Struggling with Isolations

beerdini
DD-WRT Novice


Joined: 22 Jun 2021
Posts: 1

Posted: Tue Jun 22, 2021 2:11    Post subject: Struggling with Isolations
This past weekend I updated and renovated my DD-WRT router, which is an Asus RT-N66U (Broadcom BCM5300 chip r1), but am struggling with AP and Net Isolation, trying to get things working how in my mind I'd like them to be.

First of all I have the DD-WRT SSID remote access disabled, so I can only manage the admin interface while connected to that SSID.

Next I made 3 more SSIDs for my Private, IoT and Guest wireless networks. Each network was originally set up with:
SSID Broadcast: Enable
AP Isolation: Enable *
Network Configuration: Unbridged
Multicast Forwarding: Disable
Masquerade/NAT: Enable
Filter WAN NAT Redirection: Disable
Net Isolation: Disable
Forced DNS Redirection: Enable
Optional DNS Target/IP Address/Subnet: set unique for each network

*I ended up changing this for my IoT network so streaming devices could see and communicate with each other.

This completed step 1, reconfiguring my AP so these 3 types of systems had isolated environments. Next I moved into setting up a PiHole and that is where I'm lost. PiHole setup completed successfully and I wanted to put the traffic from Private and IoT through it.

I found that putting it on any individual SSID, it was only accessible by that SSID due to what I thought was Net Isolation, even though I turned it off and still couldn't access it from outside of the SSID's network. I even tried making another Virtual Interface with a barebones config and I couldn't get anything other than test systems I also put on the subnet to talk to it.

Ideally, I would like to set it up in an accessible location for these 2 networks to direct their DNS to but I can't seem to figure out where or how to place it so I can do this. Any advice is greatly appreciated.

After I can figure this out, my final phase is to set up at least the Private SSID to use an always on VPN at the router level, but that is a post for another day.
foz111
DD-WRT Guru


Joined: 01 Oct 2017
Posts: 704
Location: Earth

Posted: Tue Jun 22, 2021 7:51
I am far from an expert, but it sounds to me like you need some firewall rules so that from your LAN you can reach your IoT SSID etc. and then allow them access to the Pi.
Change the IP below to your Pi's, paste into Commands and Save Firewall; change to suit your bridges.

Code:
# Give br1 (or other bridges) access to pi-hole/allow access to br1 from br0 but not the other way.
iptables -I FORWARD -i br1 -o br0 -p tcp -d 192.168.x.x --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -p udp -d 192.168.x.x --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -o br+ -j ACCEPT # optional
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Stop guest router access UI
iptables -I INPUT -i br1 -p tcp --dport 80 -m state --state NEW -j REJECT
# Give guest network WAN
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE

Hope this helps, or gets you a little further.

_________________
Netgear R7800 PPPoE Main Router
Network IPV4 - Isolated Vlan's with IoT Devices. Unifi AC-Pro x 3 AP's, Router Wi-Fi Disabled. OVPN Server With Paid Commercial Wireguard Client's. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-Hole DNS & Running Unbound.

No one can build you the bridge on which you, and only you, must cross the river of life!
mac913
DD-WRT Guru


Joined: 02 May 2008
Posts: 1848
Location: Canada

Posted: Tue Jun 22, 2021 16:05
Some rules I use that you can "play" with...
Code:
# BR1 is isolated; it can only access DNS & DHCP on the router itself
# Make sure the ESTABLISHED,RELATED rule stays at position 1 (these insert at position 2)
iptables -I INPUT 2 -i br1 -m state --state NEW -j DROP
iptables -I INPUT 2 -i br1 -p icmp -j ACCEPT
iptables -I INPUT 2 -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
# Force BR1 DNS requests to the local server (example: BR1 is 192.168.2.0/24)
iptables -t nat -I PREROUTING -p udp -s 192.168.2.0/24 --dport 53 -j DNAT --to 192.168.2.1:53
iptables -t nat -I PREROUTING -p tcp -s 192.168.2.0/24 --dport 53 -j DNAT --to 192.168.2.1:53
# If BR1 has IPv6 Access Force DNS Servers (example using Quad9 IPv6 DNS Server)
ip6tables -t nat -D PREROUTING -p udp -i br1 --dport 53 -j DNAT --to [2620:fe::9]:53
ip6tables -t nat -D PREROUTING -p tcp -i br1 --dport 53 -j DNAT --to [2620:fe::9]:53
ip6tables -t nat -I PREROUTING -p udp -i br1 --dport 53 -j DNAT --to [2620:fe::9]:53
ip6tables -t nat -I PREROUTING -p tcp -i br1 --dport 53 -j DNAT --to [2620:fe::9]:53

_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9

Off Site 1

R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4

Off Site 2

R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531


YAMon 3.4.6 | DNSCrypt-Proxy V2
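Putting the two replies together, here is an added example (not either poster's code, and not anything shipped by DD-WRT) that builds the rules letting isolated bridges reach a Pi-hole on br0 for DNS only, drops everything else they send toward br0, and forces their DNS lookups to the Pi-hole. It assumes a hypothetical Pi-hole at 192.168.1.10 on br0 and client bridges br1 and br2; substitute the real interface names on your router (an unbridged virtual interface may show up as wl0.1 rather than a bridge).

```shell
#!/bin/sh
# Added example (not from the thread): DD-WRT firewall rules that let isolated
# bridges reach a Pi-hole on br0 for DNS only, and force their DNS there.
# Assumptions (hypothetical): Pi-hole at 192.168.1.10 on br0; client bridges br1, br2.
# Dry-run by default (rules are printed); set APPLY=1 on the router to execute them.

PIHOLE_IP="${PIHOLE_IP:-192.168.1.10}"
CLIENT_BRS="${CLIENT_BRS:-br1 br2}"

# Emit rules for one isolated bridge. Every rule uses -I, so the LAST one emitted
# ends up on top: the DROP goes in first, then the two DNS ACCEPTs land above it,
# so the bridge can reach port 53 on the Pi-hole and nothing else on br0.
pihole_rules() {
    br="$1"; ip="$2"
    cat <<EOF
iptables -I FORWARD -i $br -o br0 -j DROP
iptables -I FORWARD -i $br -o br0 -p udp -d $ip --dport 53 -j ACCEPT
iptables -I FORWARD -i $br -o br0 -p tcp -d $ip --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i $br -p udp --dport 53 -j DNAT --to-destination $ip:53
iptables -t nat -I PREROUTING -i $br -p tcp --dport 53 -j DNAT --to-destination $ip:53
EOF
}

# Replies from the Pi-hole (br0 -> brN) must match the state rule before anything
# else; deleting and re-inserting it after the bridge rules keeps it at position 1.
state_rules() {
    cat <<EOF
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Full rule set for all client bridges, in the order it must be executed.
all_rules() {
    for br in $CLIENT_BRS; do pihole_rules "$br" "$PIHOLE_IP"; done
    state_rules
}

if [ "${APPLY:-0}" = "1" ]; then
    all_rules | while IFS= read -r rule; do $rule; done
else
    all_rules
fi
```

The DNAT lines do what the GUI's Forced DNS Redirection does for a single target, so disable that option for these SSIDs (or point it at the Pi-hole) rather than running both.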