Isolated VLAN setup question on AC68U

drummer914

Occasional Visitor
This is the first time I've messed around with VLANs so I would appreciate some assistance.
I have an 8-port switch and an AC68U running Merlin's 380.64_2. On the switch I have 2 VLANs:
VLAN 1: ports 1,2,3
VLAN 2: ports 4,5,6,7,8

I'm trying to isolate VLAN 2 from the rest of my network, wired and wireless, but still be connected to the WAN. To do this, I figure I need to connect each VLAN to its own port on the router's switch. I have port 1 from the router connected to port 1 on the switch, and port 2 on the router connected to port 4 on the switch.

I found this script in an old thread:

Code:
# force LAN port 2 to use the Guest Network for RT-AC68U
robocfg vlan 1 ports "1 3 4 5t"
robocfg vlan 10 ports "2 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP

After running that script I'm no longer able to reach the devices on VLAN2 from the wireless network, yay! Unfortunately I'm also no longer able to connect to devices on VLAN2 when connected directly to another port on VLAN 2, boo. I realize a guest network should have no internal network access. How do I alter the script so devices on VLAN2 can see each other, but still be a totally isolated network? I also noticed that the AC68U can't see the devices on VLAN 10 that the script sets up. Why is that? I figured it would still be controlling the IP addresses of those devices, and that I could still manage them myself with manual DHCP. What am I not understanding, and is there a right way to do this that will still allow me to control those devices from the router? Thanks!
 
How do I alter the script so devices on VLAN10 can see each other, but still be a totally isolated network?
I think maybe put this as the last line?
Code:
/usr/sbin/ebtables -t filter -I FORWARD -i vlan10 -o vlan10 -j ACCEPT

I also noticed that the AC68U can't see the devices on VLAN 10 that the script sets up. Why is that?
I think the router can see devices on the Guest Network via ARP, UDP and ICMP. However, it cannot make TCP connections with them.

I figured it would still be controlling the IP addresses of those devices, and that I could still manage them myself with manual DHCP. What am I not understanding, and is there a right way to do this that will still allow me to control those devices from the router?
Yes, the router still manages the IP addresses for the Guest Network. I think devices on the Guest Network are allowed to talk with others via the UDP protocol. This provides DHCP, DNS and NTP services for these "isolated" devices.
 
Excellent, thanks! Does that mean I wouldn't be able to port forward any TCP connections to the isolated VLAN then?
 
Excellent, thanks! Does that mean I wouldn't be able to port forward any TCP connections to the isolated VLAN then?
I can't say if this is the exact rules needed. These rules should be inserted last so they appear at the top of the Ebtables FORWARD chain. I think the general idea is you want to allow the NAT-forwarded frames only between your host computer and the router, while dropping everything else to enforce the guest network rules. The IP address 192.168.1.100 is just an example host computer, and 192.168.1.1 is your router.
Code:
/usr/sbin/ebtables -t filter -I FORWARD -p IPv4 --ip-src 192.168.1.1 --ip-dst 192.168.1.100 --ip-proto tcp -j ACCEPT
/usr/sbin/ebtables -t filter -I FORWARD -p IPv4 --ip-src 192.168.1.100 --ip-dst 192.168.1.1 --ip-proto tcp -j ACCEPT
 
It's easier and better to use a different subnet on VLAN 10, instead of bridging it to br0.

Set up the IP address on vlan10:
ifconfig vlan10 192.168.2.1 netmask 255.255.255.0 up

Then you need to add DHCP configuration in dnsmasq.conf for interface vlan10, so clients will receive an IP address with DHCP. You can copy the lines with lan/br0 and adjust them for vlan10.
You can skip the 3 ebtables lines above. Instead use iptables to permit/allow traffic between VLANs.
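To show what the routed approach from the reply above looks like end to end, here is an added example script (not code from the thread or from the Asuswrt-Merlin project). It assumes the RT-AC68U switch port numbers used earlier in the thread, the 192.168.2.0/24 subnet suggested above, placement as /jffs/scripts/nat-start, and that the WAN interface name can be read from nvram as wan0_ifname (override with WAN_IF=... when reviewing it off the router). It keeps vlan10 out of br0, gives VLAN 10 WAN access only, lets the router answer DHCP and DNS for it, and drops everything else between VLAN 10 and the main LAN or the router itself. Running it with no argument prints the commands instead of executing them, which is the easiest way to check the rule order before applying it:

```shell
#!/bin/sh
# Added example (not code from the thread): LAN port 2 as a routed, isolated
# VLAN 10 with its own subnet. Placement as /jffs/scripts/nat-start and the
# switch port numbers are assumptions taken from the thread's own script.

VLAN_ID=10
VLAN_IF="vlan$VLAN_ID"
VLAN_NET="192.168.2.0/24"    # isolated subnet (example values from the thread)
VLAN_GW="192.168.2.1"        # router address inside that subnet
LAN_BR="br0"                 # the main LAN bridge on Asuswrt

# DRY_RUN=1 prints each command instead of executing it, for review off-box.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# WAN interface name. Assumption: Asuswrt keeps it in nvram as wan0_ifname;
# WAN_IF in the environment overrides it (needed when reviewing off the router).
wan_ifname() {
    if [ -n "${WAN_IF:-}" ]; then
        printf '%s\n' "$WAN_IF"
    else
        nvram get wan0_ifname 2>/dev/null || printf '%s\n' "eth0"
    fi
}

setup_vlan_interface() {
    # Switch: port 2 leaves VLAN 1 and joins VLAN 10; port 5 is the tagged CPU trunk.
    run robocfg vlan 1 ports "1 3 4 5t"
    run robocfg vlan "$VLAN_ID" ports "2 5t"
    run vconfig add eth0 "$VLAN_ID"
    # Own subnet on the VLAN interface; it is deliberately NOT added to br0.
    run ifconfig "$VLAN_IF" "$VLAN_GW" netmask 255.255.255.0 up
}

firewall_rules() {
    wan=$(wan_ifname)
    # iptables -I inserts at the head of the chain, so the last rule inserted
    # here is the first one evaluated. Rules are listed in reverse evaluation order.
    # FORWARD: VLAN 10 reaches the WAN (and gets replies), never the main LAN.
    run iptables -I FORWARD -i "$VLAN_IF" -o "$wan" -j ACCEPT
    run iptables -I FORWARD -i "$wan" -o "$VLAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -I FORWARD -i "$VLAN_IF" -o "$LAN_BR" -j DROP
    run iptables -I FORWARD -i "$LAN_BR" -o "$VLAN_IF" -j DROP
    # INPUT: the router offers only DHCP and DNS to VLAN 10. The blanket DROP is
    # inserted first so that the two ACCEPTs end up above it.
    run iptables -I INPUT -i "$VLAN_IF" -j DROP
    run iptables -I INPUT -i "$VLAN_IF" -p udp -m multiport --dports 53,67 -j ACCEPT
    run iptables -I INPUT -i "$VLAN_IF" -p tcp --dport 53 -j ACCEPT
    # NAT for the new subnet (the firmware's own MASQUERADE rule may already
    # cover it; an explicit rule is harmless).
    run iptables -t nat -I POSTROUTING -s "$VLAN_NET" -o "$wan" -j MASQUERADE
}

apply_all() {
    setup_vlan_interface
    firewall_rules
}

# "show" (the default) prints the commands; "apply" executes them.
case "${1:-show}" in
    apply) apply_all ;;
    show)  DRY_RUN=1; apply_all ;;
esac
```

Two caveats when installing it: the firmware calls nat-start without arguments and re-runs it whenever the WAN restarts, so for real use change the default branch to apply and guard against inserting the same rules twice; and the blanket INPUT drop means the router's web UI and SSH are unreachable from VLAN 10 by design, so manage those devices from the main LAN.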
 
I found this thread while researching after your comment, and now have this script in jffs/scripts/nat-start

Code:
#!/bin/sh
# LAN Port 2 on separate VLAN and subnet
robocfg vlan 1 ports "1 3 4 5t"
robocfg vlan 10 ports "2 5t"
vconfig add eth0 10
ifconfig vlan10 192.168.2.1 netmask 255.255.255.0 up
# -I inserts at the head of the chain, so the two DROP rules below end up above this ACCEPT
iptables -I FORWARD -i vlan10 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan10 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o vlan10 -m state --state NEW -j DROP
iptables -I INPUT -i vlan10 -j ACCEPT

And this in /jffs/configs/dnsmasq.conf.add
Code:
interface=vlan10
dhcp-range=vlan10,192.168.2.2,192.158.2.4,255.255.255.0,84600s
dhcp-option=vlan10,3,192.168.2.1
dhcp-option=vlan10,6,8.8.8.8,8.8.4.4,0.0.0.0

Unfortunately it isn't working. Devices connected to port 1/vlan 1 on the router, which ports 1-4 on my switch are connected to, aren't getting assigned an IP.

Any more assistance would be great!
 
/jffs/configs/dnsmasq.conf.add
Code:
dhcp-range=vlan10,192.168.2.2,192.158.2.4,255.255.255.0,84600s

Well, dnsmasq won't start with the current typo... 168 or 158?
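A slip like 192.158 for 192.168 is easy to catch mechanically before restarting dnsmasq. The following added example (not from the thread) is a small POSIX sh checker for a dnsmasq.conf.add fragment: it reads the router address from the dhcp-option 3 line and verifies that every dhcp-range start and end address falls in that router's subnet and that start is not above end. The sample fragments in the test are constructed; the fallback to a /24 when the range omits a netmask is an assumption for this example.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a dnsmasq.conf.add fragment
# before restarting dnsmasq. Flags a dhcp-range whose start or end address is
# outside the subnet of the router address given by dhcp-option 3, and a start
# address above the end address. The 192.168 / 192.158 typo above is the kind
# of slip this catches.

# Dotted quad -> integer, using POSIX sh arithmetic only.
ip2int() {
    ifs_ip=$IFS; IFS=.
    set -- $1
    IFS=$ifs_ip
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_dhcp_range <dhcp-range line> <router address>
# Returns 0 when start and end lie in the router's subnet and start <= end;
# otherwise prints what is wrong and returns 1.
check_dhcp_range() {
    gw=$2
    range=${1#dhcp-range=}
    ifs_rng=$IFS; IFS=,
    set -- $range
    IFS=$ifs_rng
    # Drop a leading tag/interface field (e.g. "vlan10" or "set:vlan10").
    case $1 in *[!0-9.]*) shift ;; esac
    start=$1; end=$2
    # dnsmasq lets the netmask be omitted; assume /24 then (assumption for this example).
    case ${3:-} in *.*.*.*) mask=$3 ;; *) mask=255.255.255.0 ;; esac
    s=$(ip2int "$start"); e=$(ip2int "$end")
    m=$(ip2int "$mask");  g=$(ip2int "$gw")
    ok=0
    if [ $(( s & m )) -ne $(( g & m )) ]; then
        echo "start $start is not in the router's subnet ($gw/$mask)"; ok=1
    fi
    if [ $(( e & m )) -ne $(( g & m )) ]; then
        echo "end $end is not in the router's subnet ($gw/$mask)"; ok=1
    fi
    if [ "$s" -gt "$e" ]; then
        echo "start $start is above end $end"; ok=1
    fi
    return $ok
}

# check_fragment reads a dnsmasq fragment on stdin and checks every dhcp-range
# line against the first dhcp-option 3 (router) address found in it.
check_fragment() {
    frag=$(cat)
    router=$(printf '%s\n' "$frag" \
        | sed -n 's/^dhcp-option=\([^,]*,\)\{0,1\}3,\([0-9.]*\).*/\2/p' | head -n 1)
    if [ -z "$router" ]; then
        echo "no dhcp-option ...,3,<router> line found"; return 1
    fi
    status=0
    ifs_frag=$IFS; IFS='
'
    for line in $(printf '%s\n' "$frag" | grep '^dhcp-range=' || true); do
        check_dhcp_range "$line" "$router" || status=1
    done
    IFS=$ifs_frag
    return $status
}

# Usage: sh check-dnsmasq.sh /jffs/configs/dnsmasq.conf.add
[ "$#" -eq 0 ] || check_fragment < "$1"
```

Run it against the fragment file before restarting dnsmasq; a non-zero exit with a message names the offending address, so the typo is found without waiting for clients to fail to get a lease.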
 
