Posted: Sat Jun 19, 2021 10:28 Post subject: Port-Based VLANs and Net Isolation
Hi,
About "Version 1: Port Based VLANs (Generic)" can't we just create the VLANs and then under Networking enable "Net isolation"?
From my understanding, and this post, it seems to do the same as the above rules:
Quote:
The problem w/ Net Isolation is that its only intent is to block traffic between network interfaces on the *LAN* side of that router. Clients always have access to the WAN for internet purposes.
I didn't back-track to see if the other thread you linked had any bearing on wiki updates, but we are trying to keep the wikis updated for a single point of reference. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Quote:
I didn't back-track to see if the other thread you linked had any bearing on wiki updates, but we are trying to keep the wikis updated for a single point of reference.
I posted on that thread precisely because I wanted to see if anyone had an opinion about the suggestions of that article vs. the "Net isolation" option. It looks like "Net isolation" was introduced way after the posts / wiki page.
But thanks anyways.
Note: I followed the guide/posts and it does work, I was just wondering the differences between that guide and the option. _________________ 1x Netgear R7800 (latest); 3x Netgear R7000 (latest); 2x Asus RT-N16 (v3.0-r47656); 2x Fonera 2100 (v3.0-r45454).
Joined: 08 May 2018 Posts: 14126 Location: Texas, USA
Posted: Sat Jun 19, 2021 13:28 Post subject:
This firmware is in constant development and evolution and sometimes new features are not necessarily documented in wikis and such, but you found a newer thread that discusses it, per your post. Perhaps the wiki needs updating again, but at least people can comment here still.
Additionally, considering a Netgear R7000 with this setup:
Why is it that the rule:
Code:
iptables -I FORWARD -i vlan3 -o vlan1 -j DROP
Isn't enough to block devices on vlan3 from accessing devices in other VLANs:
Code:
> ping 172.21.1.5
Pinging 172.21.1.5 from 172.21.1.77 with 32 bytes of data:
Reply from 172.21.1.5: bytes=32 time=3ms TTL=64
Reply from 172.21.1.5: bytes=32 time=73ms TTL=64
Reply from 172.21.1.5: bytes=32 time=83ms TTL=64
It seems to me like there's some stuff around the dd-wrt/r7000 iptables and VLANs. Or is it that the traffic is flowing using br0, thus iptables can't track the output interface?
Code:
iptables -I FORWARD -i vlan3 -o br0 -j DROP
Doesn't seem to work either.
My idea there was to be able to use the main router DHCP server in both vlan1 and vlan3 but make sure any device on port 4 (vlan3) can't communicate with devices in other ports (vlan1).
If you want isolation, unbridge vlan3, set its IP address and enable net isolation.
On the bottom of that same page add a dhcp server for vlan3
Yeah that works, however my idea was to be able to use the main router DHCP server / subnet in both vlan1 and vlan3 but make sure any device on port 4 (vlan3) can't communicate with devices in other ports (vlan1).
Joined: 04 Aug 2018 Posts: 1446 Location: Appalachian mountains, USA
Posted: Tue Jun 29, 2021 14:44 Post subject:
I'm not following this discussion closely, so forgive me if I've missed the boat here, but fwiw...
Communication between devices connected to the same bridge (via that bridge's various interfaces) never even reaches the firewall. The bridge is a simple way to bypass all that for such communication. The firewall is only going to be able to regulate communication between bridges and/or unbridged interfaces. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
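The point made in this reply can be checked mechanically before writing any rule: if the `-i` and `-o` interfaces of an iptables FORWARD rule are ports of the same bridge, the frames are forwarded at layer 2 and the FORWARD chain never sees them, and a bridge port named with `-i` is presented to netfilter as the bridge device, not the port. The following POSIX shell script is an added example, not code from any poster or from DD-WRT itself; it parses `brctl show`-style output and reports why a given rule can or cannot match. The bridge table is constructed for the example and assumes vlan1 and vlan3 are both ports of br0 (the layout the thread describes) plus a second bridge br1 for contrast.

```shell
#!/bin/sh
# Constructed `brctl show` output (assumption for this example, not captured
# from the poster's R7000): vlan1, vlan3 and ath0 are ports of br0, vlan2 of br1.
# brctl prints extra ports of a bridge on continuation lines holding only the
# port name, so the parser remembers the last bridge name seen in column 1.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000000       no              vlan1
                                                        vlan3
                                                        ath0
br1             8000.000000000001       no              vlan2'

# bridge_of IFACE: print the bridge IFACE belongs to, or nothing if it is not
# a bridge port (e.g. an unbridged VLAN interface or a bridge device itself).
bridge_of() {
    printf '%s\n' "$SAMPLE_BRCTL" | awk -v want="$1" '
        NR == 1 { next }                         # column header line
        NF == 3 { bridge = $1; iface = "" }      # bridge with no ports
        NF >= 4 { bridge = $1; iface = $4 }      # first port of a bridge
        NF == 1 { iface = $1 }                   # continuation line: another port
        iface == want { print bridge; exit }
    '
}

# check_forward_rule IN OUT: classify an "iptables -A FORWARD -i IN -o OUT" rule.
#   unreachable-same-bridge : IN and OUT are ports of one bridge; the bridge
#                             switches those frames and FORWARD never runs.
#   unreachable-port-name   : IN or OUT is a bridge port; routed traffic from or
#                             to it carries the bridge name (br0), so a rule
#                             naming the port itself never matches.
#   ok                      : both names are routed interfaces netfilter can see
#                             (bridge devices or unbridged interfaces).
check_forward_rule() {
    in_br=$(bridge_of "$1")
    out_br=$(bridge_of "$2")
    if [ -n "$in_br" ] && [ "$in_br" = "$out_br" ]; then
        echo unreachable-same-bridge
    elif [ -n "$in_br" ] || [ -n "$out_br" ]; then
        echo unreachable-port-name
    else
        echo ok
    fi
}

# Demo: the two rules tried in the thread, and a rule between two routed devices.
for pair in "vlan3 vlan1" "vlan3 br0" "br0 br1"; do
    set -- $pair
    printf 'iptables -I FORWARD -i %s -o %s -j DROP : %s\n' "$1" "$2" \
        "$(check_forward_rule "$1" "$2")"
done
```

Both rules from the thread come back as unreachable, which is exactly why the pings kept succeeding: nothing netfilter evaluates ever carries `vlan3` as an interface name while vlan3 is a member of br0. Once vlan3 is unbridged, `bridge_of vlan3` returns nothing and a rule between br0 and vlan3 is reported as `ok`.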
Quote:
I'm not following this discussion closely, so forgive me if I've missed the boat here, but fwiw...
Communication between devices connected to the same bridge (via that bridge's various interfaces) never even reaches the firewall. The bridge is a simple way to bypass all that for such communication. The firewall is only going to be able to regulate communication between bridges and/or unbridged interfaces.
Okay, that works as confirmation of my initial suspicion.
If I add vlan1 and vlan3 as two different unbridged interfaces, do you have any ideas on how I can use the main router DHCP server / subnet in both bridges but make sure any device on port 4 can't communicate with devices in other ports?