Tutorial LAN port isolation on Asus Merlin example

[dcballers]

@Markster, thanks for your help. I was able to load up the scripts as you suggested and rebooted the router without anything breaking. However, I don't seem to have any internet connectivity on my isolated LAN port. What might be causing the issue?

 

[eibgrad]

@Markster, thanks for your help. I was able to load up the scripts as you suggested and rebooted the router without anything breaking. However, I don't seem to have any internet connectivity on my isolated LAN port. What might be causing the issue?

Perhaps this rule.

# Allow packet forwarding between br100 and eth0 (WAN)
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT

On some routers, perhaps eth0 is the WAN. But NOT on my RT-AC68U. It's vlan2.

I would double-check by dumping the routing table and seeing what the default route says.

ip route

That's why it would be better if the script instead referenced nvram variables. Just safer. Esp. if someone attempts to port this to other routers.

# Allow packet forwarding between br100 and WAN
iptables -I FORWARD -i br100 -o $(nvram get wan0_ifname) -j ACCEPT

Or given the fact this is called from the firewall-start script, which passes the WAN network interface as an argument ...

# Allow packet forwarding between br100 and WAN
WAN_IF="$1"
iptables -I FORWARD -i br100 -o $WAN_IF -j ACCEPT

 

[dcballers]

Perhaps this rule.

# Allow packet forwarding between br100 and eth0 (WAN)
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT

On some routers, perhaps eth0 is the WAN. But NOT on my RT-AC68U. It's vlan2.

I would double-check by dumping the routing table and seeing what the default route says.

ip route

That's why it would be better if the script instead referenced nvram variables. Just safer. Esp. if someone attempts to port this to other routers.

# Allow packet forwarding between br100 and WAN
iptables -I FORWARD -i br100 -o $(nvram get wan0_ifname) -j ACCEPT

Or given the fact this is called from the firewall-start script, which passes the WAN network interface as an argument ...

# Allow packet forwarding between br100 and WAN
WAN_IF="$1"
iptables -I FORWARD -i br100 -o $WAN_IF -j ACCEPT

Thanks for your suggestion. I am aware about the different WAN and port naming conventions across router models, but they should be the same for a given model right? I have the same router, AC86U as the OP, which is why I decided to try his approach - no guess work adapting other scripts on these forums.

Nevertheless, I'd like to try your suggestion about checking via the ip route command. However, I am still learning, so could you please help with some more description? I know how to access the router log in the GUI and can clear it there. Is that the "dumping the routing table" you refer to? And then, where do I enter the ip route command? I'm doing it from terminal bash but no result - do I need to navigate somewhere? Thanks!

 

[eibgrad]

Thanks for your suggestion. I am aware about the different WAN and port naming conventions across router models, but they should be the same for a given model right? I have the same router, AC86U as the OP, which is why I decided to try his approach - no guess work adapting other scripts on these forums.

Nevertheless, I'd like to try your suggestion about checking via the ip route command. However, I am still learning, so could you please help with some more description? I know how to access the router log in the GUI and can clear it there. Is that the "dumping the routing table" you refer to? And then, where do I enter the ip route command? I'm doing it from terminal bash but no result - do I need to navigate somewhere? Thanks!

Every AC86U should be identical hardware-wise, but I can't guarantee that every one is identical as configured. Everyone is using different features, many times even other third-party scripts. All of this can create conflicts, esp. w/ the firewall. As I've said before, it's amazing that all these scripts work as well as they do considering how many there are, and that they come from different authors, all acting independently of the firmware developer. This is esp. worrisome when you start messing w/ VLANs and bridging.

Anyway, you need to use ssh (the shell) to issue commands like 'ip route'. It should result in output similar to the following (in this case, by RT-AC68U).

admin@lab-merlin1:/tmp/home/root# ip route
192.168.63.1 dev vlan2  proto kernel  scope link
10.8.0.0/24 dev tun21  proto kernel  scope link  src 10.8.0.1
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
192.168.63.0/24 dev vlan2  proto kernel  scope link  src 192.168.63.102
192.168.61.0/24 via 192.168.63.1 dev vlan2  metric 1

In fact, it may help to see the results of the script for *all* the affected system data structures, including ifconfig and iptables (assuming the script even got executed; sometimes users don't properly configure or place these user defined scripts in /jffs/scripts, or even have that feature enabled in Administration->System). Let's see if it all makes sense in the context of YOUR router's overall configuration.

ifconfig
ip route
brctl show
iptables -vnL INPUT
iptables -vnL FORWARD
iptables -t nat -vnL POSTROUTING

 

[Diver]

Hello! I have the same AC86U router as the OP, but I need something different. I need to use my WAN port as a LAN, can I get help with that?
I am connected to the internet via a USB modem (4G), but I need to connect 5 devices to one network using a wired cable.

 

[eibgrad]

Hello! I have the same AC86U router as the OP, but I need something different. I need to use my WAN port as a LAN, can I get help with that?
I am connected to the internet via a USB modem (4G), but I need to connect 5 devices to one network using a wired cable.

The only thing your problem seems to have in common w/ this thread is the make & model of router. If that's the case, you need to start a thread of your own. Not unless you're trying to employ the OP's changes in addition to your own.

 

[hervon]

Hello! I have the same AC86U router as the OP, but I need something different. I need to use my WAN port as a LAN, can I get help with that?
I am connected to the internet via a USB modem (4G), but I need to connect 5 devices to one network using a wired cable.

Buy a cheap 4 ports unmanaged switch. Solved.

 

[dcballers]

There's definitely an issue with the firewall script. I've checked the router log and I don't even see evidence that it has run.

The log does have evidence that services-start ran. Also including the couple lines after it in case that means something?

May 5 01:05:15 br100: services-start: creating br100 with LAN PORT 4 (eth1)
May 5 01:05:15 br100: services-start: setting up IPv4 address for br100
May 5 01:05:15 wsdd2[1840]: error: wsdd-mcast-v4: wsd_send_soap_msg: send
May 5 01:05:16 wsdd2[1840]: error: wsdd-mcast-v4: wsd_send_soap_msg: send

Nowhere in the log does "firewall-start" appear, even though that script is supposed to write to the log.

Here's where the script sits in JFFS, right next to everything else. Services-start script does run as evidenced by the log, as does nat-start because I have other iptables rules in there that are working. Anything wrong here:

XXXXXXX@RT-AC86U-3610:/jffs/scripts# ls
firewall-start nat-start services-start

and here's the script itself, is there anything wrong with it?

#!/bin/sh

# For isolating LAN4 (assigned to bridge br100 in services-start
logger -t "br100" “firewall-start: setting up firewall for br100"

# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

logger -t "br100" “firewall-start: allow internet access for br100”

# Allow packet forwarding between br100 and eth0 (WAN)
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT

I ran the iproute command as you suggested and it does seem that eth0 is my WAN. Results below, specific IPs masked. Note I have a few VPN clients running (not currently tunneling isolated LAN port, but I do hope to if I can get this to work)

XXXXXXXX@RT-AC86U-3610:/# ip route
default via XX.XXX.XXX.X dev eth0
XX.XXX.XXX.X dev tun14 proto kernel scope link src XX.XXX.XXX.X
XX.XXX.XXX.X dev tun15 proto kernel scope link src XX.XXX.XXX.X
XX.XXX.XXX.X dev tun12 proto kernel scope link src XX.XXX.XXX.X
XX.XXX.XXX.0/21 dev eth0 proto kernel scope link src [MY PUBLIC IP ADDRESS]
XX.XXX.XXX..1 dev eth0 proto kernel scope link
XX.XXX.XXX.X/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
192.168.150.0/24 dev br100 proto kernel scope link src 192.168.150.1

I also ran the more extended list of commands you suggested. The log is quite long, too much to paste here. What should I be looking out for in the results?
Thank you!

 

[eibgrad]

@dcballers

Is the firewall-start script marked executable? You should be able to just run it from the shell and have it execute. If there's a problem w/ the script, you should see some errors. I recommend using the -x option for debugging purposes.

sh -x /jffs/scripts/firewall-start

As far as the long list of commands, since I don't know what specifically went wrong, I need to see it all. You could always paste the output to Pastebin.com and provide a link.

 

[eibgrad]

I ran the iproute command as you suggested and it does seem that eth0 is my WAN. Results below, specific IPs masked. Note I have a few VPN clients running (not currently tunneling isolated LAN port, but I do hope to if I can get this to work)

XXXXXXXX@RT-AC86U-3610:/# ip route
default via XX.XXX.XXX.X dev eth0
XX.XXX.XXX.X dev tun14 proto kernel scope link src XX.XXX.XXX.X
XX.XXX.XXX.X dev tun15 proto kernel scope link src XX.XXX.XXX.X
XX.XXX.XXX.X dev tun12 proto kernel scope link src XX.XXX.XXX.X
XX.XXX.XXX.0/21 dev eth0 proto kernel scope link src [MY PUBLIC IP ADDRESS]
XX.XXX.XXX..1 dev eth0 proto kernel scope link
XX.XXX.XXX.X/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
192.168.150.0/24 dev br100 proto kernel scope link src 192.168.150.1

Btw, there's no need to hide *private* IPs within your dumps. Those are NOT routable across the internet. And since everyone is using the same private IP networks, there's no particular advantage in anyone knowing this information. In fact, given you have *multiple* OpenVPN clients active at the same time, how do I know there's isn't some sort of conflict among all these IP networks, or between them and your latest addition (192.168.150.0/24)? Every network interface has to be unique wrt its assigned IP network. But you've masked all but the IP network specific to this script (br100) and the private network (br0). It perfectly fine to hide you *public* IP, but the hiding the *private* IPs just makes diagnosing problems that much more difficult.

 

[dcballers]

Thanks for your reply. I used this

sh -x /jffs/scripts/firewall-start

and it in fact threw an error. There was a mismatch with the type of quote used. In these forums, the double quote appears straight - so there is no difference between a starting and ending quote - whereas my text editor uses the curly quotes. My script was a combination of what I copy/pasted from here with some additional log messages I added and that introduced the inconsistency. I replaced all of the quotes and got them consistent and now the script ran! I rebooted the router and the "firewall-start" messages appear in the log.

However, still not having luck with internet connectivity on that port.

Thanks for the tip on which IP addresses are worth masking in the dump and which are not. Some of them I can identify as private but others I'm not sure, as they share the first two with my public IP but the last two segments are different. I have partially masked those ones in the dump below. The YY.YYY.YYY represents the same set of numbers in each of the 3 places it appears below, and the first two segments match the first two segments of my public IP.

ASUSWRT-Merlin RT-AC86U 386.3_2 Fri Aug  6 21:48:26 UTC 2021
XXXXXXXXX@RT-AC86U-3610:/tmp/home/root# ip route
default via YY.YYY.YYY.1 dev eth0
10.32.0.82 dev tun14 proto kernel scope link src 10.32.0.81
10.34.0.86 dev tun15 proto kernel scope link src 10.34.0.85
10.35.0.33 dev tun12 proto kernel scope link src 10.35.0.34
YY.YYY.YYY.0/21 dev eth0 proto kernel scope link src [MY PUBLIC IP]
YY.YYY.YYY.1 dev eth0 proto kernel scope link
127.0.0.0/8 dev lo scope link
192.168.50.0/24 dev br0 proto kernel scope link src 192.168.50.1
192.168.150.0/24 dev br100 proto kernel scope link src 192.168.150.1

The longer log from that other set of commands you suggested is here https://pastebin.com/LSvkj7Bn. Again, masked my public IP and a couple of ones I'm unsure of. YY.YYY.AAA matches the first 3 sections of my IP and YY.YYY.BBB matches just the first two. They are each consistent everywhere they appear. I also masked a couple of hardware Mac addresses (not sure if this is necessary) but kept the last two digits so that they could be identified as distinct.


I really can't thank you enough for the generosity of your time in helping me. I hope to be able to pay it forward one day once I have learned more.

 

[eibgrad]

@dcballers

Nothing specifically caught my eye from those dumps, except the fact there is no activity on the FORWARD chain of the filter table to indicate any attempt was made by a client of the br100 network to access the internet. The packet and byte counts are 0 (zero).

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    ...
    0     0 ACCEPT     all  --  br100  eth0    0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  br100  *       0.0.0.0/0            0.0.0.0/0

Since the OP didn't describe how to include DHCP support for the new bridge, that requires you correctly configure the client for IP statically, on the client itself. That has to include an IP assignment from 192.168.150.x (e.g., 192.168.150.100), netmask (255.255.255.0), default gateway (192.168.150.1), and DNS server(s) (e.g., 8.8.8.8, 8.8.4.4 ). Did you do all that?

P.S. Or did you perhaps follow the DHCP instructions of prior posts?

 

[dcballers]

@eibgrad

Thanks, I was wondering about the consequences of the lack of DHCP support. I have static IPs setup for many devices on my main LAN but couldn't figure out how to do it for the new bridge LAN. When I go to the DHCP Server tab in the WebUI to manually add an IP I am stuck in two ways:
1) I do not know the MAC address of the device. In the past, my router picks up what's connected to it and I can just select it from a list.
2) The new LAN IP range is not within the IP Pool range, so even if I had the MAC address it tells me "invalid IP" if I try to add anything outside of the 192.168.50.x

I have not yet searched other posts for DHCP instructions to apply to my situation here. I will do so and if you have one in mind or additional guidance here it would be much appreciated.

UPDATE:

Found this above, will try it. Thank you for the tip:

If you will have only static IP's on the new LAN you dont need to do anything else. Just assign each client static IP in the new LAN subnet range. For example, if you have configured new segment with "
ifconfig br100 192.168.150.1 netmask 255.255.255.0", just assign clients IP within this IP range. This is all you need.

On the other hand, if you need DHCP for thie new LAN segment add the following code to /jffs/configs/dnsmasq.conf.add and restart dnsmasq.

interface=br100
# DHCPv4 range: 192.168.150.2 - 192.168.150.254, netmask: 255.255.255.0
# DHCPv4 lease time: 86400s (1 day)
dhcp-range=br100,192.168.150.2,192.168.150.254,255.255.255.0,86400s
# DHCPv4 router (option 3): 192.168.150.1
dhcp-option=br100,3,192.168.150.1

 

[eibgrad]

@dcballers (or anyone else interested)

If you prefer DHCP support, you can simply copy/paste the following script into an ssh window, then reboot.

CONFIGS_DIR='/jffs/configs'
CONFIG="$CONFIGS_DIR/dnsmasq.conf.add"

mkdir -p $CONFIGS_DIR

create_config() {
cat << "EOF" > $CONFIG
interface=br100
dhcp-range=br100,192.168.150.2,192.168.150.254,255.255.255.0,24h
dhcp-option=br100,3,192.168.150.1
dhcp-option=br100,6,8.8.8.8,8.8.4.4
EOF
}

if [ -f $CONFIG ]; then
    echo "error: $CONFIG already exists; requires manual installation"
else
    create_config
    echo 'Done.'
fi
:

 

[dcballers]

@dcballers (or anyone else interested)

If you prefer DHCP support, you can simply copy/paste the following script into an ssh window, then reboot.

CONFIGS_DIR='/jffs/configs'
CONFIG="$CONFIGS_DIR/dnsmasq.conf.add"

mkdir -p $CONFIGS_DIR

create_config() {
cat << "EOF" > $CONFIG
interface=br100
dhcp-range=br100,192.168.150.2,192.168.150.254,255.255.255.0,24h
dhcp-option=br100,3,192.168.150.1
dhcp-option=br100,6,8.8.8.8,8.8.4.4
EOF
}

if [ -f $CONFIG ]; then
    echo "error: $CONFIG already exists; requires manual installation"
else
    create_config
    echo 'Done.'
fi
:

Thanks for this. It ran without error:

XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# CONFIGS_DIR='/jffs/configs'
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# CONFIG="$CONFIGS_DIR/dnsmasq.conf.add"
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root#
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# mkdir -p $CONFIGS_DIR
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root#
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# create_config() {
> cat << "EOF" > $CONFIG
> interface=br100
> dhcp-range=br100,192.168.150.2,192.168.150.254,255.255.255.0,24h
> dhcp-option=br100,3,192.168.150.1
> dhcp-option=br100,6,8.8.8.8,8.8.4.4
> EOF
> }
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root#
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# if [ -f $CONFIG ]; then
>     echo "error: $CONFIG already exists; requires manual installation"
> else
>     create_config
>     echo 'Done.'
> fi
Done.

And I did a reboot but still no luck. I did the set of ip config commands and as you noted earlier, there's still no packets showing in br100.

I then thought to try and run the nat-start and services-start scripts manually as you had suggested I do with the firewall-start to see if any errors showed up. nat-start ran fine but services-start threw some errors below. What's not clear to me is, are these errors due to the operation already having been run at boot (can't delete eth1 from br0 because it's already been added to br100) or is there something else?

:/# sh -x /jffs/scripts/services-start
+ cal port to interface map for RT-AC86U:
/jffs/scripts/services-start: line 1: cal: not found
+ brctl delif br0 eth1
can't delete eth1 from br0: Operation not supported
+ logger -t br100 services-start: creating br100 with LAN PORT 4 (eth1)
+ brctl addbr br100
add bridge failed: Invalid argument
+ brctl stp br100 on
+ brctl addif br100 eth1
can't add eth1 to bridge br100: Operation not supported
+ brctl setfd br100 2
+ logger -t br100 services-start: setting up IPv4 address for br100
+ ifconfig br100 192.168.150.1 netmask 255.255.255.0
+ ifconfig br100 up

 

[eibgrad]

Thanks for this. It ran without error:

XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# CONFIGS_DIR='/jffs/configs'
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# CONFIG="$CONFIGS_DIR/dnsmasq.conf.add"
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root#
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# mkdir -p $CONFIGS_DIR
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root#
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# create_config() {
> cat << "EOF" > $CONFIG
> interface=br100
> dhcp-range=br100,192.168.150.2,192.168.150.254,255.255.255.0,24h
> dhcp-option=br100,3,192.168.150.1
> dhcp-option=br100,6,8.8.8.8,8.8.4.4
> EOF
> }
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root#
XXXXXXXXXXX@RT-AC86U-3610:/tmp/home/root# if [ -f $CONFIG ]; then
>     echo "error: $CONFIG already exists; requires manual installation"
> else
>     create_config
>     echo 'Done.'
> fi
Done.

And I did a reboot but still no luck. I did the set of ip config commands and as you noted earlier, there's still no packets showing in br100.

I then thought to try and run the nat-start and services-start scripts manually as you had suggested I do with the firewall-start to see if any errors showed up. nat-start ran fine but services-start threw some errors below. What's not clear to me is, are these errors due to the operation already having been run at boot (can't delete eth1 from br0 because it's already been added to br100) or is there something else?

:/# sh -x /jffs/scripts/services-start
+ cal port to interface map for RT-AC86U:
/jffs/scripts/services-start: line 1: cal: not found
+ brctl delif br0 eth1
can't delete eth1 from br0: Operation not supported
+ logger -t br100 services-start: creating br100 with LAN PORT 4 (eth1)
+ brctl addbr br100
add bridge failed: Invalid argument
+ brctl stp br100 on
+ brctl addif br100 eth1
can't add eth1 to bridge br100: Operation not supported
+ brctl setfd br100 2
+ logger -t br100 services-start: setting up IPv4 address for br100
+ ifconfig br100 192.168.150.1 netmask 255.255.255.0
+ ifconfig br100 up

The output from manually running that services-start script makes no sense. Even if those data structures existed prior to doing that, you would have received errors like "device br100 already exists; can't create bridge with the same name", or "device eth1 is already a member of a bridge; can't enslave it to bridge br100". The errors you're receiving are more like the script is borked somehow. "line 1: cal: not found" ???

 

[eibgrad]

Just like the dnsmasq changes, copy/paste the following into an ssh window to recreate the services-start script.

cat << "EOF" > /jffs/scripts/services-start
#!/bin/sh

# Physical port to interface map for RT-AC86U:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Delete those interfaces that we want to isolate from br0
brctl delif br0 eth1
brctl delif br0 eth2

# Create a new bridge br1 for isolated interfaces
logger -t "br100" "services-start: creating br100 with LAN PORTS 3 & 4 (eth1-2)"
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth1
brctl addif br100 eth2
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br100
# Here we set the subnet to be 192.168.150.0/24
logger -t "br100" "services-start: setting up IPv4 address for br100"
ifconfig br100 192.168.150.1 netmask 255.255.255.0
ifconfig br100 up
EOF
chmod +x /jffs/scripts/services-start
:

This is verbatim what the OP posted originally.

 

[eibgrad]

Same thing w/ the firewall-start script.

cat << "EOF" > /jffs/scripts/firewall-start
#!/bin/sh

# Make sure the script is indeed invoked
logger -t "br100" "firewall-start: applying fw rules for br100"

# Allow new incoming connections from br100
iptables -I INPUT -i br100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Allow br100 access the web UI and SSH of the main router
iptables -I INPUT -i br100 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport [YOUR SSH PORT] -j ACCEPT

# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

# But allow packet forwarding inside br100
iptables -I FORWARD -i br100 -o br100 -j ACCEPT

# Allow packet forwarding between br100 and eth0 (WAN)
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT

# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
iptables -I FORWARD -i br0 -o br100 -j DROP

# But allow one-way traffic from br0 to br100 only for restricted ports - Synology NAS and PLEX
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 32400,5001 -j ACCEPT
iptables -I FORWARD -i br100 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.150.1/24 -p icmp --icmp-type echo-request -j DROP
EOF
chmod +x /jffs/scripts/firewall-start
:

You shouldn't need the nat-start script, as I indicated in a prior post.

Then reboot and see what you get.

 

[dcballers]

Thanks. I think I know what happened there, but I recreated the script as you suggested above. Only modification was to remove the eth2 stuff as OP is isolating two LAN ports and me only one. Final code was:

cat << "EOF" > /jffs/scripts/services-start
#!/bin/sh

# Physical port to interface map for RT-AC86U:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Delete those interfaces that we want to isolate from br0
brctl delif br0 eth1
# brctl delif br0 eth2

# Create a new bridge br1 for isolated interfaces
logger -t "br100" "services-start: creating br100 with LAN PORTS 4 (eth1)"
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth1
# brctl addif br100 eth2
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br100
# Here we set the subnet to be 192.168.150.0/24
logger -t "br100" "services-start: setting up IPv4 address for br100"
ifconfig br100 192.168.150.1 netmask 255.255.255.0
ifconfig br100 up
EOF
chmod +x /jffs/scripts/services-start
:

It ran fine and then I did a couple of reboots. Still no connectivity. I tried to run the script manually to see if there were any errors

XXXXX@RT-AC86U-3610:/tmp/home/root# sh -x /jffs/scripts/services-start
+ brctl delif br0 eth1
can't delete eth1 from br0: Operation not supported
+ logger -t br100 services-start: creating br100 with LAN PORTS 4 (eth1)
+ brctl addbr br100
add bridge failed: Invalid argument
+ brctl stp br100 on
+ brctl addif br100 eth1
can't add eth1 to bridge br100: Operation not supported
+ brctl setfd br100 2
+ logger -t br100 services-start: setting up IPv4 address for br100
+ ifconfig br100 192.168.150.1 netmask 255.255.255.0
+ ifconfig br100 up

I found a previous thread from OP and you where he describes his approach and I notice those scripts are not exactly the same as what he posted on this thread: http://www.snbforums.com/threads/lan-port-isolation.70989/post-671419. There, he ends with

ifconfig br100 allmulti up

whereas he has dropped the allmulti in this thread.

I really appreciate all your help. You've gone above and beyond. I'm running out of ideas and beginning to wonder if it just may not work with my setup for whatever reason :/

 

[dcballers]

Same thing w/ the firewall-start script.

cat << "EOF" > /jffs/scripts/firewall-start
#!/bin/sh

# Make sure the script is indeed invoked
logger -t "br100" "firewall-start: applying fw rules for br100"

# Allow new incoming connections from br100
iptables -I INPUT -i br100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

# Allow br100 access the web UI and SSH of the main router
iptables -I INPUT -i br100 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport [YOUR SSH PORT] -j ACCEPT

# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

# But allow packet forwarding inside br100
iptables -I FORWARD -i br100 -o br100 -j ACCEPT

# Allow packet forwarding between br100 and eth0 (WAN)
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT

# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
iptables -I FORWARD -i br0 -o br100 -j DROP

# But allow one-way traffic from br0 to br100 only for restricted ports - Synology NAS and PLEX
iptables -I FORWARD -i br0 -o br100 -p tcp --match multiport --dports 32400,5001 -j ACCEPT
iptables -I FORWARD -i br100 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.150.1/24 -p icmp --icmp-type echo-request -j DROP
EOF
chmod +x /jffs/scripts/firewall-start
:

You shouldn't need the nat-start script, as I indicated in a prior post.

Then reboot and see what you get.

Thanks, I crossed posts with you here. Didn't see this until I already posted my reply. I'm not sure that I want all of the same traffic rules as him with the remote access and some interactions allowed between the bridges that he describes. I suppose I could try this verbatim as proof of concept, but I would like to limit this to just keeping the br100 without any intranet access.