VLAN's Still Able To Communicate Even After Firewall Rule

DD-WRT Forum Index -> Broadcom SoC based Hardware
Breakingcustom
DD-WRT User


Joined: 11 Mar 2008
Posts: 51

PostPosted: Sun Feb 19, 2012 16:17    Post subject: VLAN's Still Able To Communicate Even After Firewall Rule
I'm trying to set up a test network and installed two additional Gigabit cards in my server. They are Rosewill RC-400.

I have a Cisco E3000 with the DD-WRT v24-sp2 (04/13/11) std-usb-nas - build 16785 installed.

I went into VLANs and put ports 2 & 3 in VLAN3 and created a bridge with a 10.42.2.x network. I then assigned that bridge to the VLAN and created a DHCP server for it.

I also added "iptables -I FORWARD -i vlan+ -o vlan+ -j DROP" to the firewall to block communication between vlans (got this from another thread). The issue is I still can ping it from VLAN1 and when I go to the NIC card that has the cable plugged in it's not receiving an IP address.

My main reason for doing this is I want to create a test network. I'm currently running Server 2008 R2 with multiple VMs. I want to create a test network that I can set up as a domain environment with all the roles, but I don't want it to affect my production network.

Am I going in the right direction with this or am I missing something?
Breakingcustom
DD-WRT User


Joined: 11 Mar 2008
Posts: 51

PostPosted: Tue Feb 21, 2012 3:30    Post subject:
Any ideas?
m00nman
DD-WRT User


Joined: 14 Jan 2009
Posts: 406
Location: AB, Canada

PostPosted: Tue Feb 21, 2012 11:06    Post subject:
What I used in my setup was a similar command, but I blocked traffic from a to b and then from b to a. Specifically I used
Code:
iptables -I FORWARD -i br1 -o br0 -j logdrop
iptables -I FORWARD -i br0 -o br1 -j logdrop

change br interfaces to your vlans

As for the DHCP, the domain controller will preferably need to be the DHCP server as well when you set it up; otherwise you will have to mess with DHCP configs on the router (if it is even supported). So disable the DHCP for VLANs where you want your domain server set up.

Also, depending on the NIC's chip manufacturer, you may not need 3 NICs for different VLANs.
I know Intel, Broadcom and Realtek have tools to make Windows recognise multiple VLANs on 1 NIC. [It is so much easier with *nix.]

_________________

Netgear R6300 v2 - Latest Kong dd-wrt always
Linksys E3000 - Latest dd-wrt always
Asus RT-N56U - OpenWRT trunk
Breakingcustom
DD-WRT User


Joined: 11 Mar 2008
Posts: 51

PostPosted: Thu Feb 23, 2012 3:13    Post subject:
I changed my firewall configs with what you listed.

br0 has eth2, eth1 and vlan1, and br1 has vlan3. I'm going to test it out now.

EDIT: Nm my stupidity. I can ping the VLAN IP, but I'm unable to ping any hosts on VLAN1 from VLAN2. Not sure if that is a fluke or not.