Standard setup but with a separate isolated port inbound

DD-WRT Forum Index -> Advanced Networking
dakka1
DD-WRT Novice


Joined: 16 Nov 2023
Posts: 5

PostPosted: Thu Nov 16, 2023 23:07    Post subject: Standard setup but with a separate isolated port inbound
Using a Netgear R7000P, r53939. We want to start with a pretty standard setup, WAN connects outbound (is assigned an IP), and run WiFi/wired connections in our office. All fine. We have a separate inbound wired IP which is on a different network. We'd like to isolate one of the router ports for this connection, assign a static IP (it's a public IP) and use it for inbound only. We want the following:

- inbound connections only on specific ports, forwarded to specific machines on default VLAN (allowing ssh access)
- no outbound traffic to use this inbound connection

I've looked over the forums and found a few examples that are close but not quite what we want.
I guess I'd also like some help with iptables commands for the above.

Any help appreciated
/dakka
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

PostPosted: Fri Nov 17, 2023 16:16    Post subject:
I am not sure what you want. Do you want to have two WAN interfaces?

Perhaps make a diagram to show what you want?

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
dakka1
DD-WRT Novice


Joined: 16 Nov 2023
Posts: 5

PostPosted: Sat Nov 18, 2023 1:33    Post subject:
Hi - see attached diagram. So we have one default WAN where all outbound internet traffic goes. This is provided by the office services. The second WAN is not through that service, but is dedicated to us. We want that to go into port 1 on the router. Inbound ssh connections from that IP with specified ports should then be forwarded to one of the servers (1-3) depending on the inbound port. All other inbound traffic should be dropped. No outbound traffic should be routed through the inbound WAN.

Thanks!
/dakka
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

PostPosted: Sat Nov 18, 2023 7:38    Post subject:
A dual WAN solution is possible with DD-WRT, but you need to do it manually, see:
https://wiki.dd-wrt.com/wiki/index.php/Dual%2C_Triple_%28and_probably_quad%29_WAN_with_multiple_active_WAN_links_and_source_routing

You need networking expertise to get this going; to be honest, this is more for a professional solution and/or professional advice.

dakka1
DD-WRT Novice


Joined: 16 Nov 2023
Posts: 5

PostPosted: Sat Nov 18, 2023 10:07    Post subject:
Thanks for the reply. The dual WAN setup you refer to is not really the same thing. It describes multiple WAN (outbound), failover and source routing (from within). We need something much simpler - just the addition of the inbound WAN. We don't need DNS, DHCP, failover etc or anything else for that other WAN.

I have made an attempt to get this working by:
- creating a second bridge (br1), assigning a static IP
- removing port 1 from VLAN1 and br0 and adding it to VLAN3, adding VLAN3 to br1

This isolates port 1 and now has a static IP. The missing part is the iptables rules to allow the inbound traffic on specific ports to be routed across to specific hosts on VLAN1, and rules to prevent any outbound traffic going to VLAN3.

I guess it's a bit tricky but I wouldn't have thought that it was that advanced. :)
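Since nobody in the thread posted the rules, here is a worked firewall script as an added example; it is not from this thread and not DD-WRT's own code. It follows the layout dakka1 describes (port 1 moved into VLAN3 and bridged as br1 with a static public IP, servers on br0/VLAN1) and adds the piece egc's replies point at: replies to connections that arrive on br1 have to be routed back out br1 rather than the default WAN, which takes a connection mark and a second routing table. The addresses (203.0.113.0/24, a documentation range), the server IPs, the inbound ports 2201-2203, routing table 100 and mark 0x10 are all assumed values, not from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: firewall script for an
# inbound-only second link on br1, with ssh forwarded to servers on br0.
# Everything below the interface names is a constructed sample value.

IN_IF="br1"                 # isolated bridge holding VLAN3 / port 1 (from the thread)
IN_IP="203.0.113.10"        # placeholder public IP assigned to br1
IN_NET="203.0.113.0/24"     # placeholder subnet of the inbound link
IN_GW="203.0.113.1"         # placeholder upstream gateway on that link
LAN_IF="br0"                # office LAN bridge (from the thread)
TABLE="100"                 # assumed spare routing table number
MARK="0x10"                 # assumed connection mark; must not clash with QoS marks
# inbound TCP port -> server behind br0 (constructed mapping, ssh on 22)
PORT_MAP="2201:192.168.1.11 2202:192.168.1.12 2203:192.168.1.13"

# run either executes a command or, with DRY_RUN=1 (the default), prints it for review.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

apply_rules() {
  # 1. Replies to connections that arrived on br1 must leave via br1, not the
  #    main WAN. Mark such connections, restore the mark on the servers' reply
  #    packets (which still carry the private source address when routed), and
  #    send marked packets through a table whose default route is the inbound
  #    gateway. This is the "second WAN" routing egc refers to.
  run iptables -t mangle -A PREROUTING -i "$IN_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
  run iptables -t mangle -A PREROUTING -i "$LAN_IF" -m connmark --mark "$MARK" -j CONNMARK --restore-mark
  run ip route replace "$IN_NET" dev "$IN_IF" table "$TABLE"
  run ip route replace default via "$IN_GW" dev "$IN_IF" table "$TABLE"
  run ip rule del fwmark "$MARK" table "$TABLE"   # remove a stale copy; fails harmlessly on first run
  run ip rule add fwmark "$MARK" table "$TABLE"
  run ip route flush cache

  # 2. Custom chains keep the policy readable and re-runnable
  #    (-N fails if the chain already exists; -F then empties it).
  run iptables -N inwan_in
  run iptables -F inwan_in
  run iptables -N inwan_out
  run iptables -F inwan_out

  # 3. Traffic arriving on br1: packets of already-accepted connections, plus
  #    new TCP connections to the forwarded ports, DNAT'd to the right server.
  #    The accept matches the connection's ORIGINAL destination, so only
  #    connections that really came through the DNAT are allowed; a host on the
  #    inbound link addressing 192.168.1.x directly is still dropped.
  run iptables -A inwan_in -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  for entry in $PORT_MAP; do
    port="${entry%%:*}"
    host="${entry#*:}"
    run iptables -t nat -A PREROUTING -i "$IN_IF" -d "$IN_IP" -p tcp --dport "$port" -j DNAT --to-destination "$host:22"
    run iptables -A inwan_in -o "$LAN_IF" -p tcp -d "$host" --dport 22 -m conntrack --ctstate NEW --ctorigdst "$IN_IP" --ctorigdstport "$port" -j ACCEPT
  done
  run iptables -A inwan_in -j DROP

  # 4. Nothing may originate towards br1 from the LAN or the router itself;
  #    only replies to inbound connections pass.
  run iptables -A inwan_out -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A inwan_out -j DROP

  # 5. Hook the chains in ahead of DD-WRT's default rules, and drop everything
  #    aimed at the router itself on br1 (it offers no services on that link).
  run iptables -I FORWARD 1 -i "$IN_IF" -j inwan_in
  run iptables -I FORWARD 1 -o "$IN_IF" -j inwan_out
  run iptables -I OUTPUT 1 -o "$IN_IF" -j inwan_out
  run iptables -I INPUT 1 -i "$IN_IF" -j DROP
}

case "${1:-}" in
  --print) DRY_RUN=1; apply_rules ;;   # review the rule set without touching anything
  --apply) DRY_RUN=0; apply_rules ;;   # run on the router as root
esac
```

Run it with `--print` on any machine to review the exact iptables and ip commands it would issue; on the router, paste it into Administration > Commands and save it as the firewall script so it is re-applied after every firewall restart, or execute it with `--apply`. Afterwards `iptables -L FORWARD -nv` should show the two custom chains at the top, an ssh connection from outside to port 2201 on the public IP should land on the first server, and a connection to any other port on that IP should be silently dropped (the INPUT rule also drops ping on that link, which is intentional but worth knowing when troubleshooting). Because the custom chains drop explicitly, the setup does not depend on the SPI firewall treating br1 as a WAN interface.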
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12923
Location: Netherlands

PostPosted: Sat Nov 18, 2023 10:34    Post subject:
As you described it, port 1 is on a different subnet than the servers on ports 2, 3 and 4.
If this is the case then you need routing, which means you actually create a second WAN (a WAN is nothing more than an interface and routing/firewall rules to route between subnets).

If the office can use the same subnet as your outbound WAN/firewall, you can turn it around: use the WAN port for the inbound connection, connect port 1 for the outbound connection and bridge it with the wireless interfaces; they do not get DHCP from the router but from the firewall/outbound side.

dakka1
DD-WRT Novice


Joined: 16 Nov 2023
Posts: 5

PostPosted: Sun Nov 19, 2023 6:56    Post subject:
Anyone able to suggest the iptables rules?
/dakka
D.F.Cruizer
DD-WRT User


Joined: 14 May 2023
Posts: 95

PostPosted: Mon Nov 20, 2023 3:44    Post subject:
While a picture is worth a thousand words, as the conventional saying would have it, I fail to see the logic of the traffic flows as depicted by the diagram.

For a start, a firewall is typically placed on the traffic coming into (inbound) a local network, for obvious reasons. The diagram turns that convention upside down by placing the firewall on the outgoing traffic.

Unless I am missing something terribly convoluted in your desired setup.
dakka1
DD-WRT Novice


Joined: 16 Nov 2023
Posts: 5

PostPosted: Mon Nov 20, 2023 5:17    Post subject:
The firewall is provided by the office services. All traffic on their network goes through their firewall.
There is no firewall inbound. We have to add that with our iptables rules. The traffic using that IP is open, hence the need to lock it down and route only the ssh traffic to the other servers.

/dakka
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

PostPosted: Mon Nov 20, 2023 9:49    Post subject:
All routers have an SPI firewall that usually filters the inbound traffic... so only related/established connections are permitted... that was what the previous post was all about... if you disable the SPI firewall then you are on your own... no idea how the iptables rules will work... the SPI firewall works only WAN to LAN and the opposite, but not LAN to LAN :D
_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS | DNSCrypt v2 by mac913
All times are GMT