ds25 DD-WRT Novice
Joined: 21 Aug 2016 Posts: 2
Posted: Sun Aug 21, 2016 0:44 Post subject: Ethernet isolation
Hi all
The issue of port isolation seems to be reasonably well covered across this and other DD-WRT sites, so either I'm missing something obvious, or I'm just not fully understanding what is happening in the setup. I would rate my knowledge as average to good at best.
I'm trying to isolate a specific device on my router, so that it can access the internet but not the rest of my network, including the router (and also that the rest of my network cannot access the specific device). The device will always use a specific LAN port, so I'm happy to isolate using MAC, IP or port, whichever gets the job done.
I use a Linksys WRT54GL running DD-WRT v24-sp2 (07/22/09) mini. I have successfully created a VLAN, and DHCPD dishes out addresses in the correct ranges for my private network (192.168.1.2-100), my guest wifi (192.168.2.1-100) and the port I want to isolate (192.168.3.1). When I try to isolate that port using firewall commands, I get one of two problems:
1) the device can see the internet, AND the rest of my network, or
2) the device cannot see the internet or anything on my network.
The commands I am using are:
# iptables -I FORWARD -i vlan2 -o vlan+ -j DROP
# iptables -I FORWARD -i vlan+ -o vlan2 -j DROP
# iptables -I FORWARD -i vlan2 -o vlan1 -j ACCEPT
# iptables -I FORWARD -i vlan1 -o vlan2 -j ACCEPT
VLAN2 is the VLAN that the port I want to isolate resides in.
VLAN1 is, I believe, the VLAN that has access to the WAN (i.e. internet). I am basing that on the setting in the Setup -> Networking -> Port Setup section of the GUI. However, in the VLANS setup page I see that my other ethernet ports are set to VLAN0. On that same page, VLAN2 is set to bridge "none".
I have tried all combinations of bridging the VLAN and changing the firewall rule to allow VLAN0, but no joy.
Any ideas what I'm doing wrong here? Happy to post pictures of specific setup pages if that helps. Interestingly, my guest wifi is successfully isolated from my home network, but I cannot figure out how I did that (some time ago).
Any help greatly appreciated! Thanks
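The four rules in the post are worth stepping through, because two properties of iptables decide what they do: the FORWARD chain is evaluated top to bottom and the first matching rule wins, and `-I` inserts each new rule at the head of the chain (so four `-I` commands end up in reverse order), while `-A` appends. A third detail matters on DD-WRT specifically: the LAN ports (vlan0 on a WRT54GL) and the wireless are bridged into `br0`, and for traffic routed into a bridge the kernel reports the bridge, `br0`, as the output interface, so a pattern like `-o vlan+` never matches it. The model below is an added example, not code from the post or from DD-WRT; it re-implements only interface matching and rule order (no connection tracking, no `state` matches) and uses a placeholder ACCEPT policy to stand in for the router's own default FORWARD rules, which is an assumption. It shows how the posted rules give the "device can see everything" outcome when the LAN is `br0`, how the same rules issued with `-A` instead of `-I` give the "device can see nothing" outcome, and a rule pair that matches on `br0` instead.

```python
"""Toy model of iptables FORWARD-chain evaluation (added example, not DD-WRT code).

Models three things only:
  * first matching rule wins, otherwise the chain policy applies
  * 'iptables -I' inserts at the head, 'iptables -A' appends at the tail
  * an interface pattern ending in '+' is a prefix wildcard (vlan+ matches vlan0, vlan1, ...)
Connection tracking and the router's real default rules are NOT modelled;
the chain policy 'ACCEPT' below is a placeholder for them (assumption).
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    in_if: Optional[str]   # -i pattern, None = any
    out_if: Optional[str]  # -o pattern, None = any
    target: str            # ACCEPT or DROP


def iface_match(pattern: Optional[str], name: str) -> bool:
    """iptables interface match: exact name, or prefix wildcard with a trailing '+'."""
    if pattern is None:
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


@dataclass
class Chain:
    policy: str = "ACCEPT"  # placeholder for the router's own default rules (assumption)
    rules: List[Rule] = field(default_factory=list)

    def insert(self, rule: Rule) -> None:  # iptables -I FORWARD ...
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:  # iptables -A FORWARD ...
        self.rules.append(rule)

    def verdict(self, in_if: str, out_if: str) -> str:
        """First matching rule decides; fall back to the chain policy."""
        for r in self.rules:
            if iface_match(r.in_if, in_if) and iface_match(r.out_if, out_if):
                return r.target
        return self.policy


# The four rules from the post, in the order they were typed.
POSTED_RULES = [
    Rule("vlan2", "vlan+", "DROP"),
    Rule("vlan+", "vlan2", "DROP"),
    Rule("vlan2", "vlan1", "ACCEPT"),
    Rule("vlan1", "vlan2", "ACCEPT"),
]


def posted_chain_with_insert() -> Chain:
    """Issued with -I: each rule lands above the previous one, so the ACCEPTs end up first."""
    c = Chain()
    for r in POSTED_RULES:
        c.insert(r)
    return c


def posted_chain_with_append() -> Chain:
    """Same rules issued with -A: the DROP on vlan2 -> vlan+ sits first and also eats vlan2 -> vlan1."""
    c = Chain()
    for r in POSTED_RULES:
        c.append(r)
    return c


def bridge_aware_chain() -> Chain:
    """Block the isolated VLAN against the bridged LAN by naming br0 explicitly.

    Internet access (vlan2 -> vlan1) is left to the placeholder policy, i.e. to whatever
    the router's existing FORWARD rules already allow (assumption).
    """
    c = Chain()
    c.insert(Rule("vlan2", "br0", "DROP"))  # isolated port -> LAN/wifi bridge
    c.insert(Rule("br0", "vlan2", "DROP"))  # LAN/wifi bridge -> isolated port
    return c


if __name__ == "__main__":
    for name, chain in [("-I", posted_chain_with_insert()),
                        ("-A", posted_chain_with_append()),
                        ("br0", bridge_aware_chain())]:
        print(name, [(r.in_if, r.out_if, r.target) for r in chain.rules])
        for path in [("vlan2", "vlan1"), ("vlan2", "vlan0"), ("vlan2", "br0"), ("br0", "vlan2")]:
            print("   ", "->".join(path), chain.verdict(*path))
```

Running the block prints the resulting rule order for each variant and the verdict for the isolated port talking to the WAN (vlan1), to a raw vlan0, and to the bridge in both directions. The `-I` variant drops vlan2 to vlan0 but accepts vlan2 to br0, which is the "sees the internet and the whole network" symptom when the LAN really lives on br0; the `-A` variant drops vlan2 to vlan1 as well, which is the "sees nothing" symptom. Verify the live order on the router with `iptables -L FORWARD -v --line-numbers` and the output interface with `ip route get <LAN address>` before trusting any rule set; traffic to the router itself is handled by the INPUT chain, which this model does not cover.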