One router, two segments desired.


Rombo

Occasional Visitor
I have followed the Two Segment LAN Isolation Tutorial without success. I believe I am simply configuring all the network pieces wrong.
I would actually like to have two LAN segments on the router without isolation (if there is a way to do this) and use a VLAN on the managed switch I have to isolate the segments.
I have enough network knowledge to shoot myself in the foot. I am just now trying to learn iptables.
I really need some help with this. I've spent hours and hours trying to figure this out and it seems to be beyond my technical knowledge.

I have an ASUS RT-AC86U running Merlin 386.12_4 (latest version).
I have a TL-SG116E managed switch with ethernet cables to the AC86U.
My main segment is 192.168.1.0/24 (generally VPN routed) and I have a second segment for 192.168.2.0/24 (non-VPN going to WAN) such as cameras.
- My main laptop is 192.168.1.101 (I control everything from here)
- My BlueIris software laptop is 192.168.2.107 (I see all my cameras here)
- My AC86U router is 192.168.1.1 with subnet 255.255.252.0
- Tried both 255.255.252.0 and 255.255.255.0
I want to have two LAN segments with WAN connected on the 192.168.2.0/24 segment and VPN connected on the 192.168.1.0/24 segment.

When I reboot the router to try new settings both my Windows 10 laptops change to unidentified network/public with no internet access.
When I update the subnet mask on the Windows 10 devices from whatever it happens to be to the other (see above), they (most of the time) reconnect to the Internet.
- 255.255.255.0 to 255.255.252.0 and vice versa
This seems to indicate I am configuring my network wrong somewhere.
I am using NordVPN and most traffic is going through that.

I have tried to use port based vlan and put TL-SG116E Port 2 in a VLAN to isolate 192.168.2.0/24.
Without the VLAN, I get
Jan 11 13:48:02 kernel: br100: received packet on eth3 with own address as source address
With the VLAN I no longer get that message but other things break.

I have a network cable running from Port 4 on the router directly to my main laptop, where I configure/run everything.
I have a network cable running from Port 2 to the TL-SG116E managed switch (port 2): 192.168.2.0/24.
I have a network cable running from Port 1 to the TL-SG116E managed switch (uplink/port 1): 192.168.1.0/24.
I have 6 ethernet cables from various devices/managed & unmanaged switches to the TL-SG116E's other ports.
I have dozens of devices on my home network (phones, tablets, TV, cameras, ...)

Initially, I am trying to have two separate segments that can "see" each other (I will try to isolate them later).

I get different results. I run Amcrest Surveillance Pro on my main laptop (192.168.1.101).
- Depending on the router/laptop subnet mask (I've tried 255.255.252.0 & 255.255.255.0) & my Asus scripts, I can see all my cameras on the 192.168.2.0/24 segment -or- not.
- I want to be able to see all cameras using software on:
  - my laptop (internet connected): Amcrest Surveillance Pro
  - my cellphone (BlueIris App & Amcrest App), both when I am on cellular data & when I am Wifi connected
  - my BlueIris laptop when Internet connected

SCRIPTS
NAT-START

#!/bin/sh
# Make sure the script is indeed invoked
logger -s "br100" "nat-start: applying POSTROUTING rules for br100"
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE

SERVICES-START

#!/bin/sh
# Physical port to interface map for RT-AC86U:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2 PORT CONNECTED TO TL-SG116E Port 2
# eth4   LAN 1 PORT CONNECTED TO TL-SG116E Uplink Port 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio
# Delete those interfaces that we want to isolate from br0
logger -s "isolate_port" "services-start: deleting LAN 2 (eth3) from br0"
brctl delif br0 eth3
# Create a new bridge br100 for isolated interfaces
logger -s "br100" "services-start: creating br100 with LAN PORTS 2 (eth3)"
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth3
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)
# Set up the IPv4 address for br100
# Here we set the subnet to be 192.168.2.0/24
logger -s "br100" "services-start: setting up IPv4 address for br100"
ifconfig br100 192.168.2.1 netmask 255.255.255.0
ifconfig br100 up

FIREWALL-START
#!/bin/sh
# Make sure the script is indeed invoked
logger -s "br100" "firewall-start: applying fw rules for br100"
# Drop all incoming traffic to br100
# Target names are case-sensitive; inserted first, so it ends up below the ACCEPT rules inserted after it
iptables -I INPUT -i br100 -j DROP
# Allow br100 access to various ports
iptables -I INPUT -i br100 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br100 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 5353 -j ACCEPT
iptables -I INPUT -i br100 -p udp --dport 5353 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 81 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8890 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8999 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8099 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8443 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8554 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 44399 -j ACCEPT

# Allow established, related incoming connections from br100
iptables -I INPUT -i br100 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forbid packets from br100 to be forwarded to other interfaces
# iptables -I FORWARD -i br100 -j DROP <-- Future Lan Isolation?
# But allow packet forwarding inside br100
iptables -I FORWARD -i br100 -o br100 -j ACCEPT

# Allow packet forwarding between br100 and eth0 (WAN)
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT
# temporarily allow connections between segments
iptables -I FORWARD -i br100 -o br0 -j ACCEPT

# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
# iptables -I FORWARD -i br0 -o br100 -j DROP <-- Future Lan Isolation?
# But allow one-way traffic from br0 to br100 only for restricted ports - Synology NAS and PLEX
iptables -I FORWARD -i br0 -o br100 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p udp --dport 5353 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 5353 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 81 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8443 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8890 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8999 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8099 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8554 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 44399 -j ACCEPT
iptables -I FORWARD -i br100 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.2.1/24 -p icmp --icmp-type echo-request -j DROP
 
I commented out
# Drop all incoming traffic to br100
iptables -I INPUT -i br100 -j drop
and added
# Allow packet forwarding between br100 and eth0 (WAN)
iptables -I FORWARD -i br100 -o br0 -j ACCEPT

Here is some output from commands:

ifconfig
br0 Link encap:Ethernet HWaddr 3C:7C:3F:30:8C:D8
inet addr:192.168.1.1 Bcast:192.168.3.255 Mask:255.255.252.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:47655 errors:0 dropped:294 overruns:0 frame:0
TX packets:43164 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7674147 (7.3 MiB) TX bytes:35004980 (33.3 MiB)

br100 Link encap:Ethernet HWaddr 3C:7C:3F:30:8C:D8
inet addr:192.168.2.1 Bcast:192.168.2.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:2878 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:122854 (119.9 KiB)

eth0 Link encap:Ethernet HWaddr 9C:5C:8E:24:51:90
inet addr:ISPPUBLICIP Bcast:ISPPUBLICIP Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:26997 errors:0 dropped:0 overruns:0 frame:0
TX packets:25249 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:13958838 (13.3 MiB) TX bytes:5759279 (5.4 MiB)
ip route
default via ISPPUBLICIP.1 dev eth0
VPN.0/24 dev tun12 proto kernel scope link src 10.8.3.2
ISPPUB.0/24 dev eth0 proto kernel scope link src ISPPUBLICIP
ISPPUB.1 dev eth0 proto kernel scope link
103.86.96.100 via ISPPUB.1 dev eth0 metric 1
103.86.99.100 via ISPPUB.1 dev eth0 metric 1
127.0.0.0/8 dev lo scope link
192.168.0.0/22 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br100 proto kernel scope link src 192.168.2.1
 
iptables -vnL INPUT
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:44399
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8554
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8099
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8999
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8890
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 ACCEPT     udp  --  br100  *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5353
    0     0 ACCEPT     udp  --  br100  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:44399
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8554
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8099
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8999
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8890
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:81
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
   14  1631 ACCEPT     udp  --  br100  *       0.0.0.0/0            0.0.0.0/0            udp dpt:5353
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5353
    0     0 ACCEPT     udp  --  br100  *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  br100  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    1    60 INPUT_PING  icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
48178   16M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  440 22215 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
 3088  515K PTCSRVWAN  all  --  !br0   *       0.0.0.0/0            0.0.0.0/0
 3813  434K PTCSRVLAN  all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    0     0 logdrop    tcp  --  !lo    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5152
 3813  434K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0            state NEW
 2891  481K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:67 dpt:68
    0     0 INPUT_ICMP  icmp --  *      *       0.0.0.0/0            0.0.0.0/0
  197 33999 OVPNSI     all  --  *      *       0.0.0.0/0            0.0.0.0/0
  197 33999 OVPNCI     all  --  *      *       0.0.0.0/0            0.0.0.0/0

iptables -vnL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br100  br0     0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:44399
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8554
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8099
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8999
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8890
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:81
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:5353
    0     0 ACCEPT     udp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            udp dpt:5353
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     all  --  br100  br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br100  eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br100  br100   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br100  br0     0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:44399
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8554
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8099
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8999
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8890
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:8443
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:81
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:5353
    0     0 ACCEPT     udp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            udp dpt:5353
    0     0 ACCEPT     tcp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            tcp dpt:53
    0     0 ACCEPT     udp  --  br0    br100   0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     all  --  br100  br0     0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br100  eth0    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br100  br100   0.0.0.0/0            0.0.0.0/0
62430   19M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 7922 2868K OVPNSF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 other2wan  all  --  !br0   eth0    0.0.0.0/0            0.0.0.0/0
 1871  396K ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
  112  5452 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
    1    40 SECURITY   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
 5939 2467K NSFW       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 5938 2467K ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1    40 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT
    0     0 OVPNCF     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 VPNCF      all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0

iptables -vnL OUTPUT
Chain OUTPUT (policy ACCEPT 71397 packets, 59M bytes)
 pkts bytes target     prot opt in     out     source               destination
 1402 96516 OUTPUT_DNS  udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 u32 "0x0>>0x16&0x3c@0x8>>0xf&0x1=0x0"
    2   232 OUTPUT_DNS  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 u32 "0x0>>0x16&0x3c@0xc>>0x1a&0x3c@0x8>>0xf&0x1=0x0"
87615   66M OUTPUT_IP  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  254 15240 DROP       icmp --  *      *       0.0.0.0/0            192.168.2.0/24       icmptype 8
   0     0 DROP       icmp --  *      *       0.0.0.0/0            192.168.2.0/24       icmptype 8

iptables -t nat -vnL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1586 packets, 134K bytes)
 pkts bytes target     prot opt in     out     source               destination
 3739  960K MASQUERADE  all  --  *      tun12   0.0.0.0/0            0.0.0.0/0
 1381 90018 PUPNP      all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
  681 43193 MASQUERADE  all  --  *      eth0   !ISPPUBLIC        0.0.0.0/0
 2148  299K MASQUERADE  all  --  *      br0     192.168.0.0/22       192.168.0.0/22
    0     0 MASQUERADE  all  --  *      eth0    192.168.2.0/24       0.0.0.0/0
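The `iptables -vnL` listings above show every br100 rule twice: firewall-start is run by the firmware on every firewall restart, and plain `-I` rules accumulate. The script below is an added example for this thread, not the poster's script and not Asuswrt-Merlin code. It builds the same rule set from the thread (br100, br0, eth0, 192.168.2.0/24 and the service port list) in two dedicated chains that are flushed and rebuilt on each run, with a `-C` check before each jump so re-running it is harmless. The chain names BR100_IN/BR100_FWD, the ISOLATE switch, and the udp/67 allow (DHCP requests, in case dnsmasq serves br100) are my assumptions, not the thread's.

```sh
#!/bin/sh
# Added example for this thread, not the poster's script and not Asuswrt-Merlin code:
# the br100 rule set written so that firewall-start (which the firmware runs again
# on every firewall restart) can be re-run without stacking a second copy of every rule.
# From the thread: br100, br0, eth0, 192.168.2.0/24 and the service port list.
# My additions (assumptions): chain names BR100_IN/BR100_FWD, the ISOLATE switch,
# and udp/67 for DHCP requests in case dnsmasq serves br100.

IPT="${IPT:-iptables}"           # overridable for dry runs and tests
BR_NEW="br100"                   # second-segment bridge
BR_LAN="br0"                     # default LAN bridge
WAN="eth0"
NET_NEW="192.168.2.0/24"
TCP_PORTS="53 5353 80 81 443 8890 8999 8099 8443 8554 44399"
UDP_PORTS="53 5353"
ISOLATE="${ISOLATE:-0}"          # 0: segments may talk (thread's current goal); 1: bridges isolated

# Create a chain, or flush it if it already exists, so each run rebuilds it from scratch.
reset_chain() {
    "$IPT" -N "$1" 2>/dev/null || "$IPT" -F "$1"
}

# Insert a rule into a built-in chain only if an identical rule is not already present
# (iptables -C exits 0 when the rule exists).
ensure_rule() {
    table=$1; chain=$2; shift 2
    "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null || "$IPT" -t "$table" -I "$chain" "$@"
}

apply_br100_firewall() {
    # Traffic from br100 to the router itself: listed services only, then DROP.
    # Rules are appended, so the chain reads top to bottom and the DROP is last.
    reset_chain BR100_IN
    for p in $TCP_PORTS; do "$IPT" -A BR100_IN -p tcp --dport "$p" -j ACCEPT; done
    for p in $UDP_PORTS; do "$IPT" -A BR100_IN -p udp --dport "$p" -j ACCEPT; done
    "$IPT" -A BR100_IN -p udp --dport 67 -j ACCEPT     # DHCP requests (my addition)
    "$IPT" -A BR100_IN -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A BR100_IN -j DROP
    ensure_rule filter INPUT -i "$BR_NEW" -j BR100_IN

    # Forwarding: br100 may reach the WAN and itself; br0 may open the listed
    # service ports on br100; other bridge-to-bridge traffic depends on ISOLATE.
    reset_chain BR100_FWD
    "$IPT" -A BR100_FWD -m state --state RELATED,ESTABLISHED -j ACCEPT
    "$IPT" -A BR100_FWD -i "$BR_NEW" -o "$WAN" -j ACCEPT
    "$IPT" -A BR100_FWD -i "$BR_NEW" -o "$BR_NEW" -j ACCEPT
    for p in $TCP_PORTS; do
        "$IPT" -A BR100_FWD -i "$BR_LAN" -o "$BR_NEW" -p tcp --dport "$p" -j ACCEPT
    done
    for p in $UDP_PORTS; do
        "$IPT" -A BR100_FWD -i "$BR_LAN" -o "$BR_NEW" -p udp --dport "$p" -j ACCEPT
    done
    if [ "$ISOLATE" = 1 ]; then
        # Only bridge-to-bridge traffic is dropped here; anything else (e.g. a port
        # forward from the WAN) falls through to the firmware's own FORWARD rules.
        "$IPT" -A BR100_FWD -i "$BR_LAN" -o "$BR_NEW" -j DROP
        "$IPT" -A BR100_FWD -i "$BR_NEW" -o "$BR_LAN" -j DROP
    else
        "$IPT" -A BR100_FWD -i "$BR_LAN" -o "$BR_NEW" -j ACCEPT
        "$IPT" -A BR100_FWD -i "$BR_NEW" -o "$BR_LAN" -j ACCEPT
    fi
    ensure_rule filter FORWARD -i "$BR_NEW" -j BR100_FWD
    ensure_rule filter FORWARD -o "$BR_NEW" -j BR100_FWD
}

# nat-start counterpart: one MASQUERADE for the new segment, never duplicated.
apply_br100_nat() {
    ensure_rule nat POSTROUTING -o "$WAN" -s "$NET_NEW" -j MASQUERADE
}

# Stand-in for iptables that prints each command; -C reports "not present" so the
# insert that would follow is shown as well.
dry_run_iptables() {
    echo "iptables $*"
    case " $* " in *" -C "*) return 1 ;; esac
    return 0
}

case "${1:-}" in
    apply)   apply_br100_firewall; apply_br100_nat ;;
    dry-run) IPT=dry_run_iptables; apply_br100_firewall; apply_br100_nat ;;
esac
```

Run it with `dry-run` to see the exact commands without touching the router, and with `apply` from firewall-start; `ISOLATE=1` switches the bridge-to-bridge fallback from ACCEPT to DROP without changing anything else. Because the two custom chains are appended to in reading order, the rule listing matches the script's order, which the original `-I` sequence (last inserted ends up first) does not.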
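The `ip route` output above has br0 on 192.168.0.0/22 (which spans 192.168.0.0 to 192.168.3.255) and br100 on 192.168.2.0/24, so the two connected prefixes overlap; a host given the /22 mask treats 192.168.2.x addresses as on-link rather than routed. The script below is an added check, not part of the thread: it reads `ip route` text and reports every pair of overlapping on-link prefixes. The sample input is constructed from the three numeric "scope link" lines posted above.

```sh
#!/bin/sh
# Added example, not part of the thread: flag connected (on-link) routes whose
# prefixes overlap. SAMPLE_ROUTES is constructed from the "scope link" lines
# posted in the thread; on the router you would pipe in the output of `ip route`.

SAMPLE_ROUTES='127.0.0.0/8 dev lo scope link
192.168.0.0/22 dev br0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev br100 proto kernel scope link src 192.168.2.1'

# Dotted quad -> 32-bit integer. Runs in a subshell so the IFS change stays local.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Netmask for a prefix length, as an integer (e.g. 24 -> 4294967040).
prefix_mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Exit 0 if two CIDR blocks share at least one address, 1 otherwise. Two blocks
# overlap exactly when they agree on the shorter of the two prefix lengths.
prefixes_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    len=$a_len
    [ "$b_len" -lt "$len" ] && len=$b_len
    m=$(prefix_mask "$len")
    [ $(( $(ip2int "$a_ip") & m )) -eq $(( $(ip2int "$b_ip") & m )) ]
}

# Read `ip route` text on stdin, keep the "scope link" routes that carry a /len,
# and print "dev1 prefix1 overlaps dev2 prefix2" for every overlapping pair.
find_overlaps() {
    set -- $(awk '/scope link/ && index($1, "/") > 0 { print $3 "=" $1 }')
    while [ $# -gt 1 ]; do
        first=$1; shift
        for other in "$@"; do
            if prefixes_overlap "${first#*=}" "${other#*=}"; then
                echo "${first%%=*} ${first#*=} overlaps ${other%%=*} ${other#*=}"
            fi
        done
    done
}

printf '%s\n' "$SAMPLE_ROUTES" | find_overlaps
```

On the sample it prints `br0 192.168.0.0/22 overlaps br100 192.168.2.0/24`; with the /24 mask on br0 (192.168.1.0/24) it prints nothing. `ip route | sh thisscript.sh` is not how it is wired; replace the final line with `find_overlaps` and pipe `ip route` into the script to check a live router.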
 
Please copy/paste your posts above into General Code boxes to make them much more readable. 🙂
 
Thanks. I'm not sure how to do that. %^(

I don't see a code box to drop them into.

Bash:
ok, I found it. Cheers!
Now I just need to figure out what language ASUS uses (Bash?)
 
