Posted: Wed Mar 29, 2023 20:40 Post subject: deny WAN access to VLAN10 also denies LAN access from VLAN1
Netgear R7800 build 51440.
VLAN1: Trusted devices
VLAN2: IoT devices.
Goal: deny WAN to some (but not all) IoT devices using MAC address: >>Access restrictions>>WAN Access
Problem: denied devices can't reach the internet, but it also makes them unreachable from VLAN1 (trusted devices like Home Assistant). They are reachable from within their own subnet, but there is no communication across VLANs.
It seems like VLAN1 reaches VLAN10 through the WAN interface??
Code:
For startup command:
#Enable VLANs
swconfig dev switch0 set enable_vlan 1
#Assigning port 1, 2 to VLAN 1 (trusted). port 6 is CPU
swconfig dev switch0 vlan 1 set ports "1 2 6"
#Assigning port 3, 4 to VLAN 10 (IoT). port 6 is CPU
swconfig dev switch0 vlan 10 set ports "3 4 6t"
#Apply settings
swconfig dev switch0 set apply
#Create interface eth1.10 for VLAN10
vconfig add eth1 10
#Assign interface eth1.10 and create br1
brctl addif br1 eth1.10
ifconfig eth1.10 up
#Enable NAT, I tried with and without, no difference.
iptables -t nat -I POSTROUTING -o `get_wanface` -j MASQUERADE
Joined: 18 Mar 2014 Posts: 12887 Location: Netherlands
Posted: Thu Mar 30, 2023 6:53 Post subject:
br1 and br0 are not isolated by default from each other.
If you enable "Net isolation" on br1 it should be isolated from your main network (br0) (unless this is not a normal gateway router but a Wireless Access Point; then you have to isolate manually).
If that works you can take it from there, e.g.:
To get access from br0 to IoT (br1):
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
Deny internet access for some IoT devices:
iptables -I FORWARD -i br1 -o $(get_wanface) -s 192.168.1.11 -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o $(get_wanface) -m mac --mac-source 00:12:34:56:78:9A -m state --state NEW -j REJECT
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Thu Mar 30, 2023 6:57 Post subject:
Update to a newer build; the latest one is 52189, as it contains vital upgrades regarding VLANs and some others...
Also, on this build you can use the Switch Config tab instead of startup commands...
VLAN-to-VLAN communication is over the switch and those are not easy to restrict...
If you put a VLAN on a bridge, then this is easier to control, as bridges are interfaces...
Also, if you have Net isolation and AP isolation, those rules work and you have to take them into account...
You can deny a VLAN internet access (WAN) via iptables rules.
To be honest, you'd better try the GUI Switch Config tab, as it's easier to make those...
I'll have a look later... when I have more time...
p.s. egc's post above shows the rules you'd need.
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
@egc, I don't have Net isolation or AP isolation enabled. I will try denying from iptables but I wish the GUI worked, that would be more streamlined.
@Alozaros, updated to 52189; VLAN now has enable/disable and WAN CPU port/LAN CPU port. Awesome! I factory reset and tried the new GUI: I could get VLAN interfaces up and assign them to bridges. The bridges won't take the IP address defined in DHCP. Everything defaults to 192.168.1.1/24. Back to the old way, but I am hopeful of a new build to fix it.
@PerYngveBerg, unfortunately restricting internet with the IP address didn't work. Access from VLAN1 was also restricted.
Unfortunately, I have tried creating VLANs from either the GUI or the CLI. In both cases, when an IoT device is denied internet access, it can't be reached from the trusted VLAN (and vice versa). A denied device can still be reached from within the same VLAN. Just the VLAN-to-VLAN access gets hindered. Sorry. I am hoping that someone might try to execute this on their device and report back.
Joined: 16 Nov 2015 Posts: 6437 Location: UK, London, just across the river..
Posted: Sun Apr 02, 2023 18:26 Post subject:
zdsf wrote:
Unfortunately, I have tried creating VLANs from either the GUI or the CLI. In both cases, when an IoT device is denied internet access, it can't be reached from the trusted VLAN (and vice versa). A denied device can still be reached from within the same VLAN. Just the VLAN-to-VLAN access gets hindered. Sorry. I am hoping that someone might try to execute this on their device and report back.
Yep, if you leave VLANs just as a VLAN, then those communicate on switch level, so you cannot have decent control over those internal communications... but if you assign them to bridges, then those bridges are interfaces and you can isolate them via iptables rules...
The other common mistake is to ping those VLANs/bridges from the router side... but if you try to ping those from each bridge/subnet then you will see the net isolation is working... well, it depends what you've set...
There are no rules to isolate devices that belong on the same subnet... so device A and device B can communicate on their subnet... as the SPI firewall works only WAN to LAN and the opposite... you cannot intercept those subnet communications...
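Putting egc's rules and Alozaros's point about bridges together, here is an added example of a DD-WRT firewall script; it is not code from either poster. It assumes br0 is the trusted VLAN1 bridge, br1 the IoT VLAN10 bridge, constructed placeholder MACs, and DD-WRT's get_wanface helper; the detail that matters is that the per-device deny matches on the WAN interface only, so it cannot block VLAN-to-VLAN traffic the way the GUI restriction did.

```shell
#!/bin/sh
# Added example of a DD-WRT firewall script (not the thread's own code).
# Assumptions: br0 = trusted VLAN1 bridge, br1 = IoT VLAN10 bridge,
# get_wanface (DD-WRT helper) prints the WAN interface name.
TRUSTED_BR="br0"
IOT_BR="br1"
# Constructed placeholder MACs of IoT devices that must not reach the WAN.
DENY_WAN_MACS="00:12:34:56:78:9A 00:12:34:56:78:9B"

# apply_rules <iptables command> <wan interface>
# Pass "echo" as the command to preview the rules instead of loading them.
apply_rules() {
    ipt="$1"
    wan="$2"
    # Rules use -I, so the last one inserted is evaluated first.
    # 1. Manual equivalent of "Net isolation" (needed on a WAP, per egc):
    #    IoT may not open connections towards the trusted bridge...
    "$ipt" -I FORWARD -i "$IOT_BR" -o "$TRUSTED_BR" -m state --state NEW -j DROP
    # 2. ...but replies to sessions the trusted side opened are allowed.
    "$ipt" -I FORWARD -i "$IOT_BR" -o "$TRUSTED_BR" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. Trusted devices (e.g. Home Assistant) may open connections to IoT.
    "$ipt" -I FORWARD -i "$TRUSTED_BR" -o "$IOT_BR" -m state --state NEW -j ACCEPT
    # 4. Per-device WAN deny. Matching on -o "$wan" is what keeps this rule
    #    from also blocking br1 -> br0 traffic (the problem in the thread).
    for mac in $DENY_WAN_MACS; do
        "$ipt" -I FORWARD -i "$IOT_BR" -o "$wan" -m mac --mac-source "$mac" -m state --state NEW -j REJECT
    done
}

# count_wan_scoped <wan interface>
# Sanity check: how many emitted rules are scoped to the WAN interface.
# It must equal the number of denied MACs, i.e. no deny rule is unscoped.
count_wan_scoped() {
    apply_rules echo "$1" | grep -c -- "-o $1 "
}

# Load the rules for real only on DD-WRT, where get_wanface exists.
if command -v get_wanface >/dev/null 2>&1; then
    apply_rules iptables "$(get_wanface)"
fi
```

Run it as the DD-WRT firewall script, or preview the rules first with `apply_rules echo "$(get_wanface)"`.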