Posted: Sun Oct 02, 2022 8:55 Post subject: [SOLVED] R7000 unbridged wireless no internet, DHCP works
Router: Netgear R7000
Firmware: v3.0-r50308
Kernel: Linux 4.4.302
I am trying to isolate a switch (unmanaged, Sitecom LN 120 v1 002) into a VLAN, as it has a NAS on it (at 10.0.50.10) that I want to be able to access from my own PC (also on the switch) but from no other devices. Setting up the switch in vlan3 gave me trouble, so I set up the switch in vlan1 on port 1 and moved ports 2 through 4 to vlan3. Everything works perfectly so far.
However, isolating the wireless gives me trouble. I did the following:
Create a bridge br1, STP on (should it be?) and subnet 10.0.52.0/24
Add the wireless interfaces eth1 and eth2 to the bridge, as well as the guest network wl0.1 (with AP isolation on, the guest network is still isolated from devices on the default interfaces right?)
Enable DHCP for the bridge
Open up some communication on the firewall as below
Code:
# Block all communication between VLANs, except between any vlanX and vlan2 (the WAN VLAN).
# Note: -I inserts at the top of FORWARD, so each command below lands above the
# previous one and is evaluated first; the ACCEPTs therefore take precedence over the DROP.
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT
# Allow everyone to reach the NAS on 80/443/6690, and only local 10.0.x.x devices to reach its configuration ports
iptables -I FORWARD -d 10.0.50.10/32 -p tcp -m multiport --dports 80,443,6690 -j ACCEPT
iptables -I FORWARD -d 10.0.50.10/32 -s 10.0.0.0/16 -p tcp -m multiport --dports 5000,5001 -j ACCEPT
EDIT: For the record, if I don't move my wireless interfaces from br0 to br1, internet connection works perfectly. I also don't have any connection issues over ethernet.
Now if I connect to the wireless on my Windows 11 PC, it says it can't connect, and if I try on my Android 13 phone, it says "Connected to device, can't provide internet", but I can verify that my phone gets an IP in the 10.0.52.0/24 subnet. I assume I'm missing some firewall rules to allow the bridge to communicate with the outside world, but I've tried the rules provided here for allowing "br1 to access br0, the WAN and any other subnets" (not the functionality I'd want, but at least getting internet would be the starting point for me), and my phone responds with the same behaviour.
What am I missing? I've tried to go through the instructions at https://wiki.dd-wrt.com/wiki/index.php/Switched_Ports, and that gave me the idea that my issue may be that br1 isn't connected to the WAN vlan2, but this guide only talks about vlans, not wlans, and I don't know how to extend that information to wlans.
If I'm missing iptables rules, what rules would I need? I'm very unfamiliar with iptables and quite new to networking in general, so any help would be much appreciated!
Attached some screenshots of my Wireless settings, my Bridge setup and the DHCP settings. Below you can find the outputs of iptables -t nat -vnL PREROUTING and iptables -vnL FORWARD.
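Two iptables details decide what the rules above actually do: `-I FORWARD` with no rule number inserts at position 1, so the last command typed is evaluated first, and `vlan+` is a prefix wildcard that matches vlan1, vlan2 and vlan3 but never br1. The model below is an added example, not code from the post or from DD-WRT; it replays the post's five rules against constructed sample flows without touching the kernel (the client addresses 10.0.51.20 and 10.0.52.5 and the external address 198.51.100.7 are made up for the demonstration).

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed model of an iptables FORWARD chain (added for this thread; it does
# not talk to the kernel). It replays the post's own `iptables -I FORWARD` rules
# to show how `-I` ordering and the `vlan+` prefix wildcard behave.

NO_MATCH = "NO_MATCH"   # packet passed all of these rules; DD-WRT's own rules decide


@dataclass(frozen=True)
class Rule:
    target: str
    in_if: Optional[str] = None                 # -i, e.g. "vlan+" or "br1"
    out_if: Optional[str] = None                # -o
    src: Optional[str] = None                   # -s, CIDR
    dst: Optional[str] = None                   # -d, CIDR
    proto: Optional[str] = None                 # -p
    dports: Optional[FrozenSet[int]] = None     # -m multiport --dports


def iface_match(pattern: Optional[str], name: str) -> bool:
    """iptables interface matching: a trailing '+' is a prefix wildcard."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def net_match(cidr: Optional[str], addr: str) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


class Chain:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def insert(self, rule: Rule) -> None:
        """`iptables -I CHAIN rule` with no number: insert at the top."""
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:
        """`iptables -A CHAIN rule`: append at the bottom."""
        self.rules.append(rule)

    def evaluate(self, in_if, out_if, src, dst, proto=None, dport=None) -> str:
        """Walk the chain top-down; the first matching rule's target wins."""
        for r in self.rules:
            if not (iface_match(r.in_if, in_if) and iface_match(r.out_if, out_if)):
                continue
            if not (net_match(r.src, src) and net_match(r.dst, dst)):
                continue
            if r.proto is not None and r.proto != proto:
                continue
            if r.dports is not None and dport not in r.dports:
                continue
            return r.target
        return NO_MATCH


def build_forward_chain(use_append: bool = False) -> Chain:
    """The five rules from the post, in the order they were typed.
    use_append=True shows what would have happened with -A instead of -I."""
    chain = Chain()
    add = chain.append if use_append else chain.insert
    add(Rule("DROP", in_if="vlan+", out_if="vlan+"))
    add(Rule("ACCEPT", in_if="vlan+", out_if="vlan2"))
    add(Rule("ACCEPT", in_if="vlan2", out_if="vlan+"))
    add(Rule("ACCEPT", dst="10.0.50.10/32", proto="tcp", dports=frozenset({80, 443, 6690})))
    add(Rule("ACCEPT", src="10.0.0.0/16", dst="10.0.50.10/32", proto="tcp",
             dports=frozenset({5000, 5001})))
    return chain


if __name__ == "__main__":
    fw = build_forward_chain()
    EXT = "198.51.100.7"  # constructed external address (TEST-NET-2)
    # vlan3 client to the NAS on SMB: only the blanket vlan+ -> vlan+ DROP matches
    print(fw.evaluate("vlan3", "vlan1", "10.0.51.20", "10.0.50.10", "tcp", 445))   # DROP
    # same client to the NAS on 443: the later-inserted ACCEPT sits above the DROP
    print(fw.evaluate("vlan3", "vlan1", "10.0.51.20", "10.0.50.10", "tcp", 443))   # ACCEPT
    # vlan3 client to the internet via vlan2
    print(fw.evaluate("vlan3", "vlan2", "10.0.51.20", EXT, "tcp", 443))            # ACCEPT
    # br1 client to the internet: br1 is not matched by vlan+, so these rules say nothing
    print(fw.evaluate("br1", "vlan2", "10.0.52.5", EXT, "tcp", 443))               # NO_MATCH
    # had -A been used, the DROP would be first and the 443 exception would never be reached
    print(build_forward_chain(use_append=True)
          .evaluate("vlan3", "vlan1", "10.0.51.20", "10.0.50.10", "tcp", 443))      # DROP
```

The NO_MATCH result for br1 is the point relevant to the thread: as written, these rules neither permit nor block anything entering or leaving br1, so br1's fate is decided entirely by the rules DD-WRT itself generates. One caveat worth noting for the `-i vlan2 -o vlan+ -j ACCEPT` line: it matches any forward arriving from the WAN VLAN regardless of connection state, so a forward from vlan2 to the NAS's configuration port is accepted by that rule rather than by the 10.0.0.0/16 restriction; adding `-m state --state ESTABLISHED,RELATED` to it keeps the return-traffic intent without the blanket accept.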
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sun Oct 02, 2022 9:28 Post subject:
Unfortunately I have very little time to look at it in detail but I am sure others will chime in.
On first glance it looks needlessly complicated.
Net isolation is sufficient to isolate unbridged interfaces from the main network.
So the only thing you have to do is isolate br1 from vlan3.
I see a lot of DROP rules from the individual interfaces; those should not be there, as they can only appear if those interfaces are unbridged and Net isolation is turned on. But the only unbridged interfaces should be br1 and vlan3; the wireless interfaces should all be kept bridged (as they are bridged to br1).
Good to hear I'm overthinking; that should mean the solution is simpler.
To test what you say, I removed my firewall commands and removed every reference to br1, with all interfaces back on br0. I then rebooted and ran iptables -vnL FORWARD again, and indeed a lot of the DROP rules towards the top are now gone. I tested another reboot with the firewall commands in place and the rules show up again, so it's clear that's where they're coming from. However, there is no rule that contains br1. I added br1 again, with net isolation: still no internet. This is what iptables -vnL FORWARD | grep br1 gives:
Code:
0 0 DROP all -- br1 * 0.0.0.0/0 10.0.50.0/24 state NEW
0 0 lan2wan all -- br1 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- br0 br1 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 TRIGGER all -- vlan2 br1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- br1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br1 vlan2 0.0.0.0/0 0.0.0.0/0
Turning off net isolation, I still have no internet:
Code:
0 0 lan2wan all -- br1 * 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER all -- vlan2 br1 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
0 0 trigger_out all -- br1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br1 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br1 vlan2 0.0.0.0/0 0.0.0.0/0
Removing all the wireless interfaces from br1 gives my clients internet access.