[SOLVED] iptable question

BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Fri Aug 19, 2022 12:25    Post subject: [SOLVED] iptable question
Hi @ll,

I will change my network setup, with additional VLANs.

For now, I have 1 router (no DD-WRT) that manages the I-Net connection.
From there I have 1 patch cable to Router 2 (Archer C8 DD-WRT) LAN1 port.
The last one is Router 3 (Linksys WRT54GL DD-WRT), patched from Router 2 via the WAN ports.
Both DD-WRT routers are in Router mode.

So:

Router 1
IP: 192.168.21.1
DHCP / DNS Server

Router 2
IP: 192.168.21.5
DD-WRT v3.0-r36527
Router mode
should have 2 VLANs - with access everywhere and own DHCP per subnet (VLAN 11: 192.168.10.0 / VLAN 13: 192.168.30.0)
Wifi should be bridged to 192.168.30.0 (own SSID)

Router 3
IP: 192.168.21.10
DD-WRT v3.0-r36527
Router mode
should have 1 VLAN - with access everywhere and own DHCP for the subnet (VLAN 12: 192.168.20.0)
Wifi should be bridged to 192.168.20.0 (own SSID)

First I'm testing VLAN on the Linksys (Router 3).
I made an additional VAP wifi network and bridged that with VLAN12 (br1).
br1 is unbridged and has its own DHCP.
I can connect to the wifi, with DHCP, but I can't access the Internet or anywhere else outside Router 3.

I've tested several iptables rules, but nothing seems to work. What will I need?

THX BassT


Last edited by BassT on Tue Aug 23, 2022 7:59; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Fri Aug 19, 2022 12:37
Your builds are very old and a lot has changed, especially regarding VLANs and kernel upgrades.

The advice is to upgrade to the latest build first (current 49741), reset to defaults *after* upgrading and put settings in manually; never restore from a backup to a different build.

For the WRT54 I cannot guarantee it will work with the latest build, but it is at least worth a try.

You mention router 3 is connected via its WAN port, but its IP is in the same subnet, so it looks like both routers are set up as a Wireless Access Point; see how I do it:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=332778

There is also the wiki: https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point
which I do not follow on all points :)

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Fri Aug 19, 2022 13:49
egc wrote:
Your builds are very old and a lot has changed, especially regarding VLANs and kernel upgrades.

The advice is to upgrade to the latest build first (current 49741), reset to defaults *after* upgrading and put settings in manually; never restore from a backup to a different build.

For the WRT54 I cannot guarantee it will work with the latest build, but it is at least worth a try.

I will give it a try with this one for the WRT54GL: 49741
Quote:

You mention router 3 is connected via its WAN port, but its IP is in the same subnet, so it looks like both routers are set up as a Wireless Access Point

Yeah, it's connected from Router 2 WAN to Router 3 WAN. I will make a trunked link, so I can use the VLANs on both routers. For now, I don't need it, but we will see what the future brings ;)
WAN is disabled and linked to the switch.

THX for the reply
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Fri Aug 19, 2022 13:51
Have fun, but see my remarks about using the WAN port (spoiler: better not to use it for a trunk; if necessary, use it as a simple LAN port).
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Sun Aug 21, 2022 10:13
Hi @ll,
new day, new luck :)

I replaced my WRT54GL with a Netgear R6400v1. I flashed it with DD-WRT v3.0-r49681 std.
I set everything up as egc suggested. So my new config is like this:

- Archer C8 (changed link from WAN to Port 4), no more changes.

- In the R6400 I made a br1 with VLAN20 (Port1) and wl0.1 (VAP 2.4GHz) with a separate DHCP 192.168.20.0 for br1

The iptables rule I made is the following:

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

entered in the "run command" tab and "save firewall".
But if I run "iptables -vnL INPUT" in the ssh terminal, there is only

Code:
Chain INPUT (policy ACCEPT 159K packets, 9543K bytes)
 pkts bytes target     prot opt in     out     source               destination

What is wrong?

EDIT
If I connect to the VAP I have no Internet or connection outside
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Sun Aug 21, 2022 10:36
The rule is a -t nat rule:
iptables -t nat -vnL

Your IP address is wrong; it should be 192.168.20.1
It is an address and not a subnet :)

Edit: when you are done configuring, reboot the router

BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Sun Aug 21, 2022 10:56
egc wrote:

Your IP address is wrong; it should be 192.168.20.1
It is an address and not a subnet :)

Edit: when you are done configuring, reboot the router


OK, now I have access to the whole net. I can ping everything.
But I have no Internet connection.

I set both DD-WRT routers to Gateway mode and inserted the iptables rule also in Router 2 (Archer)

EDIT:
And I can't ping the subnet 192.168.20.0 from the normal 192.168.21.0 net :(
Will try later today with updating the firmware of the Archer.
Next week a R7000 will come to replace the Archer :)
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

Posted: Sun Aug 21, 2022 16:01
Put this on the router facing the Internet:

iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE

and a static route to the sub-nets on the downstream routers.
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Sun Aug 21, 2022 16:32
Per Yngve Berg wrote:
Put this on the router facing the Internet:

iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE

and a static route to the sub-nets on the downstream routers.


The router which provides the Internet to the DD-WRT routers is a FritzBox 7490 (non DD-WRT) :(

On the other side, I bricked the Archer during the upgrade. First I must unbrick it ;)
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Mon Aug 22, 2022 18:28
So, I'm a little smarter ;)

The Archer has a 15 sec boot loop and looks dead.
For now I have the R6400 behind the FritzBox.

The ping from the normal net into the br1 subnet now works with a static route in the FritzBox 8)

Only the Internet in the subnet (br1) will not work :(

EDIT:
I found the problem; I had set the gateway IP wrong :(
With the correct IP, now everything works like it should!


THX to @ll
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Sat Aug 27, 2022 16:22
@egc I additionally made a guest wifi. I used your rule examples:
Code:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

#Replace with the appropriate interface of your VAP, e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan1.1"
#Net Isolation does not work on a WAP so keep it disabled, add for isolating VAP/Bridge from main network:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

#For isolating the WAP itself from the VAP:
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT


It works, but from the guest wifi I can get into all other subnets. How to deny these nets also?

THX

EDIT: (Solved)
I used a static route for the other nets. Disabled these, and used the rule. Now it works!
SRY ;)

EDIT2:
OK, not solved. Now I have no access to the subnets from the normal net, ...


Last edited by BassT on Sat Aug 27, 2022 16:36; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Sat Aug 27, 2022 16:36
You have a complicated setup, so I will just show you the easy way (easy for me).

iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

This rule you are using isolates the guest wifi from the main subnet; with the same rule you can isolate the guest network from other subnets, so after the -d you set the subnet you want to isolate from the guest wifi.
A subnet is always named with the .0 at the end and the netmask in your case is /24 (I have not read everything back).

So it could look like:
Code:
iptables -I FORWARD -i $GUEST_IF -d 192.168.40.0/24 -m state --state NEW -j REJECT

to isolate the guest wifi from the 192.168.40.0/24 subnet; make a rule for every subnet you want to isolate the guest wifi from.



Last edited by egc on Sat Aug 27, 2022 16:47; edited 1 time in total
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Sat Aug 27, 2022 16:42
egc wrote:


So it could look like:
Code:
iptables -I FORWARD -i $GUEST_IF -d 192.168.40.0/24 -m state --state NEW -j REJECT

to isolate the guest wifi from the 192.168.40.0/24 subnet; make a rule for every subnet you want to isolate the guest wifi from.


Works like a charm!
Big THX
BassT
DD-WRT Novice


Joined: 01 Sep 2020
Posts: 36

Posted: Sun Aug 28, 2022 20:28
OK, I have another question.

The guest network works. There is no possibility to connect to any other subnet or the router GUI, but I want to allow using the adblocker in another subnet,

so some 192.168.40.x devices should use the 192.168.10.10 DNS adblocker.
How must the rule look?
And I also want the devices to be able to connect to the printer at 192.168.20.20

:)
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

Posted: Sun Aug 28, 2022 21:22
Add the allow rules for the printer etc. before the deny rule for the subnet.
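The point about ordering is easy to get wrong on DD-WRT because the firewall script uses -I, which inserts at the top of the chain, so the rule added last is evaluated first. The script below is an added example, not code from the thread, from egc or from DD-WRT: it builds the guest-VAP FORWARD isolation from the thread's rules, then inserts the allow rules for the adblocker DNS at 192.168.10.10 and the printer at 192.168.20.20 afterwards so they land above the REJECT rules. It assumes the guest VAP is wlan1.1 and the isolated subnets are the /24s mentioned in the thread; the dry_run and check_order helpers are mine, added so the resulting order can be inspected without touching a live router.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT). Values below are the ones named
# in the thread; the guest VAP interface and the list of isolated /24s are assumptions.
GUEST_IF="${GUEST_IF:-wlan1.1}"
ADBLOCK_DNS="192.168.10.10"
PRINTER="192.168.20.20"
ISOLATED_NETS="192.168.10.0/24 192.168.20.0/24 192.168.21.0/24 192.168.30.0/24"

# IPT is the iptables binary on the router; dry_run swaps it for echo so the rules
# are only printed, in the exact order they would be inserted.
IPT="${IPT:-iptables}"

guest_firewall() {
    # -I puts each rule at the TOP of FORWARD, so the rule inserted last is matched
    # first. Insert the REJECT rules first, then the ACCEPT exceptions, so the
    # exceptions end up above the deny rules (the order Per Yngve Berg asks for).
    for net in $ISOLATED_NETS; do
        $IPT -I FORWARD -i "$GUEST_IF" -d "$net" -m state --state NEW -j REJECT
    done
    # Exceptions: DNS (UDP and TCP 53) to the adblocker only, anything to the printer.
    # Replies are covered by conntrack, so only the guest-initiated direction is opened.
    $IPT -I FORWARD -i "$GUEST_IF" -d "$ADBLOCK_DNS" -p udp --dport 53 -j ACCEPT
    $IPT -I FORWARD -i "$GUEST_IF" -d "$ADBLOCK_DNS" -p tcp --dport 53 -j ACCEPT
    $IPT -I FORWARD -i "$GUEST_IF" -d "$PRINTER" -j ACCEPT
}

# Print the rules instead of applying them (subshell keeps IPT=echo local).
dry_run() {
    ( IPT=echo; guest_firewall )
}

# Returns 0 if, in insertion order, every ACCEPT comes after every REJECT
# (so in the chain the ACCEPTs sit above the REJECTs); 1 otherwise.
check_order() {
    dry_run | awk '
        /-j REJECT/ { if (seen_accept) bad = 1 }
        /-j ACCEPT/ { seen_accept = 1 }
        END { exit bad ? 1 : 0 }'
}
```

On the router, call guest_firewall from the firewall script (Administration > Commands, Save Firewall) and verify the resulting order with iptables -vnL FORWARD --line-numbers: the three ACCEPT lines should be numbered before the REJECT lines.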