XR500 VLAN

Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Tue Feb 02, 2021 21:12    Post subject: XR500 VLAN
Hi dd-wrt community, desperately looking for help!
I have an XR500 under DD-WRT v3.0-r45563 connected to a Netgear GS716Tv2 switch and a GWN7630 access point.

What I want to achieve:
I want to have a trunk carrying:
vlan1 (192.168.168.1/24),
vlan5 (192.168.5.1/24),
vlan6 (192.168.6.1/24)
on the router's port 1, which will be connected to the trunk on the switch, and create tagged SSIDs on the access point. I read probably every topic on the forum, but unfortunately I didn't manage to get VLANs to work even on the router.

I started by creating VLANs on the router to test that it actually works, but unfortunately it doesn't matter which port on the router I connect my laptop to; every time I receive a 192.168.168.* IP, as if nothing had been done at all.


What I have:

1) startup section:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1t 2 3 4 5t 6"
swconfig dev switch0 vlan 5 set ports "2t 5t"
swconfig dev switch0 vlan 6 set ports "3t 5t"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 set apply
vconfig add eth1 5
vconfig add eth1 6
ifconfig eth1.5 192.168.5.1 netmask 255.255.255.0
ifconfig eth1.6 192.168.6.1 netmask 255.255.255.0

2) swconfig:
VLAN 1:
vid: 1
ports: 1t 2 3 4 5t 6
VLAN 2:
vid: 2
ports: 0 5
VLAN 5:
vid: 5
ports: 2t 5t
VLAN 6:
vid: 6
ports: 3t 5t

3) ifconfig:
Link encap:Ethernet HWaddr 78:D2:94:41:1A:6F
inet addr:192.168.168.1 Bcast:192.168.168.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2783 errors:0 dropped:29 overruns:0 frame:0
TX packets:2714 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:394415 (385.1 KiB) TX bytes:1433177 (1.3 MiB)

eth0 Link encap:Ethernet HWaddr 78:D2:94:41:1A:70
inet addr:10.32.16.153 Bcast:10.32.31.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1820 errors:0 dropped:4 overruns:0 frame:0
TX packets:1569 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:690539 (674.3 KiB) TX bytes:528954 (516.5 KiB)
Interrupt:100

eth1 Link encap:Ethernet HWaddr 78:D2:94:41:1A:6F
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2818 errors:0 dropped:5 overruns:0 frame:0
TX packets:2740 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:436196 (425.9 KiB) TX bytes:1435013 (1.3 MiB)
Interrupt:101

eth1.5 Link encap:Ethernet HWaddr 78:D2:94:41:1A:6F
inet addr:192.168.5.1 Bcast:192.168.5.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:310 (310.0 B)

eth1.6 Link encap:Ethernet HWaddr 78:D2:94:41:1A:6F
inet addr:192.168.6.1 Bcast:192.168.6.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:310 (310.0 B)

4) routing table:
default 10.7.1.1 10 0 tun1
5.253.206.171 10.32.16.1 10 0 WAN
10.7.1.0/24 10 link 0 tun1 10.7.1.3
10.20.30.0/24 10 link 0 tun2 10.20.30.1
10.32.16.0/20 10 link 0 WAN 10.32.16.153
103.86.96.100 10.7.1.1 10 0 tun1
103.86.99.100 10.7.1.1 10 0 tun1
127.0.0.0/8 10 link 0 lo
192.168.5.0/24 10 link 0 eth1.5 192.168.5.1
192.168.6.0/24 10 link 0 eth1.6 192.168.6.1
192.168.168.0/24 10 link 0 LAN & WLAN 192.168.168.1
208.67.220.220 10.7.1.1 10 0 tun1
208.67.222.222 10.7.1.1 10 0 tun1
default 10.32.16.1 default 0 WAN
5.253.206.171 10.32.16.1 default 0 WAN
10.7.1.0/24 default link 0 tun1 10.7.1.3
10.20.30.0/24 default link 0 tun2 10.20.30.1
10.32.16.0/20 default link 0 WAN 10.32.16.153
103.86.96.100 10.7.1.1 default 0 tun1
103.86.99.100 10.7.1.1 default 0 tun1
127.0.0.0/8 default link 0 lo
192.168.5.0/24 default link 0 eth1.5 192.168.5.1
192.168.6.0/24 default link 0 eth1.6 192.168.6.1
192.168.168.0/24 default link 0 LAN & WLAN 192.168.168.1
208.67.220.220 10.7.1.1 default 0 tun1
208.67.222.222 10.7.1.1 default 0 tun1


P.S. @Per Yngve Berg, I hope you will come across this post.


Last edited by Impovich on Sat Feb 06, 2021 10:05; edited 4 times in total
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6132
Location: Romerike, Norway

PostPosted: Tue Feb 02, 2021 22:04
VLAN 5 and 6 do not have a CPU port included.

Port 0 = eth0
Port 6 = eth1
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Wed Feb 03, 2021 9:14
Per Yngve Berg wrote:
VLAN 5 and 6 do not have a CPU port included.

Port 0 = eth0
Port 6 = eth1


Thank you for the quick reply.

I tried to do like suggested in this thread before posting my question: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=325691&sid=aa9b75f2b1851b88614d8c6fc2a24c13

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1t 2 3 4 5t 6"
swconfig dev switch0 vlan 5 set ports "1t 2t 5t 6t"
swconfig dev switch0 vlan 6 set ports "1t 3t 5t 6t"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 set apply
vconfig add eth1 5
vconfig add eth1 6
ifconfig eth1.5 192.168.5.1 netmask 255.255.255.0
ifconfig eth1.6 192.168.6.1 netmask 255.255.255.0

The behavior was the same, as if nothing had changed. :(

Per Yngve Berg wrote:
Working example for the R7800:

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "3 4t 6"
swconfig dev switch0 vlan 3 set ports "1 2 4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 3
ifconfig eth1.3 192.168.3.1 netmask 255.255.255.0



Note that the processor port for LAN is 6, but 5 for the WAN

Port 6 is not tagged for VLAN1, but tagged for the other VLANs.

I have a managed switch on port 4, that's why it's tagged.


As I understand it, I can remove the t from port 5, as it is the WAN port.

So the config should be:

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1t 2 3 4 5 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 5 set ports "1t 2t 6t"
swconfig dev switch0 vlan 6 set ports "1t 3t 6t"
swconfig dev switch0 set apply
vconfig add eth1 5
ifconfig eth1.5 192.168.5.1 netmask 255.255.255.0
vconfig add eth1 6
ifconfig eth1.6 192.168.6.1 netmask 255.255.255.0

Physical port 1 (switch port 4) operates as a trunk for vlan1, vlan5, vlan6
Physical port 2 (switch port 3) for vlan5
Physical port 3 (switch port 2) for vlan6

Ports 3 and 2 are just for testing purposes, as port 1 should be connected to the managed switch. This is the first time I'm trying to do something like this; that's why I added ports 2 and 3 for testing, to check that DHCP actually works.
Will this command help
swconfig dev switch0 vlan 1 set vid 10
if I want vlan1 to have tag 10, or can I leave it as it is?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 4393
Location: UK, London, just across the river..

PostPosted: Wed Feb 03, 2021 17:57
XR500 is basically a reboxed R7800 running DumaOS;
very likely the switch could have a different layout, but for creating VLANs on Atheros routers the basics are the same..
Have a good read and look here; it may seem a messy thread, but all the info is there...
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=313472

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6132
Location: Romerike, Norway

PostPosted: Wed Feb 03, 2021 18:25
Port 1 is the one labeled 4 on the casing.
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Thu Feb 04, 2021 17:55
So I managed to make it work front to back with this config after I did the router reset.

swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 4t 5 6"
swconfig dev switch0 vlan 1 set vid 10
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 20 set ports "4t 6t"
swconfig dev switch0 vlan 30 set ports "4t 6t"
swconfig dev switch0 vlan 40 set ports "4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 20
ifconfig eth1.20 192.168.20.1 netmask 255.255.255.0
vconfig add eth1 30
ifconfig eth1.30 192.168.30.1 netmask 255.255.255.0
vconfig add eth1 40
ifconfig eth1.40 192.168.40.1 netmask 255.255.255.0

I changed the vid of vlan1 from 1 to 10 because the GWN7630 AP doesn't allow me to put 1 in the VLAN field; the minimum number is 2, it says. Without the VLAN specified for the default network I just can't connect to the WiFi; other VLANs over WiFi are working.

The last question, hopefully: when I connect to VLAN 10 (over WiFi or over the cable) I can ping and access everything except devices connected to the trunk, like the switch and the access point. Could someone point me in the right direction, please!
P.S. The router is accessible.
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Thu Feb 04, 2021 19:32
Looks like I solved it.
I returned vid 1 for vlan1 and made the 4th port untagged for vlan1. Now I can access every device on my main network, which is vlan1, and I don't need to specify a VLAN id for the WiFi that is supposed to work with VLAN 1 (I guess it is 1 by default; that is why I was not allowed to put 1 there).

swconfig dev switch0 vlan 1 set ports "1 2 3 4u 5 6"
swconfig dev switch0 vlan 1 set vid 1
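An added Python helper (mine, not code from the thread or from DD-WRT) that parses a swconfig VLAN map and flags the two pitfalls worked out above: a VLAN with no CPU port (Per Yngve Berg's first reply) and a trunk port that is only a tagged member, which is what the change from `4t` to `4u` fixed. It assumes switch ports 0 and 6 are the CPU ports, as stated in the thread, and uses the opening post's listing plus the post-reset `set ports` lines as constructed input.

```python
"""Check swconfig VLAN port maps for the two mistakes worked out in this thread:
a VLAN with no CPU port, and a trunk port that is a tagged member only."""
import re

CPU_PORTS = {"0", "6"}  # per the thread: switch port 0 = eth0 (WAN side), port 6 = eth1 (LAN side)

# Constructed inputs. FIRST_TRY is the swconfig listing from the opening post; RESET_CONFIG
# holds the `set ports` lines of the Feb 04 17:55 script (trunk port 4 tagged in every VLAN).
FIRST_TRY = """\
VLAN 1:
vid: 1
ports: 1t 2 3 4 5t 6
VLAN 2:
vid: 2
ports: 0 5
VLAN 5:
vid: 5
ports: 2t 5t
VLAN 6:
vid: 6
ports: 3t 5t
"""
RESET_CONFIG = """\
swconfig dev switch0 vlan 1 set ports "1 2 3 4t 5 6"
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 20 set ports "4t 6t"
swconfig dev switch0 vlan 30 set ports "4t 6t"
swconfig dev switch0 vlan 40 set ports "4t 6t"
"""

def parse_vlans(text):
    """Return {vid: [(port, tagged), ...]} from either a `swconfig dev switch0 show`
    style listing (vid:/ports: lines) or `swconfig ... vlan N set ports "..."` commands.
    A port with no suffix or a 'u' suffix is untagged; 't' is tagged."""
    vlans, vid = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*vid:\s*(\d+)", line) or re.match(r"^swconfig .*\bvlan (\d+) set ports", line)
        if m:
            vid = int(m.group(1))
        m = re.search(r"^\s*ports:\s*(.*)$", line) or re.search(r'set ports "([^"]*)"', line)
        if m and vid is not None:
            vlans[vid] = [(p.rstrip("tu"), p.endswith("t")) for p in m.group(1).split()]
    return vlans

def vlans_without_cpu_port(vlans):
    """VIDs whose member list contains neither CPU port: frames stay inside the switch
    and never reach the router's eth1.N interface (the first diagnosis in the thread)."""
    return sorted(v for v, ports in vlans.items() if not {p for p, _ in ports} & CPU_PORTS)

def tagged_only_ports(vlans):
    """Switch ports that are a tagged member of some VLAN but an untagged member of none.
    Untagged frames arriving on such a port (a switch's or AP's own management traffic,
    for instance) have no VLAN to land in; changing the trunk from '4t' to '4u' in vlan 1
    is what restored access to those devices later in the thread."""
    tagged, untagged = set(), set()
    for ports in vlans.values():
        for port, is_tagged in ports:
            (tagged if is_tagged else untagged).add(port)
    return sorted(tagged - untagged)

if __name__ == "__main__":
    for name, text in (("first try", FIRST_TRY), ("after reset", RESET_CONFIG)):
        v = parse_vlans(text)
        print(f"{name}: VLANs without CPU port {vlans_without_cpu_port(v)}, "
              f"tagged-only ports {tagged_only_ports(v)}")
```

On the router itself the same checks apply to the output of `swconfig dev switch0 show`, pasted in place of the constructed listing.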
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Thu Feb 04, 2021 20:22
Now I have got another two issues.
When I enable the VPN client I can't connect to my VLANs anymore, except eth1, which is vlan1.
The second issue is that my VLANs are on different subnets. Is it possible to make them see the DNS server, which is on the main network? Example: the main network is 192.168.168.1/24, vlan20 is 192.168.20.1/24,
and the DNS server is 192.168.168.5.

I have this in the firewall section

iptables -t nat -I POSTROUTING -s 10.20.30.0/24 -o $(get_wanface) -j MASQUERADE
iptables -I FORWARD -s 10.20.30.1/24 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.2/31 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.4/30 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.8/29 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.16/28 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.32/27 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.128/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.192/29 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.200/32 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.201 -o $(get_wanface) -m state --state NEW -j ACCEPT

and PBR section
10.20.30.1/24
192.168.20.1/24
192.168.168.2/31
192.168.168.4/30
192.168.168.8/29
192.168.168.16/28
192.168.168.32/27
192.168.168.64/26
192.168.168.128/26
192.168.168.192/29
192.168.168.200/32

DNSmasq
no-resolv
interface=tun2
server=208.67.222.222
server=208.67.220.220
dhcp-option=6,192.168.168.5
domain-needed
bogus-priv
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Fri Feb 05, 2021 22:03
Looks like I localized the connection issue to a VLAN.

I did the reset of the router one more time.

Configuration steps:
1) initial router setup
2) VLAN config added + DHCP config for every VLAN
3) VPN client configured
4) DNSmasq configured
5) Firewall rules added
6) VPN server configured
Everything was fine until step 7.
7) USB Core Support enabled, and BAM! I can't connect to my VLANs again.
Disabled and enabled USB Core Support a few more times, rebooted the router, of course. Once USB Core Support is disabled I can connect to my VLANs via cable or via WiFi, but when it is enabled I can't.
I have no idea how VLANs and USB Core Support correlate with each other, but they definitely do; there is an issue at least with this version, v3.0-r45563.

Found this thread: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217997&sid=aea555bc9edd6531ea4ba704f648752f
but unfortunately there is no solution.
BTW, WiFi is disabled on the router.
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Sat Feb 06, 2021 18:37
Tried to set up the router one more time.
Reboot after each step.
1) Reset
2) Enabled USB Core Support
3) Added VLAN commands:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 3 4u 5 6"
swconfig dev switch0 vlan 1 set vid 1
swconfig dev switch0 vlan 2 set ports "0 5"
swconfig dev switch0 vlan 20 set ports "4t 6t"
swconfig dev switch0 vlan 30 set ports "4t 6t"
swconfig dev switch0 vlan 40 set ports "4t 6t"
swconfig dev switch0 set apply
vconfig add eth1 20
ifconfig eth1.20 192.168.20.1 netmask 255.255.255.0
vconfig add eth1 30
ifconfig eth1.30 192.168.30.1 netmask 255.255.255.0
vconfig add eth1 40
ifconfig eth1.40 192.168.40.1 netmask 255.255.255.0
4) DNSmasq config
no-resolv
interface=tun2,eth1.20,eth1.30,eth1.40
server=208.67.222.222
server=208.67.220.220
cache-size=10000
domain-needed
bogus-priv

dhcp-option=6,192.168.168.5
dhcp-range=eth1.20,192.168.20.128,192.168.20.191,255.255.255.0,72h
dhcp-option=eth1.20,3,192.168.20.1
dhcp-option=eth1.20,6,208.67.222.222

dhcp-range=eth1.30,192.168.30.128,192.168.30.191,255.255.255.0,72h
dhcp-option=eth1.30,3,192.168.30.1
dhcp-option=eth1.30,6,208.67.222.222

dhcp-range=eth1.40,192.168.40.128,192.168.40.191,255.255.255.0,72h
dhcp-option=eth1.40,3,192.168.40.1
dhcp-option=eth1.40,6,208.67.222.222

local=/home.lan/
expand-hosts
dhcp-host=AC:37:43:E0:A8:78,pixel
dhcp-host=40:16:3B:7B:11:43,tv2
dhcp-host=00:1B:9C:0C:73:9C,security
dhcp-host=00:18:AE:B4:9E:7E,surveillance
dhcp-host=E0:3F:49:F1:91:12,ap
dhcp-host=E8:18:63:C6:E3:CF,laser-egg
dhcp-host=40:31:3C:A8:5C:6C,vacuum-cleaner
dhcp-host=C8:93:46:75:8C:00,heating-controller-1
dhcp-host=C8:93:46:75:9E:23,heating-controller-2
dhcp-host=18:69:D8:90:DE:0A,shutter-kitchen
dhcp-host=18:69:D8:90:E1:D7,shutter-dr-exit

dhcp-host=02:42:79:01:E4:59,192.168.168.5
dhcp-host=C0:3F:D5:69:DB:14,192.168.168.10
dhcp-host=C0:74:AD:28:3E:B8,192.168.168.3
dhcp-host=04:A1:51:99:C4:70,192.168.168.20
dhcp-host=BC:60:A7:A0:EC:27,192.168.168.201

address=/plex.server.home.lan/192.168.168.10
address=/traefik.server.home.lan/192.168.168.10
address=/transmission.server.home.lan/192.168.168.10
address=/portainer.server.home.lan/192.168.168.10
address=/server.home.lan/192.168.168.10
address=/pihole.home.lan/192.168.168.5
address=/ap-1.home.lan/192.168.168.2
address=/ap-2.home.lan/192.168.168.3
address=/main-switch.home.lan/192.168.168.20

And again I can't connect to my VLANs until I disable USB Core Support. I think it is a bug. I would appreciate it if someone who stumbled upon the same issue and found a workaround could share it here.

EDIT:
Noticed that the DNSmasq commands for the VLANs' DHCP don't work:
dhcp-range=eth1.20,192.168.20.128,192.168.20.191,255.255.255.0,72h
dhcp-option=eth1.20,3,192.168.20.1
dhcp-option=eth1.20,6,208.67.222.222

dhcp-range=eth1.30,192.168.30.128,192.168.30.191,255.255.255.0,72h
dhcp-option=eth1.30,3,192.168.30.1
dhcp-option=eth1.30,6,208.67.222.222

dhcp-range=eth1.40,192.168.40.128,192.168.40.191,255.255.255.0,72h
dhcp-option=eth1.40,3,192.168.40.1
dhcp-option=eth1.40,6,208.67.222.222

Had to configure the VLANs manually, which is sad.
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Sat Feb 06, 2021 21:33
One more issue I have got.
I have different air sensors. I moved them to the IoT VLAN and reconfigured them. Now I can't manage them, even though I see all the readings. I'm getting "Please connect to the same WIFI network as your device to manage its settings". I added them using the IoT WiFi network, and when I'm trying to manage them I am also connected to the IoT WiFi. I suppose it has something to do with the firewall rules, but I really have no idea how to solve it yet, as I'm a complete noob in iptables, and again I'm not sure that my guess is correct.
Desperately looking for help.
Impovich
DD-WRT Novice


Joined: 12 Feb 2020
Posts: 14

PostPosted: Sun Feb 07, 2021 21:58
As for the VLANs not working when USB Core Support is enabled: somehow the rules disappear from iptables. See attachment.

I decided to try adding the rules manually, which actually helped, and now I can connect to my VLANs while having USB Core Support enabled.

I would appreciate it if someone could verify my DNSMasq and Firewall rules configs and tell me what could be wrong there.

I have access to every VLAN from every VLAN. Only eth1 and eth1.20 should have such a privilege.

DNSMasq
no-resolv
interface=tun2,eth1.20,eth1.30,eth1.40
server=208.67.222.222
server=208.67.220.220
cache-size=10000
dhcp-option=6,192.168.168.5
domain-needed
bogus-priv

#VPN_free
dhcp-range=eth1.20,192.168.20.128,192.168.20.191,255.255.255.0,72h
dhcp-option=eth1.20,3,192.168.20.1
# the original paste had eth1.30 here; this is the VPN_free block, so the DNS option belongs to eth1.20
dhcp-option=eth1.20,6,208.67.222.222

#IoT
dhcp-range=eth1.30,192.168.30.128,192.168.30.191,255.255.255.0,72h
dhcp-option=eth1.30,3,192.168.30.1
dhcp-option=eth1.30,6,208.67.222.222

#Guest
dhcp-range=eth1.40,192.168.40.128,192.168.40.191,255.255.255.0,72h
dhcp-option=eth1.40,3,192.168.40.1
dhcp-option=eth1.40,6,208.67.222.222

local=/home.lan/
expand-hosts
dhcp-host=AC:37:43:E0:A8:78,pixel
dhcp-host=40:16:3B:7B:11:43,tv2
dhcp-host=00:1B:9C:0C:73:9C,security
dhcp-host=00:18:AE:B4:9E:7E,surveillance
dhcp-host=E0:3F:49:F1:91:12,ap
dhcp-host=E8:18:63:C6:E3:CF,laser-egg
dhcp-host=40:31:3C:A8:5C:6C,vacuum-cleaner
dhcp-host=C8:93:46:75:8C:00,heating-controller-1
dhcp-host=C8:93:46:75:9E:23,heating-controller-2
dhcp-host=18:69:D8:90:DE:0A,shutter-kitchen
dhcp-host=18:69:D8:90:E1:D7,shutter-dr-exit

dhcp-host=02:42:79:01:E4:59,192.168.168.5
dhcp-host=C0:3F:D5:69:DB:14,192.168.168.10
dhcp-host=C0:74:AD:28:3E:B8,192.168.168.3
dhcp-host=04:A1:51:99:C4:70,192.168.168.20
dhcp-host=BC:60:A7:A0:EC:27,192.168.168.201

address=/plex.server.home.lan/192.168.168.10
address=/traefik.server.home.lan/192.168.168.10
address=/transmission.server.home.lan/192.168.168.10
address=/portainer.server.home.lan/192.168.168.10
address=/server.home.lan/192.168.168.10
address=/pihole.home.lan/192.168.168.5
address=/ap-1.home.lan/192.168.168.2
address=/ap-2.home.lan/192.168.168.3
address=/main-switch.home.lan/192.168.168.20
rebind-domain-ok=/404-home.com/
rebind-domain-ok=/plex.direct/
rebind-domain-ok=/plex.tv/

Firewall rules
iptables -I INPUT -i eth1.20 -m state --state NEW -j ACCEPT
iptables -I INPUT -i eth1.20 -j ACCEPT
iptables -I INPUT -i eth1.30 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT -i eth1.30 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1.30 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1.30 -m state --state NEW -j REJECT
iptables -I INPUT -i eth1.30 -j ACCEPT
iptables -I INPUT -i eth1.40 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT -i eth1.40 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1.40 -p tcp -m tcp --dport 53 -j ACCEPT
iptables -I INPUT -i eth1.40 -m state --state NEW -j REJECT
iptables -I INPUT -i eth1.40 -j ACCEPT

iptables -I FORWARD -i eth1 -o eth1.20 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1 -o eth1.30 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1 -o eth1.40 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.20 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1.30 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1.40 -m state --state NEW -j ACCEPT

# as posted this line had two -i options (-i eth1 -i eth1.20), which iptables refuses to load;
# eth1.20 -> eth1 is the only pair missing from the set below, so that is assumed to be the intent
iptables -I FORWARD -i eth1.20 -o eth1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1.20 -o eth1.30 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.20 -o eth1.40 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.30 -o eth1 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.30 -o eth1.20 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.30 -o eth1.40 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.40 -o eth1 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.40 -o eth1.20 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.40 -o eth1.30 -m state --state NEW -j REJECT


iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE

iptables -I FORWARD -s 10.20.30.0/24 -o $(get_wanface) -m state --state NEW -j REJECT

iptables -I FORWARD -s 192.168.40.1/24 -o $(get_wanface) -m state --state NEW -j REJECT

iptables -I FORWARD -s 192.168.168.2/31 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.4/30 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.8/29 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.16/28 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.32/27 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.64/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.128/26 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.201 -o $(get_wanface) -m state --state NEW -j ACCEPT
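To check the FORWARD rules above offline, here is an added Python script (mine, not from the thread or from DD-WRT) that replays the posted `iptables -I FORWARD` lines in the order the kernel evaluates them and reports which rule a given new flow hits first. It assumes `$(get_wanface)` resolves to eth0 (the WAN interface in the earlier ifconfig output); the 192.168.168.x kill-switch lines and the 10.20.30.0/24 line are left out for brevity, and the line with two `-i` options is kept as originally posted to show that iptables refuses it.

```python
"""Replay the thread's `iptables -I FORWARD ...` rules in kernel evaluation order (each -I
pushes to the TOP, so the script's last line is checked first) and report which rule a flow hits."""
import ipaddress
import shlex
WAN_IF = "eth0"  # assumption: $(get_wanface) resolves to eth0, the WAN interface in the ifconfig output

# Constructed from the FORWARD lines of the Feb 07 post, abridged (kill-switch lines omitted);
# line 7 is kept exactly as posted, with two -i options.
RULES_SCRIPT = """\
iptables -I FORWARD -i eth1 -o eth1.20 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1 -o eth1.30 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1 -o eth1.40 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.20 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1.30 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1.40 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1 -i eth1.20 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i eth1.20 -o eth1.30 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.20 -o eth1.40 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.30 -o eth1 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.30 -o eth1.20 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.30 -o eth1.40 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.40 -o eth1 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.40 -o eth1.20 -m state --state NEW -j REJECT
iptables -I FORWARD -i eth1.40 -o eth1.30 -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.40.1/24 -o $(get_wanface) -m state --state NEW -j REJECT
iptables -I FORWARD -s 192.168.168.201 -o $(get_wanface) -m state --state NEW -j ACCEPT
"""

def parse_rule(line):
    """Reduce one command to the matches simulated here (-i, -o, -s, --state) plus its -j
    target; raise where iptables itself would refuse it, e.g. a second -i on one rule."""
    toks = shlex.split(line.replace("$(get_wanface)", WAN_IF))
    keys = {"-i": "in", "-o": "out", "-s": "src", "--state": "state", "-j": "target"}
    rule = {}
    for opt, val in zip(toks, toks[1:]):
        key = keys.get(opt)
        if key is None:
            continue
        if key in rule:
            raise ValueError(f"duplicate {opt} in: {line.strip()}")
        rule[key] = ipaddress.ip_network(val, strict=False) if key == "src" else val
    return rule

def build_chain(script):
    """Return (chain, errors): chain is [(script line no, rule)] top-down as the kernel sees
    it; errors are the commands iptables would have rejected, which therefore never loaded."""
    chain, errors = [], []
    for n, line in enumerate(script.splitlines(), 1):
        if not line.strip():
            continue
        try:
            chain.insert(0, (n, parse_rule(line)))  # -I: newest rule goes on top
        except ValueError as exc:
            errors.append(str(exc))
    return chain, errors

def first_match(chain, in_if, out_if, src, state="NEW"):
    """Walk the chain top-down; return (script line no, target) of the first matching rule,
    or (None, "fallthrough") when none of these rules match the flow."""
    pkt = {"in": in_if, "out": out_if, "state": state}
    ip = ipaddress.ip_address(src)
    for n, rule in chain:
        if any(rule.get(k) not in (None, v) for k, v in pkt.items()):
            continue
        if "src" in rule and ip not in rule["src"]:
            continue
        return n, rule["target"]
    return None, "fallthrough"

if __name__ == "__main__":
    chain, errors = build_chain(RULES_SCRIPT)
    print("rejected by iptables:", errors)
    for flow in (("eth1", "eth1.20", "192.168.168.100"), ("eth1.30", "eth1.20", "192.168.30.7")):
        print(flow, "->", first_match(chain, *flow))
```

A "fallthrough" result means none of the posted rules decided the flow, so DD-WRT's own FORWARD rules below them do.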