How to block connections from one LAN IP to another LAN IP

miro

New Around Here
Hi all,

I'm trying to block (ssh) connections from one LAN IP: 192.168.2.6 to another LAN IP: 192.168.2.50 using iptables or ebtables, but so far no luck.

Here's what I tried so far:
Code:
ebtables -t broute -I BROUTING -p IPv4 --ip-proto tcp --ip-src 192.168.2.6 --ip-dport 22 --ip-dst 192.168.2.50 -j DROP
I tried all other chains as well (INPUT, OUTPUT, FORWARD, etc.), same result - I can still connect.
Then I did the same with the iptables - same result.
Then I enabled logging on every chain and I noticed that in the dmesg output, the destination IP is always the IP of the bridge, not the 192.168.2.50 ip address as I was expecting.
Example:
Code:
FWLOG IN= OUT=vlan1 MAC source = 08:62:66:8d:22:20 MAC dest = 00:09:34:2c:46:7f proto = 0x0800 IP SRC=192.168.2.1 IP DST=192.168.2.50, IP tos=0x00, IP proto=17 SPT=53 DPT=1203

So in the dmesg output I can see the communication between 192.168.2.6 and 192.168.2.1 and also between 192.168.2.1 and 192.168.2.50, but there is no log entry such as SRC=192.168.2.6 DST=192.168.2.50.

How can I block the connections? Is it even possible using the bridge?

My device is RT-AC66U.
My operation mode is Wireless router.
I'm running the latest firmware: 380.67
Router LAN IP (br0): 192.168.2.1
Router WAN IP (eth0): 192.168.1.2

Thanks.
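Added diagnostic, not from the thread or the router firmware: a small shell script that tabulates the SRC/DST address pairs in FWLOG lines of the format quoted above, so you can confirm whether a given host-to-host flow is ever handed to the router's netfilter hooks at all (if a pair never appears, no iptables/ebtables rule on the router can match it, because the switch forwards it without involving the CPU). The log lines inside it are constructed to mirror the quoted format; apart from the line copied from the post, the MAC addresses and ports are placeholders.

```shell
#!/bin/sh
# Added example: which SRC/DST pairs did the router's firewall logging see?
# Constructed sample in the thread's FWLOG format (second line is the quoted one;
# other MACs/ports are placeholders).
FWLOG_SAMPLE='FWLOG IN=br0 OUT= MAC source = 00:00:00:00:00:06 MAC dest = 00:00:00:00:00:01 proto = 0x0800 IP SRC=192.168.2.6 IP DST=192.168.2.1, IP tos=0x00, IP proto=17 SPT=1203 DPT=53
FWLOG IN= OUT=vlan1 MAC source = 08:62:66:8d:22:20 MAC dest = 00:09:34:2c:46:7f proto = 0x0800 IP SRC=192.168.2.1 IP DST=192.168.2.50, IP tos=0x00, IP proto=17 SPT=53 DPT=1203
FWLOG IN=br0 OUT= MAC source = 00:00:00:00:00:50 MAC dest = 00:00:00:00:00:01 proto = 0x0800 IP SRC=192.168.2.50 IP DST=192.168.2.1, IP tos=0x00, IP proto=6 SPT=40000 DPT=80
FWLOG IN= OUT=br0 MAC source = 00:00:00:00:00:01 MAC dest = 00:00:00:00:00:06 proto = 0x0800 IP SRC=192.168.2.1 IP DST=192.168.2.6, IP tos=0x00, IP proto=17 SPT=53 DPT=1203'

# pairs_seen: read log lines on stdin, print one "SRC DST COUNT" line per
# distinct address pair, sorted. Only lines carrying both SRC= and DST= count;
# the trailing comma after the DST value in this log format is stripped.
pairs_seen() {
  awk '{
    src = ""; dst = ""
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^SRC=/) src = substr($i, 5)
      if ($i ~ /^DST=/) { dst = substr($i, 5); sub(/,$/, "", dst) }
    }
    if (src != "" && dst != "") n[src " " dst]++
  }
  END { for (k in n) print k, n[k] }' | sort
}

# pair_logged SRC DST: exit 0 if the firewall ever logged a packet from SRC to
# DST in the sample, exit 1 otherwise.
pair_logged() {
  printf '%s\n' "$FWLOG_SAMPLE" | pairs_seen | grep -q "^$1 $2 "
}

# distinct_pairs: number of distinct SRC/DST pairs in the sample.
distinct_pairs() {
  printf '%s\n' "$FWLOG_SAMPLE" | pairs_seen | wc -l | tr -d ' '
}

# Stand-alone run: show the table, then check the pair the post was looking for.
printf '%s\n' "$FWLOG_SAMPLE" | pairs_seen
if pair_logged 192.168.2.6 192.168.2.50; then
  echo "192.168.2.6 -> 192.168.2.50 reached netfilter: a rule can match it"
else
  echo "192.168.2.6 -> 192.168.2.50 never reached the router CPU: no rule will match it"
fi
```

On the router itself, replace the sample with `dmesg | grep FWLOG | pairs_seen` to get the same table from live logging.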
 
Not possible unless you set up VLANs in different subnets.
Hmm. Am I actually doing something wrong/non-standard? I think that firewall functionality is one of the core functionalities of a router. Shouldn't this be provided out-of-the-box for the default "Wireless router" mode? Maybe the "Wireless router" mode shouldn't use a bridge, to make it possible?

I really don't want to create VLAN for every device in my network. I'm not even sure it's possible to create 10 or more VLANs....
 
Inter-LAN connections are handled by the switch in your combination router/switch/AP. Therefore iptables or other rules and scripts do not come into play. They only apply to LAN/WAN connections, which are handled by the router section.

If devices connect to your router/switch/AP using Wifi, have them connect to guest networks (six networks in a router with Merlin); you can then isolate them by turning access intranet off. I'm not aware of any way you can turn access intranet off for the LAN ports other than setting up VLANs.
 
Yes, I'm already using an isolated guest network for friends, but I'm worried that some hacker might hack my "non guest" wifi and gain access to the LAN.
I guess it's better to have a firewall on each device in the LAN instead, but some devices don't have a firewall/iptables, such as my "dreambox" satellite receiver.

How can I create a VLAN just for these "unsecure" devices and block access from my current LAN using ebtables/iptables?
 
With all the problems with little or no security on poorly designed IoT I wanted to isolate them from my primary network and as much as possible from each other. I did this by creating a double NAT setup.

My first router facing the Internet is an AC1900P. I have set up six guest networks (3 @ 2.4 GHz & 3 @ 5 GHz). My IoT wifi devices connect to this router and are spread among the six radios. Devices which will work over VPN are routed using VPN; however, my routing for them isn't strict, as if the VPN should go down while I am out of town I want to be able to connect to them.

Behind this router, in its own subnet, is another router running Tomato. It is set up with four subnets (primary and three VLANs). I have two LAN ports connected to the main DHCP range as well as the two primary radios. VLANs are connected to two of the LAN ports and four separate SSIDs. Administrative access from the WAN is disabled, and in addition only two IPs on my LAN have permission to access it, based on their IP. I also route most of the traffic on this router over another VPN client running on my VPN appliance.

This is how I isolate various users and classes of devices. Is it elegant? No, but it works. Is it overly complicated? Yes and no. It didn't require any scripts or iptables other than what can be done through the GUI. The downside of my setup is that it is a lot of hardware, but I enjoy working with networking gear. My APs broadcast a lot of SSIDs, but I don't have close neighbors, so the multiple SSIDs don't interfere with their networks.
 
Thank you for sharing your setup.
I think I will actually use something similar. Could you please tell me if the following setup will work?
1/ I will put another router (router B) before this group of unsecured wired IoT devices. They are all wired, so let's skip the wifi setup for now, to make things easier.
2/ This new router B will connect to the router A (my main router with Merlin), WAN to LAN, but there are two switches between them with other secured devices.

Untitled Diagram.png


Afterwards I want to:
1/ Disable access from the red section (Dreambox and TV) to every device in LAN. Just internet access.
2/ Disable access to the red section (Dreambox and TV) from every device in LAN.
3/ Allow access to the red section just from my laptop (192.168.2.6)
 
No, it isn't going to work to increase your isolation.

1. You need to connect the insecure devices that you do not want to be able to reach devices on your secure LAN to your Internet-facing router, which in your case is A.
2. Router B must be connected to Router A LAN - WAN.
3. Router B must be in its own subnet.
4. Switch A should connect to the WAN port on Router B.
5. Switch B may not be needed.

Reconfigure and submit another diagram. I will take a look at it later.
 
I don't want my NAS to be part of the "red" unsecured zone; that's why I left it out, and it will be connected to the switch instead of the router.
I guess I could create 2 VLANs in router B, one secure VLAN and another unsecure VLAN, but that's another topic.
Main question is this: if I put router B in its own subnet, such as 192.168.3.0/24, will I be able to connect to this subnet from my laptop from an IP such as 192.168.2.6? Even though there is a switch in between?
If yes, what should be the WAN IP of router B? Can it be 192.168.2.100?

Here's a simplified diagram: I'm interested in connection marked with green line, while other LAN connections should be rejected.

home-network (1).png
 
Because of the way (order of routers) you have things connected, it will be possible for any device in your red zone to see and connect to devices in the white zone. And conversely, devices in the white zone will be blocked from connecting to devices in the red zone.
 
OK, I think I understand now. My ADSL modem is actually a router with a modem, so I'm thinking about connecting the WAN port of router B to the ADSL router/modem.
This way the red unsecured section has access only to the internet and whatever is allowed in the NAT/firewall of router A.
In the same way, router A is only allowed to connect to ports allowed in the NAT/firewall of router B.
So I will not open any port in the NAT/firewall on router A, and I will only allow port 22 on router B, which will be NATed to the Dreambox (192.168.2.3).

BUT: I think the same can be achieved using VLANs, so I'm not gaining anything from this setup am I?

home-network (3).png
 