kong subsidiary of Honeywell at the time. In the current climate, with China's continued and relentless crackdown on HK, I'm no longer comfortable having the DVR sit in the primary subnet.
To mitigate my overall cyberthreat risk, and to secure myself against the possibility of the DVR being used as a possible attack vector, I'd like to isolate the DVR in its own subnet 10.1.3.0. The access policy should be such that the 10.1.3.0 subnet should be accessible from other subnets, but not vice versa. The DVR should not be able to access devices in other subnets.
After several days of studying the Wiki and searching the forums, I believe I can achieve this using a separate VLAN for the DVR. However, I'm seeking assistance of the brains trust here as I'm a complete novice at this.
This is what the default Switch Config of my DD-WRT router looks like:
Here's my first stumbling block. VLAN 1 in the web UI seems to map to vlan0 on the command line. VLAN 2 in the web UI seems to map to vlan1 on the command line.
I suspect my starting point is to do something like assign port 1 in the web UI to VLAN 3.
Can I achieve what I'm trying to do using just the web UI, or will I also need to resort to the command line as well? It's difficult for me to work out where to go next because some of the forum threads are quite old, and the evolution of the web UI suggests that some things that used to be done at the command line could now possibly be done using the web UI. Any advice moving forward would be appreciated.
Joined: 18 Mar 2014 Posts: 12885 Location: Netherlands
Posted: Mon Jan 11, 2021 18:35 Post subject:
Welcome at the forum.
Unfortunately it is impossible to help you at this moment because you do not share enough information.
VLANs are router dependent and without knowing your router model we can not steer you in the right direction.
Joined: 17 Dec 2019 Posts: 16 Location: Perth, Australia
Posted: Mon Jan 11, 2021 19:09 Post subject:
egc wrote:
Welcome at the forum.
Unfortunately it is impossible to help you at this moment because you do not share enough information.
VLANs are router dependent and without knowing your router model we can not steer you in the right direction.
Apologies for not making that clear enough. The details are in the first image. The DD-WRT router is a TP-Link ARCHER-C7 v4 (as recommended in the Wiki FAQ Which router should I buy? when I bought it in 2018). I thought it was running the latest beta firmware, but I got that wrong. I've since upgraded it from DD-WRT v3.0-r40559 std (08/06/19) to the current DD-WRT v3.0-r45385 std (01/09/21) for that model.
An updated default switch config screenshot and command-line output are supplied below.
do keep in mind this is a link to another router config, but basics are the same...
to learn how to do it for Atheros routers, i personally refereed to this thread...
once you learn it, its easy, but it will take time, patience, persistence, testing and understanding...
good luck...
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Keep in mind that as I work through this, I've reassigned the WAN port to a switch port and turned off wireless on the DD-WRT router. Wireless and WAN access are handled by a FRITZ!Box mesh network.
I don't fully understand what I'm seeing. For instance, it's unclear to me what the relationship is between the outputs of the nvram commands and the swconfig command. Nevertheless, moving on...
I try to relate what I'm seeing back to the TP-Link Archer C7 V4 hardware.
The swconfig command output shows 7 ports. Not sure what DD-WRT port 6 relates to in the context of the Visual Mapping Chart. Moving on...
My objective is to try to set up a VLAN on h/w port 2 (DD-WRT port 3) and subnet 10.1.3.0. These are the startup commands I used to configure VLAN3.
Code:
swconfig dev eth0 vlan 1 set ports "0t 2 4 5"
swconfig dev eth0 vlan 3 set ports "0t 3"
swconfig dev eth0 set enable_vlan 3
swconfig dev eth0 set apply
vconfig add eth0 3
ifconfig vlan3 10.1.3.1 /24
Configuration of VLAN3 networking...
Curiously, the instructions state that Masquerade / NAT should be Enabled, but there is no longer an option to do so on this screen.
After rebooting the DD-WRT router, I plug a laptop into port 2 and it gets an IP in the address range 10.1.3.x. Nice! I have Net Isolation from other subnets, however, the guide suggests that I should have access to the internet, but I don't.
Here are some troubleshooting steps I've taken:
I ran ifconfig on the DD-WRT router and noticed something odd.
On VLAN3, the mask is not what I expected. It appears CIDR notation (/24) hasn't worked. I change to using a netmask for the startup ifconfig command.
Code:
swconfig dev eth0 vlan 1 set ports "0t 2 4 5"
swconfig dev eth0 vlan 3 set ports "0t 3"
swconfig dev eth0 set enable_vlan 3
swconfig dev eth0 set apply
vconfig add eth0 3
ifconfig vlan3 10.1.3.1 netmask 255.255.255.0
Rebooting the router and checking the ifconfig output again shows that the VLAN3 mask is now correct.
Next step was to see if I could access a device in another subnet. I turned off Net Isolation and rebooted the router just to be sure.
I tried to access the FRITZ!Box at 10.1.1.1 from the laptop in the 10.1.3.0 subnet, but nothing. I can ping the 10.1.3.1 interface, but cannot ping anything outside the subnet. The Net Isolation toggle doesn't appear to have had any effect.
Chain INPUT (policy ACCEPT 991 packets, 66488 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 501 packets, 35424 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 501 packets, 35424 bytes)
pkts bytes target prot opt in out source destination
287 29927 MASQUERADE all -- * br0 10.1.3.0/24 0.0.0.0/0
This time, the internet burst into life from the laptop and I could access devices in other subnets. (I need to spend some time studying the iptables command. That was magical stuff!)
A little concerned that the Masquerade / NAT toggle was missing from the UI, though present, I thought I'd better check the NET Isolation toggle so I enabled that in the WebUI and rebooted.
After the reboot, I could still access devices in adjacent subnets as well as the internet. According to the guide, I should still expect to be able to access the internet, but not access devices in adjacent subnets. Does this suggest the NET Isolation toggle in the UI is 'broken'? If so, is it possible to work around this?
Joined: 18 Mar 2014 Posts: 12885 Location: Netherlands
Posted: Wed Jan 13, 2021 10:08 Post subject:
Workarounds are always possible; after all, the GUI is not much more than a shell to set commands.
But the missing options are worrying me also.
There has been a lot of work done on the GUI, so bugs are a real possibility (missing and invisible options galore)
Unfortunately I have no time to look into it or into the net isolation. About the net isolation: it should only isolate your new subnet/interface from br0 and from the router, but not from other subnets.
Joined: 17 Dec 2019 Posts: 16 Location: Perth, Australia
Posted: Wed Jan 13, 2021 11:04 Post subject:
egc wrote:
But the missing options are worrying me also.
Should I file a bug report?
egc wrote:
About the net isolation: it should only isolate your new subnet/interface from br0 and from the router, but not from other subnets.
Ah, I misunderstood what Net Isolation meant. Please ignore my comments on this.
I suspect I need a bunch of NAT rules to achieve my original objective of one-way access to 10.1.3.0 from other subnets, but not vice versa. I'll start to familiarise myself with the iptables command.
Joined: 17 Dec 2019 Posts: 16 Location: Perth, Australia
Posted: Sat Jan 16, 2021 11:25 Post subject:
So, this is how the DD-WRT router differs from the factory defaults.
1. The SPI firewall is disabled.
2. DNSMasq enabled as a DNS/DHCP server for the 10.1.1.0/24 subnet.
3. WAN switch port assigned to a LAN port.
4. Wireless is switched off.
5. DD-WRT router has IP address 10.1.1.2.
On the FRITZ!Box edge router:
1. Its IP address is 10.1.1.1.
2. Wireless is switched on and serving a FRITZ!Box mesh network.
3. A static route to the 10.1.3.1 network has been added.
On the DD-WRT router, I've added startup commands to create subnet 10.1.3.0/24 (VLAN3) and assign h/w ports 1 and 2 to it.
Code:
# Enable VLAN3.
swconfig dev eth0 set enable_vlan 3
# Logical LAN ports 2-5 map to h/w ports 1-4.
# Keep h/w ports 3 and 4 on main LAN (VLAN1).
swconfig dev eth0 vlan 1 set ports "0t 4 5"
# Keep h/w port 1 and 2 on VLAN3
swconfig dev eth0 vlan 3 set ports "0t 2 3"
# Apply changes made with the previous set commands
swconfig dev eth0 set apply
# Create the VLAN3 interface.
vconfig add eth0 3
# Assign network IP to the VLAN3 interface.
ifconfig vlan3 10.1.3.1 netmask 255.255.255.0
# Bring the interface up
ifconfig vlan3 up
Without adding any additional firewall rules to the DD-WRT router, from the 10.1.3.0 network, I can ping devices on the 10.1.3.0 and 10.1.1.0 networks. So far, so good.
The issue I'm seeing is that from the 10.1.1.0 network, I can ping the 10.1.3.1 interface, but I'm unable to ping any devices within the 10.1.3.0 network.
I added the following firewall rule, with no change to the outcome (after rebooting; powering off and back on after 30 secs).
Code:
iptables -I FORWARD -i vlan+ -o vlan+ -j ACCEPT
I'm missing something, but I'm not sure what it is. A fresh set of eyes would be helpful.
Joined: 17 Dec 2019 Posts: 16 Location: Perth, Australia
Posted: Sat Jan 16, 2021 20:23 Post subject:
Per Yngve Berg wrote:
This is wrong:
# Enable VLAN3.
swconfig dev eth0 set enable_vlan 3
It's a global option on the switch which is either enabled 1 or disabled 0. It's already enabled, so you do not need to enable it again.
Noted. I've removed it. Thanks for alerting me to this.
I hadn't realised how often the firmware is updated. It's been less than a week since I started this thread and there have been two firmware refreshes since then. I've updated to the most recent version dated (01/15/21).
Per Yngve Berg wrote:
Since you cannot ping clients on 10.1.3.0, you need a static route on the fritz-box.
route 1.1.3.0/24 via 10.1.1.2
I believe you meant 10.1.3.0
basilh wrote:
On the FRITZ!Box edge router:
3. A static route to the 10.1.3.1 network has been added.
Typo on my part. There is already a static route to the 10.1.3.0 network.
Per Yngve Berg wrote:
Since the router is not connected using the WAN port, the NAT rule by egc will not work.
I realised that and removed the NAT rule from the firewall. The startup and firewall commands I'm using are shown in the image below.
Note: With or without the firewall rule shown the behaviour is as follows:
From the 10.1.1.0 subnet, I can ping the 10.1.3.1 interface, but I'm unable to ping other devices in the 10.1.3.0 subnet.
From the 10.1.3.0 subnet, I can ping devices in both the 10.1.3.0 and 10.1.1.0 subnets.
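The one-way policy asked for in the first post (main LAN may reach the DVR VLAN, the DVR VLAN may not start anything towards the main LAN or the router) does not need NAT rules; it needs stateful filter rules in the FORWARD and INPUT chains. The script below is an added example for this thread, not code from any of the posters or from DD-WRT itself. It assumes the final layout described above: br0 is the 10.1.1.0/24 LAN bridge, vlan3 (created by `vconfig add eth0 3`) carries 10.1.3.0/24, the SPI firewall is off so the FORWARD policy is ACCEPT, and dnsmasq on the router hands out DHCP and DNS on vlan3. The chain names dvr_fwd and dvr_in, the `ipt` wrapper and the DRYRUN switch are this example's own inventions.

```shell
#!/bin/sh
# Added example (not from the thread): one-way access from the main LAN (br0)
# into the DVR VLAN (vlan3) on DD-WRT, using stateful FORWARD/INPUT rules.
# Intended for Administration > Commands > "Save Firewall".
# DRYRUN=1 prints the iptables commands instead of applying them.
MAIN_IF="${MAIN_IF:-br0}"        # 10.1.1.0/24 side (assumption: DD-WRT LAN bridge)
DVR_IF="${DVR_IF:-vlan3}"        # 10.1.3.0/24 side (interface from "vconfig add eth0 3")

ipt() {
    if [ "${DRYRUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

dvr_isolation_rules() {
    # Own chains so re-running the script is idempotent and does not
    # disturb whatever DD-WRT itself put into FORWARD/INPUT.
    ipt -N dvr_fwd 2>/dev/null
    ipt -F dvr_fwd
    ipt -N dvr_in 2>/dev/null
    ipt -F dvr_in

    # --- routed traffic (FORWARD) ---
    # 1. Replies to sessions opened from the main LAN may come back.
    ipt -A dvr_fwd -i "$DVR_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Anything the DVR VLAN tries to open itself is logged (rate limited)
    #    and dropped: this is the "not vice versa" part of the policy.
    ipt -A dvr_fwd -i "$DVR_IF" -m state --state NEW -m limit --limit 5/min \
        -j LOG --log-prefix "DVR-BLOCK:" --log-level 4
    ipt -A dvr_fwd -i "$DVR_IF" -j DROP
    # 3. New sessions from the main LAN into the DVR VLAN (web UI, RTSP, ...).
    ipt -A dvr_fwd -i "$MAIN_IF" -o "$DVR_IF" -j ACCEPT

    # --- traffic to the router itself (INPUT) ---
    # The DVR VLAN only gets DHCP and DNS from the router, nothing else.
    ipt -A dvr_in -i "$DVR_IF" -p udp --dport 67 -j ACCEPT
    ipt -A dvr_in -i "$DVR_IF" -p udp --dport 53 -j ACCEPT
    ipt -A dvr_in -i "$DVR_IF" -p tcp --dport 53 -j ACCEPT
    ipt -A dvr_in -i "$DVR_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # If the DVR must sync time, allow it explicitly here before the DROP, e.g.
    #   ipt -A dvr_in -i "$DVR_IF" -p udp --dport 123 -j ACCEPT
    ipt -A dvr_in -i "$DVR_IF" -j DROP

    # Hook both chains in front of everything already there (remove any
    # earlier hook first so a re-run does not stack duplicates).
    ipt -D FORWARD -j dvr_fwd 2>/dev/null
    ipt -I FORWARD 1 -j dvr_fwd
    ipt -D INPUT -j dvr_in 2>/dev/null
    ipt -I INPUT 1 -j dvr_in
}

# Apply on the router (DD-WRT has the nvram tool); elsewhere only with DRYRUN=1.
if [ "${DRYRUN:-0}" = "1" ] || command -v nvram >/dev/null 2>&1; then
    dvr_isolation_rules
fi
```

After saving it as the firewall script and rebooting, `iptables -L dvr_fwd -v -n` shows per-rule packet counters: a ping from 10.1.1.x to a 10.1.3.x host increments rule 3 on the way in and rule 1 on the way back, while a connection attempt from the DVR shows up on the DROP rule and as a "DVR-BLOCK:" line in the log. Because the DVR VLAN can no longer reach 10.1.1.1, it also loses internet access; that is intended by the policy in the first post, and the commented NTP line shows where a deliberate exception goes. Note that these rules only govern traffic that crosses the router; ICMP echo replies from a host can still be suppressed by that host's own firewall, which is worth checking separately when a ping into 10.1.3.0/24 fails even though the counters show the request being forwarded.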