Posted: Sat May 17, 2025 8:50 Post subject: swconfig - VLAN configuration via GUI - (separate WAN)
You must be registered in the forum and logged in to see the attachments!
The thread is valid for all newer firmware builds ≥57789
The thread is mainly for Atheros routers with 2 CPU ports which have a separate WAN port (the WAN port is not connected to the switch) like:
D-Link DIR-615 E3, TP-Link TL-WR740N v4, and more.
If you have old CLI VLAN settings then remove them first or reset the router.
It is advantageous if you have a working WLAN connection when configuring the switch.
If you lock yourself out and the LAN ports no longer work, you can still connect to the router via WiFi.
The screenshots are from LXX's DIR-615 E3, so the port assignment shown via "swconfig dev switch0 show" may differ on other devices.
The "switch config tab" received a small update and the CPU port is now configurable.
The settings shown in the screenshots are sufficient.
The GUI setting "Net Isolation" isolates interfaces from br0.
This means that no connection between br0 <-> br1 is possible.
However, if you have created several new bridges and want a more finely controlled isolation, manual firewall settings are necessary.
As already mentioned, "Net Isolation" only isolates against br0, which means that, for example, br1 and br2 are not isolated from each other.
Manual firewall rules for isolation.
Insert the firewall rules in the "Diagnostics.asp" tab (for a trunk port setup with a WAP, the rules are placed on the main router!).
## block connections from br1 to br0
## connection from br0 to br1 possible
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
## block connections from br2 to br0
## connection from br0 to br2 possible
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j REJECT
## block connections from br1 to br2
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j REJECT
## block connections from br2 to br1
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j REJECT
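
Added example (not part of the original post): with more than two extra bridges the number of pairwise rules grows quickly, so this sketch prints the same rule form as above for any list of bridges. The function name isolation_rules and the "trusted bridge" argument are assumptions made for illustration; the output is meant to be reviewed and then pasted into the command field.

```sh
#!/bin/sh
# Added example: print the isolation rules for one trusted bridge and
# any number of other bridges. The trusted bridge may still open
# connections to the others; every other bridge is blocked from opening
# new connections to the trusted bridge and to each other.

# usage: isolation_rules TRUSTED BRIDGE...   (hypothetical helper)
isolation_rules() {
    trusted=$1
    shift
    # Accept only names like br0 .. br99 so nothing unexpected ends up
    # in a generated command line.
    for name in "$trusted" "$@"; do
        case $name in
            br[0-9]|br[0-9][0-9]) ;;
            *) echo "invalid bridge name: $name" >&2; return 1 ;;
        esac
    done
    for src in "$@"; do
        if [ "$src" = "$trusted" ]; then continue; fi
        # other bridge -> trusted bridge
        echo "iptables -I FORWARD -i $src -o $trusted -m state --state NEW -j REJECT"
        # other bridge -> every remaining other bridge
        for dst in "$@"; do
            if [ "$dst" = "$src" ] || [ "$dst" = "$trusted" ]; then continue; fi
            echo "iptables -I FORWARD -i $src -o $dst -m state --state NEW -j REJECT"
        done
    done
    return 0
}

# Reproduces the four rules listed above for br0, br1 and br2.
isolation_rules br0 br1 br2
```

For N bridges besides br0 this gives N*N rules, for example 9 rules for br1, br2 and br3.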