Hi!
I've used subnetting to divide my LAN into 2 networks using the mask 255.255.255.128 and I wanted to use one subnet for my NAS and the other one for the rest of the devices in the house. The NAS should not be able to access any devices from the "home network" but all the devices from the "home network" should be able to access the NAS.
I have an ASUS RT-AC86U and got some inspiration from this other post: https://www.snbforums.com/threads/lan-port-isolation-on-asus-merlin-example.73704/ since it explains how to do something similar without having to use a vlan switch.
What I did works, but I'm not sure if I did it the right way, so I was wondering if someone could point out any issues with this approach.
This is what I did to make it work:
First network ID: 192.168.1.0/25
Second network ID: 192.168.1.128/25
NAS IP address: 192.168.1.150, default gateway: 192.168.1.129
Since my router can only have one IP address (which is in the first network), I created a bridge to use as the default gateway for the second network and set its IP address to 192.168.1.129 (not sure if there's a better way to create a "virtual" default gateway for a subnet). And then I forwarded all the packages from the "virtual default gateway" to the eth0 interface (WAN).
Bash:
# Physical port to interface map for RT-AC86U:
# eth0 WAN
# eth1 LAN 4
# eth2 LAN 3
# eth3 LAN 2
# eth4 LAN 1 (THIS IS WHERE THE NAS IS CONNECTED)
# eth5 2.4 GHz Radio
# eth6 5 GHz Radio
# Delete the interface with the NAS from br0 (the default bridge in the router)
brctl delif br0 eth4
# Create a new bridge br100 for the NAS
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth4
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)
# Set up the IPv4 address for br100
ifconfig br100 192.168.1.129 netmask 255.255.255.128
ifconfig br100 up
Then the firewall rules:
Bash:
# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP
# There's no need to add a rule to allow incoming traffic from the "home network" to my NAS network
# And I think it might be because one of the existing iptable rules in my router is the following:
# -A FORWARD -i br0 -j ACCEPT
# Allow packet forwarding between br100 and eth0 (WAN) to have internet in my NAS
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT
And that's it, with those commands, I get the following working:
- My NAS is isolated in a secondary network and it can't reach out to any other device in the house.
- My NAS has internet access.
- All of the devices in the primary network can access the NAS.
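The part of this setup that is easiest to get wrong is rule ordering: `iptables -I` inserts at the head of the chain, so the second command above lands in front of the `br100` DROP rule, which is why NAS-to-WAN traffic survives. The script below is an added example, not code from the post or from the router firmware: it models the FORWARD chain as a first-match list with the three rules the post mentions (the router's pre-existing `-A FORWARD -i br0 -j ACCEPT` plus the two inserted rules), evaluates the interface pairs that matter, and contrasts the posted `-I` with a hypothetical `-A` for the WAN rule. The chain's default policy of DROP, the flow names, and the omission of any stateful RELATED,ESTABLISHED rule are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule: matches on -i / -o and jumps to a terminating target."""
    target: str                   # "ACCEPT" or "DROP"
    in_if: Optional[str] = None   # -i <iface>, None means any
    out_if: Optional[str] = None  # -o <iface>, None means any

    def matches(self, in_if: str, out_if: str) -> bool:
        return (self.in_if is None or self.in_if == in_if) and (
            self.out_if is None or self.out_if == out_if
        )


class ForwardChain:
    """First-match evaluation of a FORWARD chain, ending in the chain policy."""

    def __init__(self, policy: str = "DROP") -> None:  # policy DROP is an assumption
        self.rules: List[Rule] = []
        self.policy = policy

    def append(self, rule: Rule) -> None:
        """iptables -A FORWARD ...: add at the tail."""
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:
        """iptables -I FORWARD [rulenum] ...: rule number 1 is the head."""
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, in_if: str, out_if: str) -> str:
        for rule in self.rules:
            if rule.matches(in_if, out_if):
                return rule.target
        return self.policy


# Interface pairs for the traffic the post cares about (constructed labels).
FLOWS: Dict[str, Tuple[str, str]] = {
    "home -> NAS": ("br0", "br100"),
    "NAS -> home": ("br100", "br0"),
    "NAS -> internet": ("br100", "eth0"),
    "home -> internet": ("br0", "eth0"),
}


def build_chain_as_posted() -> ForwardChain:
    chain = ForwardChain()
    chain.append(Rule("ACCEPT", in_if="br0"))                   # existing router rule
    chain.insert(Rule("DROP", in_if="br100"))                   # -I FORWARD -i br100 -j DROP
    chain.insert(Rule("ACCEPT", in_if="br100", out_if="eth0"))  # -I FORWARD -i br100 -o eth0 -j ACCEPT
    return chain


def build_chain_with_append_mistake() -> ForwardChain:
    """Same rules, but the WAN ACCEPT is appended (-A) and so is shadowed by the DROP."""
    chain = ForwardChain()
    chain.append(Rule("ACCEPT", in_if="br0"))
    chain.insert(Rule("DROP", in_if="br100"))
    chain.append(Rule("ACCEPT", in_if="br100", out_if="eth0"))  # hypothetical -A variant
    return chain


def evaluate(chain: ForwardChain) -> Dict[str, str]:
    """Verdict per flow, in the order the chain would actually decide them."""
    return {name: chain.verdict(i, o) for name, (i, o) in FLOWS.items()}


if __name__ == "__main__":
    for label, chain in (("posted (-I)", build_chain_as_posted()),
                         ("appended (-A)", build_chain_with_append_mistake())):
        print(label)
        for flow, result in evaluate(chain).items():
            print(f"  {flow:18} {result}")
```

Running it shows the posted ordering giving ACCEPT for home-to-NAS and NAS-to-internet and DROP for NAS-to-home, while the `-A` variant drops NAS-to-internet as well. The model deliberately ignores connection tracking; on a real router, where the stateful rule sits relative to the inserted DROP determines whether the NAS can even answer the home network, so `iptables -L FORWARD -v -n --line-numbers` after the change is the check worth running.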