deny WAN access to VLAN10 also denies LAN access from VLAN1

zdsf
DD-WRT Novice


Joined: 09 Nov 2022
Posts: 20

PostPosted: Wed Mar 29, 2023 20:40    Post subject: deny WAN access to VLAN10 also denies LAN access from VLAN1
Netgear R7800 build 51440.

VLAN1: Trusted devices
VLAN2: IoT devices.

Goal: deny WAN access to some (but not all) IoT devices by MAC address: Access Restrictions >> WAN Access

Problem: the denied devices can't reach the internet, but the rule also makes them unreachable from VLAN1 (trusted devices like Home Assistant). They are reachable from within their own subnet, but there is no communication across VLANs.

It seems like VLAN1 reaches VLAN10 through the WAN interface?


For the startup command:
Code:
# Enable VLANs on the switch
swconfig dev switch0 set enable_vlan 1
# Assign ports 1 and 2 to VLAN 1 (trusted); port 6 is the CPU port
swconfig dev switch0 vlan 1 set ports "1 2 6"
# Assign ports 3 and 4 to VLAN 10 (IoT); port 6 is the CPU port, tagged
swconfig dev switch0 vlan 10 set ports "3 4 6t"
# Apply the switch settings
swconfig dev switch0 set apply
# Create interface eth1.10 for VLAN 10 and bring it up
vconfig add eth1 10
ifconfig eth1.10 up
# Add eth1.10 to bridge br1 (br1 must already exist)
brctl addif br1 eth1.10
# Enable NAT on the WAN interface; I tried with and without, no difference.
iptables -t nat -I POSTROUTING -o $(get_wanface) -j MASQUERADE
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

PostPosted: Thu Mar 30, 2023 6:53    Post subject:
br1 and br0 are not isolated from each other by default.

If you enable "Net Isolation" on br1, it should be isolated from your main network (br0) (unless this is not a normal gateway router but a Wireless Access Point; then you have to isolate manually).

If that works you can take it from there, e.g.:

To get access from br0 to IoT (br1):
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT

Deny internet access for some IoT devices:
iptables -I FORWARD -i br1 -o $(get_wanface) -s 192.168.1.11 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o $(get_wanface) -m mac --mac-source 00:12:34:56:78:9A -m state --state NEW -j REJECT


Not tested, but you get the idea; see: https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
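The rules egc lists above, and Alozaros's later point that bridges are interfaces iptables can match, modelled as an added example (not code from this thread or from DD-WRT): a first-match simulation of the FORWARD chain showing that a deny carrying "-o WAN" only stops br1-to-WAN traffic, while the same deny without "-o WAN" also kills br1-to-br0 traffic, which is the symptom in the opening post. Assumptions: "eth0" stands in for what get_wanface prints, the FORWARD chain policy is ACCEPT, and the mac_only_chain is a constructed contrast case, not a claim about how the Access Restrictions page builds its rules.

```python
from dataclasses import dataclass
from typing import List, Optional
WAN = "eth0"  # assumption: stand-in for what $(get_wanface) prints on the router

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    src_ip: str
    src_mac: str
    state: str  # "NEW" or "ESTABLISHED", what -m state --state sees

@dataclass(frozen=True)
class Rule:
    target: str                    # -j ACCEPT / REJECT
    in_if: Optional[str] = None    # -i
    out_if: Optional[str] = None   # -o
    src_ip: Optional[str] = None   # -s
    src_mac: Optional[str] = None  # -m mac --mac-source
    state: Optional[str] = None    # -m state --state

    def matches(self, p: Packet) -> bool:
        # A field left None was not given on the command line and matches anything.
        wanted = [(self.in_if, p.in_if), (self.out_if, p.out_if), (self.src_ip, p.src_ip),
                  (self.src_mac, p.src_mac.lower()), (self.state, p.state)]
        return all(w is None or w == have for w, have in wanted)

def insert(chain: List[Rule], rule: Rule) -> None:
    chain.insert(0, rule)  # iptables -I FORWARD puts the new rule at the top

def egc_chain(denied_ips: List[str], denied_macs: List[str]) -> List[Rule]:
    # The three commands from egc's post, run in that order.
    chain: List[Rule] = []
    insert(chain, Rule("ACCEPT", in_if="br0", out_if="br1", state="NEW"))
    for ip in denied_ips:
        insert(chain, Rule("REJECT", in_if="br1", out_if=WAN, src_ip=ip, state="NEW"))
    for mac in denied_macs:
        insert(chain, Rule("REJECT", in_if="br1", out_if=WAN, src_mac=mac.lower(), state="NEW"))
    return chain

def mac_only_chain(denied_macs: List[str]) -> List[Rule]:
    # Constructed contrast case: the same deny with no -o WAN, so it also hits br1 -> br0.
    return [Rule("REJECT", src_mac=m.lower(), state="NEW") for m in denied_macs]

def verdict(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    # First matching rule decides; otherwise the chain policy (assumed ACCEPT here).
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy
```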
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

PostPosted: Thu Mar 30, 2023 6:57    Post subject:
Update to a newer build; the latest is 52189, as it contains vital upgrades regarding VLANs and some others...
Also, on this build you can use the Switch Config tab instead of startup commands...

VLAN-to-VLAN communication is over the switch, and that is not easy to restrict..
If you put a VLAN on a bridge, then this is easier to control, as bridges are interfaces...
Also, if you have Net Isolation and AP Isolation, those rules work and you have to take them into account..
You can deny a VLAN internet access (WAN) via iptables rules.

To be honest, you'd better try the GUI Switch Config tab, as it's easier to make those...
I'll have a look later... when I have more time...

P.S. egc's post above shows the two rules you'd need...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Thu Mar 30, 2023 9:08    Post subject:
Use IP addresses in the rules, not MAC addresses.

I presume you have given the HA server a static lease or static address.

The router may not see the MAC if the packet has traversed bridges before reaching the router.
zdsf
DD-WRT Novice


Joined: 09 Nov 2022
Posts: 20

PostPosted: Fri Mar 31, 2023 15:27    Post subject:
@egc, I don't have Net Isolation or AP Isolation enabled. I will try denying from iptables, but I wish the GUI worked; that would be more streamlined.

@Alozaros, updated to 52189; VLAN now has enable/disable and WAN CPU port/LAN CPU port. Awesome! I factory reset and tried the new GUI: I could get VLAN interfaces up and assign them to bridges. The bridges won't take the IP address defined in DHCP. Everything defaults to 192.168.1.1/24. Back to the old way, but I am hopeful a new build will fix it.

@PerYngveBerg, unfortunately restricting internet by IP address didn't work. Access from VLAN1 was also restricted.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Fri Mar 31, 2023 15:46    Post subject:
Yes, the factory reset was also the mistake.
The current build has a bug: after a factory reset, VLANs no longer work properly.

And consider that VLAN0 is actually not a valid VLAN.
zdsf
DD-WRT Novice


Joined: 09 Nov 2022
Posts: 20

PostPosted: Fri Mar 31, 2023 15:54    Post subject:
More information about the system:

SPI firewall: Disabled
UPnP: Disabled
Use DNSMasq for DNS: Disabled
Forced DNS redirection: Enabled (to local Pi-hole)
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Fri Mar 31, 2023 15:57    Post subject:
This is configured incorrectly.
If you tag the LAN CPU port, then you have to unbridge eth1 and you have to create a VLAN interface for each LAN VLAN.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri Mar 31, 2023 16:48    Post subject:
The interface name will be vlan10, not eth1.10 in newer builds using the GUI to set up with the switch config tab.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat Apr 01, 2023 10:02    Post subject:
ho1Aetoo wrote:
Yes, the factory reset was also the mistake.
The current build has a bug: after a factory reset, VLANs no longer work properly.

And consider that VLAN0 is actually not a valid VLAN.


The factory reset bug should be fixed in the next build.

https://svn.dd-wrt.com/changeset/52215
zdsf
DD-WRT Novice


Joined: 09 Nov 2022
Posts: 20

PostPosted: Sun Apr 02, 2023 16:01    Post subject:
Unfortunately, I have tried creating VLANs from both the GUI and the CLI. In both cases, when an IoT device is denied internet access, it can't be reached from the trusted VLAN (and vice versa). A denied device can still be reached from within the same VLAN. Just the VLAN-to-VLAN access gets hindered. Sorry. I am hoping that someone might try to execute this on their device and report back.
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6411
Location: UK, London, just across the river..

PostPosted: Sun Apr 02, 2023 18:26    Post subject:
zdsf wrote:
Unfortunately, I have tried creating VLANs from both the GUI and the CLI. In both cases, when an IoT device is denied internet access, it can't be reached from the trusted VLAN (and vice versa). A denied device can still be reached from within the same VLAN. Just the VLAN-to-VLAN access gets hindered. Sorry. I am hoping that someone might try to execute this on their device and report back.


Yep, if you leave VLANs just as VLANs, then they communicate at switch level, so you cannot have decent control over those internal communications... but if you assign them to bridges, then those bridges are interfaces and you can isolate them via iptables rules...
The other common mistake is to ping those VLANs/bridges from the router side.. but if you try to ping them from each bridge/subnet, then you will see the Net Isolation is working... well, it depends what you've set...

There are no rules to isolate devices that belong to the same subnet... so device A and device B can communicate on their subnet... as the SPI firewall works only WAN to LAN and the opposite... you cannot intercept those subnet communications..

Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sun Apr 02, 2023 18:39    Post subject:
You have to learn the 7-layer ISO model. You can look it up on Wikipedia.

Bridges and switches operate on Layer 2, while IP routing is on Layer 3.
zdsf
DD-WRT Novice


Joined: 09 Nov 2022
Posts: 20

PostPosted: Tue May 09, 2023 15:52    Post subject:
I'm sorry if the question was not clear.

What is desirable:

VLAN1⇔VLAN2: Allowed both ways
VLAN2⇔Internet: denied for specific MACs

The current problem when denying internet access to a particular device:

VLAN2⇔Internet: denied for the specific MAC (works as intended)
VLAN1⇔VLAN2: also gets denied for the MAC (problem)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

PostPosted: Wed May 10, 2023 8:39    Post subject:
Unfortunately, it is not very clear how you have set this up.

I see some VLAN settings; to do this you can just use the GUI (build 52459).
See: VLANs for R7800, scroll down for more examples:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=332023&postdays=0&postorder=asc&start=23

I see this:
Quote:
SPI firewall: Disabled
which seems a particularly bad idea if this is a gateway router connected to the internet.

You also do not tell us what you have done to isolate.

So without additional information about your config and settings, it is difficult to give any advice.
