Isolated Guest Network on the second Router?!

[Myronx]

I want to prevent Router 2 from pinging all my devices.
I want only internet access there.
(Router 1 My network)
(Router 2 Isolated/Guest Network)

I tried to apply some Firewall Rules like mentioned here in Post #7: Click here
but if I apply them on the Main Router (Router 1) my Internet connection will not work anymore.
I dont know why

I saw on the same Thread that I can apply some Network Services Filter but I dont know what fillters i need to apply.

My Setup:
Internet -> Modem -> My Main Router 1 (ASUS AX11000) -> Router 2 (AC86U)
(Both: AsusWRT-Merlin)

I Cascaded both Routers (WAN to LAN)
Router 1 IP: 192.168.188.1
Router 2 IP: 192.168.189.1

Based on this Thread: Click here (Post #55)
Router 1:
WAN Address: ISP provided address
WAN Network: ISP provided
WAN Subnet: ISP provided
LAN Address: 192.168.188.1
LAN Subnet: 255.255.255.0
DHCP server DNS: 192.168.188.1)

Router 2:
WAN Address: 192.168.188.2
WAN Subnet: 255.255.255.252
WAN Gateway: 192.168.188.1
WAN DNS: 192.168.188.1
LAN Address: 192.168.189.1
LAN Subnet: 255.255.255.0
DHCP Server DNS: 192.168.189.1

My current Situation is that I can still ping from Router 2 network to Router 1 devices.
And I cant Access the Intranet from Router 2 when Im in Router 1 Network.
but I can Access Router 1 when Im in Router 2 Network.

I hope someone can help me.
I know VLAN ist the best solution but I want to solve this with this setup if possible.

 

[CaptainSTX]

What you want to accomplish is much easier if you put your isolated guest network on router 1 and your more secure devices on router 2. Just double NAT your router 2 behind router 1.

 

[ColinTaylor]

Leave Router #2's WAN Subnet as 255.255.255.0. There's no reason to change it. Or just use a WAN Connection Type of Automatic IP (DHCP), there's no need for it to be configured statically.

Network Services Filter (Deny List) on Router #2:

 

[eibgrad]

Those rules you referred to that don't work? The ones I recommended, are NOT intended for the main/primary router. They go on the secondary router, the one hosting the guest/IOT network(s). You want that secondary router's firewall to block access to any private networks upstream on the primary router.

 

[Myronx]

Those rules you referred to that don't work? The ones I recommended, are NOT intended for the main/primary router. They go on the secondary router, the one hosting the guest/IOT network(s). You want that secondary router's firewall to block access to any private networks upstream on the primary router.

If I add this firewall rules in my second Router I dont have then any kind of internet connection from this network.
I have only then Intranet access to this Router?! Sry if im misunderstand something.

iptables -I FORWARD -d 192.168.0.0/16 -j REJECT
iptables -I FORWARD -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD -d 10.0.0.0/8 -j REJECT

 

[Myronx]

Leave Router #2's WAN Subnet as 255.255.255.0. There's no reason to change it. Or just use a WAN Connection Type of Automatic IP (DHCP), there's no need for it to be configured statically.

Network Services Filter (Deny List) on Router #2:

View attachment 38888

I changed the WAN Subnet to 255.255.255.0 and applied 192.168.188.0/24 TCP/UDP I have now two separated Intranet Access I can only Access 192.168.188.1(Router 1) if im connected to this network and for the intranet Access for Router 2 im need to connect to 192.168.189.1 (Router 2) network.

But I can still ping from "Router 2 Network" my "Router 1 devices" How can I prevent this?

 

[ColinTaylor]

I changed the WAN Subnet to 255.255.255.0 and applied 192.168.188.0/24 TCP/UDP I have now two separated Intranet Access I can only Access 192.168.188.1(Router 1) if im connected to this network and for the intranet Access for Router 2 im need to connect to 192.168.189.1 (Router 2) network.

So it's working as intended.

But I can still ping from "Router 2 Network" my "Router 1 devices" How can I prevent this?

You can't block ICMP (ping) using the Network Services Filter. But it doesn't matter because you have to use TCP or UDP to create a connection to a device.

 

[Tech Junky]

Working with iptables is going to be easier than trying to get the GUI to make it work.

So, you can't reject/block/drop on the FORWARD section or you'll not have connectivity.

You need PSOTROUTING (NAT) statements to get out to the internet
You can block ICMP from N2 to N1 with a rule stating so.


Here's what I have setup in iptables for a single machine.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
ERMIT-FWD - [0:0]
ERMIT-IN - [0:0]
ERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP

-A FORWARD -j PERMIT-FWD
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP

-A OUTPUT -j PERMIT-OUT
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
COMMIT

*nat
REROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o nordlynx -j MASQUERADE
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT

I grouped rules based on the direction they flow.
PERMIT-IN - from the outside WAN
PERMIT-FWD - between WAN / LAN
PERMIT-OUT - egress to the internet

I have Br0 (LAN / Bo0 (WAN) to keep things simple being able to move interfaces around in /etc/network/interfaces w/o needing to change the rules or do tracking statements with IP's.

https://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html

So, you can block ICMP on R1 or R2 for the subnet and then permit any others using these.

R2:
-A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 192.168.188.0/24 -j DROP

For each section in BOLD you need to have those entries for iptables to match up to. If you don't then it will error before committing and things won't work until you fix it.

 

[Myronx]

Working with iptables is going to be easier than trying to get the GUI to make it work.

So, you can't reject/block/drop on the FORWARD section or you'll not have connectivity.

You need PSOTROUTING (NAT) statements to get out to the internet
You can block ICMP from N2 to N1 with a rule stating so.


Here's what I have setup in iptables for a single machine.

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
ERMIT-FWD - [0:0]
ERMIT-IN - [0:0]
ERMIT-OUT - [0:0]
-A INPUT -j PERMIT-IN
-A PERMIT-IN -i lo -j ACCEPT
-A PERMIT-IN -i br0 -j ACCEPT
-A PERMIT-IN -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-IN -j DROP

-A FORWARD -j PERMIT-FWD
-A PERMIT-FWD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-FWD -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-FWD -j DROP

-A OUTPUT -j PERMIT-OUT
-A PERMIT-OUT -o lo -j ACCEPT
-A PERMIT-OUT -o br0 -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A PERMIT-OUT -m conntrack --ctstate NEW -j ACCEPT
-A PERMIT-OUT -j DROP
COMMIT

*nat
REROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o nordlynx -j MASQUERADE
-A POSTROUTING -o bo0 -j MASQUERADE
COMMIT

I grouped rules based on the direction they flow.
PERMIT-IN - from the outside WAN
PERMIT-FWD - between WAN / LAN
PERMIT-OUT - egress to the internet

I have Br0 (LAN / Bo0 (WAN) to keep things simple being able to move interfaces around in /etc/network/interfaces w/o needing to change the rules or do tracking statements with IP's.

https://www.cyberciti.biz/tips/linux-iptables-9-allow-icmp-ping.html

So, you can block ICMP on R1 or R2 for the subnet and then permit any others using these.

R2:
-A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 192.168.188.0/24 -j DROP

For each section in BOLD you need to have those entries for iptables to match up to. If you don't then it will error before committing and things won't work until you fix it.

Haha this looks really complicated for me. I didnt understand anything. If im doing this i need a step by step tutorial for my setup

 

[Tech Junky]

iptables -I FORWARD -d 192.168.0.0/16 -j REJECT
iptables -I FORWARD -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD -d 10.0.0.0/8 -j REJECT

How did you get to this?

 

[eibgrad]

iptables -I FORWARD -d 192.168.0.0/16 -j REJECT
iptables -I FORWARD -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD -d 10.0.0.0/8 -j REJECT

How did you get to this?

The idea is very simple. As long as the secondary router's IP firewall is accessible, those rules prevent routing to *all* possible private IP networks upstream of that router, whether it's the one most obvious (i.e., the primary router's local IP network), or any other not so obvious ones (e.g., an established OpenVPN client or other gateway). The *only* routable IPs must be public (i.e., the internet).

 

[ColinTaylor]

Working with iptables is going to be easier than trying to get the GUI to make it work.

He has already achieved to isolation he wanted. There's no need to block ICMP.

So, you can't reject/block/drop on the FORWARD section or you'll not have connectivity.
:
R2:
-A OUTPUT -p icmp --icmp-type 8 -s 0/0 -d 192.168.188.0/24 -j DROP

This is wrong. We want to block traffic from the clients on R2's LAN. That traffic uses the FORWARD chain not the OUTPUT chain. The OUTPUT chain only effects traffic originating from the router itself.