R7000: Subnet/Net Isolation Ineffective

idlehands
DD-WRT Novice


Joined: 09 Nov 2012
Posts: 12

PostPosted: Fri May 20, 2022 6:27    Post subject: R7000: Subnet/Net Isolation Ineffective
R7000 Build 48810
LAN Gateway: 10.13.13.1
NetLink2.4 Gateway: 10.13.15.1
NetLink5 Gateway: 10.13.17.1

I am no networking expert, but it seems to me that I should be able to create a wifi network isolated from the LAN by removing the wl0 interface, for example, from br0 and assigning it to its own subnet. I did just that via the web GUI (without creating a VAP) and found I can still ping devices on the LAN from devices on wl0. Should this be the case? I also enabled NetIsolation and the subnets were still reachable from one another. Is this behavior to be expected?

I have attached the outputs of:
ip -L
brctl show
iptables -L
WebUI - Networking
WebUI - Wireless

_________________
Netgear R7000 Updated ≈ Monthly
Wireguard, PBR, VAP
Adblocking & Authoritative, Validating, Recursive Caching DNS Server with DNSSEC via Unbound Verified with ddwrt-dns-monitor.sh and dig

Tutorial: How to monitor DNS traffic in real-time
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Fri May 20, 2022 19:57    Post subject:
Read this post and the screenshots.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1260059#1260059

works no matter if 2.4 or 5G radio

You can essentially do same without creating a VAP, but TBH it works wonderfully well as is for me.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)


Last edited by the-joker on Sat May 21, 2022 13:15; edited 1 time in total
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Fri May 20, 2022 20:07    Post subject:
I think some people may not be aware of all the places the associated configurations apply. You can also do this with bridged interfaces, but a few more steps are required in proper order.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Fri May 20, 2022 20:10    Post subject:
Exactly how did you check reachability across the IP networks?

If you only checked the router itself on those IP networks, NetIsolation (afaik) will NOT prevent access. IOW, NetIsolation is for all devices OTHER THAN the router. For the router itself, you would have to create additional firewall rules.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
idlehands
DD-WRT Novice


Joined: 09 Nov 2012
Posts: 12

PostPosted: Sat May 21, 2022 4:40    Post subject:
Quote:
Exactly how did you check reachability across the IP networks?


I used the Pythonista StaSh shell on my iPhone to ping my PC connected via LAN (after allowing ICMP through firewalld).

Code:
ping.py -c 10 10.xx.xx.xx

idlehands
DD-WRT Novice


Joined: 09 Nov 2012
Posts: 12

PostPosted: Sat May 21, 2022 4:55    Post subject:
Quote:
Read this post and the screenshot.

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1260059#1260059

works no matter if 2.4 or 5G radio

You can essentially do same without creating a VAP, but TBH it works wonderfully well as is for me.


Thanks Joker, I thought I had attached these screenshots already; in any case, I believe my setup looks identical. I have struggled with VAPs for years, I think due to a Broadcom-specific issue of some kind. I should add that if I also create VAPs, the networks are not pingable with or without Net Isolation. In that case I am then stuck with four (4) APs, two (2) of which are "guest" and two (2) of which are LAN, when I only need the two (2) guest APs at the moment.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat May 21, 2022 8:06    Post subject:
I have a Broadcom RT-AC68U and, as per my screenshots EXACTLY, anyone connected to the AP/Net isolated VAPs can NOT access each other (AP isolation) or the LAN clients (Net isolation) and is able to use the internet.

No additional firewall anything required; my setup was achieved via the UI purely and simply as depicted.

This was tested by connecting a device to the VAP and pinging the LAN clients (hosts unreachable) and other wifi devices on the regular wifi and also the VAP (hosts unreachable), and pinging the internet (Google, for instance; fully working). Real world usage also works fine and none can access my main subnet LAN NAS devices and other devices.

However, I am always using the latest builds and have reset my nvram twice this year just because the firmware changes somehow caused gremlins without the reset, even from this year's builds.

Sadly Broadcom has quirks, but nothing the nvram resets and reconfigure from scratch doesn't oust.

After that, it all works perfectly well.

So you know, you need to set up the networking tab for the relevant VAP and add the extra DHCPD with another subnet different from the regular one.

As per my screenshots, it's the fastest, most effective way with the least fiddling with custom settings possible; anything else, YMMV.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat May 21, 2022 9:49    Post subject:
That the net isolation does not work properly is also more or less known.

tested on my R7800:

1.

br0 eth1,wlan0,wlan1
unbridged VAP wlan0.1 wlan1.1

eth1 = 192.168.1.1/24
wlan0.1 = 192.168.2.1/24
wlan1.1 = 192.168.3.1/24

clients connected to wlan0.1 and wlan1.1 are not isolated from each other!

2.

br0 eth1
unbridged wlan0 wlan1

eth1 = 192.168.1.1/24
wlan0 = 192.168.2.1/24
wlan1 = 192.168.3.1/24

clients connected to wlan0 and wlan1 are not isolated from each other!

Works for me only with an active PPPoE WAN connection.
If I disable the WAN interface, no network isolation works at all.
Same if I set it to "automatic DHCP" (no DHCP server on the WAN side, so no WAN connection) = all subnets are fully reachable.

Can be fixed with additional rules, but it would not be bad if this worked correctly...
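As an added example (not from any poster in this thread), here is the kind of "additional rules" eibgrad and ho1Aetoo refer to, written for ho1Aetoo's topology 1: an sh function that emits iptables commands confining each unbridged VAP to the WAN, plus INPUT rules for the router itself, which NetIsolation does not cover. The WAN interface name eth0 is an assumption, as is the use of wlan0.1 and wlan1.1 from that post; on a DD-WRT box the printed commands would go into the firewall script.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables commands that make
# each unbridged VAP interface reachable only via the WAN: no forwarding
# to the LAN bridge, no forwarding between VAPs, and no access to the
# router itself except the DHCP and DNS it provides (NetIsolation does
# not cover the router, which is why INPUT rules are needed as well).
# Interface names are assumptions; check them with `brctl show` and `ip link`.
#
# Usage: isolation_rules WAN_IF ISOLATED_IF [ISOLATED_IF...]
isolation_rules() {
    wan="$1"
    shift 1
    for iface in "$@"; do
        # `iptables -I` prepends, so rules emitted later are evaluated
        # first: the DROP goes out first and the ACCEPTs land above it.
        echo "iptables -I INPUT -i $iface -j DROP"
        echo "iptables -I INPUT -i $iface -p udp --dport 67 -j ACCEPT"   # DHCP
        echo "iptables -I INPUT -i $iface -p udp --dport 53 -j ACCEPT"   # DNS
        echo "iptables -I INPUT -i $iface -p tcp --dport 53 -j ACCEPT"   # DNS
        # Forwarded traffic from or to this VAP may only use the WAN side,
        # which blocks br0 and every other isolated VAP with one rule each.
        echo "iptables -I FORWARD -i $iface ! -o $wan -j DROP"
        echo "iptables -I FORWARD -o $iface ! -i $wan -j DROP"
    done
}

# Count the rules a call would install; handy for a quick sanity check.
rule_count() {
    isolation_rules "$@" | grep -c '^iptables '
}

# Apply the rules on the router; only run this where iptables exists.
apply_isolation() {
    isolation_rules "$@" | sh
}

# When executed directly with arguments, just print the rules for review:
#   sh isolation.sh eth0 wlan0.1 wlan1.1
if [ $# -gt 0 ]; then
    isolation_rules "$@"
fi
```

Verify the result from a VAP client the way the thread does (ping a LAN host, then ping an internet host) and from the router with `iptables -L FORWARD -v -n` to see the DROP counters move.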
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat May 21, 2022 9:56    Post subject:
AP isolation = isolates wifi clients on same network from seeing each other over wifi.
Net isolation = Prevents connected clients from accessing LAN clients on a different subnet.

Both require proper setup to fully work without issue, like another DHCPD assigning a different subnet to the unbridged VAP interface.

Of course I'm not discounting the gremlins, mainly existing because of a lack of nvram resets.

@ho1Aetoo I don't see AP isolation on the screenshot above, or I'm 100% blind. Probably a device-specific bug, or not a Broadcom device?



Last edited by the-joker on Thu May 26, 2022 20:05; edited 2 times in total
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat May 21, 2022 10:03    Post subject:
lol, I know what AP isolation and Net isolation are.

Both do not work with multiple unbridged AP/VAPs.

I can enable both and different clients on wlan0 and wlan1 can communicate with each other.


Last edited by ho1Aetoo on Sat May 21, 2022 10:06; edited 1 time in total
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat May 21, 2022 10:05    Post subject:
Works here just fine... what router is that screenshot from? I don't see AP isolation there.

I know you know what AP/Net isolation are; I posted for the general benefit of others who may not know.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat May 21, 2022 10:12    Post subject:
R7800

AP isolation is in the advanced WLAN settings.

AP isolation works only on the same AP / WLAN interface

* clients connected to wlan0 can not communicate with other clients on wlan0

* clients connected to wlan1 can not communicate with other clients on wlan1

* clients on wlan0 can talk to other clients on wlan1 and vice versa without any restrictions

* network isolation does not work either as mentioned above
the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Sat May 21, 2022 10:16    Post subject:
Yea, that's a different beast, that's Atheros; both OP and I are on Broadcom.

So Atheros bugs may apply to your platform, so who knows what that's about really. I have an Atheros, but old and already boxed up, so I can't really test that scenario.

I can't see any issue here from the perspective of my setup.

idlehands
DD-WRT Novice


Joined: 09 Nov 2012
Posts: 12

PostPosted: Sun May 22, 2022 2:00    Post subject:
TLDR: Multiple attempts to follow the same process to find a repeatable cause of the connectivity between subnets resulted in an intermittent recurrence of the problem. Based on this and other similar issues I suspect failing nvram.


I just walked through the configuration again start to finish to document a repeatable way to see the undesired connectivity. I repeated the process using 3 slight variations of the order of operations/power cycling which had caused the problems. I could not get the issue to repeat until I had completed a write up on the topic and decided to follow the procedure one more time using the latest build. This time, after applying the final settings and power cycling, I again had connectivity but only with net isolation disabled. Applying the settings again fixed the issue. I attached the operations performed which actually resulted in no connectivity 3 x in a row with the build referenced in the original post. I then performed the operations again with the latest build, 48897, and the problem presented itself again. The intermittent issues I have experienced make me wonder if my nvram may not be reading/writing correctly on occasion...? I have flashed it perhaps 100+ times.

the-joker
DD-WRT Developer/Maintainer


Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs

PostPosted: Thu May 26, 2022 20:11    Post subject:
Yes, so double apply cured it, right?

I've noticed some services/configs need a double apply on Broadcom to actually take; I noticed this while testing another unrelated service for another issue.

I can confirm that snmp, tor, dnsmasq at the very least need double applies; haven't tested with VAPs yet, but am not jumping at the chance to test the VAP scenario tonight.

Even if you confirm this, Brainslayer doesn't confirm any such issues (all miraculously works for him), and one can't fix what one can't duplicate.

However, my 5 GHz VAPs work fine here and I'm two, maybe three, builds ahead of you.

You are seriously Gremlin infested; it should work (TM).
