Vlan support

Accid

Vlan support

Is there any way or commands to allow access from vlan 2 to vlan 3 but block access from vlan 3 to vlan 2?

I am running R7000 Nighthawk Router with the latest firmware (jan-09-2014).

I have successfully separated the 2 sets of vlans, Vlan 2 and Vlan 3.

I have several outdoor access points and other devices that have static IP addresses or are assigned specific IP addresses on my vlan 3. The reason for wanting access to them from vlan 2 is to be able to manage the devices through the remote management port (8080) for tweaks and troubleshooting.

Here is the setup:

R7000 Nighthawk Router
  -> Vlan3 192.168.2.1, wired, going to
  -> Ubiquiti Bullet M2 HP 192.168.2.9 (giving outdoor wireless omni)
  -> (4) TP-Link TL-WA5210G 192.168.2.10-14; these devices are acting as receivers getting the signal
  -> Client wireless router connected to the TP-Link TL-WA5210G
  -> Client devices: PC, laptop, tablets, etc.

I can access everything from vlan 2 if I don’t have any firewall commands active.

My goal is one-way traffic: I want to see the devices up to the TP-Link TL-WA5210G, but I don't want the client PCs, laptops and tablets to see Vlan2.

Also, the clients only connect to access the internet; there are no other networking services being used at this time.

Any suggestions or ideas are welcome.

Kong

Check out Restricting Access in the Wiki:

http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

Should give you all the commands you need in your case.

Accid

Thanks

I got it to work without using any firewall commands; your link helped.
My scenario was I was using the 2 vlans on the same bridge. As soon as I set up the other bridge (br1) (30/30/30) I was able to connect to the nodes on br1, but br1 could not see anything except the router's IP on br0, and the 2 bridges had internet. I kept several pings (ping -t X.X.X.X) running on Google.com and other devices on both bridges to test for any anomalies. Setting up the second bridge was not hard; I just had to set up 1 thing at a time and reboot after every change.
One thing I noticed while running the pings: a PC (running DHCP) I had on br0 would drop with no response for about 1-4 pings and then start again. Not sure why, but it was worth mentioning. The ping to Google.com is constant with no loss, as are the pings to the other devices.

Looking forward to the next firmware release.

Accid

Hi everyone,
I wanted to share my experience.
I decided to upgrade to the latest Kong build on my Netgear 1450.
Guess what, my Vlans are not working.
Something has changed from the 24345M to the current build.
Specifically the communication between vlans.
After upgrading I did the usual setup, 2 bridges with a vlan each (br0 with vlan 1 and br1 with vlan 3 and DHCP). With the 24345M build that was it: no more setup and no firewall commands. Vlan 3 could not see vlan 1 but vlan 1 could see vlan 3. That is what I wanted to achieve and it worked great. The only problem I had with build 24345M is the wireless causing the router to spontaneously reboot.

So I then upgraded to the BrainSlayer release for the Netgear 1450:
ftp://ftp.dd-wrt.com/betas/2015/03-05-2015-r26446/
I got the same problem.
I tried the standard commands from
http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
http://www.dd-wrt.com/wiki/index.php/Iptables_command
Note I did not have to with Kong build 24345M.
So I then started to mix and match the commands.
Here is what I came up with.
My scenario is: LAN ports 1, 2, eth1 & eth2 are connected to Vlan1 on br0; DHCP is 13.13.13.1 (bridged).

Vlan 3 has LAN ports 3 & 4 and is unbridged, 192.168.2.1, but still on br0.

This is the saved firewall command used to stop vlan 3 from accessing vlan 1:
iptables -I FORWARD -i vlan3 -d 13.13.13.1/24 -j DROP

Now here is a twist.
I have a Zyxel 320 NAS attached to vlan 1. The NAS has a gigabit connection and the Netgear 1450 also has gigabit connections. I do not want anyone on vlan 3 to see the NAS file server files stored on it, but I wanted to share my movies & games with vlan 3. Yesterday I discovered it has a web server function that can allow me to share a specific folder over a specific port, both locally and over the internet.
Currently I am sharing my movies and games via an external drive that is attached to the Netgear 1450.
1. This is just wasting drive space.
2. I am duplicating the data.
3. The more the shared drive is accessed, the higher the CPU usage is on the Netgear 1450.
4. The access speed on the shared drive is at best 12 MBPS per connection.

Now you might be able to guess what I did.
This is the command I used to share the NAS (13.13.13.5) over port 2002 on vlan 3.

iptables -I FORWARD -i vlan3 -p tcp -d 13.13.13.5 --dport 2002 -j ACCEPT

I have tested this scenario using the netscan utility and ping.
Before the command, Vlan 3 could access all the files on the NAS with ease via Windows Explorer, and the GUI of the NAS was also accessible.
After the command, only the movies and games folders were accessible, via a webpage, e.g. https://13.13.13.5:2002/games and movies.
No IP on Vlan 3 can ping the 13.13.13.5 address.

Here is an extra command.
I used this to block a specific MAC address from accessing Vlan3.
This can also be useful for blocking hardware connections on your network, e.g. in an office where an employee has brought his own laptop/device and has plugged it into your Ethernet network. He can now bypass access restrictions because his MAC address is not in any rules. The security of your entire network can be compromised.

iptables -I FORWARD -i vlan3 -m mac --mac-source c0:c1:c0:e8:31:96 -j DROP

The above ports/IP addresses/MAC addresses/Vlans can be changed to suit your network. The ports/IP addresses/MAC addresses/Vlans I used are for testing purposes only.

I plan to upgrade my Netgear 7000 to tomato some time soon.

bill1228

If you check over at the DD-WRT forums you will find they are working through some vlan and bridging issues since the latest drivers from Broadcom have been incorporated. Things seem to be getting better. If you want to see some of what they are working on you can look at their change log at

http://svn.dd-wrt.com/timeline

On the plus side, I had reboot issues with my R7000 until they added the latest drivers. I do not use guestnet or bridging, so for me the latest firmware from Kong and BS just works. I do use the miniDLNA server.
--bill

Accid

Update: the command

iptables -I FORWARD -i vlan3 -d 13.13.13.1/24 -j DROP

is not working, not sure why. I turned the router on yesterday and it was not working.

I downgraded to the 24345M Kong build, where the VLANs were working, and tried the

iptables -I FORWARD -i vlan3 -p tcp -d 13.13.13.5 --dport 2002 -j ACCEPT

This command is working, successfully punching a hole through the firewall on a specific port from vlan 3 to the IP located on vlan 1.

Looking forward to a Kong or BrainSlayer release where vlans are working.
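An added example, not from the thread or from DD-WRT's own scripts: the rules from the two posts above (the vlan 1 network DROP, the NAS port 2002 ACCEPT and the MAC DROP) gathered into one dedicated chain so that their order is explicit instead of depending on -I inserting each new rule above the previous one, plus a state rule so that connections vlan 1 opens towards vlan 3 (e.g. the 8080 management port) still get their replies back. The chain name VLAN3_TO_LAN, the dry-run convention (IPT="echo iptables") and the addresses, which are the poster's test values, are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from DD-WRT): the poster's three rules
# gathered into one chain with explicit ordering. Run with "show" to print the
# commands, "apply" to run them (needs root on the router). Values below are
# the thread's test values and are assumptions to adapt to your network.
IPT="${IPT:-iptables}"
VLAN_IF="vlan3"            # restricted VLAN (clients, TP-Link receivers)
LAN_NET="13.13.13.0/24"    # vlan 1 network; the thread's 13.13.13.1/24 means this block
NAS_IP="13.13.13.5"
NAS_PORT="2002"            # NAS web share that vlan 3 may reach
BLOCKED_MAC="c0:c1:c0:e8:31:96"
CHAIN="VLAN3_TO_LAN"       # assumed chain name

apply_vlan_policy() {
    # Create (or flush) the chain so re-running never stacks duplicate rules.
    $IPT -N "$CHAIN" 2>/dev/null
    $IPT -F "$CHAIN"
    # 1. Blocked hardware address first: nothing below can let it through.
    $IPT -A "$CHAIN" -m mac --mac-source "$BLOCKED_MAC" -j DROP
    # 2. Replies to connections that vlan 1 opened (e.g. management on 8080).
    #    A plain DROP inserted at the top of FORWARD would cut these off too.
    $IPT -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 3. The single hole: the NAS web share on TCP 2002 only.
    $IPT -A "$CHAIN" -p tcp -d "$NAS_IP" --dport "$NAS_PORT" -j ACCEPT
    # 4. Everything else from vlan 3 towards vlan 1 is dropped; internet-bound
    #    traffic matches nothing here and falls through to the normal rules.
    $IPT -A "$CHAIN" -d "$LAN_NET" -j DROP
    # Hook the chain in first position of FORWARD for traffic arriving on vlan3
    # (remove a stale hook first so it is present exactly once).
    $IPT -D FORWARD -i "$VLAN_IF" -j "$CHAIN" 2>/dev/null
    $IPT -I FORWARD 1 -i "$VLAN_IF" -j "$CHAIN"
}

case "${1:-}" in
    show)  IPT="echo iptables"; apply_vlan_policy ;;
    apply) apply_vlan_policy ;;
esac
```

Run the script with show to print the commands before putting them in the saved firewall script; apply needs root on the router.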