Network isolation seemingly not working

DD-WRT Forum Index -> Advanced Networking
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 33

PostPosted: Tue Jan 09, 2018 18:52    Post subject: Network isolation seemingly not working
Hi everyone,

sorry .. for this not so advanced question.

I have a primary router (fritzbox) on 192.168.178.0/24. I connect a secondary router to that router with 192.168.178.8 and the fritzbox as default GW. I then set up a VAP with a 192.168.10.0/24 network and IP Isolation. I connect to that VAP via wireless on my Windows machine (Ethernet deactivated).

The details of the wifi adapter show the correct subnet. The DNS suffix is fritz.box (don't know why) and the fritzbox is listed as DNS server. Strange but not really bad I think.

What happens is that I can not only connect to wifi (this is expected) .. but I can also access all network shares in the 192.168.178.0/24 and I can even access the primary router on 192.168.178.1.

Could anyone shed some light and maybe point me in the right direction? I expected to have a VAP (which should become a Guest Wifi) that has access to none of my local devices. Maybe something like NetBIOS or UPnP is conflicting .. but I couldn't tell.

Best,
daniello
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 6598

PostPosted: Tue Jan 09, 2018 19:40    Post subject:
AP isolation does NOT prevent access to wired devices by wireless devices. It only prevents access between wireless devices.

If you want to prevent access to the wired devices, then daisy-chain the secondary router to the primary router, WAN to LAN respectively, thus giving that secondary router its own ethernet and IP networks, DHCP server, firewall, etc. Finally, block access to the primary network from the second router's network using firewall rules.
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 33

PostPosted: Wed Jan 10, 2018 7:00    Post subject:
Thanks .. everything is in place .. except for the firewall rules. New challenge (for me). If you have a rule that fits off the top of your head .. gladly :)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 6598

PostPosted: Wed Jan 10, 2018 7:07    Post subject:
https://pastebin.com/1df1XsuK

It actually does a lot more than block access to the upstream network. It also limits guests' access on the guest router to only essential services. Whether you want or need that, it's up to you. The assumption is that you'll enable GUI access on the WAN (because it's facing your LAN) for administrative purposes. If you don't, you'll lock yourself out too!

The most essential rules are the following:

Code:
# deny access to private network by guests (internet only)
# WAN_NET, STATE_NEW, REJECT and REJECT_TCP are shell variables set earlier in the
# linked script; these two lines do not work on their own unless you define them.
iptables -I FORWARD        -i br0 -d $WAN_NET $STATE_NEW -j $REJECT
iptables -I FORWARD -p tcp -i br0 -d $WAN_NET $STATE_NEW -j $REJECT_TCP
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 33

PostPosted: Wed Jan 10, 2018 7:15    Post subject:
Thanks .. will try this asap. The extensive script is probably an overdose since my next step is to (try and) pipe the guest wifi through openvpn.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 1496
Location: Netherlands

PostPosted: Wed Jan 10, 2018 11:09    Post subject: Re: Network isolation seemingly not working
daniello wrote: (quoting the opening post in full)


@Eibgrad's solution works (his solutions always do :) ), but if you only want to isolate the Guest wifi from the rest, I think it is also possible when you have the Guest wifi on a WAP (I assume that that was your original setup: secondary router connected LAN<>LAN, DHCP off, same subnet as the fritzbox, POSTROUTING firewall rule to route traffic to the internet).
Normally, when the Guest wifi is on a primary router, you just enable "Net Isolation"; however, on a WAP that does not work, so just keep it enabled and add the following firewall rule:
Code:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT

If you have placed the Guest wifi on a separate bridge then substitute wl0.1 with br1; if you are using an Atheros router substitute with ath0.1 (or ath1.1 if you have placed the Guest wifi on the 5 GHz band).

I am not 100% sure if this will work but @Eibgrad will know if this is a viable option

_________________
Router Netgear R6400, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide see Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 6598

PostPosted: Wed Jan 10, 2018 16:06    Post subject:
Configuration as a WAP makes sense if you want the physical AP to function as an additional AP for the primary IP network, while making the VAP available to guests on the VAP's own IP network.

You might also do this if you want to unbridge the physical AP from the switch for the purposes of adding more LAN ports to the primary IP network. Now the physical AP can be dedicated to the guests. Just depends on what you want.

As far as Net Isolation, I'm not sure what that is. Sounds like a Kong invention. The OP was referring to AP isolation which should still work since it's a function of the wireless itself, not something dd-wrt is doing.

IMO, if you only want/need a guest AP, the router configuration is the more straightforward solution.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 1496
Location: Netherlands

PostPosted: Wed Jan 10, 2018 16:34    Post subject:
Yes, it is somewhat confusing; from the text I got the impression that he wanted Net Isolation and not AP isolation.

For other readers clarification from the wiki (https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners ):
Quote:
Instructions

For that purpose we will first create Virtual Access Point (VAP) for Guests .

On the Wireless->Basic Settings tab, click 'Add' in the 'Virtual Interfaces' section. Enable AP isolation so that guests can not see each other. AP Isolation drops all traffic between clients connected to the VAP. This is recommended if you want a secure Guest WiFi to help mitigate Wi-Fi snooping attacks. Then go to the Wireless Security tab to set the security type and wireless network password.

Set Network Configuration to Unbridged, Enable NAT (so that guests can have internet), and enable Net isolation (this option creates a couple of firewall rules that block guests from reaching your private network). Net isolation works ONLY on an unbridged interface on newer builds:

Broadcom starting from build 23020
Atheros starting from build 24759
Mediatek (Ralink) starting from build 25934.


AP Isolation = Guests can not hack each other on guest VAP
Net isolation = Guests can not hack your private LAN+WLAN


The above settings (NAT and firewall rules) do not work when the guest wifi is set up on a WAP; you need to insert the firewall rules yourself.

daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 33

PostPosted: Thu Jan 11, 2018 5:33    Post subject:
Sorry for any confusion I may have caused and thanks for being patient with me.

WAP (ath0) is the physical interface and VAP the virtual one (ath0.1)? Hope I got this right.

I'll try to describe what my goal is for my secondary router:

I want to set up the ath0 so that it has access to all LAN devices that are present on my home network (wifi & eth connections on the primary router). All Internet traffic on ath0 should go through OpenVPN including a Killswitch. No VPN - no Internet.

ath0.1 should be for guests, have no connection to my LAN (internet only) and also go through VPN (incl. Killswitch).

I started backwards .. so I wanted to get the isolated guests network running first (not there yet since I haven't tried the FW rules yet) .. then I want to get OpenVPN to work with the guest network .. then I want to tackle my ath0.

Probably I'm over complicating things. I will have time over the weekend to continue with my configuration until then (and even after that) any advice is appreciated.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 1496
Location: Netherlands

PostPosted: Thu Jan 11, 2018 11:01    Post subject:
Take one step at a time :)
Your first consideration should be whether you want your secondary router set up as a default gateway router (connect LAN from primary to WAN from secondary router); this is referred to as daisy chaining. Your routers are on different subnets.
Or whether you want to set up your secondary router as a Wireless Access Point: https://www.dd-wrt.com/wiki/index.php/Wireless_access_point

What you want: VPN for everything on your secondary router with kill switch, and still be able to reach your primary router/LAN from that secondary router but not from the Guest WIFI, is perhaps better done by simply daisy-chaining your routers. One drawback: you can only communicate from the secondary to the primary router/LAN by IP address; Windows discovery does not work between subnets (without a dedicated WINS server).

You need expert help with firewall rules to accomplish what you want, though, because a standard kill switch does not allow access to your primary router/LAN.



Last edited by egc on Fri Jan 12, 2018 10:36; edited 1 time in total
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 33

PostPosted: Fri Jan 12, 2018 6:49    Post subject:
Since I didn't find the specific interface in eibgrad's FW commands I tried egc's first .. and locked myself out. So starting from scratch now .. won't take long.

@eibgrad .. are your commands specific to the guest network?

And one more thing unclear to me: Do I need to activate SPI Firewall for the commands in Diagnostics FW to get active (I assume this is the place where to put those).
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 33

PostPosted: Sat Jan 13, 2018 10:09    Post subject:
As soon as I turn on SPI FW I cannot access my router via LAN .. so I turned it off again. I read a bit and it shouldn't be required .. just iptables in Diagnostics.

I tried both solutions to no avail.

Neither
Code:
iptables -I FORWARD -i ath0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT

nor
Code:
iptables -I FORWARD        -i br0 -d $WAN_NET $STATE_NEW -j $REJECT
iptables -I FORWARD -p tcp -i br0 -d $WAN_NET $STATE_NEW -j $REJECT_TCP

or
Code:
iptables -I FORWARD        -i ath0.1 -d $WAN_NET $STATE_NEW -j $REJECT
iptables -I FORWARD -p tcp -i ath0.1 -d $WAN_NET $STATE_NEW -j $REJECT_TCP

worked for me.

What did I do to test: I connected to my guest network via my smart phone and connected to a lan network share via File Explorer. Connected without an issue (and it shouldn't).

I assume I'm doing something fundamentally wrong.

Wan port 192.168.178.6 is daisy chained to my primary router (192.168.178.0/24) and guest wifi ath0.1 is on dd-wrt basic IP is 192.168.1.1/24 and Guest Wifi is on 192.168.2.1/24

Physical Wifi ath0 is bridged .. per default .. didn't bother about this one yet.

Any advice is greatly appreciated.

btw .. why do you need an extra reject for tcp?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 1496
Location: Netherlands

PostPosted: Sat Jan 13, 2018 13:20    Post subject:
OK, so if I understand correctly you have daisy-chained your routers and your secondary router is in default gateway mode.

The first rule is for a WAP, so that will not work.
The second rule blocks your router and WLAN; the third rule should work, but you have to define WAN_NET and STATE_NEW.

As a quick test
Code:
iptables -I FORWARD -i ath0.1 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT


Do not insert in firewall but use telnet to apply the rule, if there is a mistake in the rule you will get an error
(not always though) and if you lock yourself out a simple reboot will get you back

I have not tested it so no guarantee

daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 33

PostPosted: Sat Jan 13, 2018 17:27    Post subject:
In the meantime I have a backup .. but nevertheless I entered it by SSH .. and SUCCESS!
Thank you! Now I can continue my journey :)

Edit: As a second step I enabled OpenVPN and it works perfectly well. ath0.1 is limited to internet (no lan) via VPN. ath0 has internet via VPN and LAN access. No additional configuration required. Wonderful! Now I will look at a killswitch .. no internet traffic on any device when VPN is down.
Code:
iptables -I FORWARD ! -o tun1 -j DROP

looked promising, but after adding that line directly after the working one .. everything is messed up. Just wanted to mention this while I search for other possibilities, to get warned if I make another newbie error by just putting them after each other.
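The posts above leave three things implicit: what $WAN_NET in eibgrad's pair of rules actually is (egc's test rule derives it from `nvram get wan_ipaddr`/`wan_netmask`), why there is a second REJECT for TCP, and why `iptables -I FORWARD ! -o tun1 -j DROP` breaks everything. The script below is an added example, not code from the thread, the linked pastebin or DD-WRT itself. It only prints iptables commands so they can be reviewed before being pasted into a telnet/SSH session; the interface names (guest VAP ath0.1, private bridge br0, physical WAN port vlan2, tunnel tun1) are assumptions to be checked against `nvram get wan_iface` and `ip addr` on your own router, and `--reject-with tcp-reset` is what such a REJECT_TCP variable is assumed to hold.

```shell
#!/bin/sh
# Added example (not from the thread, the pastebin script or DD-WRT).
# Prints the guest-isolation and kill-switch rules for review; pure POSIX
# shell arithmetic, so it also runs in busybox ash on the router.
# Assumed interface names: guest VAP ath0.1, private bridge br0,
# physical WAN port vlan2, OpenVPN tunnel tun1. Check yours first.

# Dotted-quad IPv4 -> 32-bit integer.
ip2int() {
    _old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted-quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length (255.255.255.0 -> 24) by counting leading one bits.
mask2prefix() {
    _m=$(ip2int "$1"); _n=0
    while [ $(( _m & 2147483648 )) -ne 0 ]; do
        _n=$(( _n + 1 )); _m=$(( (_m << 1) & 4294967295 ))
    done
    echo "$_n"
}

# Upstream network in CIDR form from the WAN address and mask, i.e. the value
# $WAN_NET stands for. On the router call it as:
#   wan_net "$(nvram get wan_ipaddr)" "$(nvram get wan_netmask)"
wan_net() {
    echo "$(int2ip $(( $(ip2int "$1") & $(ip2int "$2") )))/$(mask2prefix "$2")"
}

# Guest isolation: reject NEW connections from the guest interface to the
# upstream LAN. A plain REJECT answers with an ICMP port-unreachable, which a
# TCP client treats as a soft error and keeps retrying until it times out; the
# TCP variant with --reject-with tcp-reset sends a RST and connect() fails at
# once. Both use -I (insert at the top), so the TCP rule ends up first.
guest_rules() {
    _gif=$1; _net=$2
    printf 'iptables -I FORWARD -i %s -d %s -m state --state NEW -j REJECT\n' "$_gif" "$_net"
    printf 'iptables -I FORWARD -p tcp -i %s -d %s -m state --state NEW -j REJECT --reject-with tcp-reset\n' "$_gif" "$_net"
}

# Kill switch that keeps LAN access. `! -o tun1 -j DROP` matches every forwarded
# packet not leaving via the tunnel, including replies coming back from tun1 to
# the clients and the private WLAN's traffic to the upstream LAN, so it broke
# both. Instead drop only what would leave through the physical WAN port:
# everything from the guest VAP, and from the private bridge everything except
# the upstream LAN it is allowed to reach.
kill_switch_rules() {
    _gif=$1; _lif=$2; _wif=$3; _net=$4
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$_gif" "$_wif"
    printf 'iptables -I FORWARD -i %s -o %s ! -d %s -j DROP\n' "$_lif" "$_wif" "$_net"
}

# Print the rule set for the WAN address used in the thread (192.168.178.6/24).
NET=$(wan_net 192.168.178.6 255.255.255.0)
guest_rules ath0.1 "$NET"
kill_switch_rules ath0.1 br0 vlan2 "$NET"
```

Apply the printed lines one at a time over telnet/SSH first, as egc suggests, and only move them into the firewall script once a reboot-free test shows guests are cut off from 192.168.178.0/24 while br0 still reaches it.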
daniello
DD-WRT Novice


Joined: 03 Jul 2015
Posts: 33

PostPosted: Sun Jan 14, 2018 6:38    Post subject:
haven't continued with the killswitch yet but I thought it may be quite a good idea to only have dhcp leases routed through VPN. Since I have both networks with leases .100-.150 I calculated CIDR ranges for both subnets and entered those .. to no avail.
Then I thought the problem may be that it's not one consecutive region so I went from 192.168.1.100 to 192.168.2.255 to cover the first network only partially and the second one complete. So CIDR looked like this.

192.168.1.100/30
192.168.1.104/29
192.168.1.112/28
192.168.1.128/25
192.168.2.0/24

Didn't work either. If anyone has a bright idea .. gladly :)