Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Tue Aug 16, 2022 23:47 Post subject: [SOLVED]Access to resources from specific VLANs/Bridges
Dear gurus,
My R9000 has several VLANs. Due to its dual switches, these VLANs are placed on their own bridges so they can work without conflict, each in a separate network. At present, no traffic crosses VLAN and/or bridge boundaries.
Port 4 of R9000 is connected to a second router. On R9000, Port 4 is designated as VLAN14 and placed on bridge br14.
Behind the second router are a shared printer and a NAS, with IPs 192.168.14.5 and 192.168.14.10 respectively.
I need to allow devices from br0 (172.20.0.X) and brHLAN (172.20.10.X) to access the printer and NAS (behind br14).
I would appreciate some help, please.
Additional info:
• GUI Current settings:
(See image for details)
• Startup CLI
Code:
sleep 4
# Setup VLANs
# Switch0 config ("t" = tagged member of the VLAN, no suffix = untagged/access port)
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "0t 4t 6t"
swconfig dev switch0 vlan 2 set ports "3 5t"
swconfig dev switch0 vlan 8 set ports "0t 1 2 4t 6t"
swconfig dev switch0 vlan 10 set ports "0t 4t 6t"
swconfig dev switch0 vlan 12 set ports "0t 4t 6t"
swconfig dev switch0 vlan 14 set ports "0t 4t 6t"
swconfig dev switch0 set apply
# Switch1 config (port 4 is the untagged member of VLAN 14, where the second router is connected)
swconfig dev switch1 set enable_vlan 1
swconfig dev switch1 vlan 1 set ports "0t 2 5t"
swconfig dev switch1 vlan 8 set ports "0t 5t"
swconfig dev switch1 vlan 10 set ports "0t 1 5t"
swconfig dev switch1 vlan 12 set ports "0t 3 5t"
swconfig dev switch1 vlan 14 set ports "0t 4 5t"
swconfig dev switch1 set apply
# Create the 802.1Q sub-interfaces (vlan8, vlan10, vlan12, vlan14) on eth1
vconfig add eth1 8
vconfig add eth1 10
vconfig add eth1 12
vconfig add eth1 14
# Bring the VLAN interfaces up
ifconfig vlan8 up
ifconfig vlan10 up
ifconfig vlan12 up
ifconfig vlan14 up
# Attach each VLAN interface to its own bridge (the bridges are created in the GUI) on this recalcitrant R9000
brctl addif br8 vlan8
brctl addif br10 vlan10
brctl addif br12 vlan12
brctl addif br14 vlan14
_________________
Life is a journey; travel alone makes it less enjoyable and lonely.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Wed Aug 17, 2022 7:19 Post subject:
I guess you have to set bridge-crossing rules...
I don't know if you will be able to set only specific clients to do that instead...
--------------------------------------------------------------------
Life is a journey; travel alone makes it less enjoyable and lonely. -- yeah, I got my router with me
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Wed Aug 17, 2022 7:31 Post subject:
Bridges themselves are not isolated by default (even with Net Isolation enabled they are not isolated from each other, at least not on the builds you are using).
So do you have Net Isolation enabled? Are you using rules to isolate the bridges from each other?
If not, you should be able to reach other bridges, but you are talking about a secondary router that can have its own firewall, depending on how it is set up.
In that case you have to open up the firewall of the secondary router, set a static route on the main router, and not isolate the connecting bridge (as it is isolated from br0 if you have Net Isolation enabled).
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Wed Aug 17, 2022 21:57 Post subject:
Hi,
Alozaros wrote:
I guess you have to set bridge-crossing rules...
I don't know if you will be able to set only specific clients to do that instead...
I wanted network separation. So, access by selected devices across VLAN/bridge boundary becomes an exception in my case.
Alozaros wrote:
----
Life is a journey; travel alone makes it less enjoyable and lonely. -- yeah, I got my router with me
Good to hear you finally got your R9000 (if my assumption is correct). Recent DD-WRT releases seem to have ironed out many recalcitrant issues with my R9000. Version updating now runs more smoothly, without the reset (manual or otherwise) that was needed in my case earlier.
egc wrote:
Bridges themselves are not isolated by default (even with Net Isolation enabled they are not isolated from each other, at least not on the builds you are using).
So do you have Net Isolation enabled? Are you using rules to isolate the bridges from each other?
If not, you should be able to reach other bridges...
Right, I did enable 'Net Isolation', so all bridges except br0 are isolated from one another.
egc wrote:
...but you are talking about a secondary router that can have its own firewall, depending on how it is set up. In that case you have to open up the firewall of the secondary router, set a static route on the main router, and not isolate the connecting bridge (as it is isolated from br0 if you have Net Isolation enabled).
So food for thought
Thank you, i am aware of this requirement. It's a MikroTik router, actually.
Let me go off line and re-arrange settings for br14. Will be back. One way or another.
---------------------
Thank you again, Alozaros and egc.
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Thu Aug 18, 2022 9:28 Post subject:
Note there is a bug in the firewall rule where Net Isolation does not isolate the router from the bridge; this has been corrected in the latest build:
https://svn.dd-wrt.com/changeset/49695
Furthermore, bridges are not isolated from each other, not even if you have enabled Net Isolation; that only isolates the bridge from br0 and from the router.
So to isolate bridges from each other you have to do that manually,
e.g.
Code:
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Thu Aug 18, 2022 21:19 Post subject:
egc wrote:
Note there is a bug in the firewall rule where Net Isolation does not isolate the router from the bridge; this has been corrected in the latest build:
https://svn.dd-wrt.com/changeset/49695
Furthermore, bridges are not isolated from each other, not even if you have enabled Net Isolation; that only isolates the bridge from br0 and from the router.
So to isolate bridges from each other you have to do that manually,
e.g.
Code:
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
etc.
Thanks for your help, egc. It was confusing to me when I first set this up with my limited understanding of the CLI. Your explanation certainly makes a lot of sense now regarding the 'inconsistency' of the Net Isolation feature in relation to bridge settings. Glad to know that.
I am still working through the firewalls on the second router. But will write a final post for completeness, once resolved.
Thanks again.
Joined: 15 Aug 2016 Posts: 223 Location: Melbourne, Australia
Posted: Sat Aug 20, 2022 14:16 Post subject:
Having spent several hours learning about and resolving the firewall issue on the second router (a MikroTik), I was able, from a PC behind the DD-WRT router (R1), to send a print job to the printer behind R2.
On the R1:
In short, I set up a static route to the printer's IP (with the /32 address as destination) and the (WAN) IP of R2 as gateway. (Setup/Advanced Routing)
On the R2:
MikroTik's settings can be very granular but they are also highly complex. It goes with the territory. So to speak. (Steps not given here due to different platform).
End note:
I have had a dual-network setup at home for a long time, but this is the first time I have set up a connection for printing across networks. My next attempt will be a replication to gain access to my NAS from another separate network.
P.S. I noticed that someone else already marked this issue as SOLVED earlier.
Thanks again.
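The pieces this thread ends up with, egc's per-bridge REJECT rules plus the /32 static route and an allow-list for only the two shared hosts, as one DD-WRT firewall script for R1. This is an added example, not code from the thread or from DD-WRT. It assumes an R2 WAN address of 172.20.14.2 on the br14 segment (the thread never gives it), the bridge names other than br0, brHLAN and br14, and that DD-WRT's stock FORWARD chain already accepts ESTABLISHED,RELATED traffic so only NEW connections need filtering.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): R1 firewall script that
#  1. isolates every non-br0 bridge from all other bridges (egc's rule),
#  2. lets br0 and brHLAN open connections to the printer and NAS behind R2 only,
#  3. adds /32 host routes via R2 (what the GUI static route does).
# Assumptions: R2_WAN_IP is a placeholder; bridge names other than
# br0/brHLAN/br14 are taken from the OP's startup script; DD-WRT's default
# FORWARD chain accepts ESTABLISHED,RELATED, so replies are not filtered here.

R2_WAN_IP="${R2_WAN_IP:-172.20.14.2}"        # assumed; replace with R2's real WAN IP
SHARED_HOSTS="192.168.14.5 192.168.14.10"   # printer and NAS behind R2 (from the thread)
ALLOWED_SRC="br0 brHLAN"                    # bridges that may reach the shared hosts
ISOLATED="brHLAN br8 br10 br12 br14"        # every bridge except br0 (br0 is left alone)
SHARED_BR="br14"                            # bridge R2 hangs off (switch1 port 4)

# Emit the commands instead of running them so the ruleset can be reviewed.
# iptables -I prepends, so a line emitted later is evaluated earlier: the
# ACCEPT exceptions are emitted after the REJECTs and therefore win.
gen_rules() {
    # 1. bridge-to-bridge isolation, one rule per non-br0 bridge (egc's pattern)
    for br in $ISOLATED; do
        echo "iptables -I FORWARD -i $br -o br+ -m state --state NEW -j REJECT"
    done
    # 2. exceptions: allowed source bridges -> the two shared hosts, via br14 only
    for src in $ALLOWED_SRC; do
        for host in $SHARED_HOSTS; do
            echo "iptables -I FORWARD -i $src -o $SHARED_BR -d $host/32 -m state --state NEW -j ACCEPT"
        done
    done
    # 3. host routes so R1 hands the shared hosts to R2 instead of its default route
    for host in $SHARED_HOSTS; do
        echo "ip route replace $host/32 via $R2_WAN_IP dev $SHARED_BR"
    done
}

# Sanity check that runs on any box: br0 must never be isolated, and every
# exception must be emitted after (i.e. inserted in front of) every REJECT.
check_rules() {
    rules=$(gen_rules)
    printf '%s\n' "$rules" | grep -q -- '-i br0 -o br+' && return 1
    last_rej=$(printf '%s\n' "$rules" | grep -n REJECT | tail -n1 | cut -d: -f1)
    first_acc=$(printf '%s\n' "$rules" | grep -n ACCEPT | head -n1 | cut -d: -f1)
    [ "$last_rej" -lt "$first_acc" ]
}

if [ "${APPLY:-0}" = 1 ]; then
    check_rules && gen_rules | sh      # APPLY=1 ./script  (on the router, as root)
else
    gen_rules                          # default: dry run, just print the commands
fi
```

Paste the script into Administration/Commands and save it as Firewall, or run it with APPLY=1 from a shell on the router; without APPLY=1 it only prints the rules, and after applying them `iptables -L FORWARD -v -n` should show the ACCEPT exceptions above the REJECT lines. If the BusyBox build has no `ip`, `route add -host 192.168.14.5 gw <R2 WAN IP>` is the equivalent. R2 still needs its own firewall opened and a return route for 172.20.0.0/24 and 172.20.10.0/24 (or NAT on R1), which is the MikroTik-side work the poster did not detail.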