[SOLVED] Need help with VLAN + LAN Access + iptables

Discussion in 'Tomato Firmware' started by vmixus, Dec 17, 2013.

  1. vmixus

    vmixus Serious Server Member

    Hi,
    I have 2 routers (primary + guest)

    modem --> [WAN] primary [LAN 4] --> [WAN] guest

    They're connected using a vlan on the primary router on port 4 which is connected to the WAN port on the guest router. I've also posted the steps I followed to set it all up.

    I'd like to know if it's possible to accomplish the following:
    • Access clients connected to the guest network from the primary network while preventing guest clients from accessing clients on primary network.
    Below are the outputs from both routers via ssh for the following commands:
    Code:
    ifconfig
    iptables -vnL --line-numbers
    route
    
     
    Last edited: Dec 18, 2013
  2. vmixus

    vmixus Serious Server Member

    Primary Router

    Code:
    ifconfig
    iptables -vnL --line-numbers
    route
    --- redacted ---
     
    Last edited: Dec 21, 2013
  3. vmixus

    vmixus Serious Server Member

    GUEST ROUTER

    Note:

    There's also a vlan setup on the guest router to isolate physical port LAN 4 for something else.
    Code:
    ifconfig
    iptables -vnL --line-numbers
    route
    --- redacted ---
     
    Last edited: Dec 21, 2013
  4. darkknight93

    darkknight93 Networkin' Nut Member

    You can do that via an iptables rule on the primary router that prevents br1 devices from establishing links to br0 devices.
    See
    http://www.linksysinfo.org/index.php?posts/238221/

    Furthermore you need a static route on the main router pointing to the guest LAN via the second router; in Advanced -> Routing you can set the necessary rules.
     
  5. vmixus

    vmixus Serious Server Member

    I was able to restrict access from the guest vlan to my primary network using the following as posted in my original router setup post:

    Note:

    These would end up being applied in reverse order as they are pasted in my firewall scripts
    Code:
    # Restrict router access from VLAN
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    
    Currently the 2 networks cannot ping each other including routers (only local routers and not the other router)

    Are you saying I need additional rules in the iptables forward chain on the primary router as well or is that just another way of isolating the two?

    Unfortunately, I have no experience with static routes so could please elaborate on what the static routes should look like on the primary router?

    Also, I'm assuming the guest router would try to block anything trying to 'come in' through the WAN by default so is there any additional config needed there as well?
     
  6. darkknight93

    darkknight93 Networkin' Nut Member

    Routing and static routes are like.. paths that the router processing incoming packets knows, telling it where the desired subnet is reachable.
    If no route exists and a default route is set, the router will forward the packet to that default route.

    So imagine a packet from a device connected to the main router arrives with a destination IP in the guest LAN's range: the main router does not know this subnet specifically and uses the default route --> your internet connection.

    You have to tell the main router that subnet 192.168.100.0/24 is reachable via 192.168.10.100 on br1.

    [attached image: IMG_20131217_185047.JPG]
     
    Last edited: Dec 17, 2013
  7. darkknight93

    darkknight93 Networkin' Nut Member

    I'm not sure what you mean here. These rules block access to the router itself but not to the devices behind it :s


    This is correct except for one thing: NAT. Connections initiated by devices on the guest LAN with a destination in the private LAN will force the guest router to "listen" on the ports used for communication and will allow an answer back, although connections initiated from outside/WAN will be dropped (except for port forwarding).
    I think you will not need further config here - but I'm not sure, since the second router is in router mode, whether the firewall is allowing it or not.
    If not, try to disable the firewall in Advanced and retry.
     
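Putting the advice of the last three posts together as one script for the primary router: this is an added example, not code from the thread, from Tomato or from either poster. It assumes the names and addresses the thread uses (br0 = primary LAN bridge, br1 = the VLAN bridge facing the guest router's WAN port, guest router WAN IP 192.168.10.100, guest LAN 192.168.100.0/24) and that the rule positions below make sense in your existing chains, which you should check first with `iptables -vnL --line-numbers`. Rule positions are given explicitly so the order reads top to bottom as written, instead of the reversed order you get from repeated `-I` without a position (the "applied in reverse order" effect mentioned above).

```shell
#!/bin/sh
# Added example (not from the thread): primary-router route + firewall rules
# so the primary LAN can reach the guest LAN while the guest side cannot open
# connections back. Interface names and addresses are the ones the thread uses.
IPT="${IPT:-iptables}"     # set IPT=echo for a dry run
ROUTE="${ROUTE:-route}"    # BusyBox 'route' as on Tomato; set ROUTE=echo for a dry run
GUEST_GW="192.168.10.100"  # guest router WAN IP, sits on br1
GUEST_NET="192.168.100.0"  # guest LAN behind the second router
GUEST_MASK="255.255.255.0"
GUEST_CIDR="192.168.100.0/24"

# 1. Static route: without it a packet for the guest LAN follows the default
#    route out to the ISP (CLI equivalent of Advanced -> Routing in the GUI).
add_guest_route() {
  $ROUTE add -net "$GUEST_NET" netmask "$GUEST_MASK" gw "$GUEST_GW" dev br1
}

# 2. FORWARD chain on the primary router, in the order listed:
add_forward_rules() {
  # replies to connections opened from the primary side are allowed back
  $IPT -I FORWARD 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
  # the guest side (appears as the guest router's NATed WAN address) may not
  # open new connections towards the primary LAN
  $IPT -I FORWARD 2 -i br1 -o br0 -m state --state NEW -j DROP
  # the primary LAN may open connections to the guest LAN
  $IPT -I FORWARD 3 -i br0 -o br1 -d "$GUEST_CIDR" -j ACCEPT
}

# 3. INPUT chain: the two rules from the earlier post, with explicit positions
#    (DHCP/DNS from the guest side allowed, everything else to the router dropped)
add_input_rules() {
  $IPT -I INPUT 1 -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
  $IPT -I INPUT 2 -i br1 -m state --state NEW -j DROP
}

apply_all() {
  add_guest_route
  add_forward_rules
  add_input_rules
}

case "${1:-}" in
  apply)   apply_all ;;
  dry-run) IPT=echo; ROUTE=echo; apply_all ;;
esac
```

Run it with `dry-run` first to see the exact commands, then `apply`; on Tomato the rule lines can go into the firewall script the first post refers to. The FORWARD rule 2 only works if it sits above any existing ACCEPT that would already let br1 -> br0 traffic through, so re-list the chain with `--line-numbers` after applying and confirm the order.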
  8. vmixus

    vmixus Serious Server Member

    Thanks for pointing me in the right direction + the explanation on static routes.

    For the benefit of anyone else that might come across this thread I also found the following to be a helpful guide:
    I'm currently able to successfully ping clients on the guest network after removing rule 9 in the FORWARD chain from the primary router:
    Code:
    iptables -D FORWARD 9
    ...however, even though I can ping the guest router + guest clients I still can't access the guest router config gui.

    I suspect it's something with the firewall settings -- any suggestions?
     
  9. darkknight93

    darkknight93 Networkin' Nut Member

    Can you just clarify which router config GUI you mean? The guest router's GUI can only be reached from the main router by activating, in Administration -> Admin Access -> Remote Access, "Enabled" with port 80 (which I would prefer); otherwise you have to enter http://router2:8080
    This behavior is caused by the guest router seeing the main router as its WAN - so as a normal "Internet" endpoint, like your ISP's router, for example.
     
  10. vmixus

    vmixus Serious Server Member

    Thanks for your input, I finally got some time to sit down and play with it and was able to get it all solved! :D

    As I'd suspected the problem was with the firewall settings. I had to adjust rules on the FORWARD chain for the primary and the INPUT chain on the guest router. It was a little tricky to troubleshoot since I couldn't manage to find logs for everything the firewall was dropping. I was able to enable logging for INBOUND and OUTBOUND traffic via [Administration -> Logging -> Connection Logging] but data for the FORWARD chain wasn't ending up there.
    BTW, what is the best way to get at all the firewall log data in Tomato?

    Another suggestion to troubleshoot firewall rules I read about was to look for higher packet counts / bytes around my test commands to see which rules were blocking my request.
    Code:
    # View iptables pkts / bytes for each rule
    iptables -vnL --line-numbers
    
    # Zero counters in one chain (or in all chains if no chain is given)
    iptables -Z <CHAIN>
    # e.g. iptables -Z FORWARD
    
    # Run some test from a client to troubleshoot a connection
    ping 192.168.1.5
    
    # Run iptables again to see which rules have a higher pkts/bytes count
    iptables -vnL --line-numbers
    For the benefit of anyone else trying to chase down culprit firewall rule(s), I went with the following method instead. Insert a rule at the very top of a suspect rule chain (INPUT, OUTPUT, FORWARD) to accept everything and then keep adjusting the ACCEPT rule's position to be lower in the chain (i.e. rule 1 being at the top and a higher number resulting in a lower position in the chain), while testing your connection (like trying to ping a client), to find the culprit rule that might need to be replaced. This helped me determine very quickly which chain on which router I needed to look at.

    There's also a helpful write up on firewalls and iptables on the ddwrt wiki.
    Code:
    # View rules on all chains with rule numbers
    iptables -vnL --line-numbers
    
    # Insert a rule at a specific position to accept everything
    iptables -I <CHAIN NAME> <RULE NUM> -j ACCEPT
    # e.g. iptables -I FORWARD 1 -j ACCEPT
    
    # Delete the rule at a specific position in the specified chain
    iptables -D <CHAIN NAME> <LINE NUMBER>
    # e.g. iptables -D FORWARD 1
    
     
    Last edited: Dec 21, 2013
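The packet-counter method described in the post above can be automated so you do not have to compare two long listings by eye. The script below is an added example, not code from the thread or from Tomato: it takes two saved outputs of `iptables -vnL --line-numbers` (one captured before the test, one after) and lists only the rules whose packet counter grew in between, which are the rules that actually saw your test traffic. The two snapshot files it builds are constructed sample data, not real router output.

```shell
#!/bin/sh
# Added example (not from the thread): compare two snapshots of
# `iptables -vnL --line-numbers` and report the rules whose pkts counter grew.
# On the router:
#   iptables -vnL --line-numbers > /tmp/before
#   ping -c 3 192.168.100.5          # or whatever connection you are testing
#   iptables -vnL --line-numbers > /tmp/after
#   iptables_counter_diff /tmp/before /tmp/after
# Add -x to the iptables calls for exact counters; without it iptables rounds
# large values to K/M/G, which this script expands back approximately.

iptables_counter_diff() {
  awk '
    # expand the K/M/G suffixes that iptables -v uses (multiples of 1000)
    function tonum(s,  n, u) {
      n = s + 0; u = substr(s, length(s), 1)
      if (u == "K") n *= 1000; else if (u == "M") n *= 1000000; else if (u == "G") n *= 1000000000
      return n
    }
    /^Chain / { chain = $2; next }      # remember which chain the rules belong to
    $1 ~ /^[0-9]+$/ {                   # a numbered rule line: num pkts bytes target prot opt in out ...
      key = chain ":" $1
      if (NR == FNR) {                  # first file = before snapshot
        before[key] = tonum($2)
      } else {                          # second file = after snapshot
        after[key] = tonum($2)
        desc[key] = $4 " in=" $7 " out=" $8
      }
    }
    END {
      # a rule present only in the second snapshot is compared against zero
      for (k in after) if (after[k] > before[k] + 0)
        printf "%s +%d pkts %s\n", k, after[k] - before[k], desc[k]
    }
  ' "$1" "$2" | sort
}

# Constructed sample snapshots (not real router output): between the two
# captures INPUT rule 2 gains 3 packets and FORWARD rule 3 gains 4.
SAMPLE_DIR="${TMPDIR:-/tmp}/ipt-diff-$$"
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/before" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120  9000 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2        7   420 DROP       all  --  br1    *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      12K 1500K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 DROP       all  --  br1    br0     0.0.0.0/0            0.0.0.0/0            state NEW
3        5   420 ACCEPT     all  --  br0    br1     0.0.0.0/0            192.168.100.0/24
EOF
cat > "$SAMPLE_DIR/after" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      120  9000 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
2       10   600 DROP       all  --  br1    *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      12K 1500K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        0     0 DROP       all  --  br1    br0     0.0.0.0/0            0.0.0.0/0            state NEW
3        9   756 ACCEPT     all  --  br0    br1     0.0.0.0/0            192.168.100.0/24
EOF

# prints the two rules that changed, one per line: CHAIN:num +delta pkts target in= out=
iptables_counter_diff "$SAMPLE_DIR/before" "$SAMPLE_DIR/after"
```

A rule showing up here with target DROP is the likely culprit for a failing test; a rule with target ACCEPT that grew on one router but no matching growth on the other router tells you which box to look at next, which is the same conclusion the insert-an-ACCEPT method reaches, but without changing the running ruleset.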
  11. vmixus

    vmixus Serious Server Member

    After fixing the firewall rules on both routers I tested accessing the guest router's config GUI on both the WAN / LAN IP while connected as a client on the primary router and toggling the remote admin setting on the guest router, and the results were as expected:
    • With the setting disabled I could access the config GUI only via the guest router's LAN IP
    • With the setting enabled I could also access the guest router via the WAN IP in addition to the LAN IP
    So, even though my packets are technically traversing into the guest router through the physical WAN port, I can access the config GUI with remote admin disabled via the guest router's LAN IP.
     
    Last edited: Dec 21, 2013
  12. vmixus

    vmixus Serious Server Member

    One final note regarding accessing clients connected to the guest network as a client on the primary network.
    Also remember to check the local firewall settings for each client, because by default most will not allow access to file shares etc. from another subnet.
     