How to disable DMZ device to access Intranet

[krwy0330]

Hi:
I used a LAN port to connect the DMZ device and set the DMZ IP in WebUI.
However i don't want the DMZ device access internal.

So I want to add the LAN port to guest wifi network(br1) which is set disabled to access intranet.

I run the command:
brctl delif br0 eth4 && brctl addif br1 eth4

But it does not work.
Thanks in advance to anyone who replies.

 

[Deleted member 62525]

Hi:
I used a LAN port to connect the DMZ device and set the DMZ IP in WebUI.
However i don't want the DMZ device access internal.

So I want to add the LAN port to guest wifi network(br1) which is set disabled to access intranet.

I run the command:
brctl delif br0 eth4 && brctl addif br1 eth4

But it does not work.
Thanks in advance to anyone who replies.

You dont need DMZ for that. If you need to setup a separate LAN on one of the physical ports you can do the following

#!/bin/sh

# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Delete those interfaces that we want to isolate from br0
brctl delif br0 eth1
brctl delif br0 eth2

# Create a new bridge br1 for isolated interfaces
logger -t "br100" "services-start: creating br100 with LAN PORTS 3 & 4 (eth1-2)"
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth1
brctl addif br100 eth2
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br100
# Here we set the subnet to be 192.168.150.0/24
logger -t "br100" "services-start: setting up IPv4 address for br100"
ifconfig br100 192.168.150.1 netmask 255.255.255.0
ifconfig br100 up

Call this script from /jffs/scripts/services-start script. This will create a separate LAN segment on ports 3 and 4 with IP segment 192.168.150.0/24.

Now, for the firewall rules

#!/bin/sh

# Make sure the script is indeed invoked
logger -t "br100" "firewall-start: applying fw rules for br100"

# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
iptables -I FORWARD -i br0 -o br100 -j DROP

# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.150.1/24 -p icmp --icmp-type echo-request -j DROP

Create your own rules and call this script from /jffs/scripts/firewall-start.
You will end up with the completly isolated LAN segment without access to WAN or other segments on your network.

 

[krwy0330]

You dont need DMZ for that. If you need to setup a separate LAN on one of the physical ports you can do the following

#!/bin/sh

# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Delete those interfaces that we want to isolate from br0
brctl delif br0 eth1
brctl delif br0 eth2

# Create a new bridge br1 for isolated interfaces
logger -t "br100" "services-start: creating br100 with LAN PORTS 3 & 4 (eth1-2)"
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth1
brctl addif br100 eth2
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br100
# Here we set the subnet to be 192.168.150.0/24
logger -t "br100" "services-start: setting up IPv4 address for br100"
ifconfig br100 192.168.150.1 netmask 255.255.255.0
ifconfig br100 up

Call this script from /jffs/scripts/services-start script. This will create a separate LAN segment on ports 3 and 4 with IP segment 192.168.150.0/24.

Now, for the firewall rules

#!/bin/sh

# Make sure the script is indeed invoked
logger -t "br100" "firewall-start: applying fw rules for br100"

# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
iptables -I FORWARD -i br0 -o br100 -j DROP

# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.150.1/24 -p icmp --icmp-type echo-request -j DROP

Create your own rules and call this script from /jffs/scripts/firewall-start.
You will end up with the completly isolated LAN segment without access to WAN or other segments on your network.

[Add: I've found my problem, Thanks @Markster]

I want the LAN segment can access to WAN but can't access to other segments on my network.
I've tried to do something similar to yours.

# create a new linux bridge
brctl addbr br-dmz

# move lan1 to the new bridge
brctl delif br0 eth4
brctl addif br-dmz eth4
brctl stp br-dmz on

# make the new bridge work
ip link set br-dmz up
ip addr add 192.179.110.1/24 dev br-dmz   # <- I entered the wrong IP range, which caused my error

# mimic br1 to configure the iptable
-A INPUT -i br-dmz -j DROP
-A FORWARD -i br-dmz -o ppp0 -j ACCEPT

In the moment, I can find DMZ device's mac in br-dmz by command "brctl showmacs br-dmz".
But the DMZ device can't access internet.
I use the tcpdump to catch packets.
There seems to be a problem with ARP.

09:05:08.055971 ARP, Request who-has 192.168.110.1 tell 192.168.110.161, length 46
09:05:09.055902 ARP, Request who-has 192.168.110.1 tell 192.168.110.161, length 46

 

[Deleted member 62525]

You dont need DMZ for that. If you need to setup a separate LAN on one of the physical ports you can do the following

#!/bin/sh

# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Delete those interfaces that we want to isolate from br0
brctl delif br0 eth1
brctl delif br0 eth2

# Create a new bridge br1 for isolated interfaces
logger -t "br100" "services-start: creating br100 with LAN PORTS 3 & 4 (eth1-2)"
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth1
brctl addif br100 eth2
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br100
# Here we set the subnet to be 192.168.150.0/24
logger -t "br100" "services-start: setting up IPv4 address for br100"
ifconfig br100 192.168.150.1 netmask 255.255.255.0
ifconfig br100 up

Call this script from /jffs/scripts/services-start script. This will create a separate LAN segment on ports 3 and 4 with IP segment 192.168.150.0/24.

Now, for the firewall rules

#!/bin/sh

# Make sure the script is indeed invoked
logger -t "br100" "firewall-start: applying fw rules for br100"

# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
iptables -I FORWARD -i br0 -o br100 -j DROP

# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.150.1/24 -p icmp --icmp-type echo-request -j DROP

Create your own rules and call this script from /jffs/scripts/firewall-start.
You will end up with the completly isolated LAN segment without access to WAN or other segments on your network.

 

[Deleted member 62525]

If you want to have this new segment (br100 - 192.168.150.0/24) access WAN you need this included in /jffs/script/nat-start

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.150.0/24 -j MASQUERADE

 

[krwy0330]

If you want to have this new segment (br100 - 192.168.150.0/24) access WAN you need this included in /jffs/script/nat-start

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.150.0/24 -j MASQUERADE

This is my whole script(create_br_dmz.sh):

#!/bin/bash -e

#set -x

/jffs/scripts/clear_br_dmz.sh

DMZ_IP_RANGE="192.168.110.1/24"

# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Create a new bridge br1 for isolated interfaces
if ! ip link show br-dmz &> /dev/null
then
  brctl addbr br-dmz
fi
brctl stp br-dmz on # STP to prevent bridge loops
brctl setfd br-dmz 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br-dmz
ip link set br-dmz up
if ! ip addr show br-dmz | grep -wq ${DMZ_IP_RANGE}
then
  ip addr add ${DMZ_IP_RANGE} dev br-dmz
fi

for eth in $@
do
  if brctl show br0 | grep -wq $eth
  then
    brctl delif br0 $eth
  fi
  if ! brctl show br-dmz |grep -wq $eth
  then
    brctl addif br-dmz $eth
  fi
done

iptables -t filter -A INPUT -i br-dmz -j DROP
iptables -t filter -A FORWARD -i br-dmz -o ppp0 -j ACCEPT
iptables -t filter -A FORWARD -i br-dmz -o br0 -j DROP
#iptables -t nat -A POSTROUTING -o eth0 -s ${DMZ_IP_RANGE} -j MASQUERADE
iptables -t nat -A POSTROUTING -s ${DMZ_IP_RANGE} -d ${DMZ_IP_RANGE} -o br-dmz -j MASQUERADE


ip6tables -t filter -A INPUT -i br-dmz -m state --state NEW -j ACCEPT
ip6tables -t filter -A INPUT -i br-dmz -j DROP
ip6tables -t filter -A FORWARD -i br-dmz -o ppp0 -j ACCEPT
ip6tables -t filter -A FORWARD -i br-dmz -o br0 -j DROP

I run

create_br_dmz.sh eth1

to configure dmz and used tcpdump to catch packages.
I saw a lot of dns request and UDP packages without repsonse.
It seems that there are some errors still in my configuration

 

[krwy0330]

This is my whole script(create_br_dmz.sh):

#!/bin/bash -e

#set -x

/jffs/scripts/clear_br_dmz.sh

DMZ_IP_RANGE="192.168.110.1/24"

# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Create a new bridge br1 for isolated interfaces
if ! ip link show br-dmz &> /dev/null
then
  brctl addbr br-dmz
fi
brctl stp br-dmz on # STP to prevent bridge loops
brctl setfd br-dmz 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br-dmz
ip link set br-dmz up
if ! ip addr show br-dmz | grep -wq ${DMZ_IP_RANGE}
then
  ip addr add ${DMZ_IP_RANGE} dev br-dmz
fi

for eth in $@
do
  if brctl show br0 | grep -wq $eth
  then
    brctl delif br0 $eth
  fi
  if ! brctl show br-dmz |grep -wq $eth
  then
    brctl addif br-dmz $eth
  fi
done

iptables -t filter -A INPUT -i br-dmz -j DROP
iptables -t filter -A FORWARD -i br-dmz -o ppp0 -j ACCEPT
iptables -t filter -A FORWARD -i br-dmz -o br0 -j DROP
#iptables -t nat -A POSTROUTING -o eth0 -s ${DMZ_IP_RANGE} -j MASQUERADE
iptables -t nat -A POSTROUTING -s ${DMZ_IP_RANGE} -d ${DMZ_IP_RANGE} -o br-dmz -j MASQUERADE


ip6tables -t filter -A INPUT -i br-dmz -m state --state NEW -j ACCEPT
ip6tables -t filter -A INPUT -i br-dmz -j DROP
ip6tables -t filter -A FORWARD -i br-dmz -o ppp0 -j ACCEPT
ip6tables -t filter -A FORWARD -i br-dmz -o br0 -j DROP

I run

create_br_dmz.sh eth1

to configure dmz and used tcpdump to catch packages.
I saw a lot of dns request and UDP packages without repsonse.
It seems that there are some errors still in my configuration

Ok, I resolve the problem!
Just modify all -A to -I with iptables scripts.
It can work now!

 

[eleVator]

Great info, was looking for this!
Before though i jump into unchartered terittory and pray to the nvram-save gods, do you know if vpn director would be able to route such a dmz device?