
Multiple Vlans can talk to each other

Discussion in 'Tomato Firmware' started by samisheikh, Nov 28, 2013.

  1. samisheikh

    samisheikh Reformed Router Member

    Hi,

    I have an Asus RT-N66U with Tomato Firmware 1.28.0000 MIPSR2-115 K26AC USB AIO-64K.
    Here is what I am trying to achieve:
    1. Have 2 SSIDs (one for office guests and one for myself) on separate networks that don't talk to each other.
    SSID1 (2.4 GHz): 10.254.253.0/24 on VLAN4
    SSID1 (5 GHz): 10.254.253.0/24 on VLAN4
    SSID2 (2.4 GHz): 10.254.254.0/24 on VLAN3
    SSID2 (5 GHz): 10.254.254.0/24 on VLAN3
    2. Ethernet traffic separated from all wireless traffic, so I have it on the default VLAN1.
    3. I would like to connect two access points on VLAN4 and one access point on VLAN3.
    4. Captive portal with authentication on VLAN4 for guest access

    Now this is the setup I have:

    br0 (VLAN1) - DHCP - 192.168.1.0/24, DHCP range 192.168.1.2-245
    br1 (VLAN3) - DHCP - 10.254.254.0/24, DHCP range 10.254.254.2-245
    br2 (VLAN4) - DHCP - 10.254.253.0/24, DHCP range 10.254.253.2-245

    VLAN3 - Port 1 - br1 - SSID2 (Port 1 to connect to other APs)
    VLAN4 - Port 4 - br2 - SSID1 (Port 4 to connect to other APs)

    So here is my issue:
    All VLANs can talk to each other and see devices on each VLAN, so it's pointless to have VLANs.

    If need be, I can paste my NVRAM results and a screenshot of my config.

    Also, can I point the captive portal to a PHP page and authenticate on a company website we have?

    Thanks in Advance.
     
  2. samisheikh

    samisheikh Reformed Router Member

    Actually, my question is rather: how do I restrict VLANs from talking to each other using iptables?

    EDIT: I tried the following and it didn't do anything.

    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
     
  3. darkknight93

    darkknight93 Networkin' Nut Member

    These are my firewall scripts I put under administration -> scripts -> firewall

    Code:
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    ip6tables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    ip6tables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    
     
  4. samisheikh

    samisheikh Reformed Router Member

    I tried the following rules in the firewall section but still no dice... I can still ping br0 from br1 and br2
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
     
  5. Malitiacurt

    Malitiacurt Networkin' Nut Member

    I thought by default TomatoUSB prevents devices on different VLANs from accessing each other.

    If you're simply pinging the router at 192.168.1.1, 10.254.254.1, 10.254.253.1, that's a different ruleset.
     
    darkknight93 likes this.
  6. samisheikh

    samisheikh Reformed Router Member

    If I wanted to implement that rule, how can I go about doing that?
     
  7. Malitiacurt

    Malitiacurt Networkin' Nut Member

    Code:
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    Do another set for br2.
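The two rule sets in this thread address different chains: the FORWARD rules (posts 2 to 4) cover traffic routed from one bridge to another, while the INPUT rules (post 7) cover traffic addressed to the router itself, which is what a ping to 192.168.1.1 from br1 hits. The script below is an added example, not code from any poster or from Tomato, that generates both sets for any number of guest bridges. The bridge names br0, br1 and br2 match this thread; the function names and the IPTABLES/apply conventions are my own. Because `-I` inserts at the top of a chain, the DHCP/DNS ACCEPT is inserted after the DROP so that it ends up above it, exactly as in post 7.

```shell
#!/bin/sh
# Constructed example: emit iptables rules that isolate guest bridges from
# the LAN bridge and from each other, while still letting guest clients
# reach DHCP (udp/67) and DNS (udp/53) on the router.
# Set IPTABLES=echo to preview the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# Assumed names: the trusted LAN bridge and the bridges to isolate.
LAN_BR="br0"
GUEST_BRS="br1 br2"

# FORWARD chain: packets routed between bridges. -I places each rule at the
# top, ahead of Tomato's default ACCEPT rules, so these win.
isolate_forward() {
    lan="$1"; shift
    for g in "$@"; do
        # guest -> LAN and LAN -> guest
        "$IPTABLES" -I FORWARD -i "$g" -o "$lan" -m state --state NEW -j DROP
        "$IPTABLES" -I FORWARD -i "$lan" -o "$g" -m state --state NEW -j DROP
        # guest -> every other guest bridge (the outer loop covers the reverse direction)
        for h in "$@"; do
            [ "$h" = "$g" ] && continue
            "$IPTABLES" -I FORWARD -i "$g" -o "$h" -m state --state NEW -j DROP
        done
    done
}

# INPUT chain: packets addressed to the router's own IP on a guest bridge
# (e.g. ping to 10.254.254.1 from br1). The DROP is inserted first and the
# ACCEPT second, so the ACCEPT sits above the DROP and DHCP/DNS keep working.
restrict_input() {
    for g in "$@"; do
        "$IPTABLES" -I INPUT -i "$g" -m state --state NEW -j DROP
        "$IPTABLES" -I INPUT -i "$g" -p udp -m multiport --dports 53,67 -j ACCEPT
    done
}

apply_isolation() {
    isolate_forward "$LAN_BR" $GUEST_BRS
    restrict_input $GUEST_BRS
}

# Apply only when explicitly asked, so sourcing or previewing the file is safe.
if [ "${1:-}" = "apply" ]; then
    apply_isolation
fi
```

To preview the generated rules run `IPTABLES=echo sh isolate.sh apply`; to apply them run `sh isolate.sh apply` as root. When pasting into Administration -> Scripts -> Firewall, replace the trailing `if` block with a plain `apply_isolation` call, since Tomato runs that script without arguments each time it rebuilds the firewall. After applying, `iptables -vnL FORWARD` and `iptables -vnL INPUT` show the new rules at the top of each chain with their packet counters, which is the quickest way to confirm a test ping from br1 is actually being dropped rather than matched by a later rule.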
     
