Firewall Wireless from Wired

Discussion in 'Tomato Firmware' started by theamazingrando, Feb 1, 2007.

  1. I posted this in "Networking issues", that may have been the wrong place. I apologize, mods could you delete that other one please?

    For the last couple years, I've been running OpenWRT on my WRT54G v2. I liked the flexibility, but decided to give the Tomato a shot, cause it's so damn pretty.

    However, one thing I liked about OpenWRT was that I could have my wired and wireless networks on different subnets, and firewalled. I had an open access point because I hate messing with wireless security settings, and I don't mind sharing. For my own security, though, I firewalled the wireless from the wired, so that the wireless users couldn't get to my own machines.

    Anyone know if there are a few simple firewall lines I could use to accomplish this? AFAIK, the iptables rules only worked when I could segregate the interfaces onto different networks and route both to WAN, but I'm not an iptables expert. Is it possible to firewall by interface? Do I need to get my wired and wireless interfaces back on separate networks? Can I do that with Tomato?

    Thanks in advance.
  2. tievolu

    tievolu Network Guru Member

    I've never had any reason to try this myself, but it's definitely do-able.

    These instructions in the DD-WRT wiki may help:

    Be careful though - I'm not sure how much of that is DD-WRT specific.

    EDIT: actually, the first step is DD-WRT specific. As far as I know there's no way of modifying VLANs in the Tomato GUI.
  3. ntest7

    ntest7 Network Guru Member

    Isn't this what Advanced->Wireless->AP Isolation (enabled) does? Prevent wireless users from accessing other wireless clients or the LAN?
  4. njeske

    njeske Network Guru Member

    As far as I understand it, that's exactly what AP Isolation does. I've never had a reason to use it though, so I'm not sure how well it works.
  5. tievolu

    tievolu Network Guru Member

    I don't think so. I think AP isolation only prevents wireless clients from being able to see each other - they can still see wired machines on the same subnet as them.
  6. larsrya8

    larsrya8 LI Guru Member

    That's what I was going to say... but a Google search found too many mixed replies to this exact same question. Why don't you just try it and report back?
  7. larsrya8

    larsrya8 LI Guru Member

    Well, I just turned it on and the wireless machines can communicate with the wired machines and vice versa. The wireless machines can NOT see each other.
  8. njeske

    njeske Network Guru Member

    Thanks for testing and clarifying the feature.
  9. glancep

    glancep Guest

    Uh... Okay, that's great.

    Well that solves what "AP Isolation" means, but how does anyone have an answer for the original question? How to secure the wired network against wireless clients?

  10. Devileyezz

    Devileyezz LI Guru Member

    I was looking for something like this, and basically everyone said this kind of VLANish feature isn't available on Tomato, and pointed me to routers by Linksys that do it, and the new beta of dd-wrt.
  11. Odin-60

    Odin-60 LI Guru Member

    It's not possible with DD-WRT, either, despite the (misleading) article in the wiki. And -- in contrast to DD-WRT -- Tomato does not even provide a VLAN settings page, so there is no user interface for this kind of configuration.
  12. Partizan

    Partizan Network Guru Member

    Any info on whether it's going to be implemented in future Tomato versions?
  13. kevanj

    kevanj LI Guru Member

    If you REALLY need to do it, buy a second wireless router, connect it to your current router using the new router's WAN port to a LAN port on the original router, set the new router with a WAN IP in the original router's LAN subnet, and a different LAN network. Switch wireless off on the original router, use the new router as your wireless access. The new router's LAN segment will be automatically firewalled from the original router's subnet by the SPI firewall in the new router. Then just apply an iptables rule on the original router to deny the wireless clients access to the original router's LAN subnet.

    Wireless clients will receive DHCP leases from their new router. Wired clients, from the original router...
    The wireless clients should use their router as their DNS server.

    You'll need a static route on the original router to point the Wireless router LAN subnet via the WAN interface IP on the new router.

    Exposure of gaping holes in my logic is welcome!!!!
  14. rhester72

    rhester72 Network Guru Member

    You can do the same thing on a single router with two subnets and two dnsmasqs (and a little iptables trickery), one for wired and one for wireless, but it is a little complicated to set up. I had this working on OpenWRT for some time, but I don't know if enough infrastructure is provided in Tomato to build the new subnet.

  15. HennieM

    HennieM Network Guru Member

    As roadkill says...
    the solution is here

    If it's not clear:
    - Get the wired (LAN) and wireless (WLAN) on separate subnets.
    - Once that is done, just use iptables to drop any packets originating on the WLAN and destined for the LAN, but allow any other packets from the WLAN (destined for the internet (WAN)).

    See also for more specifics on the iptables rules.

    And Odin, it certainly is possible with dd-wrt (without using VLANs).
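An added example (not from any poster in this thread, nor from Tomato's own scripts) of the iptables rules that posts 13 and 15 describe: once the radio is on its own subnet, drop WLAN-to-LAN traffic, let WLAN-to-WAN through, and keep the router's own services away from guests. Interface names (eth1 radio, br0 wired bridge, vlan1 WAN) and both subnets are assumptions for a WRT54G-class box; the script prints the rules for review and only applies them when run with `--apply`.

```shell
#!/bin/sh
# Added example, not from the thread or from Tomato: the iptables rules
# HennieM's post describes (WLAN and LAN on separate subnets; drop WLAN->LAN,
# allow WLAN->WAN), plus locking the router's own services away from guests.
# Interface names and subnets are assumptions for a WRT54G-class router:
# eth1 = radio (taken out of the br0 bridge), br0 = wired LAN, vlan1 = WAN.
WLAN_IF="${WLAN_IF:-eth1}"
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WLAN_NET="${WLAN_NET:-192.168.2.0/24}"

# Emit the rules rather than executing them, so they can be reviewed before
# being pasted into Tomato's firewall script box or run with --apply.
wlan_isolation_rules() {
    # 1. Forwarding: anything from the radio toward the wired subnet (or out
    #    the wired bridge) is logged once and dropped, ahead of Tomato's rules.
    echo "iptables -I FORWARD 1 -i $WLAN_IF -d $LAN_NET -j LOG --log-prefix 'WLAN->LAN '"
    echo "iptables -I FORWARD 2 -i $WLAN_IF -d $LAN_NET -j DROP"
    echo "iptables -I FORWARD 3 -i $WLAN_IF -o $LAN_IF -j DROP"
    # 2. Guests may still reach the internet: forward radio -> WAN and NAT it.
    #    Return traffic is covered by the usual RELATED,ESTABLISHED accept.
    echo "iptables -A FORWARD -i $WLAN_IF -o $WAN_IF -s $WLAN_NET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $WLAN_NET -o $WAN_IF -j MASQUERADE"
    # 3. The router itself: guests get DHCP and DNS from it and nothing else
    #    (no web GUI, telnet or ssh reachable from the open access point).
    echo "iptables -A INPUT -i $WLAN_IF -p udp --dport 67 -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN_IF -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN_IF -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -i $WLAN_IF -j DROP"
}

# Print for review by default; apply only on request and only where iptables exists.
if [ "${1:-}" = "--apply" ] && command -v iptables >/dev/null 2>&1; then
    wlan_isolation_rules | sh
else
    wlan_isolation_rules
fi
```

Override the defaults by exporting WLAN_IF, LAN_NET and friends before running; check the result from a wireless client by trying to reach a wired host and watching for the `WLAN->LAN` prefix in the router log.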
