Port Isolation

[Denna]

I'm interested in isolating ports on the router so they can't communicate with each other.

Below is an attempt to do so.

 

[Fitz Mutch]

Will there be any new bridge interfaces? What happens to the current bridge interface (br0)?

 

[Fitz Mutch]

If the "br0" interface was updated to use each Ethernet port's unique VLAN interface, wouldn't that work ?

DNSMasq/DHCP will create the subnets, based on what interfaces? Each VLAN interface (vlan1.x) or bridge interface (brX)? I would try figure out that piece first.

 

[Denna]

This will take a bit of time.

 

[Fitz Mutch]

@Fitz Mutch,

This solution is developing a little bit at a time.

In AsusWRT, netfilter/iptables only sees the bridge interface (br0), not the physical interfaces (vlanX). If you want to filter on the specific vlans, then you need ebtables brouting rules, then you can filter on the physical interfaces (vlanX). Or, have a separate bridge interface (br0, br1, br2, etc.) for each Ethernet port. That's about all I know for this stuff.

The following rules probably wouldn't do anything... unless you had corresponding ebtables brouting rules to unbridge the frames.

#Block communication between all private VLANs.
iptables -I FORWARD -i vlan+ ! -o vlan2 -j DROP
iptables -I FORWARD ! -i vlan2 -o vlan+ -j DROP

#Allow all private VLANs to communicate with vlan2.
iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT

How to configure Dnsmasq for each subnet?

/jffs/scripts/dnsmasq.postconf

#!/bin/sh
for N in 1 2 3 4 5 6 7 8; do
cat <<EOF >>"$1"
### configure DHCP subnet for Ethernet port ${N}?
interface=Eth_Port_${N}
dhcp-range=Eth_Port_${N},192.168.${N}0.2,192.168.${N}0.254,255.255.255.0,8h
dhcp-option=Eth_Port_${N},3,192.168.${N}0.1
dhcp-option=Eth_Port_${N},6,8.8.8.8,8.8.4.4
EOF
done

 

[Jack Yaz]

Some VLAN ids are already in use, better to start higher at say, 1000 to avoid conflicts I think

 

[Fitz Mutch]

How about this ?

Here's what I found while doing quick check of AsusWRT. Probably want to avoid stepping on reserved or known packet marks... these are marks that would "bit XOR modify" other marks that are currently in use by the firmware.

Asus uses packet marks for guest network QoS, which has not been finalized yet? Try to figure out which packet marks are reserved by following the source code. It's probably not documented anywhere.
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/qos.c#L1434
AND
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-22#post-229680

Merlin NAT loopback marks the packets too
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/firewall.c#L4334

 

[Fitz Mutch]

How could you come up with a unique packet mark ?

0000000001111111 = 0x007F = 127    ASUS QoS and bandwidth limiter
0000000010000000 = 0x0080 = 128    (ISIS) Ethernet Port 1
0000000100000000 = 0x0100 = 256    (ISIS) Ethernet Port 2
0000001000000000 = 0x0200 = 512    (ISIS) Ethernet Port 3
0000010000000000 = 0x0400 = 1024   (ISIS) Ethernet Port 4
0000100000000000 = 0x0800 = 2048   (ISIS) Ethernet Port 5
0001000000000000 = 0x1000 = 4096   (ISIS) Ethernet Port 6
0010000000000000 = 0x2000 = 8192   (ISIS) Ethernet Port 7
0100000000000000 = 0x4000 = 16384  (ISIS) Ethernet Port 8
1000000000000000 = 0x8000 = 32768  Merlin NAT Loopback

 

[Fitz Mutch]

Where did you find that ?

All these questions you have, can be answered by reading the AsusWRT source code.

 

[Fitz Mutch]

Just read your post at ...

I am sorry, I don't remember writing that. It seems he was just explaining how it works. It was probably my brother Jon.