How to disable DMZ device to access Intranet


krwy0330

New Around Here
Hi:
I used a LAN port to connect the DMZ device and set the DMZ IP in the WebUI.
However, I don't want the DMZ device to access the internal network.

So I want to add the LAN port to the guest Wi-Fi network (br1), which is set to deny access to the intranet.

I run the command:
brctl delif br0 eth4 && brctl addif br1 eth4

But it does not work.
Thanks in advance to anyone who replies.

Markster

Senior Member
You don't need DMZ for that. If you need to set up a separate LAN on one of the physical ports, you can do the following:
Code:
#!/bin/sh

# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Delete those interfaces that we want to isolate from br0
brctl delif br0 eth1
brctl delif br0 eth2

# Create a new bridge br100 for the isolated interfaces
logger -t "br100" "services-start: creating br100 with LAN PORTS 3 & 4 (eth1-2)"
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth1
brctl addif br100 eth2
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br100
# Here we set the subnet to be 192.168.150.0/24
logger -t "br100" "services-start: setting up IPv4 address for br100"
ifconfig br100 192.168.150.1 netmask 255.255.255.0
ifconfig br100 up

Call this script from the /jffs/scripts/services-start script. This will create a separate LAN segment on ports 3 and 4 with the IP range 192.168.150.0/24.

Now, for the firewall rules

Code:
#!/bin/sh

# Make sure the script is indeed invoked
logger -t "br100" "firewall-start: applying fw rules for br100"

# Forbid packets from br100 to be forwarded to other interfaces
iptables -I FORWARD -i br100 -j DROP

# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
iptables -I FORWARD -i br0 -o br100 -j DROP

# Drop icmp ping requests to br100
iptables -A OUTPUT -d 192.168.150.1/24 -p icmp --icmp-type echo-request -j DROP

Create your own rules and call this script from /jffs/scripts/firewall-start.
You will end up with a completely isolated LAN segment without access to the WAN or other segments on your network.

krwy0330

New Around Here

[Add: I've found my problem, thanks @Markster]

I want the LAN segment to be able to access the WAN but not the other segments on my network.
I've tried to do something similar to yours.
Code:
# create a new linux bridge
brctl addbr br-dmz

# move lan1 to the new bridge
brctl delif br0 eth4
brctl addif br-dmz eth4
brctl stp br-dmz on

# make the new bridge work
ip link set br-dmz up
ip addr add 192.179.110.1/24 dev br-dmz   # <- I entered the wrong IP range, which caused my error

# mimic br1 to configure the iptables rules
iptables -A INPUT -i br-dmz -j DROP
iptables -A FORWARD -i br-dmz -o ppp0 -j ACCEPT


At the moment, I can find the DMZ device's MAC in br-dmz with the command "brctl showmacs br-dmz".
But the DMZ device can't access the internet.
I used tcpdump to capture packets.
There seems to be a problem with ARP.

Code:
09:05:08.055971 ARP, Request who-has 192.168.110.1 tell 192.168.110.161, length 46
09:05:09.055902 ARP, Request who-has 192.168.110.1 tell 192.168.110.161, length 46

Markster

Senior Member
If you want to have this new segment (br100 - 192.168.150.0/24) access the WAN, you need this included in /jffs/scripts/nat-start:

iptables -t nat -A POSTROUTING -o eth0 -s 192.168.150.0/24 -j MASQUERADE

krwy0330

New Around Here
This is my whole script (create_br_dmz.sh):
Code:
#!/bin/bash -e

#set -x

/jffs/scripts/clear_br_dmz.sh

DMZ_IP_RANGE="192.168.110.1/24"

# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio

# Create a new bridge br-dmz for the isolated interfaces
if ! ip link show br-dmz &> /dev/null
then
  brctl addbr br-dmz
fi
brctl stp br-dmz on # STP to prevent bridge loops
brctl setfd br-dmz 2 # STP Forward Delay 2 sec (Default: 15 sec)

# Set up the IPv4 address for br-dmz
ip link set br-dmz up
if ! ip addr show br-dmz | grep -wq ${DMZ_IP_RANGE}
then
  ip addr add ${DMZ_IP_RANGE} dev br-dmz
fi

for eth in "$@"   # each argument is a LAN interface to move into br-dmz
do
  if brctl show br0 | grep -wq $eth
  then
    brctl delif br0 $eth
  fi
  if ! brctl show br-dmz |grep -wq $eth
  then
    brctl addif br-dmz $eth
  fi
done

iptables -t filter -A INPUT -i br-dmz -j DROP
iptables -t filter -A FORWARD -i br-dmz -o ppp0 -j ACCEPT
iptables -t filter -A FORWARD -i br-dmz -o br0 -j DROP
#iptables -t nat -A POSTROUTING -o eth0 -s ${DMZ_IP_RANGE} -j MASQUERADE
iptables -t nat -A POSTROUTING -s ${DMZ_IP_RANGE} -d ${DMZ_IP_RANGE} -o br-dmz -j MASQUERADE


ip6tables -t filter -A INPUT -i br-dmz -m state --state NEW -j ACCEPT
ip6tables -t filter -A INPUT -i br-dmz -j DROP
ip6tables -t filter -A FORWARD -i br-dmz -o ppp0 -j ACCEPT
ip6tables -t filter -A FORWARD -i br-dmz -o br0 -j DROP

I run
Code:
create_br_dmz.sh eth1
to configure the DMZ and used tcpdump to capture packets.
I saw a lot of DNS requests and UDP packets without a response.
It seems that there are still some errors in my configuration.

krwy0330

New Around Here

OK, I resolved the problem!
Just change all -A to -I in the iptables scripts.
It works now!
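As an added example (not code from this thread or from Asuswrt-Merlin), here is a small Python evaluator for iptables -S style FORWARD rules that shows why the -A versus -I change resolved the problem: appended rules land behind the router's existing ACCEPT rules and can be shadowed, while inserted rules are evaluated first. The stock rules, the broad "-o br0 -j ACCEPT" rule and the addresses are constructed assumptions, not taken from a real router.

```python
"""Walk a FORWARD chain in order and return the verdict for a packet.
Only -i, -o, -s, -d, -j and the -P policy line are interpreted;
other matches (-m state, -p, ...) are ignored. Added example, not from the thread."""
import ipaddress

# Constructed approximation of rules already present on the router
STOCK = [
    "-P FORWARD DROP",
    "-A FORWARD -i br0 -o ppp0 -j ACCEPT",   # LAN to WAN
    "-A FORWARD -o br0 -j ACCEPT",           # constructed: broad accept into the LAN
]
# The isolation rules from the thread's create_br_dmz.sh
DMZ = [
    "-A FORWARD -i br-dmz -o ppp0 -j ACCEPT",
    "-A FORWARD -i br-dmz -o br0 -j DROP",
]

def parse(rule):
    """Turn one `iptables -S` line into (match dict, target)."""
    tok, m, target = rule.split(), {}, None
    for i, t in enumerate(tok):
        if t in ("-i", "-o"):
            m[t] = tok[i + 1]
        elif t in ("-s", "-d"):
            m[t] = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t == "-j":
            target = tok[i + 1]
    return m, target

def verdict(rules, in_if, out_if, src, dst):
    """First matching terminating rule decides; otherwise the chain policy."""
    policy = "ACCEPT"
    for r in rules:
        if r.startswith("-P "):
            policy = r.split()[2]
            continue
        m, target = parse(r)
        if m.get("-i", in_if) != in_if or m.get("-o", out_if) != out_if:
            continue
        if "-s" in m and ipaddress.ip_address(src) not in m["-s"]:
            continue
        if "-d" in m and ipaddress.ip_address(dst) not in m["-d"]:
            continue
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policy

def appended():   # chain after `iptables -A` for each DMZ rule: stock rules first
    return STOCK + DMZ

def inserted():   # chain after `iptables -I` for each DMZ rule: last inserted is on top
    return [STOCK[0]] + DMZ[::-1] + STOCK[1:]
```

With -A the DMZ-to-br0 packet hits the broad ACCEPT before the DROP; with -I the DROP comes first while DMZ-to-WAN traffic is still accepted.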

eleVator

Occasional Visitor
Great info, was looking for this!
Before I jump into uncharted territory and pray to the nvram-save gods, do you know if VPN Director would be able to route such a DMZ device?