[SOLVED] Tomato shibby VLAN's forwarding

[FB29]

Hey all,

I have none experience with firewallrules.
I hope that someone can and will help me.

In my router Asus RT-AC66U with the latest tomato shibby fw i have create 3 VLAN's

VLAN 0/1 = my normal home network
VLAN 2 = my guest network
VLAN 3 = my IOT network.

I like to have acces from VLAN0/1 to VLAN3, but VLAN3 can't have acces to VLAN0/1 and VLAN2.

How can i create this ?

Regard's

 

[CaptainSTX]

Hey all,

I have none experience with firewallrules.
I hope that someone can and will help me.

In my router Asus RT-AC66U with the latest tomato shibby fw i have create 3 VLAN's

VLAN 0/1 = my normal home network
VLAN 2 = my guest network
VLAN 3 = my IOT network.

I like to have acces from VLAN0/1 to VLAN3, but VLAN3 can't have acces to VLAN0/1 and VLAN2.

How can i create this ?

Regard's

First things first: In Tomato

VLAN1 = LAN
VLAN2 = WAN
VLAN3 = LAN1 (Can assign some other number if you choose)

I use VLANS in Tomato but I have never tried to configure them the way you are requesting. Unless someone can give you the exact answer to your question I would go to the setting tab called VLAN ACCESS and experiment to see if you can get the routing options you want to work. If you can't get it to work using the GUI then you will have to create specific rules in the iptables.

 

[coxhaus]

I don't know with Tomato but in the Cisco world you would turn on inter-VLAN routing so all the VLANs can talk to each other. Then to limit the access you would create ACL, access lists to limit buy IP, network, protocol, MAC and probably others which don't come to mind right now.

 

[roguetr]

First things first: In Tomato

VLAN1 = LAN
VLAN2 = WAN
VLAN3 = LAN1 (Can assign some other number if you choose)

As mentioned by CaptainSTX, some VLANs are reserved for switch functionality. You have to be mindful of how you want the switch to fuction if you adjust them.

If Tomato is anything like OpenWRT, you will just have to ensure there is an allowed forwarding rule (controlled by iptables) between the networks that you wish to intercommunicate, and that you don't have a default policy between them of deny or reject. OpenWRT calls these "zones" and most, if not everything, can be configured from the web interface.

Otherwise, some custom iptables rules would definitely accomplish what you need as suggested by CaptainSTX. Depending on the default config maybe in just one or two lines.

*Edit* FYI, rather than leave you hanging, something like:

iptables -A FORWARD -i $int1 -o $int2 -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -A FORWARD -i $int2 -o $int1 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT

Obviously modify to suit. You may need to use predefined variables already provided by the firmware when specifying custom rules.

Sent from my MI 5 using Tapatalk

 

[FB29]

Thank you for this information.
The solution is simple..

Advanced/LAN Acces add a rule :

Src : LAN -- Src adress : 192.168.2.0 -- Dst : LAN1 -- Dst adress : 10.0.10.0

This does the trick.