VLAN rule to access IP from other VLAN on Tomato

Discussion in 'Tomato Firmware' started by Laz59, Oct 2, 2013.

  1. Laz59

    Laz59 Serious Server Member

    So I'm new to the forums, but have been lurking on and off for a while and have been using Tomato for a few years too. This is the first time I've needed the functionality of VLANs and have already set one up on my RT-N16 running a Shibby mod of Tomato and it seems to be working as designed. I set it up like this:

    1. In Basic->Network I have br0 as 192.168.11.0 and br1 as 192.168.22.0 with DHCP enabled on both but for the range of one IP only for br1.
    2. In Advanced->VLAN I have VID 0 as port 2-4 checked with br0 assigned, VID 1 as WAN checked with WAN assigned, and VID 2 as port 1 checked with br1 assigned.

    Port 1 (br1) is connected to another router's WAN port running Tomato as the guest wireless network, it gets an IP assigned by the RT-N16 and has a basic setup on it.

    Everything is working as it should, where the guest router gets internet access but nothing else. I can ping the RT-N16 from both sides as well, so I tried to disable that on the guest router by adding these iptables rules to the firewall script page (some rules for denying too many connections are there as well):

    Code:
    iptables -I FORWARD -p tcp -s 192.168.22.0/24 -m connlimit --connlimit-above 50 -j DROP
    iptables -I FORWARD -p ! tcp -s 192.168.22.0/24 -m connlimit --connlimit-above 25 -j DROP
    
    iptables -I INPUT -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT -i br1 -d 192.168.11.1 -j DROP
    iptables -I INPUT -i br1 -d 192.168.22.1 -j DROP
    I haven't had a chance to test them out yet, but I don't think those might have a problem.

    So, my QUESTION is: How and what rule can I add to be able to access the guest router from br0 (the default LAN on the RT-N16), but not let br1 have any other access than it already does? I'd like to be able to manage the guest router from br0.

    I assume an iptables rule would work, but I tried these 2 rules that I found elsewhere in the firewall script (not at the same time), and they didn't do anything: (192.168.22.2 is the guest router's IP)

    Code:
    iptables -I FORWARD -p tcp -o br0 -d 192.168.22.2 -m state --state NEW -j ACCEPT
    OR
    Code:
    iptables -I FORWARD -p tcp -i br0 -s 192.168.11.0/24 -o br1 192.168.22.2 -j ACCEPT
    The second rule didn't even show up in the iptables.

    Any help would be appreciated, iptables are a bit foreign to me.
     
  2. koitsu

    koitsu Network Guru Member

    Syntax of this command is wrong (iptables should have given you an error -- please do all of your work via the CLI, not via Tools / System):

    Code:
    iptables -I FORWARD -p tcp -i br0 -s 192.168.11.0/24 -o br1 192.168.22.2 -j ACCEPT
    
    You've forgotten the -d before 192.168.22.2.

    I cannot help past this point.
     
  3. Laz59

    Laz59 Serious Server Member

    Thank you koitsu. As a matter of fact, when I tried to add that rule as I had written it in the CLI, it gave an error. With your correction, I was able to add it. But, even when I add this rule in the CLI as the first or last rule in the FORWARD tables, I still cannot ping the guest router IP. I don't know what the rule is missing so that it actually forwards the request correctly.
    Even when I change the rule to all ports and the source IP to just the RT-N16 router and try to ping the guest router from the CLI, I get no response.
     
  4. Laz59

    Laz59 Serious Server Member

    After googling a bit to see if I can find anyone that has asked about something similar, I stumbled on a post of someone adding an SNAT rule to the POSTROUTING table, and it seems like it might work as I found these entries already there, seemingly to route requests to my main router from both LANs:

    Code:
    Chain POSTROUTING (policy ACCEPT 375 packets, 98678 bytes)
     pkts bytes target      prot opt in     out    source              destination
      544 45265 MASQUERADE  all  --  any    vlan2  anywhere            anywhere
       28  5204 SNAT        all  --  any    br0    192.168.11.0/24     192.168.11.0/24    to:192.168.11.1
        1   333 SNAT        all  --  any    br1    192.168.22.0/24     192.168.22.0/24    to:192.168.22.1
    
    The problem is that I don't know how to add a similar rule to route the NAT from br0 to the router at br1. I think this might be a good start, but I'm not sure about the syntax and would rather not break my router, so some guidance would be great:

    Code:
    iptables -t nat -I POSTROUTING -p all -j SNAT -o br0 -s 192.168.11.0/24 -d 192.168.22.0/24 --to 192.168.22.2
    EDIT: I was feeling adventurous, so I tried it, but it won't work, even with the previous FORWARD rule that was corrected by koitsu. I also tried br1 as the out, but the rule seems to do nothing. Not sure where to go from here, any suggestions?
     
    Last edited: Oct 2, 2013
  5. gfunkdave

    gfunkdave LI Guru Member

    I don't understand why you're using two routers with an oddly complex setup when you could have one router do the main wireless and guest wireless. It's very easy to set up with just one router.
     
  6. Laz59

    Laz59 Serious Server Member

    I know that I can use just one router for this setup now, but when I looked up solutions for a guest wireless network, I only found solutions with 2 separate routers (no doubt based off older routers and builds of Tomato). So I bought a cheap Belkin router for this project and later found out about 2 separate vlans and virtual wlans on the same router. I decided to go with my original plan to just have that wireless load off my main router anyway.
    I really don't see it as much more complex than a one-router setup though, except for what I'm trying to accomplish, which is to access the guest router over the main router's network. I really do think that it shouldn't take very much to do this, as it is just accessing one IP on the other separate vlan. But, I may be wrong about that since all I've tried hasn't worked yet. I have tried the LAN access page on Tomato as well, by the way. IPTables still seem odd to me since the rules I've added don't do what I've expected them to do, I guess I just don't understand it very well yet.
     
  7. gfunkdave

    gfunkdave LI Guru Member

    So you'd rather go with the needlessly complex setup that you can't get to work, rather than do it the easy way?
     
  8. Bird333

    Bird333 Network Guru Member

    First are you just trying to access the router itself or other devices that might be connected to the guest router also?

    Let's start with a simple rule. This goes on your main router:
    Code:
    /usr/sbin/iptables -I FORWARD -i br0 -o br1 -j ACCEPT
    Also, since the second router is connected by the WAN port you might have to allow remote administration on the second router. However, try this rule on the guest router:
    Code:
    /usr/sbin/iptables -I PREROUTING -i vlan2 -j ACCEPT
    I find that it is best to start with more simple rules to see if things work and then make the rules more tailored/restricted if you want. The first rule on your main router allows connections from 'br0' to 'br1'. The second rule which is on the guest router allows ALL connections to the router coming in on 'vlan2' which I am assuming is the interface for your WAN port. Run 'ifconfig' from the CLI on the guest router to verify this. Once you get the functionality you want, you can make the rules a little more restrictive if you want.
     
    Last edited: Oct 3, 2013
  9. Laz59

    Laz59 Serious Server Member

    gfunkdave: Well I'm going with this setup because I have the equipment and I have the opportunity to remove some wireless load from my main router. I doubt that this setup is clunkier in the performance aspect than the single-router option, but that being said, I am here to learn.

    Bird: thank you for the help. First off, I have completely ignored the fact that the guest router is connected to the WAN port, so it might in fact need to have that the remote admin option enabled. As soon as I implement your suggestions, I'll report back.

    EDIT: I forgot to add, I am only trying to have access to the guest router's IP from br0. Even though not a big problem to have full br0 to br1 access, I would prefer to have the two bridges as isolated from each other as possible, except for that guest router.

    Also, this setup is working as designed, I just have some requirements beyond the scope of the GUI options (which just keep getting better might I add, a few short years ago even vlans were CLI-only).
     
    Last edited: Oct 3, 2013
  10. Laz59

    Laz59 Serious Server Member

    Alright, I tried it as you specified Bird, but no-go. I did notice that the rule I added on the guest router is definitely getting packets. On the other hand, the rule on the main router is neither getting nor receiving packets through it. I did set the guest router to allow remote administration.

    The rule I added through the guest router's CLI was the following, as I kept getting an error when adding it the way you posted:
    Code:
    iptables -t nat -I PREROUTING -i vlan2 -j ACCEPT
    What I have tried is pinging through the main router's CLI as well as trying to connect through my browser, both with and without specifying the remote port.
     
  11. Bird333

    Bird333 Network Guru Member

    Yeah sorry I forgot to add the '-t nat'. I don't understand how there are no packets shown through the main router but they are hitting the guest. Post the output of 'iptables -t nat -L -nv' and 'iptables -L -nv' from both routers. Please use the 'code' tags when you do.
     
  12. Laz59

    Laz59 Serious Server Member

    The main router's output:
    Code:
    root@AsusAP:/tmp/home/root# iptables -t nat -L -nv
    Chain PREROUTING (policy ACCEPT 29 packets, 14280 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:XX
      141 24047 WANPREROUTING  all  --  *      *      0.0.0.0/0            XX.XXX.XXX.XXX
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.11.0/24
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.22.0/24
      141 24047 upnp      all  --  *      *      0.0.0.0/0            XX.XXX.XXX.XXX
    
    Chain POSTROUTING (policy ACCEPT 41 packets, 2747 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 SNAT      all  --  *      br0    192.168.11.0/24      192.168.22.0/24    to:192.168.22.2
    18626 1123K MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
      534 82071 SNAT      all  --  *      br0    192.168.11.0/24      192.168.11.0/24    to:192.168.11.1
      10  768 SNAT      all  --  *      br1    192.168.22.0/24      192.168.22.0/24    to:192.168.22.1
    
    Chain OUTPUT (policy ACCEPT 62 packets, 4007 bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.11.1
    
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:63467 to:192.168.11.54:63467
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:64725 to:192.168.11.54:64725
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:64739 to:192.168.11.54:64739
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:49518 to:192.168.11.54:49518
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:63451 to:192.168.11.54:63451
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:54968 to:192.168.11.54:54968
        0    0 DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:58646 to:192.168.11.54:58646
    
    Code:
    root@AsusAP:/tmp/home/root# iptables -L -nv
    Chain INPUT (policy DROP 2 packets, 84 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    all  --  tap21  *      0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:XX
    2296  149K DROP      all  --  br1    *      0.0.0.0/0            192.168.22.1
        0    0 DROP      all  --  br1    *      0.0.0.0/0            192.168.11.1
    34853 2341K ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,67
      110 20800 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    1288K 1028M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        5  240 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:XX state NEW
    1342 88435 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0
    3341 1300K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0
      55 18315 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
        5  240 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:XX
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:51515
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    tcp  --  br0    br1    192.168.11.0/24      192.168.22.2
        0    0 ACCEPT    all  --  br0    br1    0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    all  --  tap21  *      0.0.0.0/0            0.0.0.0/0
        0    0 DROP      !tcp  --  *      *      192.168.22.0/24      0.0.0.0/0          #conn/32 > 25
        0    0 DROP      tcp  --  *      *      192.168.22.0/24      0.0.0.0/0          #conn/32 > 50
    101K  83M            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.11.0/255.255.255.0 name: lan
      225 18217            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.22.0/255.255.255.0 name: lan1
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0
      22  880 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    3196  162K TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    60993  79M L7in      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
    40125 3873K monitor    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
    99360  82M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0
        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0
        0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
    1758 92054 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
    1669 86134 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
      89  5920 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0
        0    0 upnp      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 5142 packets, 4159K bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain L7in (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto flash
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto httpvideo
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto youtube-2012
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto irc
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto bittorrent
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto skypetoskype
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto rtp
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto rtmp
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto rtmpt
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto shoutcast
    
    Chain monitor (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 RETURN    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          WEBMON --max_domains 300 --max_searches 300
    
    Chain shlimit (1 references)
    pkts bytes target    prot opt in    out    source              destination
        5  240            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.11.54      udp dpt:63467
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.11.54      udp dpt:64725
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.11.54      udp dpt:64739
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.11.54      udp dpt:49518
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.11.54      udp dpt:63451
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.11.54      udp dpt:54968
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.11.54      udp dpt:58646
    
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination

    The guest router's output:
    Code:
    root@BelkinGuest:/tmp/home/root# iptables -t nat -L -nv
    Chain PREROUTING (policy ACCEPT 3677 packets, 346K bytes)
    pkts bytes target    prot opt in    out    source              destination
      24  1992 ACCEPT    all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
      513 30670 WANPREROUTING  all  --  *      *      0.0.0.0/0            192.168.22.2
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.22.0/24
      513 30670 upnp      all  --  *      *      0.0.0.0/0            192.168.22.2
    
    Chain POSTROUTING (policy ACCEPT 147 packets, 60112 bytes)
    pkts bytes target    prot opt in    out    source              destination
      354 23078 MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
      206 47797 SNAT      all  --  *      br0    192.168.22.0/24      192.168.22.0/24    to:192.168.22.2
    
    Chain OUTPUT (policy ACCEPT 570 packets, 117K bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.22.2
    
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination
    
    Code:
    root@BelkinGuest:/tmp/home/root# iptables -L -nv
    Chain INPUT (policy DROP 23 packets, 1932 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    2563  372K ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        3  924 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
        5  696 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0
    4378 1194K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
        1    60 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:8080
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination
      137  9644            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.22.0/255.255.255.0 name: lan
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
      12  624 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
      66  4880 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
      71  4764 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
      71  4764 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
        0    0 upnp      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 6084 packets, 1723K bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain shlimit (1 references)
    pkts bytes target    prot opt in    out    source              destination
        3  924            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination
    I replaced some IPs and ports with 'XX' for safety.
    Also, I did add the two other rules I had tried before on the main router just to see if it would make any difference, they didn't. I can reboot them both to have a clean slate as I did all the rules in the CLI, other than the ones I outlined in my first post.
    Thank you for all the help so far Bird!
     
    Last edited: Oct 3, 2013
  13. Bird333

    Bird333 Network Guru Member

    Also post 'iptables -L -nv' from both routers and 'ifconfig' from both.

    Question: What is the first POSTROUTING rule used for? It says everything that is destined for 192.168.22.0/24 change the source to the guest router IP.
     
    Last edited: Oct 3, 2013
  14. Laz59

    Laz59 Serious Server Member

    I had posted 'iptables -L -nv', the two commands you asked me to run were just posted together on each router's code block. I edited the post above to separate the two commands, sorry about that.

    ifconfig for the main router:
    Code:
    br0        Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:164438 errors:0 dropped:0 overruns:0 frame:0
              TX packets:169984 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:23320182 (22.2 MiB)  TX bytes:166446041 (158.7 MiB)
    
    br1        Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.22.1  Bcast:192.168.22.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4046 errors:0 dropped:0 overruns:0 frame:0
              TX packets:466 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:262465 (256.3 KiB)  TX bytes:29224 (28.5 KiB)
    
    eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3302078 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3151758 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:2786129163 (2.5 GiB)  TX bytes:2666977372 (2.4 GiB)
              Interrupt:4 Base address:0x2000
    
    eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:65986 errors:0 dropped:0 overruns:0 frame:7377633
              TX packets:112748 errors:1 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6285565 (5.9 MiB)  TX bytes:68558415 (65.3 MiB)
              Interrupt:3 Base address:0x1000
    
    imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              UP RUNNING NOARP  MTU:1500  Metric:1
              RX packets:3166072 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3166072 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:30
              RX bytes:2689163623 (2.5 GiB)  TX bytes:2689163623 (2.5 GiB)
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:201341 errors:0 dropped:0 overruns:0 frame:0
              TX packets:201341 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:22855835 (21.7 MiB)  TX bytes:22855835 (21.7 MiB)
    
    tap21      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:68877 errors:0 dropped:3 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:11053168 (10.5 MiB)
    
    vlan1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:102344 errors:0 dropped:0 overruns:0 frame:0
              TX packets:169747 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:18940741 (18.0 MiB)  TX bytes:113283108 (108.0 MiB)
    
    vlan2      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:XX.XXX.XXX.XXX Bcast:XX.XXX.XXX.XXX  Mask:XXX.XXX.XXX.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3195688 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2981545 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:2707472369 (2.5 GiB)  TX bytes:2553663176 (2.3 GiB)
    
    vlan3      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:4046 errors:0 dropped:0 overruns:0 frame:0
              TX packets:466 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:278649 (272.1 KiB)  TX bytes:31088 (30.3 KiB)

    And for the guest router:
    Code:
    br0        Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.22.2  Bcast:192.168.22.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:55893 errors:0 dropped:0 overruns:0 frame:0
              TX packets:77079 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:6641151 (6.3 MiB)  TX bytes:35166644 (33.5 MiB)
    
    br0:0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.11.10  Bcast:192.168.11.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    
    eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:21186 errors:0 dropped:0 overruns:0 frame:0
              TX packets:119403 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:11552035 (11.0 MiB)  TX bytes:41867280 (39.9 MiB)
              Interrupt:4 Base address:0x2000
    
    eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:49934 errors:92 dropped:0 overruns:0 frame:37890160
              TX packets:107295 errors:238 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:6766366 (6.4 MiB)  TX bytes:39230393 (37.4 MiB)
              Interrupt:3 Base address:0x1000
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:6576 errors:0 dropped:0 overruns:0 frame:0
              TX packets:6576 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1062385 (1.0 MiB)  TX bytes:1062385 (1.0 MiB)
    
    vlan1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:2036 errors:0 dropped:0 overruns:0 frame:0
              TX packets:94981 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:294181 (287.2 KiB)  TX bytes:36122188 (34.4 MiB)
    
    vlan2      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.22.2  Bcast:192.168.22.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:8032 errors:0 dropped:0 overruns:0 frame:0
              TX packets:14051 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3884406 (3.7 MiB)  TX bytes:1588428 (1.5 MiB)
    MAC addresses and WAN IP have been X'd out.


    That POSTROUTING rule is something I derived from another issue posted on the tomatousb forums. It's supposed to route NAT requests to the guest IP range, at least that was my intention. It was more or less a shot in the dark as I am not 100% sure of iptables syntax and how it ends up working. I can remove it if it's a bad rule.
     
    Last edited: Oct 3, 2013
  15. Bird333

    Bird333 Network Guru Member

    On the guest router, how do br0 and vlan2 have the same ip address? I'm about out of ideas. Assign vlan2 a different ip (e.g. 192.168.22.3). Adjust the iptables rules accordingly. You can try to add this rule to the guest router but I don't think it will matter
    Code:
    iptables -I INPUT -i vlan2 -j ACCEPT
     
  16. koitsu

    koitsu Network Guru Member

    It looks more to me like he screwed up a copy/paste while trying to hide information, because I don't see how else it'd work -- his routing table and ARP table would be beyond broken.

    Again I will say this on this forum: if you want support at the networking level, STOP HIDING INFORMATION. I firmly believe all reports of issues where users hide IP addresses (and MACs as well) should be ignored by the community; you are gaining absolutely no form of security by omitting this information, and by editing the information you very likely make things worse (case in point).

    Absolutely nobody in the professional networking world operates this way. When information is hidden/edited, network administrators immediately delete the email and move on. It's a waste of their time.
     
  17. Laz59

    Laz59 Serious Server Member

    Bird, I changed the br0 to 192.168.22.3 and the vlan2 did in fact stay at 192.168.22.2.
    I'm not sure why this is the case, as the initial setup on the guest router is a very simple default setup. In any case, with just the rules you provided (1 on the main router, 2 on the guest router), the main router still cannot ping the guest router IP from the CLI. I'll be trying the other rules, but I have to say there must be something else not allowing any communication between the bridges. Is there any way to delete this rule on the main router?

    Code:
    0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0
    From what I understand, it drops all the packets coming from br0 and going to br1, is that correct?

    koitsu, I have a hard time understanding your hostility towards me. I blank out my MACs and WAN IP for the google crawlers and such. If it would make you feel better about the correctness of my logs, I can PM you the unadulterated logs. Frankly, it would be a waste of time as I manually edited ONLY the MACs and WAN IP, and am 100% sure of what I did. It's not as if I don't know what a MAC address looks like or what my public IP is. The vlan2 was in fact getting the same IP as br0 and now it isn't. If you can't believe that, then I'm sorry, I don't know what to say. Remember, I'm not posting in a forum on an intranet, this is the internet, and I'd rather have some semblance of security from a random person trying to send unwarranted packets to my IP just for fun, even if it's unlikely for him to get anywhere.
    Sorry, but in the end, these output logs are entirely correct, and I am only looking for some help on my issue (as specific as it may be), which I always thought was the point of forums such as these.

    EDIT: As a matter of fact, after a reboot of the guest router with the different IP on br0, vlan2 says that its IP is the same (in this case 192.168.22.3). It seems this is default behavior. Same ifconfig command on the CLI to get this info.
     
    Last edited: Oct 5, 2013
  18. Laz59

    Laz59 Serious Server Member

    So, I've tried a few things. The big thing is that I can access the guest router now. But, I find everything a little odd.
    So Bird, with all your help I got access, because these 2 commands were required on the guest router:

    Code:
    iptables -t nat -I PREROUTING -i vlan2 -j ACCEPT
    iptables -I INPUT -i vlan2 -j ACCEPT
    After trying a few things, specifically after deleting that rule I posted previously, is when I got access. But the weird thing is that now, after a few reboots on both routers and setting everything up again as it needs to be, rule by rule, I need no new rules on the main router to get access. Also, even after a couple of reboots on the guest router, the vlan2 IP still stays at 192.168.22.3 even after changing all the settings back to what they were before. I did leave DHCP on the main router for br1 to 2 addresses (22.2-22.3) rather than the single 22.2 address I had before, which may have something to do with it. Note that even though I removed those rules I had in my first post and rebooted the main router so I had a clean slate, after the first reboot I was still having trouble accessing the guest router, but after another reboot, it worked. In any case, there was a rule in there that clashed with accessing the guest router, namely:

    Code:
    iptables -I INPUT -i br1 -d 192.168.22.1 -j DROP 
    So I added these rules (as in my first post) to the guest router instead, which should also block connections in the same way, the main router is just not handling those rules. I need to test it properly later to make sure they do what I think they will.

    Code:
    iptables -I FORWARD -p tcp -s 192.168.22.0/24 -m connlimit --connlimit-above 50 -j DROP
    iptables -I FORWARD -p ! tcp -s 192.168.22.0/24 -m connlimit --connlimit-above 25 -j DROP
    
    iptables -I INPUT 7 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT 8 -i br1 -d 192.168.11.1 -j DROP
    iptables -I INPUT 9 -i br1 -d 192.168.22.1 -j DROP
    I just have one question: Would the rules about vlan2 on the guest router be too open to be secure, or are they alright for normal use? I have a feeling they're fine especially since it just allows incoming connections on the vlan2, which is from the main router, but I just wanted to clear that doubt.

    Bird, thanks again for your help, and sorry about not removing those rules I had in first before trying anything.
     
    Last edited: Oct 5, 2013
  19. Bird333

    Bird333 Network Guru Member

    The last thing I was going to recommend was starting from scratch. :) I'm glad you got things working. I think the vlan2 rules will be fine as long as the only thing you have plugged into the guest WAN is the main router. Can you post your working iptables rules and ifconfig info from both routers?
     
  20. Laz59

    Laz59 Serious Server Member

    Sounds good then, I'm quite happy with the functionality now.

    Here are the iptables and ifconfig:

    Main router:
    Code:
    root@AsusAP:/tmp/home/root# iptables -t nat -L -nv
    Chain PREROUTING (policy ACCEPT 4592 packets, 1663K bytes)
    pkts bytes target    prot opt in    out    source              destination
        1  131 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:XX
    71148 8024K WANPREROUTING  all  --  *      *      0.0.0.0/0            XX.XXX.XXX.XXX
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.11.0/24
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.22.0/24
    71148 8024K upnp      all  --  *      *      0.0.0.0/0            XX.XXX.XXX.XXX
    
    Chain POSTROUTING (policy ACCEPT 5813 packets, 540K bytes)
    pkts bytes target    prot opt in    out    source              destination
    60207 5792K MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
      321 64114 SNAT      all  --  *      br0    192.168.11.0/24      192.168.11.0/24    to:192.168.11.1
      120  8792 SNAT      all  --  *      br1    192.168.22.0/24      192.168.22.0/24    to:192.168.22.1
    
    Chain OUTPUT (policy ACCEPT 4390 packets, 299K bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.11.1
    
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination
      619 32736 DNAT      tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:20138 to:192.168.11.30:20138
    2300  302K DNAT      udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:20138 to:192.168.11.30:20138
    Code:
    root@AsusAP:/tmp/home/root# iptables -L -nv
    Chain INPUT (policy DROP 23 packets, 1335 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    all  --  tap21  *      0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp dpt:XX
      119 19901 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    245K  194M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        2    96 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:1637 state NEW
    8269  559K ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0
    5601 1584K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
      101  9380 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0
      154 51282 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
        2    96 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:XX
        0    0 ACCEPT    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:51515
    
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination
        0    0 ACCEPT    all  --  tap21  *      0.0.0.0/0            0.0.0.0/0
      14M 9443M            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.11.0/255.255.255.0 name: lan
    7264 6118K            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.22.0/255.255.255.0 name: lan1
      35  3865 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0
      96  9978 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
    74194 3853K TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    7135K 8183M L7in      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
    6894K 1266M monitor    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
      14M 9434M ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0
        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0
    72465 8173K wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
    71653 6477K wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0
    71527 6469K ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0
      126  7720 ACCEPT    all  --  br1    *      0.0.0.0/0            0.0.0.0/0
    72465 8173K upnp      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0
    
    Chain OUTPUT (policy ACCEPT 109K packets, 76M bytes)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain L7in (1 references)
    pkts bytes target    prot opt in    out    source              destination
        5  951 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto flash
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto httpvideo
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto youtube-2012
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto irc
    1614K 1778M RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto bittorrent
    1298  399K RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto skypetoskype
    1191  517K RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto rtp
      261 66836 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto rtmp
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto rtmpt
        0    0 RETURN    all  --  *      *      0.0.0.0/0            0.0.0.0/0          LAYER7 l7proto shoutcast
    
    Chain monitor (1 references)
    pkts bytes target    prot opt in    out    source              destination
        0    0 RETURN    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          WEBMON --max_domains 300 --max_searches 300
    
    Chain shlimit (1 references)
    pkts bytes target    prot opt in    out    source              destination
        2    96            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination
      627 33156 ACCEPT    tcp  --  *      *      0.0.0.0/0            192.168.11.30      tcp dpt:20138
    2424  317K ACCEPT    udp  --  *      *      0.0.0.0/0            192.168.11.30      udp dpt:20138
    
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination
    
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination
    Code:
    root@AsusAP:/tmp/home/root# ifconfig
    br0        Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.11.1  Bcast:192.168.11.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:6937246 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7150626 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1276031761 (1.1 GiB)  TX bytes:3987153596 (3.7 GiB)
    
    br1        Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.22.1  Bcast:192.168.22.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:4198 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5710 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1242864 (1.1 MiB)  TX bytes:6148759 (5.8 MiB)
    
    eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:7460498 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7210817 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:4277591229 (3.9 GiB)  TX bytes:1615896625 (1.5 GiB)
              Interrupt:4 Base address:0x2000
    
    eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:6921965 errors:0 dropped:0 overruns:0 frame:4121321
              TX packets:7168565 errors:1 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1367399406 (1.2 GiB)  TX bytes:4032572696 (3.7 GiB)
              Interrupt:3 Base address:0x1000
    
    imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              UP RUNNING NOARP  MTU:1500  Metric:1
              RX packets:7413486 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7413443 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:30
              RX bytes:4104018403 (3.8 GiB)  TX bytes:4103954247 (3.8 GiB)
    
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:17617 errors:0 dropped:0 overruns:0 frame:0
              TX packets:17617 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1785093 (1.7 MiB)  TX bytes:1785093 (1.7 MiB)
    
    tap21      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:40375 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:0 (0.0 B)  TX bytes:7561178 (7.2 MiB)
    
    vlan1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:28434 errors:0 dropped:0 overruns:0 frame:0
              TX packets:67353 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:6359166 (6.0 MiB)  TX bytes:24332949 (23.2 MiB)
    
    vlan2      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:XX.XXX.XXX.XXX  Bcast:XX.XXX.XXX.XXX  Mask:255.255.252.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:7427866 errors:0 dropped:0 overruns:0 frame:0
              TX packets:7137754 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:4135683443 (3.8 GiB)  TX bytes:1585392077 (1.4 GiB)
    
    vlan3      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:4198 errors:0 dropped:0 overruns:0 frame:0
              TX packets:5710 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1259656 (1.2 MiB)  TX bytes:6171599 (5.8 MiB)
    Continued on next post. (Character limit)
     
  21. Laz59

    Laz59 Serious Server Member

    Continued from last post:

    Guest router:
    Code:
    root@BelkinGuest:/tmp/home/root# iptables -t nat -L -nv
    Chain PREROUTING (policy ACCEPT 5 packets, 321 bytes)
    pkts bytes target    prot opt in    out    source              destination        
      13  780 ACCEPT    all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0          
        0    0 WANPREROUTING  all  --  *      *      0.0.0.0/0            192.168.22.3      
        0    0 DROP      all  --  vlan2  *      0.0.0.0/0            192.168.22.0/24    
        0    0 upnp      all  --  *      *      0.0.0.0/0            192.168.22.3      
    Chain POSTROUTING (policy ACCEPT 9 packets, 3996 bytes)
    pkts bytes target    prot opt in    out    source              destination        
        4  256 MASQUERADE  all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0          
        0    0 SNAT      all  --  *      br0    192.168.22.0/24      192.168.22.0/24    to:192.168.22.2
    Chain OUTPUT (policy ACCEPT 11 packets, 4132 bytes)
    pkts bytes target    prot opt in    out    source              destination        
    Chain WANPREROUTING (1 references)
    pkts bytes target    prot opt in    out    source              destination        
        0    0 DNAT      icmp --  *      *      0.0.0.0/0            0.0.0.0/0          to:192.168.22.2
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination          
    Code:
    root@BelkinGuest:/tmp/home/root# iptables -L -nv
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination        
      93 10969 ACCEPT    all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0          
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
        0    0 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 shlimit    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp dpt:22 state NEW
        0    0 ACCEPT    all  --  lo    *      0.0.0.0/0            0.0.0.0/0          
        0    0 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0          
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          multiport dports 53,67
        0    0 DROP      all  --  br1    *      0.0.0.0/0            192.168.11.1      
        0    0 DROP      all  --  br1    *      0.0.0.0/0            192.168.22.1      
        0    0 ACCEPT    udp  --  *      *      0.0.0.0/0            0.0.0.0/0          udp spt:67 dpt:68
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target    prot opt in    out    source              destination        
        0    0 DROP      !tcp  --  *      *      192.168.22.0/24      0.0.0.0/0          #conn/32 > 25
        0    0 DROP      tcp  --  *      *      192.168.22.0/24      0.0.0.0/0          #conn/32 > 50
        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          account: network/netmask: 192.168.22.0/255.255.255.0 name: lan
        0    0 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0          
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          state INVALID
        0    0 TCPMSS    tcp  --  *      *      0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
        0    0 ACCEPT    all  --  *      *      0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
        0    0 wanin      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0          
        0    0 wanout    all  --  *      vlan2  0.0.0.0/0            0.0.0.0/0          
        0    0 ACCEPT    all  --  br0    *      0.0.0.0/0            0.0.0.0/0          
        0    0 upnp      all  --  vlan2  *      0.0.0.0/0            0.0.0.0/0          
    Chain OUTPUT (policy ACCEPT 133 packets, 108K bytes)
    pkts bytes target    prot opt in    out    source              destination        
    Chain shlimit (1 references)
    pkts bytes target    prot opt in    out    source              destination        
        0    0            all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: SET name: shlimit side: source
        0    0 DROP      all  --  *      *      0.0.0.0/0            0.0.0.0/0          recent: UPDATE seconds: 60 hit_count: 4 name: shlimit side: source
    Chain upnp (1 references)
    pkts bytes target    prot opt in    out    source              destination        
    Chain wanin (1 references)
    pkts bytes target    prot opt in    out    source              destination        
    Chain wanout (1 references)
    pkts bytes target    prot opt in    out    source              destination        
    
    Code:
    root@BelkinGuest:/tmp/home/root# ifconfig
    br0        Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.22.2  Bcast:192.168.22.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:152 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1587 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:16250 (15.8 KiB)  TX bytes:770783 (752.7 KiB)
    br0:0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.11.10  Bcast:192.168.11.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1865 errors:0 dropped:0 overruns:0 frame:0
              TX packets:3213 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:1334979 (1.2 MiB)  TX bytes:1816315 (1.7 MiB)
              Interrupt:4 Base address:0x2000
    eth1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:134 errors:10 dropped:0 overruns:0 frame:921967
              TX packets:1576 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:16223 (15.8 KiB)  TX bytes:775851 (757.6 KiB)
              Interrupt:3 Base address:0x1000
    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
              RX packets:63 errors:0 dropped:0 overruns:0 frame:0
              TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:6990 (6.8 KiB)  TX bytes:6990 (6.8 KiB)
    vlan1      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1488 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 B)  TX bytes:756145 (738.4 KiB)
    vlan2      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:192.168.22.3  Bcast:192.168.22.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:1865 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1725 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:1301409 (1.2 MiB)  TX bytes:1060170 (1.0 MiB) 

    As last time, I X'd out my WAN IP and MACs and some ports, for security purposes. By hand, so I didn't alter anything else.

    I haven't tested the rules from my first post that I put in the guest router yet, but at the very least I can't ping any addresses on the 192.168.11.0 subnet from the guest router, so that segregation of the 2 subnets still works and I can't see any reason why those rules might not work.
     
  22. koitsu

    koitsu Network Guru Member

    Output from brctl show?

    Please do not XXX out any MAC IDs in the output of this command. If you want to XX out a couple octets in the middle of the values shown then that is fine, but please do not hide the entire addresses or the start/ends of them (especially the ends).


    Thanks.
     
  23. Laz59

    Laz59 Serious Server Member

    I'm not sure if you wanted it from both or from one of the routers, so I included both.

    Main router:
    Code:
    root@AsusAP:/tmp/home/root# brctl show
    bridge name    bridge id                 STP enabled    interfaces
    br0                8000.bcaeXXXXXX40      no                 vlan1
                                                                  eth1
                                                                  tap21
    br1                8000.bcaeXXXXXX40      no                 vlan3
    
    Guest router:
    Code:
    root@BelkinGuest:/tmp/home/root# brctl show
    bridge name        bridge id              STP    enabled    interfaces
    br0                    8000.9444XXXXXXa2    no                     vlan1
                                                                        eth1
    EDIT: Formatting corrected.
     
    Last edited: Oct 6, 2013
  24. Bird333

    Bird333 Network Guru Member

    I'm glad this is working for you but for the life of me I can't figure out how. :) You have a rule on the main router that drops packets from br0 to br1 which should stop traffic before it goes over to the guest router unless there is a match that I am not seeing before that rule.
     
  25. Laz59

    Laz59 Serious Server Member

    I agree, I don't really know why it's working because that rule to drop packets from br0 to br1 is still there. I did try it without that rule right after the post where I asked how to remove that rule (I figured it out by googling), which did work, but I also tried the other 2 rules on the guest router at the same time. That's when I just rebooted both routers and started applying rules one by one to see which ones were needed and not needed. After I added the 2 rules to the guest router (also tried each by themselves, which didn't work), it started working without any extra rules on the main router.
    I did restart both routers about 2 times after I got it working to make sure there was nothing residual left over from the experiments (unlikely, but I like to be sure). So, it definitely has me stumped as to why it actually works. I do have a feeling that it's because vlans on the main router are allowed on a lower level to have input and output access to the main router itself but not to anything else after the main router. I may be completely off, but it is what currently makes sense to me.
     
  26. Bird333

    Bird333 Network Guru Member

    But the point of vlans is to separate the ports. Is it possible that port 1 is still also in vlan1 with the rest of the ports? I guess it's possible that there is a firmware bug.
     
  27. Laz59

    Laz59 Serious Server Member

    That's not the case as per my configuration, but as you said, it could be a firmware bug. If you'd like I can screenshot my config, but it's pretty ordinary. Just as I outlined in my first post, it's br1 assigned to vlan2 and vlan2 on a different subnet added in the basic tab of the configuration. I can't see where I did anything out of the norm in that step.
     
  28. Bird333

    Bird333 Network Guru Member

    Yeah, if you don't mind post screenshots of your VLAN page for both routers.
     
  29. Laz59

    Laz59 Serious Server Member

    I just realized I mentioned vlan2 when I mean vlan3. In any case, when I used vlan2 to mean the vlan that was connected to br1, I actually meant vlan3, just clearing that up.

    Here are the screenshots.
    Main Router:
    Clipboard01.jpg

    Guest Router:
    Clipboard02.jpg
     
  30. Bird333

    Bird333 Network Guru Member

    I think I figured it out. The FORWARD rule on the main router
    Code:
    iptables -I FORWARD -br0 -j ACCEPT
    is what is allowing packets to reach the guest router. The packets are not going from br0 to br1 and then over to the guest router. That's why that rule doesn't match and drop the packets. You can test this by deleting the rule mentioned above with
    Code:
    iptables -D FORWARD -br0 -j ACCEPT
    After you delete this, you shouldn't be able to reach the guest router.
     
    Last edited: Oct 8, 2013
  31. Laz59

    Laz59 Serious Server Member

    What is that rule actually doing in its implementation, though? It's a default rule when a bridge is added from my understanding (since I didn't add it and br0 has one just like it).

    And on that note, I never really understood why these rules exist in the FORWARD chain, they seem contradictory to me:
    This set is 4 rules in:
    Code:
    35  3865 ACCEPT    all  --  br0    br0    0.0.0.0/0            0.0.0.0/0
        0    0 ACCEPT    all  --  br1    br1    0.0.0.0/0            0.0.0.0/0
    This set is 11 rules in:
    Code:
    0    0 DROP      all  --  br0    br1    0.0.0.0/0            0.0.0.0/0
        0    0 DROP      all  --  br1    br0    0.0.0.0/0            0.0.0.0/0
    
    Also, if you could clear up how a chain is applied (starting at bottom to top or starting at top to bottom), it would be great, as I still am not sure of this (what I've read has alluded to it but hasn't directly stated how).

    Oh and by the way, I'll test deleting the rule you mentioned tomorrow.
     
  32. Bird333

    Bird333 Network Guru Member

    Rules are followed from the top to the bottom. However, you can determine what order they get put in. What I mean is if you add a rule with the '-I' it gets added to the top of the list. If you use a '-A' it gets added to the bottom. Also you can put a number in the rule (1,2,3, etc) to tell iptables where you want it to appear. The rule I mentioned above accepts traffic coming in from br0 that is destined to someplace other than the router. The rules you mention here allow traffic coming in from br0 to other clients that are also in br0 and the same thing for br1. The other set of rules block traffic coming from br0 to br1 (first one) and from br1 to br0 (second one). The default policy of the FORWARD chain is to drop the packets so the system has to add the 'iptables -I -i br0 -j ACCEPT' rule when a bridge is created otherwise the packets would get dropped.
     
  33. Laz59

    Laz59 Serious Server Member

    Alright, that was some good info, it's helping me to better understand iptables and what I see in the logs.

    I did test the rule you mentioned, although you had missed the '-i', but I got it sorted. After I deleted it, I checked the iptables and saw it wasn't there. But I could still access the guest router, which I found odd, since I understand what you said about the rule and find your explanation logical. I even tried to delete the similar br1 rule. I'm not sure what's going on, and maybe it is in fact a firmware issue (or feature, as the case may be).
     
  34. Bird333

    Bird333 Network Guru Member

    Sorry about the typo. You're right, it isn't making sense. Run
    Code:
    iptables -L -nv
    and save the output and make note of the packet values of the FORWARD chains. The idea is to get a baseline. Then ping the guest router from one of the ports on the main router that is on br0. Then again run
    Code:
    iptables -L -nv
    to find which rules have increased packet counts to see which rule(s) the packets are hitting.

    EDIT: Oh, I forgot to mention that I set up a separate bridge as a test, and deleting that rule I mentioned stopped me from communicating with the second router. This really makes it strange that it doesn't stop yours.
     
    Last edited: Oct 12, 2013
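    The baseline-and-compare procedure Bird333 describes above, as an added example that is not part of the thread: a small POSIX shell/awk function that takes two saved snapshots of `iptables -L -nv` and prints every rule whose packet counter grew, so you can see which rule a test ping actually hit. The two snapshots below are constructed for the example (a 4-packet ping from a br0 host to the guest router), not real router output.

```shell
# Added example: diff packet counters of two "iptables -L -nv" snapshots.
# Prints "<chain> rule <n> (+<delta> pkts): <target> in=<if> out=<if>"
# for every rule whose pkts column increased between BEFORE and AFTER.
counter_delta() {   # usage: counter_delta BEFORE_FILE AFTER_FILE
    awk '
        /^Chain /   { chain = $2; n = 0; next }  # new chain: reset rule index
        /^ *pkts /  { next }                     # column header line
        NF == 0     { next }                     # blank separator line
        FNR == NR   { before[chain, ++n] = $1; next }  # 1st file: store pkts
        {                                         # 2nd file: compare counts
            n++; d = $1 - before[chain, n]
            if (d > 0)
                printf "%s rule %d (+%d pkts): %s in=%s out=%s\n",
                       chain, n, d, $3, $6, $7
        }
    ' "$1" "$2"
}

BEFORE=$(mktemp); AFTER=$(mktemp)
# Constructed baseline taken on the main router before the test ping.
cat > "$BEFORE" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  3865 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br1    br1     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  br0    br1     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  br1    br0     0.0.0.0/0            0.0.0.0/0
EOF
# Constructed snapshot after pinging the guest router 4 times from a br0 host.
cat > "$AFTER" <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  124  9920 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  3865 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br1    br1     0.0.0.0/0            0.0.0.0/0
    4   336 DROP       all  --  br0    br1     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  br1    br0     0.0.0.0/0            0.0.0.0/0
EOF

counter_delta "$BEFORE" "$AFTER"
```

On a real router you would save `iptables -L -nv > before.txt`, run the ping, save `after.txt`, and call the function on those two files; a hit on the br0 to br1 DROP rule, as in the constructed sample, means that rule sits ahead of any ACCEPT in the FORWARD chain.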
  35. Laz59

    Laz59 Serious Server Member

    Bird, sorry for the delay in responding, I haven't had free time the past few days.

    I should start off first by saying that I've been doing all the testing through SSH via my main router. The reason was that I wasn't home and was administering the routers remotely. I believe I omitted this information throughout the thread. I had forgotten to mention it, and it never struck me as particularly critical information, but it seems it is, and I realized it when I got home and tested connectivity within the network through a computer connected to the main router.

    Apparently, when you SSH to the router and use that connection to communicate with networked devices, you're acting as if you were the router in a way. As such, when using a networked computer, I can't access the guest router, because the main router is in fact blocking connections to br1 from br0. This makes a lot of sense now.
    I did try this rule (which you mentioned before) to see if it would solve the issue, but for some reason it doesn't:
    Code:
    iptables -I FORWARD -i br0 -o br1 -j ACCEPT
    I can test a bit more tomorrow, but before I test and analyze iptables again (and as you mentioned in the last post), what rule do you think I need to get communication from networked computers enabled to the guest router's admin page? And if it should in fact be the rule I mentioned, should I try that again?
     
  36. Bird333

    Bird333 Network Guru Member

    Just so I am clear. You want devices that are connected on br0 on the main router to be able to reach the gui on the guest router? If that is the case then the main router should have
    Code:
    iptables -I FORWARD -i br0 -j ACCEPT
    which should already exist. On the guest router you need a rule that accepts connections such as
    Code:
    iptables -I INPUT -i vlan2 -j ACCEPT
    . Make sure no other rule matches the packets before these rules. I still think it would be worthwhile to get the baseline I mentioned above and try to connect and see which rules the packets are hitting.
     
  37. Laz59

    Laz59 Serious Server Member

    Hello again, guys. I hope that my absence on this topic hasn't been too long. At the time when Bird posted again, I was busy with other things and couldn't dedicate my time to this project I had going on, but I'm back. I hope that you can still find some time to help me out, Bird, as thus far it has been greatly appreciated.

    The situation is as it was when I last posted, which is basically that I can access the Guest router through the Main router (as in via SSH) but I cannot do it through devices connected to the Main router.
    The goal is to be able to access the Guest router through these devices, but to not let devices from the Guest router access anything behind the main router.

    Bird, I have verified that the rules you mentioned are applied as you stated in your post.
     
  38. Laz59

    Laz59 Serious Server Member

    I don't really know what else to try here, so if anyone has an idea of what I could do next, I would highly appreciate it.
     