Posted: Wed Apr 14, 2021 0:46 Post subject: Guest and IoT iptables for DNS, FTP and Web access
Old Subject: Firewall/iptables performance/slowness
I have just installed dd-wrt on my DLink DIR-860LA router for the first time.
I had it running for some days and things were fine.
Last weekend, I created two VAPs (wl0.1 and wl0.2) on my 2GHz interface (wl0), using wl0.1 for guest network and wl0.2 for my Automation devices. What I want to achieve is:
Guests (on 192.168.2) should have internet access but no access to main network (isolation works well). But:
* Sometimes guests want to transfer files so I want to allow all access to guests from one machine.
* I want my DNS server on main LAN to be the DNS server for all guests.
Automation devices (on 192.168.3.96-159) should have no access to main network and most of the IPs on Automation subnet should not have internet. But
* A small set of IPs (192.168.3.96-111) can have internet access just in case some IoT devices cannot work without internet.
* One computer on my main LAN (192.168.1.105) should have full access to Automation devices so that I could login/configure etc.
* Automation devices should have FTP access to one IP on main LAN (192.168.1.102) so that they could upload alerts/info.
* I want my DNS server on main LAN to be the DNS server for Automation devices.
So in order to achieve this, I did
AP Isolation and Net Isolation for Guest VAP
AP Isolation only for Automation network (blocking all access via iptables)
But since adding VAPs, I am experiencing slower network. When I open any website in a browser, it takes a second to connect and then follow up pages load fine. This makes me guess that iptables/firewall is slowing the router down.
Has anyone tried and achieved anything similar using iptables ? Any suggestions to speed up iptables or to debug/diagnose iptables' performance ? (One thing I am thinking of trying is to use multiport match)
Slowness turned out to be my DNS server. My DNS server was misconfigured and was not able to forward upstream. Now that issue is solved.
But I would still seek any advice anyone may have for iptables for Guest and Automation networks and if anyone has suggestions on performance measurement tools/tips for dd-wrt in general or iptables.
Thanks, that helps. I had read the iptables wiki page but the example you posted is a good validation.
A lot of forum posts are talking about VLANs rather than VAPs. I was thinking of going VAP route, for two reasons 1) it does not reserve a physical port on my router for Guest and IoT 2) R8500 WebUI port assignment is not fully functional I read somewhere. Is there an advantage to going VLAN (br1) route that I am missing, as compared to VAP (wl0.1) ? I could still write my firewall rules on wl0.1 rather than br1.
