Isolating private network resources from public network

DD-WRT Forum Index -> Advanced Networking
lch503
DD-WRT Novice


Joined: 13 Aug 2012
Posts: 19

PostPosted: Thu Sep 14, 2017 12:06    Post subject: Isolating private network resources from public network
Hello,

My network setup is below:

MAIN ROUTER - netgear R6250 - connected to internet
---------------
WAN IP: from ISP - LAN IP: 192.168.1.1 - Subnet: 255.255.255.0
---------------

SUB ROUTER 1 - dd-wrt build 21676 - connected to main router
---------------
WAN IP: 192.168.1.100 - LAN IP: 192.168.2.1 - Subnet: 255.255.255.0
---------------

SUB ROUTER 2 - dd-wrt build 21676 - connected to main router
---------------
WAN IP: 192.168.1.101 - LAN IP: 192.168.3.1 - Subnet: 255.255.255.0
---------------

Both sub routers run hotspotsystem for public wifi. The main netgear router is our private network.

When I am connected to the public wifi, I have noticed I am able to connect to resources such as backup drives on the private network.

I was wondering how I can isolate these from the dd-wrt routers so that the public are unable to access the private resources.

If you require more information please do not hesitate to ask.

Thanks,

Leon
sploit
DD-WRT User


Joined: 16 Apr 2016
Posts: 307
Location: California

PostPosted: Fri Sep 15, 2017 8:35    Post subject: Net Isolation and Access Point Isolation
VLANs and network segmentation.

BUT, you can also use Access Point Isolation and Net Isolation and make sure they use different IP ranges.

This stops the wireless clients from being able to see any network outside the IP range, or each other for that matter.

_________________
My Karma ran over your Dogma
SploitWorks Custom Flashed Routers
h8red
DD-WRT Guru


Joined: 28 Jun 2011
Posts: 580
Location: Vilnius, Lithuania

PostPosted: Fri Sep 15, 2017 14:04    Post subject: Re: Isolating private network resources from public network
lch503 wrote:
I was wondering how I can isolate these from the dd-wrt routers so that the public are unable to access the private resources

Save this line into sub routers firewall commands:
iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -j REJECT

_________________
[Ramips] Nexx WT3020F Openwrt @kernel #4.14.167 (OpenVPN server, Wireguard server, AD blocking, SQM QOS, USB)
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6870
Location: Romerike, Norway

PostPosted: Fri Sep 15, 2017 16:56
On the R6250 create a separate VLAN where the sub routers are connected. Block access to your private LAN from this VLAN with iptables.
lch503
DD-WRT Novice


Joined: 13 Aug 2012
Posts: 19

PostPosted: Sat Sep 16, 2017 10:17    Post subject: Block IP address range
I do like the suggestion of using iptables:

Quote:
iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -j REJECT

I can get a single IP blocked using the commands

iptables -I FORWARD -d 192.168.1.102 -j DROP
iptables -I INPUT -d 192.168.1.102 -j DROP

but the address range I wish to block is 192.168.1.100 to 192.168.1.150 (this is the IP range of my private network). Can you suggest a command that will do this? I have tried using the IP range command for iptables in the wiki and this has not worked for me.
hubermania
DD-WRT User


Joined: 24 Aug 2012
Posts: 223

PostPosted: Sun Dec 31, 2017 18:08    Post subject: Re: Block IP address range
lch503 wrote:
I do like the suggestion using iptables

iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -j REJECT

...but the address range I wish to block is 192.168.1.100 to 192.168.1.150. (This is the IP range of my private network) Can you suggest a command that will do this?

The command(s) will be much simpler if you first shift the address range of your private network. Move it to a single subnet like 192.168.1.64 to 192.168.1.127, aka 192.168.1.64/26, aka 192.168.1.64/255.255.255.192. Then your firewall command becomes simply:

iptables -I FORWARD -s 192.168.1.64/255.255.255.192 -j REJECT

_________________
[Broadcom] Asus rt-ac66u r35531 ('66 should only be factory reset through the DD UI)
Fix RT-AC66U "wl1 [2.4 GHz TurboQAM]". DD-WRT failsafe UI @ http|https://169.254.255.1/
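Editor's worked example, added to this thread and not taken from any of the posts above. It ties the three iptables suggestions together: it produces the sub-router firewall lines for an arbitrary private range, so the 192.168.1.100 to 192.168.1.150 range asked about can be blocked without renumbering the private network, and shows that hubermania's 192.168.1.64/26 collapses to a single rule. A range that is not one subnet is split into the CIDR blocks plain iptables accepts, which avoids the `-m iprange` match that did not work in the poster's build (where it is available, one `-m iprange --dst-range 192.168.1.100-192.168.1.150` rule would do the same). The rules match on the destination rather than the source used in the lines above, because a public client opening a connection to a backup drive sends packets whose destination is the private address. Assumptions: a POSIX sh with 64-bit arithmetic (busybox ash on DD-WRT, dash and bash all qualify), and that the rules go into the DD-WRT firewall script on each sub router.

```shell
#!/bin/sh
# Added example for this thread (not code from any post above).
# Generates the sub-router firewall rules that block forwarded traffic from
# the public side to a private address range, splitting a range that is not
# a single subnet (192.168.1.100-150) into the CIDR blocks plain iptables
# accepts, so it does not need the iprange match. Assumes a POSIX sh with
# 64-bit arithmetic (busybox ash on DD-WRT, dash and bash all qualify).

# Dotted quad -> unsigned integer (the subshell keeps IFS and $1..$4 local).
ip2int() {
    ( IFS=.; set -- $1
      echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Unsigned integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the minimal list of CIDR blocks covering first..last inclusive, one
# per line. At each step the block is widened while its start stays aligned
# and its end stays inside the range; the next block begins right after it.
range_to_cidrs() {
    ( start=$(ip2int "$1"); end=$(ip2int "$2")
      while [ "$start" -le "$end" ]; do
          prefix=32
          while [ "$prefix" -gt 0 ]; do
              size=$(( 1 << (33 - prefix) ))   # size of the next wider block
              if [ $(( start % size )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                  break
              fi
              prefix=$(( prefix - 1 ))
          done
          echo "$(int2ip "$start")/$prefix"
          start=$(( start + (1 << (32 - prefix)) ))
      done )
}

# Emit one REJECT per block for the DD-WRT firewall script. The match is on
# the destination: a public client opening a connection to a private host
# sends packets whose destination is that host, and -I puts the rule ahead
# of the default FORWARD rules that would otherwise accept it.
public_lan_rules() {
    range_to_cidrs "$1" "$2" | while read -r cidr; do
        echo "iptables -I FORWARD -d $cidr -j REJECT"
    done
}

# Seven rules for the range asked about in the thread ...
public_lan_rules 192.168.1.100 192.168.1.150
# ... and a single one once the private hosts sit in 192.168.1.64/26.
public_lan_rules 192.168.1.64 192.168.1.127
```

Run the script once, paste the printed `iptables` lines into Administration -> Commands on each sub router and save them as the firewall script so they survive a reboot. To check, run `iptables -L FORWARD -n -v --line-numbers` on the sub router and confirm the REJECT lines sit above the ACCEPT rules, then connect from the public WiFi: a connection to the backup drive should now fail immediately rather than time out, while Internet access keeps working because return traffic from the Internet never carries a 192.168.1.x address.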
All times are GMT