Menu
What's new
By:
Filters Better Search

Subnetting LAN isolation

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

P

Pixwert

New Around Here
Hi!

I've used subnetting to divide my LAN into 2 networks using the mask 255.255.255.128 and I wanted to use one subnet for my NAS and the other one for the rest of the devices in the house. The NAS should not be able to access any devices from the "home network" but all the devices from the "home network" should be able to access the NAS.

I have an ASUS RT-AC86U and got some inspiration from this other post: https://www.snbforums.com/threads/lan-port-isolation-on-asus-merlin-example.73704/ since it explains how to do something similar without having to use a vlan switch.

What I did works, but I'm not sure if I did it the right way, so I was wondering if someone could point out any issues with this approach.

This is what I did to make it work:

First network ID: 192.168.1.0/25
Second network ID: 192.168.1.128/25
NAS IP address: 192.168.1.150, default gateway: 192.168.1.129

Since my router can only have one IP address (which is in the first network), I created a bridge to use as the default gateway for the second network and set its IP address to 192.168.1.129 (not sure if there's a better way to create a "virtual" default gateway for a subnet). And then I forwarded all the packages from the "virtual default gateway" to the eth0 interface (WAN).

Bash: 
# Physical port to interface map for RT-AC86U:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1 (THIS IS WHERE THE NAS IS CONNECTED)
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Delete the interface with the NAS from br0 (the default bridge in the router)
brctl delif br0 eth4

# Create a new bridge br1 for the NAS
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth4
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br100
ifconfig br100 192.168.1.129 netmask 255.255.255.128
ifconfig br100 up

Then the firewall rules:

Bash: 
# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

# There's no need to add a rule to allow incoming traffic from the "home network" to my NAS network
# And I think it might be because one of the existing iptable rules in my router is the following:
# -A FORWARD -i br0 -j ACCEPT

# Allow packet forwarding between br100 and eth0 (WAN) to have internet in my NAS
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT

And that's it, with those commands, I get the following working:

- My NAS is isolated in a secondary network and it can't reach out to any other device in the house.
- My NAS has internet access.
- All of the devices in the primary network can access the NAS.
 
You should be able to do that in a firewall. Allow home devices to initiate access to the NAS which will allow a return response but not allow the NAS to initiate a request. It is easy to do in an ACL. I am not sure how your firewall works.
 
You must log in or register to reply here.

Similar threads

R
One router, two segments desired.
Replies
4
Views
454
Rombo
R
PaulA
Port isolation on RT-AX88U-Pro (router) w/ Merlin w/ Tagged internet ISP
Replies
1
Views
441
PaulA
PaulA
ToasterPC
OPNSense VLAN tagging with Merlin routers as AiMesh APs
Replies
0
Views
537
ToasterPC
ToasterPC
J
IPTables allow access to specific ports from tun21 to new bridge
Replies
5
Views
2K
eibgrad
eibgrad
T
RT-AX88U Vlan bridge/port questions
2
Replies
25
Views
2K
torchddv
T
Similar threads
Thread starter Title Forum Replies Date
J Kill Switch & Lan Interface Asuswrt-Merlin 0
M enable IPv4 over LAN Asuswrt-Merlin 11
A LAN - IPTV - what does it do, and how to reproduce it on other than asus devices? Asuswrt-Merlin 1
gil80 Auto Wake On Lan? Asuswrt-Merlin 10
C LAN > DHCP List - Manually Assigned Name + Icon DONT SAVE Asuswrt-Merlin 4
M OpenVPN clients cannot connect to LAN computers. Asuswrt-Merlin 0
G RESOLVED: Lost access to WebUI from LAN, SSH is working Asuswrt-Merlin 1
N Connecting an ax58u to a BT homehub 5, via a lan port, and not getting internet access. Asuswrt-Merlin 3
S VPN director and LAN traffic Asuswrt-Merlin 2
P Google TV on lan port drops connection Asuswrt-Merlin 5

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 793 (members: 28, guests: 765)
Top