After trying many times in the GUI, 'apply settings' and rebooting in different phases and order, I got my VLAN on port marked #3 working.
The bridge for eth1.3 and other required settings are done in the GUI. The bridge is called brVL3.
This is the same as what I described above - I don't see any difference.
Quote:
I'm planning to find out and try the proper iptables rule to allow the laptop on 192.168.1.2 access to the VLAN (192.168.30.1/27), but in the mean time I will gladly take suggestions
Well if your DNS rule works then you just need to modify it.
Quote:
I tried the following rules, but they must be the wrong approach, and probably just show how little idea I have how to go about it:
# Allow DNS requests from eth1.3 VLAN to DNS server on main LAN
iptables -I FORWARD -i brVL3 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i brVL3 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT
iptables -D means delete the rule... than you create it again no idea y?
as you mix input with destination... and i presume this is to allow some connectivity, but its odd to
me as the way it look's like..
and yep NetIsolation has been updated and now it causes a hard block and in my case no chance to cross to get access to GUI form my bridged vlans like it used to work before.. even if i add a permitting rule.. but this is the way it should be i guess.. (well...i haven't done a reset and manual config for ages and this could be my issue as egc confirmed it works once the permitting rule was added..in my case it didnt)
my advise is to revise your iptables rules and draw the connections on paper and think on the subject...
on my R7800 i do have x3 vlans all on different br with dhcp and dns (using Stubby for DNS)
with br isolation rules + net-isolation and ap isolation... and those work as intended.. _________________ Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
# Allow DNS requests from eth1.3 VLAN to DNS server on main LAN
iptables -I FORWARD -i brVL3 -d $DNS0_IPv4 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i brVL3 -d $DNS0_IPv4 -p udp --dport 53 -j ACCEPT
iptables -D means delete the rule... than you create it again no idea y?
Well, whenever you update the firewall script, in my experience it is executed and during booting it is also executed several times, AFAIK.
At one time, certainly more than a year ago, I observed rules from the script appearing several times in the final result.
I also learned to first delete any rules to be set by the script precisely because of that. I know there's a command to flush all rules, but using that in the script would likely be destructive as the f/w sets rules by itself, too.
Maybe recent dd-wrt f/w builds behave differently, I haven't checked.
In my experience those DNS rules are needed to allow clients on net isolated VLAN or VAP to access the DNS-server (at $DNS0_IPv4) on my main network.
The rule with which I attempted to create access to the port #3 VLAN from my laptop is not working, I know. Had I compared to iptables documentation, I could have noticed the syntax is wrong, and refrained from trying and posting it.
Unfortunately, I wasn't able to find a suitable example for my use case.
I understand some of iptables, like what -A and -I do, and some other details, but the big picture with different tables etc. is quite elusive.
Thanks a lot! I used your second suggestion and it works a treat!
I already expanded on it adding a second IP, which I figured should also have access. I realized the -s parameter can actually take a list of IP's. The second machine $AdminHub is accessible from WAN when I am away, and the administrator laptop, too.
(My LAN is behind a 'corporate' firewall so WAN access is problematic. Part of the year I'm in a cottage on a park with a common wideband network connection. This is also my off-site backup location.)
So this is what I now have and I am very pleased with it:
iptables -I FORWARD -s $NetworkAdmin,$AdminHub -o brVL3 -j ACCEPT
