Posted: Fri Jul 01, 2022 13:44 Post subject: Isolated VLAN setup not working
Hello all, I have configured VLAN4 on port 4, which I wanted to completely isolate from VLAN3 (ports 1, 2, 3). For this I assigned a bridge named br1 to VLAN4 and br0 to VLAN3, and used the following command: iptables -I FORWARD -i br1 -o br+ -j DROP. But my VLAN4 network still comfortably pings the VLAN3 network. Kindly guide me on what the issue could be, and whether there is some error in the syntax mentioned above. Just to mention, I am running the latest firmware build r49392. Thanks
Last edited by arunesh_dutta on Sat Jul 02, 2022 7:03; edited 1 time in total
Anyway... by default br0 contains vlan1 + wifi + wan (vlan1 is the switch (LAN ports), WAN is vlan2)...
Best bet is to use swconfig commands via a startup script...
Then assign the new VLAN you created to the new bridge, and give DHCPd to the bridge... that is the way I set up my VLANs, but each router is different... and the GUI does not always work as expected, so you'd rather stay away from it...
Sadly, your router doesn't have VLAN support on the switch... as it has a dumb switch... those routers with 4MB flash size are for very basic use and don't have many functions and options. The next router in line capable of VLAN segmentation is the TP-Link WR1043ND v2 or v3/v4, also higher class like Netgear R6400v2, R7000 or even R7800... _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Pretty sure that he followed the how-to's; VLANs should be isolated by default, no? _________________ "The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost
"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio
I'm not sure it will work, as the older ones of those wr8xxx series routers don't have a VLAN on the switch... but if anyone wants to head-bang, follow the guide for the R7800 as the basics are there... and yes, it needs reading and understanding... swconfig commands as well as the router port layout are important cue points in this endeavour...
I think the devices that don't support vlans have RealTek switches (i.e. TL-WR1043ND v1.x); the only other devices I can think of that wouldn't support vlans are the TL-WA* wireless access points. I think even the older devices with Marvell switches support vlans (i.e. TL-WR841ND v3.x)?
Thanks for the guidance. Being a novice, I don't know whether you missed it or not, but you mentioned r43961 as the latest in your thread instead of 49392. I would be thankful if you could point me anywhere it is mentioned how to isolate VLANs, if you have guided on it, or kindly guide if you know... thanks for your guidance
Thanks for the guidance. Being a novice, I don't know whether you missed it or not, but you mentioned r43961 as the latest in your thread instead of 49392.
49361 was the latest at the time of your other thread, 49392 was released since that thread.
arunesh_dutta wrote:
I would be thankful if you could point me anywhere it is mentioned how to isolate VLANs, if you have guided on it, or kindly guide if you know... thanks for your guidance
You should be able to use the R7800 VLANs guide as a reference for configuring your vlans, provided the swconfig utility is included in your firmware image. What you may *not* be able to do is have VLAN / VLAN tagging functionality on the WAN port.
Hello, thanks for the message. Sorry for the late message, I was engaged in some part. Yes, I checked, the router supports VLAN; I have two VLANs, VLAN3 (192.168.0.x) and VLAN4 (192.168.107.x). I have further associated them with the br0 and br1 bridge interfaces. As VLANs they work fine and issue IP addresses as per the configuration. I wanted the entire traffic of br1 (VLAN4) to be blocked from entering br0 (VLAN3) and used iptables -I FORWARD -i br1 -o br+ -j DROP, but the systems on br1 can still ping systems on br0. My other need was to block SSH, and I used iptables -I INPUT -i br0 -p tcp --dport ssh -j REJECT --reject-with tcp-reset and it works fine... kindly guide... thanks
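The script below is an added diagnostic helper, not code from this thread or from DD-WRT. It parses the listing that `iptables -vnL FORWARD --line-numbers` prints on the router and, for a given in/out bridge pair, reports whether the first rule that applies is the DROP you expect, whether an earlier unconditional ACCEPT shadows it (which is what happens if the rule is appended with -A instead of inserted with -I), or whether the DROP is present but has a zero packet counter. That last case is the one to check first when hosts still ping across: a counter that stays at zero means no packet has traversed the FORWARD chain with in=br1 and out=br+, so no rule text will help and the traffic is being forwarded somewhere netfilter never sees it. The two listings embedded in the script are constructed for the example; the bridge names br0/br1 and the rule itself are taken from the post.

```python
"""Diagnose why a bridge-isolation rule in the FORWARD chain may not take effect.

Parses the output of `iptables -vnL FORWARD --line-numbers` and reports, for
traffic from one bridge to another, whether the first rule that applies is the
DROP/REJECT you expect, an earlier ACCEPT that shadows it, or nothing at all.
Sample listings below are constructed for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    num: int         # position in the chain; 1 is evaluated first
    pkts: int        # packets that matched this rule since counters were reset
    target: str      # DROP, ACCEPT, REJECT, ...
    in_if: str       # -i match; "*" when the rule does not restrict it
    out_if: str      # -o match; "*" when the rule does not restrict it
    extra: str = ""  # trailing match text such as "state RELATED,ESTABLISHED"


_SUFFIX = {"": 1, "K": 1000, "M": 1_000_000, "G": 1_000_000_000}


def parse_count(token: str) -> int:
    """iptables -v abbreviates large counters, e.g. 12K or 3M."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError(f"not an iptables counter: {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_chain(listing: str) -> list[Rule]:
    """Turn `iptables -vnL <chain> --line-numbers` output into Rule objects."""
    rules: list[Rule] = []
    for line in listing.splitlines():
        parts = line.split()
        # Data rows start with the rule number; the "Chain ..." and header lines do not.
        if len(parts) < 10 or not parts[0].isdigit():
            continue
        num, pkts, _bytes, target, _prot, _opt, in_if, out_if = parts[:8]
        rules.append(Rule(int(num), parse_count(pkts), target, in_if, out_if,
                          " ".join(parts[10:])))
    return rules


def iface_matches(pattern: str, name: str) -> bool:
    """iptables interface semantics: '*' is any; a trailing '+' is a prefix wildcard."""
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def diagnose(rules: list[Rule], in_if: str = "br1", out_if: str = "br0") -> str:
    """Classify the fate of a new flow entering on in_if and leaving on out_if.

    Returns "active" (a DROP/REJECT applies and has counted packets),
    "never-matched" (it applies but has counted nothing), "shadowed" (an
    unconditional ACCEPT sits earlier in the chain) or "missing".
    Rules carrying extra match criteria are skipped, because whether they apply
    cannot be decided from the interface pair alone.
    """
    for rule in sorted(rules, key=lambda r: r.num):
        if rule.extra or not (iface_matches(rule.in_if, in_if)
                              and iface_matches(rule.out_if, out_if)):
            continue
        if rule.target in ("DROP", "REJECT"):
            return "active" if rule.pkts > 0 else "never-matched"
        if rule.target == "ACCEPT":
            return "shadowed"
    return "missing"


# Constructed listing: rule inserted at the top with -I, but it has never matched.
SAMPLE_INSERTED = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 DROP       all  --  br1    br+     0.0.0.0/0            0.0.0.0/0
2      412 31208 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
3     1740 98210 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
"""

# Constructed listing: the same rule appended with -A, so a blanket ACCEPT wins first.
SAMPLE_APPENDED = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1740 98210 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2      12K  934K ACCEPT     all  --  br+    br+     0.0.0.0/0            0.0.0.0/0
3        0     0 DROP       all  --  br1    br+     0.0.0.0/0            0.0.0.0/0
"""


if __name__ == "__main__":
    for label, listing in (("inserted", SAMPLE_INSERTED), ("appended", SAMPLE_APPENDED)):
        print(f"{label}: br1 -> br0 is {diagnose(parse_chain(listing))}")
```

On the router itself, capture the chain with `iptables -vnL FORWARD --line-numbers`, paste it into `parse_chain`, and call `diagnose` for each direction you care about (br1 to br0 and br0 to br1); the same parser reads `iptables -vnL INPUT --line-numbers` if you want to confirm the SSH REJECT rule from the post is counting packets. Rules with extra match criteria, such as the stateful ACCEPT, are deliberately left out of the verdict because the script only reasons about interface pairs.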