
How to set up a VLAN on Tomato

Discussion in 'Tomato Firmware' started by SteveF, Jan 17, 2013.

  1. Bird333

    Bird333 Network Guru Member

    Most of the rules are built into the firmware and not on the Firewall page; otherwise people would be exposed to the internet until they put their own firewall rules in their router. I suggest you run the commands listed earlier in the thread to look at your iptables rules and decipher them using the tutorial I posted earlier, or possibly find some other source on reading iptables rules from Google. Happy reading.
     
  2. SteveF

    SteveF Serious Server Member

    Did you mean your rules or gfunkdave's rules listed earlier? And what did you mean by 'in the thread'? And even if I decipher them and they turn out to be insufficient, then it may be advisable to add some rule? Am I correct on that? In any case, I do not even have the basics of Linux programming and iptables; this would take me forever.

    I would like to know how much protection is built into the firmware at the release level (you mentioned most) and what level of protection that release level of the firmware provides. From what you are telling me I cannot grasp what level the protection is at and what needs to be added. Surely this can only be answered by the designers of the firmware. I simply do not have the background to figure this out and I need help.

    Thanks for your suggestion and reply.
     
  3. SteveF

    SteveF Serious Server Member

    Folks, someone may be able to help me. I would like to know what level of safeguard is built into the Tomato firmware against outside intrusion or attack. Is it at a 10% or a 90% level or what. Should I be concerned about it? I think the best people to answer this question are the people who designed the firmware. Can anybody help me by answering this question please?

    My firmware is a Toastman build: tomato-ND-1.28.7633.3-VLAN-ITP-ND-Std.trx.

    Thanks for your time.
     
  4. Monk E. Boy

    Monk E. Boy Network Guru Member

    What do you consider 10% and what do you consider 90%? This isn't a black and white or even shades of grey question really, since your router and clients on the LAN/WLAN behind it are as safe as you configure everything to be.

    You can make it rock solid impenetrable or you can make it swiss cheese, it all depends on how you set it up.
     
  5. SteveF

    SteveF Serious Server Member

    Monk, that is fair ball. I just wanted to get a feel for the built-in protection, that is, the level the router is at when released. Is there any protection built in? Is it good enough for a non-commercial application? I guess I am struggling with the qualification of the level of protection. The more important question is: where can I get some help to set it up, maybe not rock solid, but pretty good or good enough for a non-commercial application.

    Thanks for your reply.

    Steve
     
  6. Bird333

    Bird333 Network Guru Member

    I posted commands earlier in this thread that showed you how to list the iptables rules that you have on your router. Tomato out of the box (i.e. already built into the firmware) protects your computers from the outside (i.e. the internet). The 'firewall' page is for additional rules one might want to add because they have a special need. For example, if you want to keep br1 from accessing the router, you need to add special rules for that because the default doesn't block this. Most people are fine with the default/built-in rules. Nobody starts out with iptables knowledge; you have to start somewhere, so start reading. And no, it will not take you forever to understand. Actually, it is pretty logical.
     
  7. SteveF

    SteveF Serious Server Member

    It may be logical but very complex. I already visited sites such as: http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html

    I know it would take me several weeks if not months to really understand the whole system. It would help if I had a Linux background, which I do not have. Thanks for your suggestion, but due to lack of time I have to find another solution rather than learning everything about iptables. This is not the best way for me to utilize my time when I really just want to have a reasonable solution for the one router which I currently have. I do not anticipate becoming a router expert like some of you on this forum.

    Interestingly you made a more meaningful statement (for me anyway): "Most people are fine with the default/built-in rules". This tells me that the firmware out of the gate has some built in protection. This was really my first thing I wanted to know.
     
  8. Bird333

    Bird333 Network Guru Member

    Well I didn't have a linux background (still don't :)) actually my routers made me learn what I did (and continue to learn). I don't "understand the whole system". It's up to you but if you run into other issues, knowing something about iptables (knowing everything is not required :)) will help you solve your problems and be better able to understand and follow the advice that others give you.
     
  9. Monk E. Boy

    Monk E. Boy Network Guru Member

    Out of the box it's fairly secure, though you have to change default passwords, implement wireless security, etc. to secure it.

    If you enable remote management or other features in Tomato that "listen" on the WAN port, like VPN, PPTP, etc., then it can lose some security since that's more executables that are available for people on the internet to attack. These aren't turned on by default but can be if you configure the router, which is why I said it depends on how it's configured.

    Hell, Windows can be swiss cheese or it can be fairly locked down; it all depends on how it's configured and what sacrifices in usability you're willing to live with. I used to work at a place that had no firewall and public IP addresses for every desktop PC and server. I still have nightmares...

    If all you have to worry about are standard NAT transform holes, which allow you to open up connections from a specific LAN/WLAN system to a system on the internet and allows traffic coming back from that internet system to reach the LAN/WLAN system (in other words, allow LAN/WLAN systems to contact servers on the internet and use what they offer, like browsing this website)... the router is almost as secure as any Linux system. You can still be attacked from the internet, but it won't be due to any fault of the router, it'll be a fault of the LAN/WLAN system.

    Convenience features, like Universal Plug 'n Play (UPnP) and NAT-PMP, make it easier to use certain applications "through" the router, but that ease comes with lower security (since each time it opens a hole with UPnP you're basically opening the application on that LAN/WLAN system up to attack from the outside world). This doesn't compromise the router, since it's as secure as ever, but it opens up more avenues of attack for people on the internet - they can talk directly to the application running on your LAN/WLAN system(s) thanks to UPnP, exploiting any and all bugs in those applications. Again, though, the router itself is still quite secure; it's your LAN/WLAN systems that are the worry.

    Now, with wireless, you have the spectre of someone parking in front of your house, or some neighbor's kid crafting a directional antenna, and getting onto your LAN/WLAN... they can only be defended against by using the only encryption option available that has no known vulnerabilities (WPA2) and a cryptographically strong passkey (so they can't just run a dictionary attack and get in).
     
  10. SteveF

    SteveF Serious Server Member

    OK, thanks for the reply. However, I am not sure that I want to spend a lot of time to learn about iptables for fixing the situation for this one router of mine. I do not plan to have several routers, like you, I have no need. I am just a user of one router, need a solution and move on. I am an electrical engineer by trade but now I do not have the desire to learn more about iptables, (at least not at this phase of my life) and to have several routers and play with them. I am just a user of one router because I have to provide Internet to two students. So I do not have the burning desire to learn about this stuff. I just need a solution and if I can not have it one way or another here on this forum or other forums then I may just have to hire someone and pay for it if it is necessary. This is why I wanted to find out if I need to fix something which may not be broken. It is a simple matter of priorities. I do not know if you can understand this, you come from a different angle - such as if I have an issue with the router I can fix it. I plan not to have an issue, once it is good enough, that is what I will have, no further improvements.

    Thanks again for responding. By the way I do understand your points, a few years ago I would have jumped on iptables.
     
  11. Bird333

    Bird333 Network Guru Member

    That's cool but in this post you seemed interested in learning.
     
  12. SteveF

    SteveF Serious Server Member

    Yes, that was before two things: (1) I had not looked at that iptables website - it actually discouraged me. Due to my profession, I know what it takes to learn this stuff. (2) I have been rethinking the priorities in the meantime - I do not see it as very enticing to learn this stuff for one router. So, basically my thinking progressed to the point that I knew more clearly what I want. I hope this explains it.
     
  13. SteveF

    SteveF Serious Server Member

    You are spelling out how the firmware works out of the box and what I should not do to compromise security. Thanks, this is partly what I was looking for. I do not plan to enable or add any exotic stuff. I am basically interested in having 4 clients sending out requests to the Internet and getting responses. No UPnP, no NAT-PMP, just a simple LAN/WLAN system with the restrictions that the two segments are isolated and br1 cannot access the router internally. I do believe I have all these things. So what you are telling me is, if I do not have those exotic features, I should be OK.

    One other thing: I changed to WPA2 Personal with AES encryption so from the point of view I should be OK as well.
     
  14. Monk E. Boy

    Monk E. Boy Network Guru Member

    It sounds like you're taking care of the other possibility, which is authenticated clients, with a password, gaining access to other LAN/WLAN devices on the router. Security is like an onion really... once you start peeling...
     
  15. gfunkdave

    gfunkdave LI Guru Member

    Steve, for what you're asking, you don't need to worry. Tomato is like any other NAT router. You needn't worry about people trying to hack your network from the internet, so long as any services you expose (VPN, remote access, etc) are reasonably protected by good passwords.

    There is no need for further firewall rules to prohibit access to your network from the internet. Tomato does that out of the box.

    The rules I posted earlier just prevent your renters from accessing the router via its web or telnet interfaces.
     
  16. SteveF

    SteveF Serious Server Member

    gfunkdave, thanks for the response. I appreciate it. It gives me positive and specific feedback regarding the external protection of the Tomato router. This is the type of response I expected, I know now that the router has built in protection what I did not know before. I just had a bit of a concern to use a piece of firmware which I did not know much about. In my past professional practice I was used to the fact that when I used or designed a part in, I had some sort of specification available and I did not have to do testing or discovery of the specification itself. I just had to do the application testing, that's all.

    Thanks again, Dave.

    Steve
     
  17. SteveF

    SteveF Serious Server Member

    Dave, I read more about NAT and I understand more about how it increases router security. The NAT router discards every communication from the outside if it was not originated from the inside. So, if my thinking is correct, this is why servers are more vulnerable: they are accepting outside requests without initiating them. This NAT is fascinating stuff.
     
  18. Toastman

    Toastman Super Moderator Staff Member Member

    I know where SteveF is coming from. To put things into perspective, in a city with 7 million internet users, it is highly unlikely that anyone is going to sit outside your house trying to hack into a home router or PC .. sure, it theoretically might happen, but I ain't seen it yet. The most common problem you will have is your own user base leaking access codes to others...
     
  19. SteveF

    SteveF Serious Server Member

    Toastman, thanks for the reply. Yes, this is indeed one of the most likely scenarios. Could you not use the wireless filter, a limited DHCP range and static IP address assignments - you suggested the 1-wide DHCP range while the rest of the clients would get assigned static IPs. That is, an unwanted intruder having the leaked key/encryption type and SSID simply would not be able to connect. In addition I would put in the QoS some rule(s) to disable source IP range(s) which are not statically assigned. Would all these not solve the problem?
     
  20. gfunkdave

    gfunkdave LI Guru Member

    You're saying, if someone figures out the wireless password? If you're using WPA2+AES, that's virtually impossible. If one of your renters gives a friend the password, well, what's the harm? What can someone do besides surf the internet?

    Furthermore, the friend with the password can simply give themselves a static IP. DHCP not required. Restricting access to certain MACs might help, but it's pretty trivial to spoof your MAC address and overcome that.

    I wouldn't worry about it.
     
  21. SteveF

    SteveF Serious Server Member

    Actually I agree with you 100% regarding your first statement. I was just saying that that is a possibility. Figuring out the wireless password is not practically possible. If a guy gets it from my renter he would not be able to connect to the router due to the wireless filter based on MAC address. But even if he connects, his segment is separated so he can not access my segment.

    Regarding the second paragraph, a person can give himself a static IP only if, as you say, he spoofs the MAC address, since I have a MAC filter. If I am suspicious, I can always check the MAC's manufacturer, but I am not worried about spoofing either. It was only an academic discussion. The bottom line: I am fine, I am not concerned, and if I still talk about various aspects it is due to my fascination with the Tomato firmware.

    Thanks Dave!
     
  22. fubdap

    fubdap Addicted to LI Member

    The way I understand it, if every device in your network is assigned a static IP and you check the feature in the attached image, no one will be able to log in to your network because the router will not issue any IP address.
    (attached screenshot)
     
  23. jerrm

    jerrm Network Guru Member

    Wrong - all the user has to do is manually assign an IP to the adapter.
     
  24. fubdap

    fubdap Addicted to LI Member

    Please educate me. How can you get to the adapter if you are trying to login wirelessly?
     
  25. jerrm

    jerrm Network Guru Member

    Just like you would do with a wired adapter. Set the IP address in the adapter's TCP/IP settings and then connect. Think of establishing the wireless connection as no different than plugging in a cable. The wireless connection to the router is essentially at the hardware/ethernet level, anything involving IP is just software on top of that hardware connection.
     
  26. SteveF

    SteveF Serious Server Member

    jerrm, you are correct when you say that the client can have an IP manually assigned to it and then he can connect. However, if you use the Wireless Filter method in the router AND specify a group AND the members of the group are the only ones allowed to connect wirelessly AND the client's MAC address is not on the list, then the client cannot connect unless he spoofs the MAC address. Is this not correct?
     
  27. jerrm

    jerrm Network Guru Member

    Right - a "permit only" mac filter is about as tight as you can get. It won't stop spoofing, but at that point they have to be pretty persistent if they don't already know a valid mac.

    For my home network, where I want to allow guests, I statically assign all my known devices and have a cron job to send alerts if an unknown mac joins the net. It's nowhere near perfect as a real security tool, but lets me keep tabs on the kids. They can't figure out how I know who was over and when - it's fun to be big brother sometimes.
     
  28. philess

    philess Networkin' Nut Member

    I don't want to go too much off-topic here, but would you mind sharing that cron job setup with us? I managed to get growl notifications sent from the router working, and now a setup that sends the message when an unknown MAC joins the network is just what I need.
     
  29. SteveF

    SteveF Serious Server Member

    jerrm, I second philess' request. Could you share with us how you do the cron job? Thanks in advance.
     
  30. SteveF

    SteveF Serious Server Member

    Do you use MAC wireless filtering? If you do, you cannot have an unknown MAC joining via a wireless connection.
     
  31. philess

    philess Networkin' Nut Member

    I am aware of that. For my Guest-Network I have to disable MAC filtering. But since it is separated from all my other devices through a VLAN, that is a "risk" I am willing to take. And the Guest-Network is only turned on when I have visitors.
     
  32. SteveF

    SteveF Serious Server Member

    Thanks. What build/version are you using (Toastman, Victek, etc.) and what is your router?
     
  33. philess

    philess Networkin' Nut Member

    I am using a E4200v1 with Tomato v1.28.9013 MIPSR2-R1.0--RAF K26 USB VLAN-VPN-NOCAT Victek Mod.
     
  34. jerrm

    jerrm Network Guru Member

    OK, this is the script. It should be relatively harmless, but does delete some files it creates. Use at your own risk.

    The script assumes all known macs are assigned static IPs so arp entries are marked PERM. The only dependency is entware/optware msmtp for mail. This could easily be replaced with the busybox sendmail available in most Tomato builds.

    The script assumes any new mac is attempting to use the router. It uses the basic arp table. It does not do any sort of sniffing. It is entirely possible a device could connect, only access devices on the LAN and not show up in the router's arp table. It is not meant to detect any sort of serious hack attempt.

    I call "arpcheck.sh cron" from init after the system is up. It schedules itself to check arp every 5 minutes, and to reset once a day. You won't repeatedly get spammed every 5 minutes about a single unknown mac, but will get a message once a day if the questionable mac hangs around that long.

    Parameters:
    cron - schedules cron entries
    reset - removes the list of found macs
    stop - removes cron jobs and found mac list

    Variables:
    localnet is the most likely to need changing - a regexp to match the nets you want to monitor. Could just as easily be interfaces.

    Code:
    #!/bin/sh
    # Alert when a MAC that is not statically assigned shows up in the router's ARP table.
    # Known devices have static leases, so their ARP entries are flagged PERM;
    # any entry without PERM on a monitored net is treated as unknown.

    # regexp for the nets to monitor: 192.168.0.x and 192.168.1.x
    # (a character class, so "[01]" and not "[0|1]", which would also match a literal "|")
    localnet="192\.168\.[01]\."
    me=/opt/bin/arpcheck.sh
    cronid=arpcheck
    hour=11                               # hour of the daily reset
    interval=5                            # minutes between checks
    msg=/tmp/unknownarp.txt.$$
    newmacs=/tmp/newmacs.txt.$$
    foundmacs=/tmp/foundmacs.txt          # macs already reported since the last reset
    histmacs=/opt/var/log/foundmacs.txt   # permanent history of first sightings
    sendmsg=false
    rtr=`nvram get router_name`

    if [ ! -f $foundmacs ] ; then
      touch $foundmacs
    fi
    mkdir -p "$(dirname $histmacs)"

    for p in "$@"
    do
      case "$p" in
        "cron" )
          # daily reset at $hour:03, and a check every $interval minutes
          cru a "$cronid"reset "03 $hour * * * $me reset"
          cru a $cronid  "*/$interval * * * * $me"
          echo cron ;;
        "reset" )
          echo foundmacs> $foundmacs
          echo reset ;;
        "stop" )
          cru d "$cronid"reset
          cru d $cronid
          rm -f $foundmacs
          echo stop
          exit ;;
      esac
    done

    # non-PERM entries on the monitored nets; grep exits nonzero when there are none
    if arp -a | grep "$localnet" | grep -vw PERM > $newmacs  ; then
      while read line
      do
        rt=$(grep -cF "$line"  $foundmacs)
        if [ $rt -gt 0 ]
        then
          echo FOUND: "$line"            # already reported since the last reset
        else
          sendmsg=true
          echo "$line" >> $foundmacs
          echo "$(date +"%F %T") $line" >> $histmacs
        fi
      done < $newmacs
      if $sendmsg ; then
        # mail headers, one blank line, then the current unknown entries as the body
        echo "To: 2125551212@vtext.com" > $msg
        echo "To: mymail@myisp.com" >> $msg
        echo "Subject: $rtr UNKNOWN MACHINE $(date +"%F %T")" >> $msg
        echo "" >> $msg
        cat $newmacs >> $msg
        cat $msg | msmtp -t --syslog=on
        cat $msg | logger -t ARPCHECK
        rm -f $msg
      fi
    fi
    rm -f $newmacs
     
  35. SteveF

    SteveF Serious Server Member

    Thanks.
     
  36. SteveF

    SteveF Serious Server Member

    jerrm, thanks, I have to mull over this. I want to minimize the extra stuff.
     
  37. SteveF

    SteveF Serious Server Member

    What is extensive UDP traffic an indication of? What kind of traffic might it mean? I believe P2P is mostly based on the UDP protocol. Is this a true statement? How about Internet games? Do Internet games require a lot of download or upload in general? In qosdetails I see a large number (maybe up to 100 at times) of unclassified UDP connections open.

    In addition, if under qosdetails-->Class the classification is Unclassified, what does that mean? I do not think it means Default classification. If it did the name of the Default would show. So, I do not understand what the Unclassified class means.

    Thanks for your explanation in advance.
     
  38. frojnd

    frojnd Networkin' Nut Member

    I'll borrow this topic because I have a similar problem and I have followed this thread since the beginning.

    I've successfully set up br0 and br1 so that clients on br0 and br1 can't ping/see each other.
    However I am not successful when trying to limit br1 (my virtual LAN) from accessing the web interface (or SSH for that matter) of the router, and in my case, since I have bridged the modem to the router, I'd also like guests (br1) not to be able to access the web interface of the modem when they are on the guest SSID (wl0.1).

    General info:

    Basic -> Network -> Route modem IP: 10.6.0.1
    Basic -> Network -> LAN: (screenshot)

    Current set up: Administration -> Scripts -> Firewall:
    Code:
    iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT -i br1 -d 192.168.1.1 -j DROP
    iptables -I INPUT -i br1 -d 192.168.2.1 -j DROP
    Print screen for making it clear: (screenshot)


    iptables -L -v --line-numbers (I'm all running from Tools -> System -> Execute System Commands)
    Code:
    Chain INPUT (policy DROP 30 packets, 4815 bytes)
    num  pkts bytes target    prot opt in    out    source              destination         
    1        0    0 ACCEPT    tcp  --  br1    any    anywhere            anywhere            tcp dpt:domain 
    2      32  1940 ACCEPT    udp  --  br1    any    anywhere            anywhere            udp dpt:domain 
    3        1  353 ACCEPT    udp  --  br1    any    anywhere            anywhere            udp dpt:bootps 
    4      768 46080 DROP      all  --  br1    any    anywhere            anywhere            state NEW 
    5        1    56 DROP      all  --  any    any    anywhere            anywhere            state INVALID 
    6    1416  221K ACCEPT    all  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED 
    7        2  138 ACCEPT    all  --  lo    any    anywhere            anywhere           
    8    1575  126K ACCEPT    all  --  br0    any    anywhere            anywhere           
    9        0    0 ACCEPT    all  --  br1    any    anywhere            anywhere           
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    num  pkts bytes target    prot opt in    out    source              destination         
    1        0    0 DROP      all  --  br1    !ppp0  anywhere            anywhere           
    2    121K  62M            all  --  any    any    anywhere            anywhere            account: network/netmask: 10.6.1.0/255.255.255.0 name: lan 
    3    2271  444K            all  --  any    any    anywhere            anywhere            account: network/netmask: 10.6.2.0/255.255.255.0 name: lan1 
    4        0    0 ACCEPT    all  --  br0    br0    anywhere            anywhere           
    5        0    0 ACCEPT    all  --  br1    br1    anywhere            anywhere           
    6        0    0 DROP      all  --  any    any    anywhere            anywhere            state INVALID 
    7    2763  164K TCPMSS    tcp  --  any    any    anywhere            anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU 
    8    65314  55M L7in      all  --  ppp0  any    anywhere            anywhere           
    9    122K  63M ACCEPT    all  --  any    any    anywhere            anywhere            state RELATED,ESTABLISHED 
    10      3  252 DROP      all  --  br0    br1    anywhere            anywhere           
    11      0    0 DROP      all  --  br1    br0    anywhere            anywhere           
    12      0    0 wanin      all  --  ppp0  any    anywhere            anywhere           
    13    1864  120K wanout    all  --  any    ppp0    anywhere            anywhere           
    14    1749  112K ACCEPT    all  --  br0    any    anywhere            anywhere           
    15    115  8452 ACCEPT    all  --  br1    any    anywhere            anywhere           
    16      0    0 upnp      all  --  ppp0  any    anywhere            anywhere           
     
    Chain OUTPUT (policy ACCEPT 2857 packets, 557K bytes)
    num  pkts bytes target    prot opt in    out    source              destination         
     
    Chain L7in (1 references)
    num  pkts bytes target    prot opt in    out    source              destination         
    1        0    0 RETURN    all  --  any    any    anywhere            anywhere            LAYER7 l7proto flash 
    2        0    0 RETURN    all  --  any    any    anywhere            anywhere            LAYER7 l7proto httpvideo 
    3        0    0 RETURN    all  --  any    any    anywhere            anywhere            LAYER7 l7proto shoutcast 
    4      601  188K RETURN    all  --  any    any    anywhere            anywhere            LAYER7 l7proto skypetoskype 
    5    2411 1988K RETURN    all  --  any    any    anywhere            anywhere            LAYER7 l7proto skypeout 
    6        0    0 RETURN    all  --  any    any    anywhere            anywhere            LAYER7 l7proto irc 
     
    Chain upnp (1 references)
    num  pkts bytes target    prot opt in    out    source              destination         
     
    Chain wanin (1 references)
    num  pkts bytes target    prot opt in    out    source              destination         
    1        0    0 ACCEPT    tcp  --  any    any    anywhere            alarmpi            tcp dpt:https 
    2        0    0 ACCEPT    tcp  --  any    any    anywhere            alarmpi            tcp dpt:www 
    3        0    0 ACCEPT    tcp  --  any    any    anywhere            alarmpi            tcp dpt:10020 
    4        0    0 ACCEPT    tcp  --  any    any    anywhere            alarmpi            tcp dpt:60001 
    5        0    0 ACCEPT    tcp  --  any    any    anywhere            rpi2                tcp dpt:https 
    6        0    0 ACCEPT    tcp  --  any    any    anywhere            rpi2                tcp dpt:www 
    7        0    0 ACCEPT    tcp  --  any    any    anywhere            rpi2                tcp dpt:10020 
    8        0    0 ACCEPT    tcp  --  any    any    anywhere            rpi2                tcp dpt:60001 
     
    Chain wanout (1 references)
    num  pkts bytes target    prot opt in    out    source              destination          
    Screen shot for making this clear CLICK

    Any help would be appreciated. I think the problem is with iptables rules.
     
  39. SteveF

    SteveF Serious Server Member

    Dave, this is unrelated to the above message. When I look at my or my wife's qosdetails, I can see the open connections and I can click the box to auto-resolve addresses. This way I can see the complete web address the client in question connected to. This is on br0. When I look at the renters' qosdetails (remember they are on br1) I can only see gateway accesses and of course web names cannot be resolved; they are not even shown. The only open connections I can see there are between their clients and the gateway. So, I guess this is how it is, right? Is there any way to see their destinations? Or, because of the complete 2-way separation, can this data on br1 not be seen from br0 where I am?

    Also, can I use QoS and bandwidth Limiter for clients on br1? When I tried, Tomato accepted it but gave a message something like this: "It is outside of LAN" or to that extent. I guess it might have meant that it is outside of br0 where I initiated the action from.


    Thanks for your answer in advance.

    Steve
     
  40. SteveF

    SteveF Serious Server Member

    frojnd, I think you are right; I can see a potential problem in the 3 iptables rules. I think these are your rules:

    iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT -i br1 -d 192.168.1.1 -j DROP
    iptables -I INPUT -i br1 -d 192.168.2.1 -j DROP

    In these rules br0 has the IP of 192.168.1.1, and br1 has the IP of 192.168.2.1.

    However, your bridges have the IPs of 10.6.1.1 and 10.6.2.1.

    So your rules should look like:

    iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT -i br1 -d 10.6.1.1 -j DROP
    iptables -I INPUT -i br1 -d 10.6.2.1 -j DROP

    By the way, I am just curious, can you add shots how the VLAN, LAN Access and Virtual Wireless are set up?

    Steve
     
  41. frojnd

    frojnd Networkin' Nut Member

    Wow Steve :) I totally misread the IPs :D
    Code:
    iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT -i br1 -d 10.6.0.1 -j DROP
    iptables -I INPUT -i br1 -d 10.6.1.1 -j DROP
    iptables -I INPUT -i br1 -d 10.6.2.1 -j DROP
    Now clients on br1 can't access 10.6.1.1 and 10.6.2.1, the router's IPs, but they can still access 10.6.0.1, which is the bridged modem. Thank you Steve for reminding me I set up the wrong netmask.

    How do I restrict br1 from accessing the bridged modem (modem's IP: 10.6.0.1)?

    Steve here are my settings:
    VLAN
    LAN Access
    Virtual Wireless
     
  42. SteveF

    SteveF Serious Server Member

    Thanks for your response and for adding those pages.

    Would your second line in the rules, "iptables -I INPUT -i br1 -d 10.6.0.1 -j DROP", not do the job, that is, stop br1 from accessing the modem? Have you tested it?

    Interestingly, I looked at your LAN Access page and you added a rule and unchecked the 'On' box. I did not add the rule (you can have a look at my LAN Access page earlier in this thread, represented by a link). My LAN Access page looks like yours except your second line is really my first line. So there is no rule in place for me; that line in my LAN Access page is just a template to add a rule. In any case I assume your br0 and br1 segments are completely separated. It looks to me like the default (if you do not add a rule) is separating the two segments.
     
  43. frojnd

    frojnd Networkin' Nut Member

    Steve,

    Yes. The default rules in LAN Access are for separating br0 from br1. I simply tested whether I can reach br1 from br0 and then disabled it.
    And you are correct that the LAN Access page is just a template to add a rule.

    When I'm on the 10.6.2.0/24 network (guest) I can still reach my modem (the modem is bridged). So what is wrong with the iptables rules I have?
     
  44. SteveF

    SteveF Serious Server Member

    Hi frojnd, my knowledge regarding iptables stops here. Maybe gfunkdave can help you. He helped me a great deal. Address a post to him, describe your problem, ask him for help and hopefully he will help.

    One last question: you have two wireless LANs, wl0 and wl0.1. Do they both coexist, that is, are they multiplexed into the radio, or can only one operate at any one time? My gut feel is that the two wireless LANs are multiplexed into the one radio and they coexist, but I need confirmation for that.

    Thanks for your response and clarification.

    Steve
     
  45. Bird333

    Bird333 Network Guru Member

    You need to change your INPUT rule to a FORWARD rule. INPUT rules are for packets destined for the router itself.
     
  46. frojnd

    frojnd Networkin' Nut Member

    They both coexist on the same channel. The virtual SSID wl0.1 regularly changes its MAC address by default. I've also set up both for WPA2 Personal AES encryption.

    Bird333,

    what rule did you have in mind, iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT <- this one? I tried to replace INPUT with FORWARD but clients on the virtual SSID (10.6.2.0/24) were still able to access the modem's IP through the web interface on 10.6.0.1
     
  47. Bird333

    Bird333 Network Guru Member

    No, the rule you had that had 10.6.0.1 in it.
     
  48. SteveF

    SteveF Serious Server Member

    I have a question regarding 2 VLANs, LAN(br0) and LAN1(br1). The two are separated both directions. I am on LAN(br0), when I look at qosdetails (open connections) for a client PC1A1 which is on LAN1(br1), I can only see a lot of Unclassified UDP connections from LAN1 to the client, such as:

    UDP unknown-lan1 (192.168.2.1) [Hide] 8905 PC1A1 (192.168.2.53) [Hide] 60064 Unclassified 0 125

    Is this because the two segments are separated and br0 does not see br1 so it can only see the internal (Unclassified) connections for client PC1A1? If this is the case, is there a way to show the Classified connections of client PC1A1 on br1?

    Thank you in advance

    Steve
     
  49. frojnd

    frojnd Networkin' Nut Member

    So this one: iptables -I INPUT -i br1 -d 10.6.0.1 -j DROP

    I've changed it to iptables -I FORWARD -i br1 -d 10.6.0.1 -j DROP but it's not working. br1 clients can access 10.6.0.1
     
  50. Bird333

    Bird333 Network Guru Member

    Paste the output of iptables -L -nv. Please use the "code" tags.
     
  51. frojnd

    frojnd Networkin' Nut Member

    Here it is:
    Code:
    Chain INPUT (policy DROP 315 packets, 19380 bytes)
    pkts bytes target    prot opt in    out    source              destination         
    1204 74305 DROP      all  --  br1    *      0.0.0.0/0            10.6.2.1           
        0    0 DROP      all  --  br1    *      0.0.0.0/0            10.6.1.1           
      509 38483 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,67 
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID 
      417 63671 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0           
      418 58348 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0           
        0    0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0           
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination         
    230K  192M            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 10.6.1.0/255.255.255.0 name: lan 
      137 15457            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 10.6.2.0/255.255.255.0 name: lan1 
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0           
        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0           
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID 
    2975  178K TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
    140K  184M L7in      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0           
    228K  192M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED 
        0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0           
        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0           
        0    0 wanin      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0           
    2309  167K wanout    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
    2261  160K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0           
      53  7680 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0           
        0    0 upnp      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0           
     
    Chain OUTPUT (policy ACCEPT 1052 packets, 126K bytes)
    pkts bytes target    prot opt in    out    source              destination         
     
    Chain L7in (1 references)
    pkts bytes target    prot opt in    out    source              destination         
    8497  12M RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto flash 
      14 17866 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto httpvideo 
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto shoutcast 
    5440  905K RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto skypetoskype 
    1463  348K RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto skypeout 
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto irc 
     
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination         
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination         
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.102          tcp dpt:443 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.102          tcp dpt:80 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.102          tcp dpt:10020 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.102          tcp dpt:60001 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.104          tcp dpt:443 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.104          tcp dpt:80 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.104          tcp dpt:10020 
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.104          tcp dpt:60001 
     
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination          
     
  52. Bird333

    Bird333 Network Guru Member

    I don't see this rule
    Code:
     iptables -I FORWARD -i br1 -d 10.6.0.1 -j DROP
    How did you try to add it?
     
  53. frojnd

    frojnd Networkin' Nut Member

    Like this:
    Code:
    # for preventing clients on interface br1 to access router's web interface and modem's web interface
    iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I FORWARD -i br1 -d 10.6.0.1 -j DROP
    iptables -I INPUT -i br1 -d 10.6.1.1 -j DROP
    iptables -I INPUT -i br1 -d 10.6.2.1 -j DROP
     
  54. Bird333

    Bird333 Network Guru Member

    Did you save and reboot afterwards?
     
  55. frojnd

    frojnd Networkin' Nut Member

    No, I didn't reboot. I just saved and everything worked fine except that the modem's IP was still reachable. Now I have rebooted and clients on br1 can't access any page; as a matter of fact the only thing they can ping is 8.8.8.8

    Here is iptables -L -nv after reboot:
    Code:
    Chain INPUT (policy DROP 2380 packets, 133K bytes)
    pkts bytes target    prot opt in    out    source              destination       
      516 31973 DROP      all  --  br1    *      0.0.0.0/0            10.6.2.1         
        2  168 DROP      all  --  br1    *      0.0.0.0/0            10.6.1.1         
      13  3394 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,67
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    9056 2376K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0         
    1175 71214 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
     
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination       
      44  2688 DROP      all  --  br1    *      0.0.0.0/0            10.6.0.1         
    70482  59M            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 10.6.1.0/255.255.255.0 name: lan
      75 11647            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 10.6.2.0/255.255.255.0 name: lan1
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0         
        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0         
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      122  7308 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    40210  57M L7in      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0         
    70410  59M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0         
        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0         
        0    0 wanin      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0         
      147 14688 wanout    all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0         
      126 13380 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0         
      21  1308 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0         
        0    0 upnp      all  --  ppp0  *      0.0.0.0/0            0.0.0.0/0         
     
    Chain OUTPUT (policy ACCEPT 11275 packets, 5309K bytes)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain L7in (1 references)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto flash
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto httpvideo
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto shoutcast
      209 34564 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto skypetoskype
      105 29792 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto skypeout
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto irc
     
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination       
     
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination       
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.102          tcp dpt:443
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.102          tcp dpt:80
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.102          tcp dpt:10020
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.102          tcp dpt:60001
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.104          tcp dpt:443
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.104          tcp dpt:80
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.104          tcp dpt:10020
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            10.6.1.104          tcp dpt:60001
     
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination          
    This line is new: 44 2688 DROP all -- br1 * 0.0.0.0/0 10.6.0.1
    Again here is the Administration -> Scripts -> Firewall rules:
    Code:
    # for preventing clients on interface br1 to access router's web interface and modem's web interface
    iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I FORWARD -i br1 -d 10.6.0.1 -j DROP
    iptables -I INPUT -i br1 -d 10.6.1.1 -j DROP
    iptables -I INPUT -i br1 -d 10.6.2.1 -j DROP
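    The chain-selection point Bird333 makes in #45, run against the Firewall script and dump from #55, as an added Python model that is not code from the thread or from Tomato. It applies the script with real `iptables -I` semantics (each insert lands on top, which is why the dump lists the rules in reverse order), adds the built-in rules visible in the dump, and reports which chain a packet traverses and the verdict; it assumes NEW packets only (state, accounting and sub-chain rows are skipped), routes read off the dumps, and DROP policies as shown. One consequence of the posted order, visible in the dump, is that DNS requests from br1 to the router's own address hit the DROP rule before the UDP 53/67 ACCEPT.

```python
"""Added model of the netfilter INPUT/FORWARD chains on frojnd's router (not the thread's code).
Assumptions: NEW packets only; routes and router addresses taken from the posted dumps."""
import shlex
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Addresses the router itself owns (br0 = 10.6.1.1, br1 = 10.6.2.1).
# The bridged modem 10.6.0.1 is NOT one of them: the router only forwards traffic to it.
ROUTER_ADDRS = {"10.6.1.1", "10.6.2.1"}
# Routing table assumed from the dumps: modem subnet via vlan2 (MASQUERADE row in #60), rest via ppp0.
ROUTES = [(ip_network("10.6.1.0/24"), "br0"), (ip_network("10.6.2.0/24"), "br1"),
          (ip_network("10.6.0.0/24"), "vlan2")]


def out_interface(dst: str) -> str:
    return next((ifn for net, ifn in ROUTES if ip_address(dst) in net), "ppp0")


@dataclass
class Packet:
    in_if: str
    dst: str
    proto: str = "tcp"
    dport: int = 0


@dataclass
class Rule:
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    dports: Tuple[int, ...] = ()

    def matches(self, pkt: Packet) -> bool:
        return (self.in_if in (None, pkt.in_if) and self.out_if in (None, out_interface(pkt.dst))
                and self.dst in (None, pkt.dst) and self.proto in (None, pkt.proto)
                and (not self.dports or pkt.dport in self.dports))


# Built-in rules from the dumps in #51/#55 (state, accounting and sub-chain rows left out).
BUILTIN = {
    "INPUT": [Rule("ACCEPT", in_if="lo"), Rule("ACCEPT", in_if="br0"), Rule("ACCEPT", in_if="br1")],
    "FORWARD": [Rule("ACCEPT", in_if="br0", out_if="br0"), Rule("ACCEPT", in_if="br1", out_if="br1"),
                Rule("DROP", in_if="br0", out_if="br1"), Rule("DROP", in_if="br1", out_if="br0"),
                Rule("ACCEPT", in_if="br0"), Rule("ACCEPT", in_if="br1")],
}


def parse_rule(line: str) -> Tuple[str, str, Rule]:
    """Parse the subset of iptables syntax used in the thread; returns (-I or -A, chain, rule)."""
    argv = shlex.split(line)
    opts: Dict[str, str] = {}
    mode, chain = "", ""
    i = 1 if argv and argv[0] == "iptables" else 0
    while i < len(argv):
        if argv[i] in ("-I", "-A"):
            mode, chain, i = argv[i], argv[i + 1], i + 2
        elif argv[i] == "-m":
            i += 2                       # match extension name (multiport) carries no value here
        else:
            opts[argv[i]], i = argv[i + 1], i + 2
    ports = opts.get("--dports", opts.get("--dport", ""))
    dports = tuple(int(p) for p in ports.split(",") if p)
    return mode, chain, Rule(opts["-j"], in_if=opts.get("-i"), out_if=opts.get("-o"),
                             dst=opts.get("-d"), proto=opts.get("-p"), dports=dports)


def build_chains(script: str) -> Dict[str, List[Rule]]:
    """Apply a Firewall script to the built-in chains: -I prepends, so later lines end up on top."""
    chains = {name: list(rules) for name, rules in BUILTIN.items()}
    for line in script.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mode, chain, rule = parse_rule(line)
        if mode == "-I":
            chains[chain].insert(0, rule)
        else:
            chains[chain].append(rule)
    return chains


def verdict(chains: Dict[str, List[Rule]], pkt: Packet) -> Tuple[str, str]:
    """Only packets addressed to the router itself traverse INPUT; everything else is FORWARDed."""
    chain = "INPUT" if pkt.dst in ROUTER_ADDRS else "FORWARD"
    return chain, next((r.target for r in chains[chain] if r.matches(pkt)), "DROP")


# Firewall script exactly as posted in #55.
SCRIPT_55 = """
iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I FORWARD -i br1 -d 10.6.0.1 -j DROP
iptables -I INPUT -i br1 -d 10.6.1.1 -j DROP
iptables -I INPUT -i br1 -d 10.6.2.1 -j DROP
"""

if __name__ == "__main__":
    chains = build_chains(SCRIPT_55)
    for p in (Packet("br1", "10.6.2.1", "tcp", 80),    # guest -> router web UI
              Packet("br1", "10.6.2.1", "udp", 53),    # guest -> router DNS (DROP sits above ACCEPT)
              Packet("br1", "10.6.0.1", "tcp", 80),    # guest -> bridged modem web UI
              Packet("br1", "8.8.8.8", "udp", 53),     # guest -> Internet DNS
              Packet("br0", "10.6.2.50", "tcp", 22)):  # LAN -> constructed guest client
        print(p.in_if, "->", p.dst, p.proto, p.dport, verdict(chains, p))
```

Feeding the same four lines with the UDP ACCEPT as the last `-I` line puts it on top of INPUT, and the model then accepts DNS from br1 to 10.6.2.1 while still dropping HTTP to it.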
     
  56. Bird333

    Bird333 Network Guru Member

    I don't see anything wrong with your rules. That rule works for me. So br1 can't access the internet at all? Not even Google? Your output shows that some packets were accepted from br1. Maybe those were only the 8.8.8.8 packets? I am not sure at this point. I'll look at my rules later.
     
  57. frojnd

    frojnd Networkin' Nut Member

    Yes, br1 can't access the internet at all, only ping 8.8.8.8
     
  58. SteveF

    SteveF Serious Server Member

    I found a way to slow down my renter who started his shenanigans again, downloading large volumes of data. I found out that he was using the UDP protocol (it might have been games or P2P) and he was using high port numbers such as 5xxxx. I have been using Toastman's QoS rules, a rather large set of about 41 of them, and the last one was used to disable ports 1-65535 with the UDP protocol and no other parameter defined. This for some reason did not seem to work. So what I did was go through all the rules to find out what was the largest port number used for the UDP protocol. It was 22555. So I updated the last UDP rule for ports 22556-65535, added his IP address, assigned the classification as Crawl and moved the rule up to the top to have it as rule No. 1. I think this might have done the job and it did not seem to interfere with other operations in the rules having ports lower than 22555. The only thing I need to evaluate is whether he could change his port designation in his software to a port lower than port number 25556. Torrent and other P2P software can do it; I have to wait and see if the software he uses could do it or not. In fact, to test whether this rule would interfere with other operations, I created a similar rule for myself as rule No. 2. Can anybody see anything questionable with this scheme?

    So the test is ongoing. I will report back later.
     
  59. Bird333

    Bird333 Network Guru Member

    Post output of 'iptables -L -nv -t nat'
     
  60. frojnd

    frojnd Networkin' Nut Member

    Code:
    Chain PREROUTING (policy ACCEPT 11496 packets, 894K bytes)
    pkts bytes target    prot opt in    out    source              destination         
    2209  275K WANPREROUTING  all  --  *      *      0.0.0.0/0            31.147.122.118     
        0    0 DROP      all  --  ppp0  *      0.0.0.0/0            10.6.1.0/24         
        0    0 DROP      all  --  ppp0  *      0.0.0.0/0            10.6.2.0/24         
    2206  275K upnp      all  --  *      *      0.0.0.0/0            31.147.122.118     
     
    Chain POSTROUTING (policy ACCEPT 1 packets, 67 bytes)
    pkts bytes target    prot opt in    out    source              destination         
        0    0 MASQUERADE  all  --  *      vlan2  0.0.0.0/0            10.6.0.1           
    6086  376K MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           
        1  355 SNAT      all  --  *      br0    10.6.1.0/24          10.6.1.0/24        to:10.6.1.1 
        0    0 SNAT      all  --  *      br1    10.6.2.0/24          10.6.2.0/24        to:10.6.2.1 
     
    Chain OUTPUT (policy ACCEPT 1082 packets, 70074 bytes)
    pkts bytes target    prot opt in    out    source              destination         
     
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination         
        3    88 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:10.6.1.1 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:10.6.1.102 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:10.6.1.102 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:10020 to:10.6.1.102 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:60001 to:10.6.1.102 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:443 to:10.6.1.104 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:80 to:10.6.1.104 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:10020 to:10.6.1.104 
        0    0 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:60001 to:10.6.1.104 
     
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination  
     
  61. Bird333

    Bird333 Network Guru Member

    I'm stumped. I don't see any rules that should stop br1 from accessing the internet. You could try to start a continuous ping to google.com and run each of the iptables commands over and over to see what rule the ping is hitting by watching the packet count increase. Also, you may want to just clear the NVRAM and configure from scratch. Maybe something got corrupted somehow. Well, a couple more thoughts. Do you have any access restrictions set? Also, can you post a screen capture of your 'Advanced > Routing' page?
     
  62. SteveF

    SteveF Serious Server Member

    frojnd, is it not true that if you stop br1 accessing the modem with the following statement

    iptables -I FORWARD -i br1 -d 10.6.0.1 -j DROP

    then it is logical that br1 can not access the Internet because all of br1 Internet traffic goes through the modem. That is what modems are doing. Try this: remove the above statement and if you can access the Internet then the iptables statement above works but in this case works too well. I am not sure so please let me know.

    Steve
     
  63. Bird333

    Bird333 Network Guru Member

    No. The rule only matches packets destined for that specific address.
     
  64. SteveF

    SteveF Serious Server Member

    OK Bird, I hear you. However, would it not be a valid test for him to remove the statement and see what happens? Just to verify.

    I have another question for you if you can and willing to answer. In my situation, from br0 I can see all the open connections on a client on the same segment and can resolve the web addresses so I can see what client connects to what website. However, when I look at the connections of a client on br1 (from br0), I can see only Unclassified small-packet UDP traffic from the bridge (192.168.2.1) to that client on the br1 segment. Is this because the two segments are completely isolated so from one segment I can only monitor the Unclassified inside traffic on the other one?

    Thanks for your reply in advance.

    Steve
     
  65. frojnd

    frojnd Networkin' Nut Member

    No, I don't have any access restrictions set, here is Advanced -> Routing:

    I've commented out all iptables rules in Administration -> Scripts -> Firewall and clients still can't access anything except for pinging 8.8.8.8; pinging Google (DNS) does not work.
    Do I have to clear NVRAM and start configuring from scratch, or can I restore settings?
     
  66. Bird333

    Bird333 Network Guru Member

    Sure, it doesn't hurt to test, but if it works I would say that there is a bug somewhere. Iptables works on matches.
    That rule only matches packets destined for his modem. I can't answer your other question.
     
  67. Bird333

    Bird333 Network Guru Member

    Do you have any special dns changes in firmware? You can try a restore but you run the risk of putting the 'bug' back in the router.
     
  68. Monk E. Boy

    Monk E. Boy Network Guru Member

    Normally if you restore the config you restore all the same variables in use, so as a result if you're having a problem before the erase, you'll have the exact same problem after the restore. And understand that when I say normally, I've never actually seen it do anything except that, so it's just a CYA position for maybe some router/firmware combination that doesn't do it.
     
  69. SteveF

    SteveF Serious Server Member

    frojnd, you have a similar setup what I have so you might be able to help me. When from a br0 client (which is the router administrator) I view the connections of a br1 client on 'qosdetails' I see only small Unclassified internal UDP packets from the router(192.168.1.1) to the client without name resolution. I do not know what the br1 client connects on the internet, that is to what website. On the other hand, if I view a br0 client's traffic, I can see what websites are connected on the outside - providing I click on 'auto resolve addresses'. If a connect my administration client to br1, the same thing. It seems that on br1 only Unclassified internal traffic is shown and the packets leaving the network are not shown.

    How do I get to 'qosdetails'? IPTraffic-->Daily-->click on 'show shortcuts'-->click on 'qosdetails' under the name of client-->you are now in Details (for connections).

    The bottom line: for br1 client I can only see internal Unclassified UDP packets with no name resolution, while for br0 client I can see WAN destination showing the web names because it seems that it does name resolution.

    Can you verify that this is what you see? And if so, do you know why we can not see outgoing packets with name resolution on br1?

    Thanks,

    Steve
     
  70. frojnd

    frojnd Networkin' Nut Member

    I've erased NVRAM thoroughly but I haven't had a chance to set up the VLAN yet. I'll report when I have time (read: when clients aren't connected to the router).
     
  71. Livin

    Livin Serious Server Member

    I read this thread and a few others, and am pretty confused on the shortest path to my goal... Most threads talk about setting up VLANs for wireless but I don't need that.
    -- I need to isolate a DeviceV (a 'problem' device) from DeviceO.
    -- Currently I have the default Tomato settings... everything (LAN & WAN) is on the same subnet.
    -- I cannot remove DeviceV completely since several other devices (wired, wireless, internet via NAT) need to communicate with it.

    Can someone help walk me through what I need to do block comms between DeviceV <-> DeviceO while still allowing both DeviceV & DeviceO to talk to all other devices on the network?

    thx!
     
  72. SteveF

    SteveF Serious Server Member

    So DeviceO is what you want to isolate, right?

    1. DeviceV needs to be reachable by other devices
    2. DeviceV and DeviceO can not see each other or communicate with each other; can not even send emails to each other?
    3. DeviceO should be standalone on its own segment?

    If I were you I would create two LAN segments (LAN and LAN1), put DeviceO on LAN1 and the rest of the devices on LAN.

    What type of devices do you have? Wired or wireless? DeviceV and DeviceO types?
     
  73. Livin

    Livin Serious Server Member

    DeviceV is the problem child, it needs to be isolated.

    My network w/ devices...
    Internet
    |-- Router/Firewall: Belkin Play N600 (F7D4302/F7D8302) v1 w/ Toastman's latest Tomato
    ......|-- DeviceV (MiCasaVerde Vera 3); using Wired port
    ......|-- 2 Android phones; using Wifi N
    ......|-- 1 iPod Touch; using Wifi N
    ......|-- 2 Foscam IP cams; using Wifi N
    ......|-- Unmanaged 1GB switch 8 ports; using Wired port
    ............|-- 3 Windows PCs; using Wired port
    ............|-- Synology NAS; using Wired port
    ............|-- DeviceO (Onkyo receiver); using Wired port

    I can definitely create 2 LANs (subnets), if that is what you mean? What do I do to enable all the devices to communicate with DeviceV, while blocking DeviceO?
     
  74. SteveF

    SteveF Serious Server Member

    Livin, I guess I do not understand what you mean by blocking DeviceO. If you mean that nobody on LAN can ping DeviceO and DeviceO on LAN1 can not ping all the other devices on LAN, then VLAN is your solution. To LAN you could assign 3 wired ports and the radio, and to LAN1 you could assign the fourth wired port, and that will be the port DeviceO would use. LAN and LAN1 would be isolated and no pings would go between the two LANs.

    Here is one possible configuration with 2 VLANs:

    Internet
    |-- Router/Firewall: Belkin Play N600 (F7D4302/F7D8302) v1 w/ Toastman's latest Tomato
    ......|-- DeviceV (MiCasaVerde Vera 3); using Wired port (LAN, port1 of router)
    ......|-- 2 Android phones; using Wifi N (bound to LAN)
    ......|-- 1 iPod Touch; using Wifi N (bound to LAN)
    ......|-- 2 Foscam IP cams; using Wifi N (bound to LAN)
    ......|-- Unmanaged 1GB switch 8 ports; using Wired port (LAN, port2 of router)
    ............|-- 3 Windows PCs; using Wired port (port1-3 of switch)
    ............|-- Synology NAS; using Wired port (port4 of switch)
    ............|-- DeviceO (Onkyo receiver); using Wired port (LAN1, port 3 or 4 of router depending on what port you assign to LAN1)

    In this configuration LAN/Wifi and LAN1/no Wifi will be completely isolated - but they still can communicate via email.
     
  75. Livin

    Livin Serious Server Member

    All devices need to have open/free communications with each other, except DeviceV (troublemaker device)<-> Device O must not communicate at all with each other.
    Hoping I could put DeviceV on a separate VLAN/Subnet and config the router to allow open comms with all devices except DeviceO
    ... Does that make it clearer?
     
  76. SteveF

    SteveF Serious Server Member

    Yes
    Yes it does. I mixed up DeviceO with DeviceV. In my previous post just switch DeviceO with DeviceV, so DeviceV will be on LAN1 isolated - I think. Good luck. If you need any help just post. I am not an expert but I have been through creating VLANs. By the way, do you need this isolation due to security reasons - maybe DeviceV is messing with the other clients? I have similar situation, I have a wireless LAN1 and a wired LAN, each having two clients but I do not want any of the LAN1 wireless clients mess with the 2 other wired clients on LAN.
     
  77. Livin

    Livin Serious Server Member

    DeviceV seems to cause problems with DHCP & uPnP, and maybe other things... several users and the manufacturer are trying to figure it out but until it gets fixed (which could be never) I need to isolate it from DeviceO.

    I actually tried this one earlier today and I hosed it up somehow so none of my devices could talk to the Internet, so I restored the config. Can you help me get the settings correct before I try it again...

    • Basic \ Network:
      • Create a new LAN bridge, br1.
        • Give br1 an IP address range that is different from the other LANs.
      • Click Save.
    • Advanced \ VLAN
      • Create a new VLAN for DeviceV
        • Bridge the new VLAN to br1/LAN1.
      • Select a VLAN that owns a port you want to use for your new VLAN
        • uncheck the port
        • Click OK
      • Select the new VLAN
        • check the port you just unchecked from the old VLAN
        • Click OK
      • Click Save - router will reboot
    • Advanced \ LAN Access
      • setup all IP addresses you want TO ALLOW to go between each LAN. Must do both ways.
    SteveF, Does this look right (DeviceO is 192.168.2.12)...
     
  78. SteveF

    SteveF Serious Server Member

    I have not used Src and Dst addresses since my segments 100% were in LAN and LAN1 respectively. I might have done it differently: have all devices on LAN both wired and wireless except DeviceV (I assume DeviceV is the offending device) - you are showing here DeviceO so I am a bit confused which device needs to be isolated, I thought it was DeviceV.

    Your creation process seems to be right with the addition of comments below.

    Here is what I thought I suggested:

    1. Have all devices (wired and wireless) except DeviceV on LAN.
    2. Check if the radio (eth1) is bound to LAN (on VLAN page).
    3. Have DeviceV on LAN1.
    4. In LAN Access 'On' is checked, Src is LAN, no SRC address needed, Dst is LAN1, no Dst address is needed. This way all LAN devices can access LAN1 (lone DeviceV) but not the other way around. This way you would need only one line instead of three.

    The key is that your isolated segment is LAN1, DeviceV is on this segment. LAN can access LAN1 but LAN1 can not access LAN. The default in LAN Access page if you do nothing is no access, so you do not have a line for LAN1 as Src and LAN as Dst - this means LAN1 can not access LAN.

    Remember I am not an expert, so once you finished implementation you need to check a few things such as Internet access, isolation - you may want to use pings.

    I hope it makes sense.
     
  79. Livin

    Livin Serious Server Member

    SteveF
    Thx for the help, I got it all working. I'll be posting a how-to later today.
     
  80. SteveF

    SteveF Serious Server Member

    Livin, I am glad that you got it all working according to your expectations.
     
  81. Livin

    Livin Serious Server Member

    It was working fine for over a week and now it does not. I cannot figure it out after hours of rebooting, redoing the configs, verifying the ARP cache and ROUTE are correct, etc.

    VLAN 1 & VLAN 3 both talk to the internet but not to each other. In LAN Access I've even set them to both be unrestricted.

    Ideas?
     
  82. JJack

    JJack Serious Server Member

    How do you determine what to use for your firewall rules?
     
    Last edited: Nov 30, 2013
