Posted: Sun Nov 06, 2022 23:46 Post subject: Isolate bridges on a WAP, but still connect to the internet
Hi,
I am trying to isolate 3 subnets (br2, br3 and br4) from each other and from bridge br0, on a WAP router (DIR-868l rev B), so they have internet access only.
My setup is an R9000 as the main router and a DIR-868l as a WAP, both running the latest DD-WRT r50814.
I have successfully assigned the following bridges on the WAP in Setup > Networking...
I have also used the following setup in DNSMasq, which seems to be needed to connect to the various SSIDs on each bridge; otherwise they fail to connect on my iPhone...
# Allow br2, br3 & br4 access to br0 and the WAN
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br4 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Enable NAT for traffic being routed out br0 so that br2, br3 & br4 have connectivity
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# WG - Enable NAT for traffic being routed out br0 so that br2 & br3 have connectivity
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
I've enabled 'AP Isolation' in Wireless > Basic Settings for all relevant SSIDs and disabled their Web UI too, on the assumption this stops their full access, but I still seem to have access to the Web GUI when I use any of the SSIDs on br2, br3 and br4.
So, I would still like br0 (on the DIR-868l, and br0 only on the R9000) to have full access to all the bridges, while bridges br2, br3 and br4 have no access to each other, or to br0.
Any help would be appreciated.
NB. Is there a way to shorten the above iptables rules so each bridge isn't consecutively repeated?
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Mon Nov 07, 2022 8:47 Post subject:
Attached are my personal notes on how I set up a VAP/bridge, including a paragraph about setting those up on a WAP.
The DNSMasq settings can also be done in the GUI via DHCPd; there is no need to do it in Additional DNSMasq options. One exception might be the DNS servers: if you want to have one DNS server that is not the IP address of the bridge, e.g. on your br4, you can use Forced DNS redirection (which actually uses iptables rules), but if you really want two DNS servers, like you have now (1.1.1.1, 1.0.0.1), then you must do it for br4 the way you are doing it.
You can ditch all the firewall rules except one NAT rule.
The two NAT rules you have are exactly the same.
You do have to make isolating firewall rules as described in my notes to get proper isolation.
Thanks for the insight. I deleted all the firewall rules, except the one NAT rule as you suggested.
My DNSMasq now looks like...
## DNSMasq - create DNS settings br2, br3 and br4 interfaces
#
dhcp-option=br2,6,1.1.1.1,1.0.0.1
dhcp-option=br3,6,62.210.136.158,69.162.67.202
dhcp-option=br4,6,1.1.1.1,1.0.0.1
With regard to your attachment, I followed the unbridged section, but the section following...
'If you want br0 to have access to all others but the rest isolated (this is for two extra bridges br1 and br2; you can also substitute brx for wlanx etc.): iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT'
...I assume that, as I have 3 bridges that I want to isolate from each other, and want br0 to have access to all bridges, my rules should therefore be...
iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
Is this correct?
Last edited by buffalo0207 on Mon Nov 07, 2022 12:07; edited 1 time in total
Posted: Mon Nov 07, 2022 11:49 Post subject:
buffalo0207 wrote:
Thanks for the insight. I deleted all the firewall rules, except the one NAT rule as you suggested.
My DNSMasq now looks like...
## DNSMasq - create DNS settings br2, br3 and br4 interfaces
#
dhcp-option=br2,6,1.1.1.1,1.0.0.1
dhcp-option=br3,6,62.210.136.158,69.162.67.202
dhcp-option=br4,6,1.1.1.1,1.0.0.1
With regard to your attachment, the section following...
'If you want br0 to have access to all others but the rest isolated (this is for two extra bridges br1 and br2; you can also substitute brx for wlanx etc.): iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT'
...I assume that, as I have 3 bridges that I want to isolate from each other, and want br0 to have access to all, my rules should therefore be...
iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
Is this correct?
Almost good. You also want to isolate from br0 (there is no br1, I guess). I take the last example (br4): you have to add:
iptables -D FORWARD -i br4 -o br0 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br0 -m state --state NEW -j REJECT
This will stop traffic from br4 going to br0 but not the other way around, so you still have access from br0 to br4.
As you actually want to isolate br4 from all other bridges, you can use a wildcard:
iptables -D FORWARD -i br4 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br+ -m state --state NEW -j REJECT
These two rules should be sufficient and can replace the other rules for br4.
If you really want to play in the big boys' league, you make a for loop:
for GUEST_IF in br2 br3 br4
do
iptables -D FORWARD -i $GUEST_IF -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -o br+ -m state --state NEW -j REJECT
done
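The delete-then-insert pairs above are what makes the firewall script safe to re-run: DD-WRT executes Administration > Commands > Firewall on every boot and WAN event, and a plain -I would stack a fresh copy of each rule every time. The script below is an added example written for this thread, not egc's notes or the poster's configuration. It wraps that pattern in a function and generates the full guest ruleset for a WAP. One design choice differs from the wildcard form: on a WAP the uplink to the main router is br0 itself, so internet-bound packets leave via br0, and rejecting everything out of br+ also cuts off internet access; this version instead matches the main LAN by destination subnet (the form egc posts later in this thread) and adds explicit per-pair rules between the guest bridges. The LAN address, mask and bridge names are constructed defaults standing in for the nvram values on the box. It is a dry run by default so the output can be reviewed before applying; set IPT=iptables to apply it.

```shell
#!/bin/sh
# Added example, not from the thread: an idempotent guest-bridge firewall script
# for a DD-WRT WAP (Administration > Commands > Firewall).
# Dry run by default so it can be reviewed off-box; IPT=iptables applies for real.
IPT="${IPT:-echo iptables}"
LAN_IP="${LAN_IP:-192.168.10.254}"       # on the box: $(nvram get lan_ipaddr)   (constructed default)
LAN_MASK="${LAN_MASK:-255.255.255.0}"    # on the box: $(nvram get lan_netmask)  (constructed default)
GUEST_IFS="${GUEST_IFS:-br2 br3 br4}"    # bridges that get internet access only

# ensure_rule TABLE CHAIN RULE...: delete any existing copy, then insert at the top,
# so re-running the firewall script never stacks duplicate rules.
ensure_rule() {
    table=$1; chain=$2; shift 2
    $IPT -t "$table" -D "$chain" "$@" 2>/dev/null
    $IPT -t "$table" -I "$chain" "$@"
}

# On a WAP the uplink to the main router *is* br0, so internet-bound packets leave
# via br0 and a "-i brX -o br+" REJECT would cut off internet as well. Match the
# main LAN by destination subnet instead and let everything else (the internet) pass.
guest_isolation_rules() {
    # NAT guest traffic to the WAP's own LAN address so the main router can route replies
    ensure_rule nat POSTROUTING -o br0 -j SNAT --to "$LAN_IP"
    for GUEST_IF in $GUEST_IFS; do
        # guest -> main LAN: blocked. main LAN -> guest: still allowed (rules are one-way)
        ensure_rule filter FORWARD -i "$GUEST_IF" -d "$LAN_IP/$LAN_MASK" -m state --state NEW -j REJECT
        # guest -> every other guest bridge: blocked (skip the bridge's own name)
        for OTHER_IF in $GUEST_IFS; do
            [ "$OTHER_IF" = "$GUEST_IF" ] && continue
            ensure_rule filter FORWARD -i "$GUEST_IF" -o "$OTHER_IF" -m state --state NEW -j REJECT
        done
    done
}

# count_rules ACTION CHAIN: how many "iptables ... ACTION CHAIN ..." lines the dry run emits,
# e.g. count_rules -I FORWARD
count_rules() { guest_isolation_rules | grep -c -- " $1 $2 "; }

guest_isolation_rules
```

Because -I inserts at position 1, the rule issued last is listed first in `iptables -vnL FORWARD`, which is why the listings in this thread show br4 at the top. After applying, generate a new connection from a guest device and confirm the pkts counter of the matching REJECT line increments; a rule whose counter stays at 0 while the test "succeeds" is not seeing the traffic at all.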
So, I followed all your suggestions, but I can't connect to any of the unbridged SSIDs. I have an iPhone 12 and it keeps saying the passwords are incorrect, but then when I enter the passwords again, it states it can't connect to the network. I get the same error when I try to connect on my computer. I've double-checked that all the passwords in DD-WRT are exactly as they should be.
Here are all my settings which I believe are exactly as stated in your attachment...
SFE - disabled
Gateway mode
Services>Services
## DNSMasq - create DNS settings br2, br3 and br4 interfaces
#
dhcp-option=br2,6,1.1.1.1,1.0.0.1
dhcp-option=br3,6,62.210.136.158,69.162.67.202
dhcp-option=br4,6,1.1.1.1,1.0.0.1
Administration>Commands>Firewall
# Isolate bridges from other bridges
for GUEST_IF in br2 br3 br4
do
iptables -D FORWARD -i $GUEST_IF -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -o br+ -m state --state NEW -j REJECT
done
As I can't upload more than 3 pics to a message, the rest of the configs are in the messages to follow...
Last edited by buffalo0207 on Mon Nov 07, 2022 15:16; edited 1 time in total
@egc - Sorry for the delay in replying; I've been away from my computer till now...
So, I went back to bridging all the VAPs and disabling all the Net Isolation tabs as you stated, and I am now able to connect to any SSID again, but now I no longer have internet access. I tried all your firewall examples, but for all the SSIDs that have the Web UI disabled, I am never able to connect to the internet, though I think it's something to do with the firewall rules. Unusually, I am still able to log on to the DD-WRT GUI, even with the Web UI disabled.
So, as soon as I delete all the firewall iptables, except for...
So, here is the output for the following iptables...
Using...
#for isolating the VAP/bridge from the main subnet so only allow internet access
for GUEST_IF in br2 br3 br4
do
iptables -D FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
done
I got...
root@myWAP2:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 47 packets, 5696 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- br4 * 0.0.0.0/0 192.168.10.0/24 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 * 0.0.0.0/0 192.168.10.0/24 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 * 0.0.0.0/0 192.168.10.0/24 state NEW reject-with icmp-port-unreachable
With...
#For isolating bridges from each other
iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
I got...
root@myWAP2:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 175 packets, 74191 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- br4 br3 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br4 br2 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 br4 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 br2 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 br4 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 br3 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
Ok. So, following your iptables, I have the following setup...
br0 (192.168.10.254) is the main LAN
br2 (192.168.30.1) is the tenants' 2.4GHz and 5GHz LAN
br3 (192.168.40.1) is Wireguard
br4 (192.168.50.1) is the Guest LAN
I have the following as the firewall rules...
#For NAT traffic being routed out br0 so that br2, br3 & br4 have internet
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
#For isolating bridges from each other
iptables -D FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j REJECT
iptables -D FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -I FORWARD -i br3 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br3 -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -D FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br4 -m state --state NEW -j REJECT
iptables -I FORWARD -i br4 -o br2 -m state --state NEW -j REJECT
After rebooting, I connect to br4 (Guest bridge - 192.168.50.1) on my iPhone and use a ping app. Then I ping 192.168.30.1 and 192.168.40.1, but I am still able to ping them - the hosts are very much reachable.
The same happens if I join the other bridges and ping the other subnets.
Here is the output...
root@myWAP2:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 4245 packets, 1552K bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- br4 br2 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 br4 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br4 br3 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 br4 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br3 br2 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
0 0 REJECT all -- br2 br3 0.0.0.0/0 0.0.0.0/0 state NEW reject-with icmp-port-unreachable
I'm starting to think it's an issue with the DIR-868L.
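Two observations in this thread, the web GUI staying reachable from the guest SSIDs and the bridge gateway addresses (192.168.30.1, 192.168.40.1) answering pings while every FORWARD counter sits at 0, have the same cause: a packet addressed to one of the router's own IPs is delivered locally and traverses the INPUT chain, never FORWARD. FORWARD rules only apply to traffic transiting the WAP between interfaces, so a ping to a gateway address cannot exercise them; a host behind the other bridge is the right target. The script below is an added example for this thread, not the poster's or egc's code. It gives a helper to tell which chain a test destination will hit, and generates INPUT rules so that the WAP itself accepts only DHCP and DNS from the guest bridges (dnsmasq serves both on br2..br4 per the dhcp-option lines above) and rejects everything else aimed at the router, including the web GUI. The address list is constructed from the layout posted in this thread, and the default is a dry run; set IPT=iptables to apply.

```shell
#!/bin/sh
# Added example, not from the thread. Packets addressed to the router itself
# (a bridge's gateway IP, the web GUI) traverse INPUT, not FORWARD, so FORWARD
# rules can neither block them nor be tested with them. Dry run by default.
IPT="${IPT:-echo iptables}"
GUEST_IFS="${GUEST_IFS:-br2 br3 br4}"
# Addresses the WAP answers on, taken from the thread's layout (constructed list)
ROUTER_ADDRS="${ROUTER_ADDRS:-192.168.10.254 192.168.30.1 192.168.40.1 192.168.50.1}"

# chain_for_dest IP: INPUT if IP is one of the router's own addresses, else FORWARD.
# Run it on a ping target before using that ping to judge a FORWARD rule.
chain_for_dest() {
    for a in $ROUTER_ADDRS; do
        [ "$a" = "$1" ] && { echo INPUT; return; }
    done
    echo FORWARD
}

# ensure_rule CHAIN RULE...: delete any existing copy, then insert at the top
ensure_rule() {
    chain=$1; shift
    $IPT -D "$chain" "$@" 2>/dev/null
    $IPT -I "$chain" "$@"
}

# guest_input_rules: from each guest bridge the WAP itself accepts only DHCP and
# DNS; any other new connection to the router (web GUI, SSH, ping) is rejected.
# -I inserts at the top, so the REJECT is issued first and the ACCEPTs issued
# afterwards end up above it. Any further service the WAP must offer on a guest
# bridge needs its own ACCEPT added the same way.
guest_input_rules() {
    for GUEST_IF in $GUEST_IFS; do
        ensure_rule INPUT -i "$GUEST_IF" -m state --state NEW -j REJECT
        ensure_rule INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
        ensure_rule INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
        ensure_rule INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    done
}

guest_input_rules
```

With these in place, `iptables -vnL INPUT` from the WAP shows the REJECT counters moving when a guest device opens the GUI address or pings its gateway; the FORWARD isolation rules are then checked separately by reaching a client on another bridge, whose address chain_for_dest reports as FORWARD.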