Net Isolation Function seems to have no effect?

DD-WRT Forum Index -> Atheros WiSOC based Hardware (page 2 of 2)
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Mon Oct 17, 2022 17:20
I have to apologize: this gateway is already behind a firewall and I forgot to activate the firewall on that router.

Now the result looks different:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   847 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            10.0.11.1            tcp dpt:22
    0     0 ACCEPT     icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     2    --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  vlan2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    3   116 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  br30   *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     udp  --  br30   *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  br30   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    4   128 DROP       all  --  br30   *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     all  --  br30   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  br30   *       0.0.0.0/0            0.0.0.0/0           
    5   615 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Not to be confused: this double NAT situation is just for testing/setting up for a different location.

_________________
VLANs, Wireguard Site to Site, OpenVPN Client, WDS
TP-Link Archer C7 V4, V5
TP-Link Archer A7 V5
TP-Link WR1043 V4
Unifi UAP-AC-M
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Mon Oct 17, 2022 17:46
And this was the final puzzle piece... now the Net Isolation works as intended.

BUT how to establish Net Isolation on a WAP where the firewall is disabled?

Thanks for all your help!

BR Tom

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Oct 17, 2022 17:54
Glad you solved it.

How to isolate on a WAP is also discussed in my notes; in that case you have to manually set the iptables rules.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Mon Oct 17, 2022 17:55
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1273676#1273676

Read what egc posted; in the attached document everything is actually explained quite well.
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Mon Oct 24, 2022 9:31
egc wrote:
Glad you solved it.

How to isolate on a WAP is also discussed in my notes; in that case you have to manually set the iptables rules.

Ok, I will study the document in detail!

Thanks for your help!

tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Tue Nov 01, 2022 20:50
egc wrote:
Glad you solved it.

How to isolate on a WAP is also discussed in my notes; in that case you have to manually set the iptables rules.

Hello again.

So I read your document, chapter "VAP on WAP".

Private WiFi is working without any issues.

On the VAP for the Guest Network I again have troubles.
The VAP is bridged to br50.
I added the following firewall rule as mentioned in your document:

Code:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


I can ping www.google.com, but I am not able to browse to any page on the internet in my browser; there seems to be an issue with the DNS.

If I set my br50 to "Force DNS Redirection" to 8.8.8.8, I get the ping from google.com and can browse any page in my browser.

What's the issue here?
What is the reason not to set a WAN connection for VAPs on WAPs by default?

thanks again for your support!

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Wed Nov 02, 2022 7:18
An unbridged VAP (or Bridge) will hand out a DNS address from DNSMasq; by default DNSMasq will send the IP address of the VAP/Bridge as DNS address to the attached clients (you can check on your clients what DNS address they receive).

DNSMasq will query upstream servers; in this case (a WAP) DNSMasq is querying the primary router, if you have set up according to the documentation, which states that you should set the primary router's address in Local DNS.

This all assumes you have set up according to the instructions (e.g. left DNSMasq enabled etc.).

So if it is not working you might check your settings.

tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Wed Nov 02, 2022 21:25
OK, you were right: on my gateway the box "Use dnsmasq for DNS" was not ticked; afterwards the WAP also had DNS on the VAP.
tomron
DD-WRT User


Joined: 10 Sep 2020
Posts: 68

Posted: Wed Nov 02, 2022 21:39
But the next problem is not far away.

Net isolation seems not to work on the VAP of the WAP.

I added the following rule to the firewall from your guideline:
Code:

#Replace with the appropriate interface of your VAP, e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan0.1"
#Net Isolation does not work on a WAP so keep it disabled, add for isolating VAP from main network:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


iptables -vnL INPUT reports nothing back:

Code:
Chain INPUT (policy ACCEPT 9 packets, 1665 bytes)
 pkts bytes target     prot opt in     out     source               destination       

Any ideas what's wrong with the rules?

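Two things in the thread are worth pinning down with a runnable example: the gateway's INPUT listing earlier on the page (br30 may talk DHCP/DNS to the router, every other NEW connection from br30 is dropped before the blanket ACCEPT), and the "VAP on WAP" rule in the last post, which is inserted into FORWARD, so `iptables -vnL INPUT` printing only the header on a WAP with the firewall disabled is the expected picture; the chain to inspect is FORWARD. The script below is an added example, not code from the thread, from egc's guide or from DD-WRT itself. It prints a complete rule set for a guest VAP on a WAP (the FORWARD REJECT from the guide plus INPUT rules modelled on the gateway listing, because the FORWARD rule alone does not stop guest clients from reaching the WAP's own ssh/http), and it contains a check that parses `iptables -vnL` output and confirms the drop comes before any other ACCEPT for the guest interface. The interface name wlan0.1, the address 192.168.1.2/255.255.255.0 and both chain dumps are assumptions; on a real router take the address from `nvram get lan_ipaddr` and `nvram get lan_netmask`. Note that the REJECT only covers the WAP's own LAN subnet; other internal subnets reachable through the main router need their own `-d` rules.

```shell
#!/bin/sh
# Added example, not code from the thread or from egc's guide: guest-VAP isolation on a
# DD-WRT WAP whose firewall is disabled, plus a check that parses `iptables -vnL` output.
# Assumed values (not from the thread); on the router use
# $(nvram get lan_ipaddr) and $(nvram get lan_netmask) instead.
GUEST_IF="${GUEST_IF:-wlan0.1}"        # unbridged guest VAP, or its bridge (e.g. br50)
LAN_IP="${LAN_IP:-192.168.1.2}"        # the WAP's own LAN address
LAN_MASK="${LAN_MASK:-255.255.255.0}"

# Print the iptables commands for the WAP's firewall script, one per line.
# All of them use -I (insert at the top), so they are listed in the reverse of the
# order the kernel evaluates them: the DHCP/DNS ACCEPTs land above the DROP.
# The FORWARD rule alone only covers guest -> LAN; the INPUT rules stop guest
# clients from reaching the WAP itself (ssh, http) while keeping DHCP and DNS.
guest_isolation_rules() {
    guest_if=$1
    lan_ip=$2
    lan_mask=$3
    cat <<EOF
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $lan_ip
iptables -I FORWARD -i $guest_if -d $lan_ip/$lan_mask -m state --state NEW -j REJECT
iptables -I INPUT -i $guest_if -m state --state NEW -j DROP
iptables -I INPUT -i $guest_if -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $guest_if -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $guest_if -p tcp --dport 53 -j ACCEPT
EOF
}

# Verify a chain dump from `iptables -vnL <CHAIN>` (the -v is required: the column
# layout is pkts bytes target prot opt in out source destination ...), read on stdin.
# Returns 0 when, among the rules whose in-interface is $1, a DROP/REJECT of state NEW
# towards $2 (or towards 0.0.0.0/0) comes before any ACCEPT other than DHCP/DNS.
check_guest_isolated() {
    awk -v gif="$1" -v lan="$2" '
        $6 != gif { next }                              # rule is not for the guest interface
        $3 == "ACCEPT" && / dpt:(67|53)( |$)/ { next }  # DHCP/DNS to the router is allowed
        $3 == "ACCEPT" { exit }                         # earlier blanket ACCEPT: not isolated
        ($3 == "DROP" || $3 == "REJECT") && ($9 == lan || $9 == "0.0.0.0/0") && /NEW/ {
            found = 1; exit
        }
        END { exit !found }'
}

# Constructed sample of `iptables -vnL FORWARD` on the WAP after the REJECT rule above.
# iptables prints -d 192.168.1.2/255.255.255.0 as the network 192.168.1.0/24.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 12 packets, 1024 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 REJECT     all  --  wlan0.1 *       0.0.0.0/0            192.168.1.0/24       state NEW reject-with icmp-port-unreachable'

guest_isolation_rules "$GUEST_IF" "$LAN_IP" "$LAN_MASK"
if printf '%s\n' "$SAMPLE_FORWARD" | check_guest_isolated "$GUEST_IF" 192.168.1.0/24; then
    echo "FORWARD: $GUEST_IF is isolated from 192.168.1.0/24"
else
    echo "FORWARD: $GUEST_IF is NOT isolated from 192.168.1.0/24" >&2
fi
```

On the router, paste the printed lines into Administration > Commands > Firewall (or run `guest_isolation_rules wlan0.1 $(nvram get lan_ipaddr) $(nvram get lan_netmask) | sh`), then confirm with `iptables -vnL FORWARD | check_guest_isolated wlan0.1 192.168.1.0/24` and `iptables -vnL INPUT | check_guest_isolated wlan0.1 0.0.0.0/0`. The same check run against the gateway's INPUT listing with `br30 0.0.0.0/0` passes, because its three DHCP/DNS ACCEPTs sit above the `DROP ... state NEW`; swap that order and it fails, which is exactly the misordering the earlier posts in the thread were chasing.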