Posted: Thu May 02, 2024 14:58 Post subject: [SOLVED]iptables - DENY all inter-bridge routed (layer 3) tr
I think I am close to understanding how frames and packets are forwarded internally within a DD-WRT system now, so the diagram below entitled "ROUTING INTER-BRIDGE" illustrates a sample of the current configuration (for brevity, I'm only showing 2 of the 5 extra VLANs configured).
My Goal:
I want to block all inter-vlan/inter-bridge traffic (layer 2 and layer 3) such that no frames or packets are switched or routed (respectively) between any two vlans/bridges. This is illustrated in the diagram entitled "NO ROUTING INTER-BRIDGE".
I haven't used iptables a whole lot (used to dedicated enterprise firewall systems), so I want to make sure I have understood how to use it properly and what the correct syntax is.
################################################################################
# FLUSH all existing entries from the FORWARD chain
iptables -F FORWARD
# ACCEPT all intRA-bridge traffic per bridge
iptables -A FORWARD -i br4 -o br4 -j ACCEPT
iptables -A FORWARD -i br5 -o br5 -j ACCEPT
...
iptables -A FORWARD -i brN -o brN -j ACCEPT
# DROP all intER-bridge traffic (no routing, silo each bridge/vlan)
iptables -A FORWARD -i br+ -o br+ -j DROP
Would someone be kind enough to confirm or correct me?
Note:
My basic assumption (which may be completely wrong) is that, in the absence of configuration to the contrary, iptables are processed top down and the first match wins. I am used to top-down firewall policy processing, but iptables are potentially quite complex.
Joined: 18 Mar 2014 Posts: 13692 Location: Netherlands
Posted: Thu May 02, 2024 15:16 Post subject:
If you do: iptables -vnl FORWARD
You will see that a lot more rules are present.
By flushing the table you delete them all probably not what you want.
Besides what you ACCEPT first you later DROP again
From my notes:
Quote:
DDWRT bridges are by default FORWARDING to each other so there is no isolation at all and you should be able to freely connect to all subnets
To isolate bridges from each other DDWRT has a GUI option on all interfaces: "Net isolation" this should be enabled to isolate the bridges (br1 and br2) from br0 and from the Main router (there is a bug in builds before 49732 which prevents to isolate a bridge from the router)
However bridges are not isolated from each other (patch is pending), so that has to be done manually by adding the following rules to the firewall:
## isolate bridges from each other:
iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
Add to Administration > Commands and Save as Firewall
Just read the documentation.
The thing is still configured as WAP and all firewall rules belong in your firewall (main router) and this is also written in the sticky. _________________ Quickstart guides:
If you do: iptables -vnl FORWARD
You will see that a lot more rules are present.
By flushing the table you delete them all probably not what you want.
Ha haa, point taken!
egc wrote:
Besides what you ACCEPT first you later DROP again
Ok, thanks for pointing this out - this is why I wanted to be clear about my assumptions of the sequence. You have confirmed to me that iptablesdo not function the same as other exterprise firewall solutions.
egc wrote:
From my notes:
Quote:
DDWRT bridges are by default FORWARDING to each other so there is no isolation...To isolate bridges from each other DDWRT has a GUI option on all interfaces: "Net isolation" this should...isolate the bridges (br1 and br2) from br0 and from the Main router...
I have "Net isolation" checked on all non-default bridges.
egc wrote:
Quote:
...However bridges are not isolated from each other (patch is pending), so that has to be done manually by adding the following rules to the firewall:
## isolate bridges from each other:
iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
Add to Administration > Commands and Save as Firewall
To isolate DDWRT has a GUI option on all interfaces: "Net isolation" this should be enabled to isolate the bridges
(br1 and br2) from br0 and from the Main router (there is a bug in builds before 49732 which prevents to isolate a
bridge form the router)
However bridges are not isolated from each other (patch is pending), so that has to be done manually by adding the
following rule to the firewall (
## isolate bridges from each other:
iptables -D FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -D FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br1 -o br+ -m state --state NEW -j REJECT
iptables -I FORWARD -i br2 -o br+ -m state --state NEW -j REJECT
Although these rules are set at the Main router, this also applies to the WAP br1 and br2 because those are just an
extension of the Main.
here we are back to the topic that your question in connection with the configuration is nonsense
if you need extra firewall rules on a WAP then you are doing something wrong _________________ Quickstart guides:
*** Please forgive me for all the detailed questions ***
I just want to clarify with absolute certainty in my head exactly how all traffic is forwarded internally within the device, and how the various configuration settings change that internal forwarding behaviour - your patience is gratefully appreciated. (I promise that once my device is working the way I want, you will almost never hear from me - I am just in the implementation phase...)
** I am not using my dd-wrt device for DHCP or DNS and bridge IP addresses are only configured to allow connectivity testing **
ho1Aetoo wrote:
Just read the documentation.
The thing is still configured as WAP...and this is also written in the sticky.
Although this is a valid design (generically speaking), it is an advanced routing concept which is usually not applicable to a home network scenario. Therefore, I am not 100% sure exactly which part of the configuration actually designates the device as a WAP [only] as opposed to a Router (with or without wireless access).
Q: Does this literally come down to setting WAN Connection Type to Disabled, or does it [also] come down to whether or not the CPUPORT is checked against any VLANs in the Switch Config GUI page, or it is some other setting(s)?
WAN connectivity is distinctly separate from the routing function. WAN connectivity *requires* an internal routing function in order to route packets between the WAN and any LAN interfaces, but an internal Router does *not* require there to be an external WAN connection - routing may still [need to] happen between different 'internal' VLANs/subnets.
Note: See attached config settings (all non-default bridges have Net Isolation enabled).
ho1Aetoo wrote:
...all firewall rules belong in your firewall (*main router)...
*Emphasis mine Q: Does this imply there are in fact two internal routers?
My device is a Netgear EX6200 WiFi Range Extender, which I believe has both a BCM4708 and a BCM53011, both of which have an integrated Advanced Gigabit Switch.
Q: Is it possible that both of these chips can (or do) perform layer 3 routing functions by default?
In one of your posts in the thread linked above, you state:
ho1Aetoo wrote:
By default all interfaces are bridged with br0.
The 'laws' of switching and routing state that if there are no layer 3 interfaces or no rules that allow inter-VLAN routing, then packets should never be forwarded between VLANs.
Q: Does the quote above imply that even if I do not use the WAN port (no cable) and I also create iptable rules that block all inter-BRIDGE connectivity, packets will still be forwarded between non-default bridges?
In the networking world, a 'bridge' is strictly a layer 2 [switching] device/function, and I am a little confused about how the term 'bridge' is being used in this specific context.
Q: It seems to imply it performs layer 3 routing functionality - is this correct?
Q: If so, may I humbly suggest that we use the term 'bridge' strictly to refer to the layer 2 switching function, and when talking about the forwarding of packets between two or more VLANs/subnets or bridge/switch [broadcast] 'domains' that we stick to using the term 'routing'?
This is perhaps less confusing and is also in keeping with well established networking terminology.
** Please also forgive the verbosity of this post - I have made it this way in the hope that my future self and other users asking the same questions may find it more useful **
Layer2 switching is not used at all between the VLANs as switching is only used in the same subnet.
and Layer3 routing is performed by your ( enterprise ) firewall.
As this provides the gateway for your WAPs/VAPs VLANs.
If your VLANs clients want to talk to a client in another subnet, they talk to your firewall/gateway and not to your DD-WRT router.
In order for your DD-WRT router to route layer3 between the VLANs, it would also need to be used as a gateway and have DHCP servers configured.
And now I have to do other things for 2 hours
Is it possible that you are some kind of student who is too lazy to do his homework himself or why are you asking us holes in our bellies? _________________ Quickstart guides:
Layer2 switching is not used at all between the VLANs as switching is only used in the same subnet. Agree
and Layer3 routing is performed by your ( enterprise ) firewall. Agree
As this provides the gateway for your WAPs/VAPs VLANs.
If your VLANs clients want to talk to a client in another subnet, they talk to your firewall/gateway and not to your DD-WRT router.
In order for your DD-WRT router to route layer3 between the VLANs, it would also need to be used as a gateway Agree, "gateway" = "router" and have DHCP servers configured Disagree - not required with static host IPs.
...
Is it possible that you are some kind of student who is too lazy to do his homework himself Network professional, done a huge amount of homework, just a DD-WRT specific student or why are you asking us holes in our bellies?
Do you mean I am causing you to:
- naval gaze?
or
- question your beliefs?
I guess they are the same thing
You've been very patient, and I thank you.
No need to reply.
No, you're just annoying.
You have misconfigured your WAP, I have already pointed this out to you in the other thread.
That you should not assign IP addresses to your bridges as this is not required in a WAP setup.
This leads to the dd-wrt router itself being accessible (e.g. the WebIF or via ssh or telnet, which is certainly not desirable for an isolated network).
This also leads to VLANs being entered in the routing table.
And the bridge address can be misused as a gateway, thus bypassing the isolation of the main router/your firewall.
In short, you have absolutely no idea what you are doing and do not take into account either the documentation or serious recommendations and then annoy us with questions about self-inflicted problems.
Simply remove the bridge addresses and routing between the VLANs will definitely not be possible. (not even abusively) _________________ Quickstart guides:
)
