How to segregate a game server?

[eastavin]

Hi. Have a person here interested in adding a homebrew Linux gaming server on the home network for a while to use with friends from their homes. I was hoping for some advice on how to segregate the gaming server from the rest of the current Lan and all its clients. Additionally I have a request to forward ports 80 and 443 to this gaming server. The plan is to use ethernet for the game server. Though a wifi card is available.

Internet from my local cable tv company ipv4 only. The current lan is run by a rt-ax86u with the latest Merlin FW. The ax86u offers current users an openVPN server, an attached ethernet NAS, a couple printers, has one guest wifi for lighting and a few D-Link cams, another guest wifi serves real people visiting this home with internet.

My question is what are the 1 or 2 easiest ways to accommodate this request but keep my current lan segregated and inaccessible to the average user of the gaming server coming in from the internet? I also have a spare rt-ac68u in the closet that could be used if needed for this endeavour.

I would greatly appreciate the input of this forum's members.

Edward

 

[ColinTaylor]

The simplest way if you want to connect the server by ethernet would be to use the RT-AC68U to create a separate network behind your main router and isolate it from that using the Network Services Filter. You would then have to forward the required ports from the RT-AX86U to the RT-AC68U and then onto the the server IP.

See this post: https://www.snbforums.com/threads/isolating-lan-from-clients-behind-second-router.88030/post-880559

 

[eastavin]

The simplest way if you want to connect the server by ethernet would be to use the RT-AC68U to create a separate network behind your main router and isolate it from that using the Network Services Filter. You would then have to forward the required ports from the RT-AX86U to the RT-AC68U and then onto the the server IP.

See this post: https://www.snbforums.com/threads/isolating-lan-from-clients-behind-second-router.88030/post-880559

This looks interesting. So I use the network service filter in my ax68u or the ac68u I hang off its LAN port? The link you sent me to has ax86u and string of 2 ac68u behind it in series so its not clear which one?

Do i have to fill any other boxes other than the ones shown in your link to accomplish this segregation? [I understand about the port forwarding on the ax86u]

 

[ColinTaylor]

So you connect one of the LAN ports on your current router (RT-AX86U) to the WAN port of the RT-AC68U. You setup the RT-AC68U as a normal router but with a different LAN subnet than your main router. You then configure the Network Services Filter as described on the RT-AC68U. That's it (apart from the port forwarding).

P.S. As you only want to connect one ethernet device to this new router you can disable the Wi-Fi on it.

 

[eastavin]

Hi Colin. Thank you for the reply. The internet is hooked to the RT-AX86u. The LAN ip address is 192.168.1.1 and the subnet mask shows 255.255.255.0 A lan port from it is connected to the wan port on the ac68u. that lan ip address is 192.168.2.1 and the subnet mask is the same. Everything is working at this stage. when I enter your instructions into the NSF set for DENY into the ac68u it says incorrect IP address... I have tried a variety 1.0/24, and variations like 2.0 1.1 2.1 always the same answer. Any idea where I am failing? Many thanks Edward

 

[rung]

Some versions of firmware don't accept CIDR notation. Have you tried destination of 192.168.1.*?

 

[ColinTaylor]

Hi Colin. Thank you for the reply. The internet is hooked to the RT-AX86u. The LAN ip address is 192.168.1.1 and the subnet mask shows 255.255.255.0 A lan port from it is connected to the wan port on the ac68u. that lan ip address is 192.168.2.1 and the subnet mask is the same. Everything is working at this stage. when I enter your instructions into the NSF set for DENY into the ac68u it says incorrect IP address... I have tried a variety 1.0/24, and variations like 2.0 1.1 2.1 always the same answer. Any idea where I am failing? Many thanks Edward

In your case you should be entering 192.168.1.0/24. If that doesn't work you could be suffering from a reported bug when using CIDR notation or you're using stock firmware. If it's the latter try using 192.168.1.* instead. What firmware version are you using?

EDIT: Merlin's 3004.388.5 contains a fix for a CIDR bug but I don't know whether that's applicable to the latest 386 release. https://www.snbforums.com/threads/asuswrt-merlin-3004-388-5-is-now-available.87874/

If all else fails and you're using Merlin's firmware on the RT-AC68U it would be very simple to create a custom firewall script that does the same thing as the Network Services Filter.

 

[eastavin]

In your case you should be entering 192.168.1.0/24. If that doesn't work you could be suffering from a reported bug when using CIDR notation or you're using stock firmware. If it's the latter try using 192.168.1.* instead. What firmware version are you using?

EDIT: Merlin's 3004.388.5 contains a fix for a CIDR bug but I don't know whether that's applicable to the latest 386 release. https://www.snbforums.com/threads/asuswrt-merlin-3004-388-5-is-now-available.87874/

If all else fails and you're using Merlin's firmware on the RT-AC68U it would be very simple to create a custom firewall script that does the same thing as the Network Services Filter.

I found the spare ac68u had the latest stock firmware on it. Appears to have a bug unfortunately. The address needs to be entered as 192.168.1.* and you have to also fill out the range. After that it allows you to add the filter. Unfortunately when you push apply it erases everything. So I am going to switch it to Merlin and try again.

 

[ColinTaylor]

I found the spare ac68u had the latest stock firmware on it. Appears to have a bug unfortunately. The address needs to be entered as 192.168.1.* and you have to also fill out the range. After that it allows you to add the filter. Unfortunately when you push apply it erases everything. So I am going to switch it to Merlin and try again.

That's a shame. If you have no luck using the GUI in Merlin, enable custom scripts instead and create a firewall-start script as follows:

#!/bin/sh
iptables -I FORWARD -d 192.168.1.0/24 -i br0 -o $1 -j DROP

 

[eastavin]

That's a shame. If you have no luck using the GUI in Merlin, enable custom scripts instead and create a firewall-start script as follows:

#!/bin/sh
iptables -I FORWARD -d 192.168.1.0/24 -i br0 -o $1 -j DROP

How would I negate this script afterwards if the time came? format JFFS?

 

[eastavin]

In your case you should be entering 192.168.1.0/24. If that doesn't work you could be suffering from a reported bug when using CIDR notation or you're using stock firmware. If it's the latter try using 192.168.1.* instead. What firmware version are you using?

EDIT: Merlin's 3004.388.5 contains a fix for a CIDR bug but I don't know whether that's applicable to the latest 386 release. https://www.snbforums.com/threads/asuswrt-merlin-3004-388-5-is-now-available.87874/

Hi Colin. So I finally switched to Merlin 386.12_4. Oddly it would not take for the longest time. I had to try it six times before it finally installed. I had to factory reset. Never had so many go arounds ever. After getting the basics in I immediately went to the NSF screen and put in 192.168.1.0/24 as you suggested for both tcp and udp.. and presto it worked right away. Thanks. Now your firewall script has my interest.

 

[ColinTaylor]

How would I negate this script afterwards if the time came? format JFFS?

Just delete the firewall-start script.

 

[eastavin]

In your case you should be entering 192.168.1.0/24. (...Into Network Services Filter)

Hi. If the above blocks access to my lan at 192.168.1.1 and anything else in 192.168.1.x is it correct to extrapolate that one would expand the block by entering the following into the NSF field. a) 192.168.0.0/16 and block 192.168.x.x or b) 192.0.0.0/8 and block 192.x.x.x or all of it with 0.0.0.0/0?? ... and still leave in/out internet traffic unaffected? Is there an unintended consequence of going with what i think is the more expansive block as in (b) or (c)?

Many thanks

Edward

 

[ColinTaylor]

Yes you can increase the range if you want to. As a general rule it's often best to keep such things as specific/narrow as necessary.

I suppose in this situation there's some value in blocking all private address ranges. Just in case you change your primary router's network. So that would be 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

You wouldn't block 192.0.0.0/8 though because that contains both private and public IP addresses. And yes you could block everything as well using 0.0.0.0/0.