Posted: Fri Aug 19, 2022 12:25 Post subject: [SOLVED] iptable question
Hi @ll,
I will change my network setup, with additional VLANs.
For now, I have 1 router (no DD-WRT) that manages the I-Net connection.
From there I have 1 patch cable to Router 2 (Archer C8 DD-WRT) LAN1 port.
The last one is Router 3 (Linksys WRT54GL DD-WRT), patched from Router 2 via the WAN ports.
Both DD-WRT routers are in Router mode.
So:
Router 1
IP: 192.168.21.1
DHCP / DNS Server
Router 2
IP: 192.168.21.5
DD-WRT v3.0-r36527
Router mode
should have 2 VLANs, with access everywhere and its own DHCP per subnet (VLAN 11: 192.168.10.0 / VLAN 13: 192.168.30.0)
Wifi should be bridged to 192.168.30.0 (own SSID)
Router 3
IP: 192.168.21.10
DD-WRT v3.0-r36527
Router mode
should have 1 VLAN, with access everywhere and its own DHCP for the subnet (VLAN 12: 192.168.20.0)
Wifi should be bridged to 192.168.20.0 (own SSID)
First I'm testing VLANs on the Linksys (Router 3).
I made an additional VAP Wifi network and bridged that with VLAN12 (br1).
br1 is unbridged and has its own DHCP.
I can connect to the Wifi with DHCP, but I can't access the Internet or anywhere else outside Router 3.
I've tested several iptables rules, but nothing seems to work. What will I need?
THX BassT
Last edited by BassT on Tue Aug 23, 2022 7:59; edited 1 time in total
Joined: 18 Mar 2014 Posts: 12884 Location: Netherlands
Posted: Fri Aug 19, 2022 12:37 Post subject:
Your builds are very old and a lot has changed, especially regarding VLANs and kernel upgrades.
The advice is to upgrade to the latest build first (current 49741), reset to defaults *after* upgrading and put settings in manually, never restore from a backup to a different build.
For the WRT54 I cannot guarantee it will work with the latest build, but at least it is worth a try.
You mention router 3 is connected via its WAN port but its IP is in the same subnet, so it looks like both routers are set up as a Wireless Access Point, see how I do it:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=332778
Quote:
Your builds are very old and a lot has changed, especially regarding VLANs and kernel upgrades.
The advice is to upgrade to the latest build first (current 49741), reset to defaults *after* upgrading and put settings in manually, never restore from a backup to a different build.
For the WRT54 I cannot guarantee it will work with the latest build, but at least it is worth a try.
I will give it a try with this one for the WRT54GL: 49741
Quote:
You mention router 3 is connected via its WAN port but its IP is in the same subnet, so it looks like both routers are set up as a Wireless Access Point
Yea, it's connected from Router 2 WAN to Router 3 WAN. I will make a trunked link, so I can use the VLANs on both routers. For now I don't need it, but we'll see what the future brings.
WAN is disabled and linked to the switch.
Your IP address is wrong, it should be 192.168.20.1
It is an address and not a subnet
Edit: when you are done configuring, reboot the router
OK, now I have access to the whole net. I can ping everything.
But I have no Internet connection.
I set both DD-WRT routers to Gateway mode and inserted the iptables rule also in Router 2 (Archer).
EDIT:
And I can't ping the subnet 192.168.20.0 from the normal 192.168.21.0 net.
Will try later today with updating the firmware on the Archer.
Next week an R7000 will arrive to replace the Archer.
@egc I additionally made a guest wifi. I used your rule examples:
Code:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
#Replace with the appropriate interface of your VAP, e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan1.1"
#Net Isolation does not work on a WAP so keep it disabled, add for isolating VAP/Bridge from main network:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
Posted: Sat Aug 27, 2022 16:36 Post subject:
You have a complicated setup, so I will just show you the easy way (easy for me)
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
This rule you are using isolates the guest wifi from the main subnet; with the same rule you can isolate the guest network from other subnets, so after the -d you set the subnet you want to isolate from the guest wifi.
A subnet is always named with the .0 at the end and the netmask in your case is /24 (I have not read everything back)
So it could look like:
Code:
iptables -I FORWARD -i $GUEST_IF -d 192.168.40.0/24 -m state --state NEW -j REJECT
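The rules quoted earlier in the thread (SNAT plus the per-subnet REJECT) and the variant above all use `iptables -I`, which inserts at the top of the FORWARD chain. That makes the script order matter: a later `-I` lands above an earlier one, so any ACCEPT exception for a single host (a DNS server, a printer) must be inserted *after* the REJECT lines in the script, or it ends up below them and never fires. The block below is an added example, not code from the thread or from DD-WRT: it is a small Python model of FORWARD chain evaluation (first match wins, `-I` at the head, `-A` at the tail) that renders the equivalent iptables commands and shows the verdict for a few constructed packets in both script orders. The interface name `wlan1.1`, the subnets 192.168.10.0/24, 192.168.20.0/24 and 192.168.21.0/24, the DNS host 192.168.10.10 and the printer 192.168.20.20 are taken from the thread; the function and class names are my own.

```python
"""Model of how iptables FORWARD rules for a guest VAP are evaluated.

Illustrative only: it does not call the real iptables binary, it just
reproduces first-match semantics and the -I / -A insertion positions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Addressing assumed from the thread (constructed, adjust to your setup).
GUEST_IF = "wlan1.1"
ISOLATED_NETS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.21.0/24"]
DNS_ADBLOCKER = "192.168.10.10"   # guests may reach it on port 53 only
PRINTER = "192.168.20.20"         # guests may reach it on any port


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT or REJECT
    in_if: Optional[str] = None     # -i
    dst: Optional[str] = None       # -d (host or CIDR)
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport (needs -p)
    new_only: bool = False          # -m state --state NEW

    def matches(self, pkt: dict) -> bool:
        if self.in_if and pkt["in_if"] != self.in_if:
            return False
        if self.dst and ipaddress.ip_address(pkt["dst"]) not in \
                ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        if self.new_only and pkt.get("state", "NEW") != "NEW":
            return False
        return True

    def as_iptables(self, flag: str) -> str:
        """Render the rule as the iptables command that would install it."""
        parts = ["iptables", flag, "FORWARD"]
        if self.in_if:
            parts += ["-i", self.in_if]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dst:
            parts += ["-d", self.dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        if self.new_only:
            parts += ["-m", "state", "--state", "NEW"]
        parts += ["-j", self.target]
        return " ".join(parts)


Op = Tuple[str, Rule]   # ("-I" or "-A", rule), in the order the script runs


def apply_ops(ops: List[Op]) -> List[Rule]:
    """Build the chain the way iptables would: -I at the top, -A at the bottom."""
    chain: List[Rule] = []
    for flag, rule in ops:
        if flag == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain


def evaluate(chain: List[Rule], pkt: dict, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


def firewall_script(exceptions_after_reject: bool = True) -> List[Op]:
    """The script as typed into the DD-WRT firewall box, all with -I.

    Correct order: REJECT lines first, then the ACCEPT exceptions, so the
    exceptions end up above the REJECTs in the live chain.
    """
    rejects = [("-I", Rule("REJECT", GUEST_IF, net, new_only=True))
               for net in ISOLATED_NETS]
    allows = [
        ("-I", Rule("ACCEPT", GUEST_IF, DNS_ADBLOCKER, "udp", 53)),
        ("-I", Rule("ACCEPT", GUEST_IF, DNS_ADBLOCKER, "tcp", 53)),
        ("-I", Rule("ACCEPT", GUEST_IF, PRINTER)),
    ]
    return rejects + allows if exceptions_after_reject else allows + rejects


def verdict(dst: str, proto: Optional[str] = None, dport: Optional[int] = None,
            exceptions_after_reject: bool = True) -> str:
    """Verdict for a new connection from the guest VAP to dst."""
    pkt = {"in_if": GUEST_IF, "dst": dst, "proto": proto, "dport": dport,
           "state": "NEW"}
    return evaluate(apply_ops(firewall_script(exceptions_after_reject)), pkt)


def render(ops: List[Op]) -> List[str]:
    return [rule.as_iptables(flag) for flag, rule in ops]


if __name__ == "__main__":
    for line in render(firewall_script()):
        print(line)
    print("dns  ->", verdict(DNS_ADBLOCKER, "udp", 53))
    print("web  ->", verdict(DNS_ADBLOCKER, "tcp", 80))
    print("print->", verdict(PRINTER, "tcp", 9100))
    print("wrong order dns ->", verdict(DNS_ADBLOCKER, "udp", 53, False))
```

Running it prints the six commands in the order to paste them, and shows that with the exceptions placed after the REJECTs the guest reaches 192.168.10.10:53 and the printer but nothing else in those subnets, while the reversed script order silently rejects the DNS traffic. The REJECT lines keep the `-m state --state NEW` qualifier from the quoted rule; the ACCEPT exceptions do not need it. The printer rule allows every port on that host; narrow it with `-p tcp --dport 9100` (or 631) if you only want printing.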
The guest network works. There is no possibility to connect to all other subnets and the router GUI, but I want to allow using the adblocker in another subnet,
so some 192.168.40.x devices should use the 192.168.10.10 DNS adblocker.
How must the rule look?
And I also want the devices to be able to connect to the printer at 192.168.20.20.