Network Services Filter issue

[aphex]

I assume just because the Network Services Filter talks in terms of LAN --> WAN rules that I can still add rules essentially LAN --> LAN? I'm trying to block access to one IP on the same subnet on port 80 (any:any --> RFC1918 Class C IP address:80), but the rule does not work. Parental controls are not enabled so I assume it should work?

I'm on the latest Merlin firmware (much better than stock, many thanks), but I find it bizarre that after spending over $200 on an Asus RT-AC87U (an otherwise awesome router) that the Network Services Filter does not appear to work as standard. Having to SSH to the box & manipulate iptables is not what I was expecting, when you consider the Network Services Filter feature is meant to add custom fw rules for you.

Is there any possibility of Asus (or Merlin) activating the functionality of Network Services Filter?! Not sure what I'm doing wrong...did not expect my transition from a pfSense fw (don't ask) to this setup to be MORE complicated!

Any help would be most appreciated, thanks.

 

[mstombs]

LAN to LAN in same subnet usually doesn't touch the kernel netfilter code - it is handled by the switch driver or LAN bridge, so behaves much like a switch hub. To do what you want you have to split the 4-way LAN switch into vlans and add rules for connection between them, likely ssh/iptables I am afraid. I'm not sure you do this with asuswrt - certain dd-wrt ot tomato firmwares maybe.

 

[aphex]

LAN to LAN in same subnet usually doesn't touch the kernel netfilter code - it is handled by the switch driver or LAN bridge, so behaves much like a switch hub. To do what you want you have to split the 4-way LAN switch into vlans and add rules for connection between them, likely ssh/iptables I am afraid. I'm not sure you do this with asuswrt - certain dd-wrt ot tomato firmwares maybe.

I see! thanks for the quick reply. That's interesting, I was looking at this regarding setting up VLANs, so I'll look at the IPTV menu. I'm more used to using rules to restrict traffic between ints in pfsense that I've never used VLANs before (*cough*) but was considering VLANs on a single-subnet network now that my LAN is supposedly "simpler" without having to route between 5 different subnets as before, ha ha! Thanks again.

 

[mstombs]

I assume Asuswrt uses vlans for dualwan - in one mode it segregates a lan port for use as WAN2, but watch out there are internal physical port vlans which are Broadcom specific. External vlan tagging is something else.

 

[aphex]

I assume Asuswrt uses vlans for dualwan - in one mode it segregates a lan port for use as WAN2, but watch out there are internal physical port vlans which are Broadcom specific. External vlan tagging is something else.

Thanks again. I wanted to enable VLAN support on the RT-AC87U so I can route between VLANs on my D-Link smart switch. Sounds like it's possible.