Isolate bridges on a WAP, but still connect to the internet

DD-WRT Forum Index -> Advanced Networking
buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Sun Nov 06, 2022 23:46    Post subject: Isolate bridges on a WAP, but still connect to the internet
Hi,

I am trying to isolate 3 subnets (br2, br3 and br4) from each other and bridge br0, on a WAP router (DIR-868l rev b), so they have internet access only.

My setup is a R9000 as the main router and a DIR-868l as a WAP, both running the latest DDWRT r50814.


I have successfully assigned the following bridges on the WAP in Setup > Networking...

br2 - 192.168.30.1 Tenants Subnet
br3 - 192.168.40.1 WG Subnet
br4 - 192.168.50.1 Guest Subnet


I have also used the following setup in DNSMasq, which seems to be needed to connect to the various SSIDs on each bridge; otherwise, they fail to connect on my iPhone...

## DNSMasq Settings - create br2, br3 and br4 interfaces
#
interface=br2,br3,br4
dhcp-option=br2,3,192.168.30.1
dhcp-range=br2,192.168.30.81,192.168.30.100,255.255.255.0,24h
dhcp-option=br2,6,1.1.1.1,1.0.0.1
dhcp-option=br3,3,192.168.40.1
dhcp-range=br3,192.168.40.81,192.168.40.100,255.255.255.0,24h
dhcp-option=br3,6,62.210.136.158,69.162.67.202
dhcp-option=br4,3,192.168.50.1
dhcp-range=br4,192.168.50.81,192.168.50.100,255.255.255.0,24h
dhcp-option=br4,6,1.1.1.1,1.0.0.1



Here is my Firewall setup...

# Allow br2, br3 & br4 access to br0 and the WAN
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br4 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


# Enable NAT for traffic being routed out br0 so that br2, br3 & br4 have connectivity
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

# WG - Enable NAT for traffic being routed out br0 so that br2 & br3 have connectivity
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

# Allow br2, br3 & br4 to access DHCP on the router
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br4 -p udp --dport 67 -j ACCEPT


# Allow br2, br3 & br4 to access DNS on the router
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br3 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br4 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br4 -p tcp --dport 53 -j ACCEPT



I've enabled 'AP Isolation' in Wireless > Basic Settings for all relevant SSIDs and disabled their WEB UI too, on the assumption this stops their full access, but I still seem to have access to the Web GUI when I use any of the SSIDs on br2, br3 and br4.

So, I would still like br0 (on the DIR-868l, and br0 only on the R9000) to have full access to all the bridges, while bridges br2, br3 and br4 have no access to each other, or to br0.


Any help would be gratefully received.

NB. Is there a way to shorten the above iptables so each bridge isn't consecutively repeated?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Mon Nov 07, 2022 8:47
Attached are my personal notes on how I set up a VAP/bridge, including a paragraph about setting those up on a WAP.

The DNSMasq settings can also be done in the GUI via DHCPd; there is no need to do it in Additional DNSMasq options. (One exception might be the DNS servers: if you want to have one DNS server that is not the IP address of the bridge, e.g. on your br4, you can use Forced DNS redirection (which actually uses iptables rules), but if you really want two DNS servers like you have it now (1.1.1.1, 1.0.0.1) then you must do it for br4 the way you are doing it.)

You can ditch all the firewall rules except one NAT rule.
The two NAT rules you have are exactly the same.

You do have to make isolating firewall rules as described in my notes to get proper isolation.

I hope you can make some sense out of my notes but if you have questions feel free to ask.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Thu Nov 10, 2022 4:09; edited 2 times in total
buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Mon Nov 07, 2022 11:32
Thanks for the insight. I deleted all the firewall rules, except the one NAT rule as you suggested.

My DNSMasq now looks like...

## DNSMasq - create DNS settings br2, br3 and br4 interfaces
#
dhcp-option=br2,6,1.1.1.1,1.0.0.1
dhcp-option=br3,6,62.210.136.158,69.162.67.202
dhcp-option=br4,6,1.1.1.1,1.0.0.1



In regards to your attachment, I followed the unbridged section, but the section following...

'If you want br0 to have access to all others but the rest isolated (this is for two extra bridges br1 and br2; you can also substitute brx for wlanx etc):
iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
'


...I assume that, as I have 3 bridges that I want to isolate from each other, and I want br0 to have access to all bridges, my rules should therefore be...

iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT

iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT

iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT

Is this correct?


Last edited by buffalo0207 on Mon Nov 07, 2022 12:07; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Mon Nov 07, 2022 11:49
buffalo0207 wrote:
Thanks for the insight. I deleted all the firewall rules, except the one NAT rule as you suggested.

My DNSMasq now looks like...

## DNSMasq - create DNS settings br2, br3 and br4 interfaces
#
dhcp-option=br2,6,1.1.1.1,1.0.0.1
dhcp-option=br3,6,62.210.136.158,69.162.67.202
dhcp-option=br4,6,1.1.1.1,1.0.0.1



In regards to your attachment, the section following...

'If you want br0 to have access to all others but the rest isolated (this is for two extra bridges br1 and br2; you can also substitute brx for wlanx etc):
iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
'


...I assume that, as I have 3 bridges that I want to isolate from each other, and I want br0 to have access to all, my rules should therefore be...

iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT

iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT

iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT

Is this correct?

Almost good, but you also want to isolate from br0 (there is no br1, I guess). Taking the last example (br4), you have to add:
iptables -D FORWARD -i br4 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br0 -m state --state NEW -j REJECT

This will stop traffic from br4 going to br0, but not the other way around, so you still have access from br0 to br4.

As you actually want to isolate br4 from all other bridges you can use a wildcard:
iptables -D FORWARD -i br4 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br+ -m state --state NEW -j REJECT
These two rules should be sufficient and can replace the other rules for br4.

If you really want to play in the big boys' league, you make a for loop:
for GUEST_IF in br2 br3 br4
do
iptables -D FORWARD -i $GUEST_IF -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -o br+ -m state --state NEW -j REJECT
done

But often just writing out all the rules makes it more clear :)

buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Mon Nov 07, 2022 15:10
So, I followed all your suggestions, but I can't connect to any of the unbridged SSIDs. I have an iPhone 12 and it keeps saying the passwords are incorrect, but then when I enter the passwords again, it states it can't connect to the network - I get the same error when I try to connect on my computer. I've double checked that all the passwords in DDWRT are exactly as they should be.

Here are all my settings which I believe are exactly as stated in your attachment...


SFE - disabled

Gateway mode

Services>Services
## DNSMasq - create DNS settings br2, br3 and br4 interfaces
#
dhcp-option=br2,6,1.1.1.1,1.0.0.1
dhcp-option=br3,6,62.210.136.158,69.162.67.202
dhcp-option=br4,6,1.1.1.1,1.0.0.1


Administration>Commands>Firewall
# Isolate bridges from other bridges
for GUEST_IF in br2 br3 br4
do
iptables -D FORWARD -i $GUEST_IF -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -o br+ -m state --state NEW -j REJECT
done


As I can't upload more than 3 pics to a message, the rest of the configs are in the messages to follow...


Last edited by buffalo0207 on Mon Nov 07, 2022 15:16; edited 1 time in total
buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Mon Nov 07, 2022 15:11
More...
buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Mon Nov 07, 2022 15:13
Last one...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Mon Nov 07, 2022 15:18
It could be that there are other issues, I will take a closer look later, but the VAPs should be left bridged because they are bridged to brX.

That should be highlighted and in bold in my notes, I hope, as it is a mistake often made :)

Furthermore you can disable Net isolation as it is not working on a WAP.

buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Thu Nov 10, 2022 2:25
@egc - Sorry for the delay in replying - I've been away from my computer till now...

So, I went back to bridging all the VAPs and disabling all the Net isolation tabs as you stated, and I am now able to connect to any SSID again, but now I no longer have internet access. I tried all your firewall examples, but for all the SSIDs that have the WEB UI disabled, I am never able to connect to the internet - though I think it's something to do with the firewall rules. Unusually, I am still able to log on to the DDWRT GUI, even with the WEB UI disabled.

So, as soon as I delete all the firewall iptables, except for...

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

...I am able to get internet access once again.

Really does seem like there's a couple of issues going on there.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Thu Nov 10, 2022 4:06
OK, at least you now have a working solution.

Try the following step by step:

Code:
#For isolating bridges from each other
iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT

iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT

iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT


for GUEST_IF in br2 br3 br4
do
#For isolating the WAP itself from the VAP/bridge:
iptables -D INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -D INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -D INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -D INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
#for isolating the VAP/bridge from the main subnet so only allow internet access
iptables -D FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask)  -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask)  -m state --state NEW -j REJECT
done

buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Fri Nov 11, 2022 2:25
I tried all your options, and although I did have internet on every bridge, no bridge was isolated from the others...

I don't understand how these iptables are not working.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Fri Nov 11, 2022 14:34
buffalo0207 wrote:
I tried all your options, and although I did have internet on every bridge, no bridge was isolated from the others...

I don't understand how these iptables are not working.


Neither do I, apparently :)

You can check if the rules are in place and are hit with (on the WAP from CLI e.g. telnet/putty):
iptables -vnL FORWARD

buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Tue Nov 15, 2022 1:59
So, here is the output for the following iptables...

Using...

#for isolating the VAP/bridge from the main subnet so only allow internet access
for GUEST_IF in br2 br3 br4
do
iptables -D FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
done


I got...

root@myWAP2:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 47 packets, 5696 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- br4 * 0.0.0.0/0 192.168.10.0/24 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 * 0.0.0.0/0 192.168.10.0/24 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 * 0.0.0.0/0 192.168.10.0/24 state NEW reject-with icmp-port-unreachable



With...

#For isolating bridges from each other
iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT

iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT

iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT


I got...

root@myWAP2:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 175 packets, 74191 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- br4 br3 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br4 br2 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 br4 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 br2 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 br4 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 br3 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable



and lastly...

#For isolating the WAP itself from the VAP/bridge:
iptables -D INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -D INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -D INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -D INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT


I got...

root@myWAP2:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 17 packets, 3734 bytes)
pkts bytes target prot opt in out source destination
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12889
Location: Netherlands

PostPosted: Tue Nov 15, 2022 8:07
I have done a quick test, I setup a WAP according to my own rules.

I made two bridges br1 and br2 and added a VAP (and also a VLAN but that is outside the scope of this problem)

I isolate those bridges from each other with (Administration/Commands, Save as Firewall):
Code:
## isolate bridges from each other
iptables -D FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br1 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT


I pinged from my phone on wlan1.1 (on br2) to my laptop on wlan0.1 (br1) and got host unreachable, and you can see the rule hit (pkts and bytes count):
Code:
root@R7800-2:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 4887 packets, 7746K bytes)
 pkts bytes target     prot opt in     out     source               destination
   11   924 REJECT     all  --  br2    br1     0.0.0.0/0            0.0.0.0/0            state NEW reject-with icmp-port-unreachable
    0     0 REJECT     all  --  br1    br2     0.0.0.0/0            0.0.0.0/0            state NEW reject-with icmp-port-unreachable


When I remove the rules I can ping from my phone to my laptop.

So the rules to isolate the bridges from each other work on my VAP.
Not sure why it is not working on your setup; one thing to note: this is a state NEW rule, so you have to log in again or, better, restart the router with its firewall rules in place.

buffalo0207
DD-WRT User


Joined: 30 Apr 2014
Posts: 147
Location: UK

PostPosted: Tue Nov 15, 2022 17:13
Ok. So, following your iptables, I have the following setup...

br0 (192.168.10.254) is the main LAN
br2 (192.168.30.1) is the tenants 2.4GHz and 5GHz LAN
br3 (192.168.40.1) is Wireguard
br4 (192.168.50.1) is the Guest LAN


I have the following as the firewall rules...

#For NAT traffic being routed out br0 so that br2, br3 & br4 have internet
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

#For isolating bridges from each other
iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT

iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT

iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT



After rebooting, I connect to br4 (Guest bridge - 192.168.50.1) on my iPhone and use a Ping app. Then I ping 192.168.30.1 and 192.168.40.1, but I am still able to ping them - the hosts are very much reachable.

The same happens if I join the other bridges and ping the other subnets.

Here is the output...

root@myWAP2:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 4245 packets, 1552K bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- br4 br2 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 br4 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br4 br3 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 br4 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 br2 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 br3 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable



I'm starting to think it's an issue with the DIR-868L.
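Two netfilter facts decide what the tests in this thread can and cannot show: a packet addressed to one of the router's own addresses (such as 192.168.30.1, the WAP's address on br2) traverses the INPUT chain and never the FORWARD chain, and the `br+` wildcard matches br0 as well, which on a WAP is the only path to the internet. The simulation below is an added example, not code from the thread or from DD-WRT; it models only those two facts plus first-match rule evaluation, builds the three rule sets posted above, and runs constructed probes from a client on br4 (the bridge addresses come from the thread; the host addresses 192.168.30.50, 192.168.10.20 and 8.8.8.8 are constructed, and `$(nvram get lan_ipaddr)/$(nvram get lan_netmask)` is assumed to expand to 192.168.10.0/24).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread's layout: each bridge with the WAP's own address on it.
BRIDGES = {
    "br0": ipaddress.ip_interface("192.168.10.254/24"),  # main LAN; the WAP's default route leaves here
    "br2": ipaddress.ip_interface("192.168.30.1/24"),    # tenants
    "br3": ipaddress.ip_interface("192.168.40.1/24"),    # WireGuard
    "br4": ipaddress.ip_interface("192.168.50.1/24"),    # guest
}
DEFAULT_OUT = "br0"       # on a WAP, internet-bound traffic is routed out br0 (hence the SNAT -o br0 rule)
GUESTS = ["br2", "br3", "br4"]
LAN = "192.168.10.0/24"   # assumed expansion of $(nvram get lan_ipaddr)/$(nvram get lan_netmask) on this WAP

@dataclass
class Rule:
    """One iptables rule; a None field means that match was not given on the command line."""
    chain: str
    target: str
    in_if: Optional[str] = None    # -i  (trailing '+' is a prefix wildcard, as in iptables)
    out_if: Optional[str] = None   # -o
    dst: Optional[str] = None      # -d CIDR
    proto: Optional[str] = None    # -p
    dport: Optional[int] = None    # --dport

def iface_match(pattern: Optional[str], name: Optional[str]) -> bool:
    """'br+' matches every interface whose name starts with 'br', so it matches br0 as well."""
    if pattern is None:
        return True
    if name is None:
        return False
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def insert(table: list, rule: Rule) -> None:
    """Mimic `iptables -I`: the newest rule goes to the top of its chain and is checked first."""
    table.insert(0, rule)

def chain_for(dst: str) -> str:
    """Packets addressed to one of the router's own addresses traverse INPUT; routed packets traverse FORWARD."""
    ip = ipaddress.ip_address(dst)
    return "INPUT" if any(ip == b.ip for b in BRIDGES.values()) else "FORWARD"

def route(dst: str) -> str:
    """Output bridge the routing table would pick: a directly connected subnet, else the default route."""
    ip = ipaddress.ip_address(dst)
    return next((n for n, b in BRIDGES.items() if ip in b.network), DEFAULT_OUT)

def verdict(table, in_if, dst, proto="icmp", dport=None, policy="ACCEPT"):
    """Walk only the chain this packet traverses; the first matching rule wins, else the chain policy applies."""
    chain = chain_for(dst)
    out_if = None if chain == "INPUT" else route(dst)
    ip = ipaddress.ip_address(dst)
    for r in table:
        if r.chain != chain or not iface_match(r.in_if, in_if) or not iface_match(r.out_if, out_if):
            continue
        if r.dst is not None and ip not in ipaddress.ip_network(r.dst):
            continue
        if (r.proto is not None and r.proto != proto) or (r.dport is not None and r.dport != dport):
            continue
        return chain, out_if, r.target
    return chain, out_if, policy

def wildcard_rules():
    """The `-i $GUEST_IF -o br+ ... REJECT` loop from the thread."""
    t = []
    for g in GUESTS:
        insert(t, Rule("FORWARD", "REJECT", in_if=g, out_if="br+"))
    return t

def pairwise_rules():
    """The explicit `-i brX -o brY ... REJECT` rules for every ordered pair of guest bridges."""
    t = []
    for a in GUESTS:
        for b in GUESTS:
            if a != b:
                insert(t, Rule("FORWARD", "REJECT", in_if=a, out_if=b))
    return t

def wap_rules():
    """Pairwise rules plus the per-guest INPUT and main-subnet rules of the step-by-step post."""
    t = pairwise_rules()
    for g in GUESTS:
        insert(t, Rule("INPUT", "REJECT", in_if=g))   # inserted first, so the ACCEPTs below end up above it
        insert(t, Rule("INPUT", "ACCEPT", in_if=g, proto="udp", dport=67))
        insert(t, Rule("INPUT", "ACCEPT", in_if=g, proto="udp", dport=53))
        insert(t, Rule("INPUT", "ACCEPT", in_if=g, proto="tcp", dport=53))
        insert(t, Rule("FORWARD", "REJECT", in_if=g, dst=LAN))
    return t

def probes(table):
    """Constructed probes from a client on br4 -> (chain traversed, output bridge, verdict)."""
    return {
        "ping the WAP's br2 address": verdict(table, "br4", "192.168.30.1"),
        "ping a host on br2":         verdict(table, "br4", "192.168.30.50"),
        "ping the internet":          verdict(table, "br4", "8.8.8.8"),
        "ping a main-LAN host":       verdict(table, "br4", "192.168.10.20"),
        "DHCP to the WAP":            verdict(table, "br4", "192.168.50.1", "udp", 67),
        "web UI on the WAP":          verdict(table, "br4", "192.168.50.1", "tcp", 80),
    }
```

Under the pairwise rules a ping to 192.168.30.1 is answered by the WAP itself via INPUT and leaves every FORWARD counter at zero, while a ping to a host behind br2 is rejected; the wildcard set rejects the internet probe because its output bridge is br0; and the step-by-step set keeps internet access, rejects the main subnet, and on INPUT lets DHCP through while rejecting the web UI. Pinging a real client on the other bridge, as done in the R7800 test above, is the probe that exercises the FORWARD rules.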
Page 1 of 2. All times are GMT.