Posted: Tue Jan 09, 2018 18:52 Post subject: Network isolation seemingly not working
Hi everyone,
sorry .. for this not so advanced question.
I have a primary router (fritzbox) on 192.168.178.0/24. I connect a secondary router to that router with 192.168.178.8 and the fritzbox as default GW. I then set up a VAP with a 192.168.10.0/24 network and IP Isolation. I connect to that VAP via wireless on my Windows machine (Ethernet deactivated).
The details of the wifi adapter show the correct subnet. The DNS suffix is fritz.box (don't know why) and fritzbox is listed as DNS server. Strange but not really bad I think.
What happens is that I can not only connect to wifi (this is expected) .. but I can also access all network shares in the 192.168.178.0/24 and I can even access the primary router on 192.168.178.1.
Could anyone shed some light and maybe point me to the right direction? I expected to have a VAP (which should become a Guest Wifi) that has access to none of my local devices. Maybe something like NetBIOS or uPNP is conflicting .. but I couldn't tell.
Thanks .. everything is in place .. except for the firewall rules. New challenge (for me). If you have a rule that fits off the top of your head .. gladly
Joined: 18 Mar 2014 Posts: 12915 Location: Netherlands
Posted: Wed Jan 10, 2018 11:09 Post subject: Re: Network isolation seemingly not working
daniello wrote:
Hi everyone,
sorry .. for this not so advanced question.
I have a primary router (fritzbox) on 192.168.178.0/24. I connect a secondary router to that router with 192.168.178.8 and the fritzbox as default GW. I then set up a VAP with a 192.168.10.0/24 network and IP Isolation. I connect to that VAP via wireless on my Windows machine (Ethernet deactivated).
The details of the wifi adapter show the correct subnet. The DNS suffix is fritz.box (don't know why) and fritzbox is listed as DNS server. Strange but not really bad I think.
What happens is that I can not only connect to wifi (this is expected) .. but I can also access all network shares in the 192.168.178.0/24 and I can even access the primary router on 192.168.178.1.
Could anyone shed some light and maybe point me to the right direction? I expected to have a VAP (which should become a Guest Wifi) that has access to none of my local devices. Maybe something like NetBIOS or uPNP is conflicting .. but I couldn't tell.
Best,
daniello
@Eibgrad's solution works (his solutions always do), but if you only want to isolate the Guest wifi from the rest I think it is also possible when you have the Guest wifi on a WAP (I assume that that was your original setup: secondary router connected LAN<>LAN, DHCP off, same subnet as the fritzbox, POSTROUTING firewall rule to route traffic to the internet).
Normally when the Guest wifi is on a primary router you just enable "Net Isolation" however on a WAP that does not work so just keep it enabled and add the following firewall rule:
Code:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
If you have placed the Guest wifi on a separate bridge then substitute wl0.1 with br1; if you are using an Atheros router substitute with ath0.1 (or ath1.1 if you have placed the Guest wifi on the 5 GHz radio).
Posted: Wed Jan 10, 2018 16:34 Post subject:
Yes, it is somewhat confusing; from the text I did get the impression that he wanted Net Isolation and not AP isolation.
For other readers clarification from the wiki (https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners ):
Quote:
Instructions
For that purpose we will first create a Virtual Access Point (VAP) for Guests.
On the Wireless->Basic Settings tab, click 'Add' in the 'Virtual Interfaces' section. Enable AP isolation so that guests cannot see each other. AP Isolation drops all traffic between clients connected to the VAP. This is recommended if you want a secure Guest WiFi to help mitigate Wi-Fi snooping attacks. Then go to the Wireless Security tab to set the security type and wireless network password.
Set Network Configuration to Unbridged, Enable NAT (so that guests can have internet), and enable Net isolation (this option creates a couple of firewall rules that block guests from reaching your private network). Net isolation works ONLY on an unbridged interface on newer builds:
Broadcom starting from build 23020
Atheros starting from build 24759
Mediatek (Ralink) starting from build 25934.
AP Isolation = Guests can not hack each other on guest VAP
Net isolation = Guests can not hack your private LAN+WLAN
Sorry for any confusion I may have caused and thanks for being patient with me.
WAP (ath0) is the physical interface and VAP the virtual one (ath0.1)? Hope I got this right.
I'll try to describe what my goal is for my secondary router:
I want to set up the ath0 so that it has access to all LAN devices that are present on my home network (wifi & eth connections on the primary router). All Internet traffic on ath0 should go through OpenVPN including a Killswitch. No VPN - no Internet.
ath0.1 should be for guests, have no connection to my LAN (internet only) and also go through VPN (incl. Killswitch).
I started backwards .. so I wanted to get the isolated guests network running first (not there yet since I haven't tried the FW rules yet) .. then I want to get OpenVPN to work with the guest network .. then I want to tackle my ath0.
Probably I'm overcomplicating things. I will have time over the weekend to continue with my configuration; until then (and even after that) any advice is appreciated.
Posted: Thu Jan 11, 2018 11:01 Post subject:
Take one step at a time
Your first consideration should be whether you want your secondary router set up as a default gateway router (connect LAN from primary to WAN from secondary router); this is referred to as daisy chaining. Your routers are on different subnets.
Or whether you want to set up your secondary router as a Wireless Access Point: https://www.dd-wrt.com/wiki/index.php/Wireless_access_point
What you want: VPN from everything on your secondary router with kill switch and still be able to reach your primary router/LAN from that secondary router but not from the Guest WIFI is perhaps better done by simply daisy chaining your routers. One drawback: you can only communicate from secondary to primary router/LAN by IP address; Windows discovery does not work between subnets (without a dedicated WINS server).
Since I didn't find the specific interface in eibgrad's fw commands I tried egc's first .. and locked myself out. So starting from scratch now .. won't take long.
@eibgrad .. are your commands specific for the guest network?
And one more thing unclear to me: Do I need to activate SPI Firewall for the commands in Diagnostics FW to get active (I assume this is the place where to put those).
As soon as I turn on SPI FW I cannot access my router via LAN .. so I turned it off again. I read a bit and it shouldn't be required .. just IPtables in Diagnostics.
I tried both solutions to no avail.
Neither
Code:
iptables -I FORWARD -i ath0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
What did I do to test: I connected to my guest network via my smart phone and connected to a lan network share via File Explorer. Connected without an issue (and it shouldn't).
I assume I'm doing something fundamentally wrong.
WAN port 192.168.178.6 is daisy chained to my primary router (192.168.178.0/24) and guest wifi ath0.1 is on dd-wrt; basic IP is 192.168.1.1/24 and Guest Wifi is on 192.168.2.1/24.
Physical Wifi ath0 is bridged .. per default .. didn't bother about this one yet.
Posted: Sat Jan 13, 2018 13:20 Post subject:
OK, so if I understand correctly you have daisy chained your routers and your secondary router is in default gateway mode.
The first rule is for a WAP so that will not work.
The second rule blocks your router and WLAN; the third rule should work but you have to define WAN_NET and STATE_NEW.
As a quick test
Code:
iptables -I FORWARD -i ath0.1 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT
Do not insert in firewall but use telnet to apply the rule; if there is a mistake in the rule you will get an error (not always though) and if you lock yourself out a simple reboot will get you back.
In the meantime I have a backup .. but nevertheless I entered by SSH .. and SUCCESS!
Thank you! Now I can continue my journey
Edit: As a second step I enabled OpenVPN and it works perfectly well. ath0.1 is limited to internet (no lan) via VPN. ath0 has internet via VPN and LAN access. No additional configuration required. Wonderful! Now I will look at a killswitch .. no internet traffic on any device when VPN is down.
Code:
iptables -I FORWARD ! -o tun1 -j DROP
looked promising but after adding that line directly after the working one .. everything is messed up. Just wanted to mention this while I search for other possibilities to get warned if I make another newbie error by just putting them after each other.
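Added example (not code from the thread or from DD-WRT itself) that puts the working isolation rule from the reply above and the kill switch together in the order `iptables -I` needs. A bare `iptables -I FORWARD ! -o tun1 -j DROP` placed at the top of FORWARD also discards reply packets coming back from the tunnel (they leave via br0 or ath0.1, not tun1) and the LAN's own traffic to the primary router, which is why everything stopped after it was added. Interface names (ath0.1, br0, tun1) and the upstream subnet 192.168.178.0/24 are taken from the thread's setup and are assumptions that can be overridden via the environment; with DRY_RUN=1 (the default) the script only prints the commands so they can be reviewed before being pasted into a telnet/SSH session.

```shell
#!/bin/sh
# Example script, not from the thread: guest isolation plus VPN kill switch
# for a daisy-chained secondary DD-WRT router in default gateway mode.

GUEST_IF="${GUEST_IF:-ath0.1}"            # guest VAP (wl0.1 on Broadcom) - assumption
LAN_IF="${LAN_IF:-br0}"                   # private LAN bridge (ath0 is bridged into it)
VPN_IF="${VPN_IF:-tun1}"                  # OpenVPN client tunnel
WAN_NET="${WAN_NET:-192.168.178.0/24}"    # primary router's LAN, seen as WAN here
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Reject NEW connections from the guest VAP into the upstream LAN.
# Replies to connections the guest opened towards the internet are unaffected.
guest_isolation_rules() {
  run iptables -I FORWARD -i "$GUEST_IF" -d "$WAN_NET" -m state --state NEW -j REJECT
}

# Kill switch: drop anything forwarded that does not leave via the tunnel.
# Because -I prepends, the exceptions are inserted AFTER the drop so they end
# up above it in the chain: replies arriving from the tunnel, the LAN's traffic
# to the primary router, and the replies coming back from that subnet.
kill_switch_rules() {
  run iptables -I FORWARD ! -o "$VPN_IF" -j DROP
  run iptables -I FORWARD -i "$VPN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  run iptables -I FORWARD -i "$LAN_IF" -d "$WAN_NET" -j ACCEPT
  run iptables -I FORWARD -o "$LAN_IF" -s "$WAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Apply the kill switch first and the guest rule last, so the guest REJECT
# ends up on top of the chain and is evaluated before the LAN exception.
apply_all() {
  kill_switch_rules
  guest_isolation_rules
}

if [ "${1:-}" = "--apply" ]; then
  DRY_RUN=0
fi
apply_all
```

Run it without arguments to see the five commands in the order they would be entered; run it with `--apply` as root on the router to install them. The resulting FORWARD chain evaluates, top to bottom: guest-to-LAN REJECT, LAN/primary-router exceptions, tunnel replies, then the DROP for everything else not leaving via tun1. Inbound port forwards from the WAN side, if any, would need their own exception above the DROP.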
I haven't continued with the killswitch yet but I thought it may be quite a good idea to only have DHCP leases routed through VPN. Since I have both networks with leases .100-.150 I calculated CIDR ranges for both subnets and entered those .. to no avail.
Then I thought the problem may be that it's not one consecutive region so I went from 192.168.1.100 to 192.168.2.255 to cover the first network only partially and the second one complete. So CIDR looked like this.
Posted: Sun Jan 14, 2018 9:35 Post subject:
Post pictures of your settings: Basic setup, Networking, Wireless, VPN client and Additional Firewall rules from Administration/Commands, not more than 600 pixels wide.
Question: how do you test if you are using VPN or ISP?
I tried with SFE on and off, with no difference. As soon as I have two networks in the VPN policy routing field it fails. If I delete one it works perfectly. I assume it's just not made for two subnets.
With the two networks I don't get Internet access when I connect with my handset. So it's not a question of testing wrong but rather .. it either works or fails.
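Added example, not code from the thread or from DD-WRT: a POSIX shell function that splits an IP range into the minimal set of CIDR blocks, the calculation behind the "CIDR ranges for both subnets" mentioned above. It shows why a lease range such as 192.168.1.100-192.168.1.150 needs seven blocks, and why 192.168.1.100-192.168.2.255 is not a single block either (it needs five). The ranges are constructed from the thread's subnets; nothing here assumes what the policy-routing field itself accepts.

```shell
#!/bin/sh
# Example, not from the thread: minimal CIDR cover of an IPv4 range.

# Dotted quad -> 32-bit integer.
ip2int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print one CIDR block per line covering start..end (inclusive).
# At each step the block is grown while its start stays aligned to the
# block size and its end stays inside the range.
range2cidr() {
  start=$(ip2int "$1"); end=$(ip2int "$2")
  while [ "$start" -le "$end" ]; do
    bits=0
    while [ "$bits" -lt 32 ]; do
      size=$(( 1 << (bits + 1) ))
      [ $(( start % size )) -eq 0 ] || break
      [ $(( start + size - 1 )) -le "$end" ] || break
      bits=$(( bits + 1 ))
    done
    echo "$(int2ip "$start")/$(( 32 - bits ))"
    start=$(( start + (1 << bits) ))
  done
}

# Constructed inputs: the DHCP lease range of one subnet from the thread,
# and the attempt to span both subnets with one range.
echo "192.168.1.100-192.168.1.150:"
range2cidr 192.168.1.100 192.168.1.150
echo "192.168.1.100-192.168.2.255:"
range2cidr 192.168.1.100 192.168.2.255
```

Run as-is to see both lists; a whole subnet such as 192.168.1.0-192.168.1.255 collapses back to 192.168.1.0/24, which is the quick sanity check for the function.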