Decoy256 DD-WRT Novice
Joined: 02 Jun 2024 Posts: 4
Posted: Wed Mar 26, 2025 17:05 Post subject: Access Restriction not working (maybe a firewall issue?)
Equipment: Netgear R7000
DD-WRT Build: r57200
WAN Setup: Centurylink fiber -> ONT -> my R7000, which is replacing the CL router and handles CL's PPPoE.
I apologize if what follows is too much information, but I've read enough posts on here to err on the side of too much information rather than too little.
~~ LAN Setup ~~
R7000 ports:
Port 1 -> Netgear unmanaged switch -> 2 PCs and additional WiFi router*
Port 2 -> Roku
Port 3 -> Reserved for troubleshooting if I mess up other ports.
Port 4 -> Proxmox server
*WiFi router -> Set up to extend the range of WiFi (old house is terrible for signal strength). DHCP handled by R7000. Should be just providing WiFi signal. There may be issues here that I need to work on, but I don't *think* that this is causing the problem here.
~~ VLAN Setup ~~
Each VLAN is set up with a different IP address range.
VLAN 1 -> Port 3 (reserved for troubleshooting) - Uses router's IP range (10.0.0.x)
VLAN 2 -> Unused (I've had... issues trying to mess with VLAN 2, so I just leave it alone.)
VLAN 201 -> Tagged VLAN (required by CL) for connecting to WAN
VLAN 4 -> Ports 2 (Roku) and 4 (Proxmox) - Uses IP range 10.10.10.x
VLAN 5 -> Port 1 (family PCs and WiFi extender) - Uses IP range 10.100.100.x
VLAN 6 -> Right now it is unused, but intended for IoT - uses IP range 10.0.10.x
Each VLAN is set up as an additional DHCP server for its respective subnet, with the server being at address x.x.x.1.
(As a somewhat irrelevant aside, but I just have to say it... I am not thrilled with the numbering scheme of the VLANs as it kind of confuses me trying to remember which VLAN is connected to which port and serving which machines/subnets. But I have found VLANs to be... finicky. I've got it working right now, so I'm just going to let sleeping dogs lie... unless someone has a suggestion that won't screw everything up.)
~~ WiFi Setup ~~
-Two SSIDs on wl0 and wl1 (which I understand are eth1 and eth2 when looking at the interface options available on the Networking tab). These are for family to connect to WiFi.
-Two guest/IoT SSIDs on wl0.1 and wl1.1 VAPs.
~~ Bridging Setup ~~
TBH, I am not sure I understand how bridging works... particularly, why isn't VLAN 201 assigned to a bridge but I can still access the WAN? Is that because bridges "bridge" between the lan ports and the wan port and since VLAN 201 is assigned to the WAN port it doesn't need a bridge? That's the best explanation that I can come up with.
This is what the Networking tab shows:
Bridge Name   STP   Interface
br0           no    vlan1 vlan2
br1           no    vlan4
br2           no    eth1 eth2 vlan5
br3           no    vlan6 wl0.1 wl1.1
I kept my troubleshooting VLAN1 on br0 because in reading posts, I have come to believe that br0 is the default bridge for the WAN and since I want one bridge untouched by any of my other tweaking, I figured br0 and VLAN 1 should do that.
br1 is for the Roku/Proxmox VLAN (if anyone is wondering, I was having issues with my Roku box being able to access my Plex server when they were on separate VLANs)
br2 has my main PCs and the main WiFi SSIDs.
br3 has my (unused) IoT VLAN and my guest WiFi SSIDs.
~~ Firewall Setup ~~
I wanted my main PC VLAN (vlan5) to be able to see and interact with all other VLANs (mainly so I can administer the Proxmox server from my PC), but I basically don't want any other VLAN to see anything but the WAN (except being able to receive [not initiate] connections from vlan5).
I didn't save my previous firewall configuration and I am not an expert in this, so when I lost it during a factory reset (I had screwed something up and lost all access to the router), I had to go online and figure out again how to do what I wanted to do and I think it's working correctly. But I really don't know if it is done correctly...
The easiest/quickest way for me to check the interaction between the VLANs is from one of my Proxmox VMs. From there, I can only ping the DHCP servers for each VLAN, but cannot ping any of the PCs. So, I assume it has quarantined off each VLAN correctly (although I'm not sure why it can still see the DHCP servers... shouldn't it be completely blocked off from everything on that VLAN?)
This may or may not have something to do with the problems I am having with Access Restrictions.
Commands for Firewall:
# Ordering note: every rule below is added with -I (insert at the top of the
# chain), so the router evaluates them in the reverse of the order listed
# here; the last command run becomes the first rule matched.
# Bridge 2
# Source NAT for traffic from any bridge leaving the WAN interface, using the
# WAN address stored in nvram.
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# br2 (main PCs / main WiFi) may open new connections to anywhere.
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
# br0 may forward to every bridge (br+ matches br0, br1, br2 and br3).
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
# Clamp TCP MSS to the path MTU on new TCP connections (commonly needed with PPPoE).
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Bridge 3
# br3 (guest WiFi / IoT) may not open new connections to the WAN interface's
# own address/netmask as stored in nvram, nor to br1 or br2.
iptables -I FORWARD -i br3 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j DROP
# Bridge 1
# br1 (Roku / Proxmox) likewise may not open new connections to the WAN
# address/netmask, br2 or br3. No rule in this script matches br1 -> br0 or
# br3 -> br0; that traffic falls through to the stock rules.
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br3 -m state --state NEW -j DROP
# Bridge 0
# br0 (troubleshooting VLAN) may reach br1 and br3 but may not open new
# connections to br2. Inserted later, these sit above the br0 -> br+ rule.
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br3 -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
# Delete the existing stateful accept rule and re-insert it so replies to
# already-allowed connections are matched before everything above.
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
~~ Access Restrictions ~~
My kids access the network primarily through WiFi coming from the WiFi extender, which is in vlan5 and gets assigned IP addresses in the 10.100.100.x range *starting at 100*.
I have an Access Restriction rule setup to limit internet access after 8:30 pm for any device with an IP address in the range from 10.100.100.100 to 10.100.100.254. My PC and my wife's PC have static addresses under 100 so we don't get restricted.
I have verified that my kids' devices are getting assigned IP addresses above 100 in the 10.100.100.x subnet. However, the access restrictions are not getting applied at 8:30 (or at all).
The frustrating thing is that I had this setup and working correctly on this same firmware build before I had to do the factory reset, so I know it has to come down to me having screwed something up during the rebuild.
Actually, that's not entirely accurate... before the reset I had Access Restriction setup to use each kid's MAC address, but some devices do the randomized MAC address, so I figured I would change it to do it by IP range. It was actually while I was changing the IP range on my main PC VLAN that everything got screwed up and necessitated the reset. The IP range is setup the way I want it now, but the whole point of setting up the IP range this way was so that I could have Access Restriction use that IP range instead of MAC addresses.
If I have to go back to using MAC address, I suppose I can, but that defeats the whole point of going through this drama in the first place. And at this point, I'm thinking that this may be the only option to have Access Restrictions working. But I am hoping that someone will take a look at my firewall setup and tell me where I went wrong (as I assume it is the firewall config that is messing things up, but again, I'm not an expert... just my semi-educated guess.)
~~ OpenVPN ~~
I will also note that I do have OpenVPN setup connected to AirVPN. It only applies to one IP address from a *certain VM* on my Proxmox server with killswitch enabled. And again, I had this setup and working the same way on the same firmware build before the reset. OpenVPN, killswitch, firewalls, and Access Restrictions all got along.
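Because every FORWARD rule in the post is inserted with -I, the chain the router ends up with is evaluated in the reverse of the listed order, with the RELATED,ESTABLISHED rule moved to the top. The script below is an added example, not code from the post or from DD-WRT: an offline awk model of how -I, -A and -D reorder one chain, which replays the posted commands and prints the resulting FORWARD order so the policy can be desk-checked before it goes on the router. It assumes one pre-existing RELATED,ESTABLISHED accept rule in FORWARD (the post's own -D command implies it exists) and does not model the rest of DD-WRT's stock rules or anything Access Restrictions adds, so it shows the relative order of the custom rules only.

```shell
#!/bin/sh
# Added example, not part of the post above: an offline model of how
# `iptables -I` (insert at position 1), `-A` (append) and `-D` (delete
# the first identical rule) reorder one chain. It only shuffles rule
# text; nothing is executed on a router, so the backtick expansions in
# the posted commands are carried along literally.
#
# Usage: simulate_chain CHAIN < script.txt
# Prints the tracked chain in evaluation order (first match wins).
simulate_chain() {
    awk -v chain="$1" '
    # Re-join the fields from position "start" into one rule-spec string.
    function spec(start,    s, i) {
        s = ""
        for (i = start; i <= NF; i++) s = s (s == "" ? "" : " ") $i
        return s
    }
    BEGIN { n = 0 }
    NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
    $1 != "iptables"     { next }      # skip anything that is not a rule
    {
        op = $2; ch = $3; start = 4
        if ($2 == "-t") { op = $4; ch = $5; start = 6 }   # "-t nat ..." form
        if (ch != chain) next          # other chains/tables are ignored
        s = spec(start)
        if (op == "-I") {              # insert becomes the new first rule
            for (i = n; i >= 1; i--) r[i + 1] = r[i]
            r[1] = s; n++
        } else if (op == "-A") {       # append goes last
            r[++n] = s
        } else if (op == "-D") {       # delete the first identical rule
            for (i = 1; i <= n; i++)
                if (r[i] == s) {
                    for (j = i; j < n; j++) r[j] = r[j + 1]
                    delete r[n]; n--
                    break
                }
        }
    }
    END { for (i = 1; i <= n; i++) print i ": " r[i] }
    '
}

# Constructed input: one assumed pre-existing stock rule (the post's own
# -D command implies it exists), then the commands from the post. The rest
# of DD-WRT's stock FORWARD chain is not modelled.
POSTED_FIREWALL='
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Bridge 2
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -o br+ -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Bridge 3
iptables -I FORWARD -i br3 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j DROP
# Bridge 1
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br3 -m state --state NEW -j DROP
# Bridge 0
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br0 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br3 -j ACCEPT
# push RELATED/ESTABLISHED rule back to top of chain
iptables -D FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
'

# The FORWARD chain as the router would evaluate it after running the script.
posted_forward_chain() {
    printf '%s\n' "$POSTED_FIREWALL" | simulate_chain FORWARD
}

posted_forward_chain
```

The output lists the custom rules top to bottom in match order: the stateful accept first, then the three br0 rules, then the br1 and br3 drops, the MSS clamp, the br0 -> br+ accept, and the br2 accept last. On the router itself the same order, interleaved with the stock and Access Restriction rules, can be read with `iptables -L FORWARD -v -n --line-numbers`, which is the first thing to compare against this model when a restriction is not taking effect.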