Posted: Sun Apr 16, 2023 19:58 Post subject: Separated VLAN networks NightHawk R8000
This seems to not be working in the R52330 (4/11/23) Builds.
Can anyone please help with what has changed? I originally had this working a while ago, but I recently updated the firmware and forgot to do a backup. Here's the post from when I had it working and the process to do this.
When I assign a port on the back of the router to a VLAN, I don't see that VLAN in the Bridge options. Can someone help with how to do this in the codes, and where it needs to go.
Basically I have a separate network with a WiFi access point that I want on a 192.168.6.# network. Before the updates I had this working: this port used the multiple DHCP and issued those IPs. After the update it isn't doing this anymore; everything is getting a 192.168.1.# IP. Seems like it's not assigning the port to a VLAN and to the correct bridge.
Yep, understand that. I did reset to default, but when I go through my steps listed in the previous post I don't get the same response on the new builds. So somewhere along the line things have changed and the expected input isn't the same. That's the problem, I believe.
So for example, in the old build in the Switch Config tab I would add a VLAN, let's say (VLAN5), and assign it to the port (3) I'd like to separate. Then switch to the Networking tab and under the Bridge (BR1) settings assign a bridge to that VLAN (5). When I try those steps now I only get (ETH0, ETH1, ETH2, ETH3, VLAN1, VLAN2) for interface options. I don't see the newly created VLAN5, even after saving and applying settings.
What I'm looking for is to assign port 3 to a separate network, allow it access to the internet but not to items on ports 1, 2 & 4 or the WiFi for the 4ghz, 5ghz1, 5ghz2, under a 192.168.6.# IP address.
That added it to the Interface on the bridge config. Let me go plug the switches in and turn them on and I'll report back shortly if that has solved my issues.
So my IP cameras seem to be connecting to the internet also on the 192.168.6.# network. However, the router doesn't seem to be handing out DHCP data to other smart home devices on the 192.168.6.# network.
I have the devices and MAC addresses in the Services tab with correct IP addresses.
Here's how I have the network configured.
We go from port 3 to a network switch (isolated to just port 3). There's an access point on the switch that all the smart home things should be accessing. The WiFi is up, I can see it, but when I try to connect it's not connecting or giving internet.
Also running these commands on startup.
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
# deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Apr 17, 2023 10:48 Post subject:
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
# deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
Those 3 rules are funny...
1st rule - drops communication on the forward chain on any bridge (br+ means any)
2nd rule - this is already done by the first rule...
3rd rule - accepts communication on br0 from any bridge... but you have the top one, and this 1st is with I on the top of the chain, but must be with A at the end of the chain..
As well... do you need WAN to NAT redirection on your isolated network??
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Last edited by Alozaros on Mon Apr 17, 2023 11:32; edited 3 times in total
Joined: 16 Nov 2015 Posts: 6447 Location: UK, London, just across the river..
Posted: Mon Apr 17, 2023 11:15 Post subject:
ho1Aetoo wrote:
at the end of the chain the rule is useless, before that all packages are already dropped
As the rules placed in that order in the firewall script will be in reverse order on the router side... (unless those are not numbered) and the iptables output will look like: (reversed)
# allow private network access to any other networks
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# deny iot network access to any other networks
iptables -I FORWARD -i br1 -o br+ -j DROP
# block anything that falls through (just a precaution)
iptables -I FORWARD -i br+ -o br+ -j DROP
In which case the last rule will drop any communication from any bridge... so the second rule is redundant..
It was my mistake, as I was coming from my setup, which is actually:
iptables -A INPUT -i br0 -p tcp --dport 443 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 443 -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT
In that way, in my case, only specific clients can access the GUI.
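The thread turns on how `-I` (insert at the top) and `-A` (append at the end) order the FORWARD chain, and on which rule a bridge-to-bridge packet hits first. The following is an added example, not code from the thread or from DD-WRT: a small Python model that replays the poster's startup script against a chain that is assumed to already hold DD-WRT's own RELATED,ESTABLISHED rule, then evaluates sample flows (br0 to br1, br1 to br0, br1 to an assumed WAN interface named vlan2) with first-match semantics. The `Rule`, `apply`, `verdict` and `build_chain` names are this example's own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    in_if: Optional[str]    # -i pattern; a trailing '+' is the iptables wildcard
    out_if: Optional[str]   # -o pattern
    state: Optional[str]    # -m state --state list, or None when absent
    target: str             # ACCEPT or DROP

def iface_match(pattern, iface):
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def apply(chain, op, rule):
    """Apply one iptables command; index 0 of the list is the top of the chain."""
    chain = list(chain)
    if op == "-I":          # insert at position 1, i.e. above everything present
        chain.insert(0, rule)
    elif op == "-A":        # append below everything present
        chain.append(rule)
    elif op == "-D":        # delete the first identical rule
        chain.remove(rule)
    return chain

def verdict(chain, in_if, out_if, state="NEW", policy="ACCEPT"):
    """First matching rule wins, as in the kernel; otherwise the chain policy applies."""
    for r in chain:
        if (iface_match(r.in_if, in_if) and iface_match(r.out_if, out_if)
                and (r.state is None or state in r.state.split(","))):
            return r.target
    return policy

# Constructed model of the thread's startup script, in execution order; it is
# assumed that DD-WRT's own RELATED,ESTABLISHED rule is already in the chain.
ESTABLISHED = Rule(None, None, "RELATED,ESTABLISHED", "ACCEPT")
SCRIPT = [
    ("-I", Rule("br+", "br+", None, "DROP")),
    ("-I", Rule("br1", "br+", None, "DROP")),
    ("-I", Rule("br0", "br+", None, "ACCEPT")),
    ("-D", ESTABLISHED),
    ("-I", ESTABLISHED),
]

def build_chain(script=SCRIPT, initial=(ESTABLISHED,)):
    chain = list(initial)
    for op, rule in script:
        chain = apply(chain, op, rule)
    return chain
```

Replacing the third `-I` with `-A` in `SCRIPT` puts the br0 ACCEPT below the catch-all DROP, where it is never reached, which is the ordering problem discussed above.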