Andorul
Occasional Visitor
LAN port isolation on ASUS RT-AX88U with Asuswrt-Merlin 384.16 stops working can anyone repair?
can't delete eth4 from br0: Operation not supportedadd bridge failed: Invalid argument
can't add eth4 to bridge br1: Operation not supported
(https://wu.renjie.im/blog/network/ax88u-vlan/)
by following the link above i manage to put Ethernet LAN1 in a separete VLAN/subnet xxx.xxx.100.xxx br1 for Phiilips Hue, while LAN 2 through LAN8 will be in xxx.xxx.50.xx br0
$cat /jffs/scripts/services-starttouch /tmp/000-services-start
# Physical port to interface map:
# eth0 WAN
# eth1 LAN 4
# eth2 LAN 3
# eth3 LAN 2
# eth4 LAN 1
# eth5 Bridge of LAN 5, LAN 6, LAN 7, LAN 8
# eth6 2.4 GHz Radio
# eth7 5 GHz Radio
# Delete those interfaces that we want to isolate from br0
logger -t "isolate_port" "services-start: deleting LAN 1 (eth4) from br0"
brctl delif br0 eth4
# Create a new bridge br1 for isolated interfaces
logger -t "isolate_port" "services-start: creating br1 with LAN 1 (eth4)"
brctl addbr br1
brctl stp br1 on # STP to prevent bridge loops
brctl addif br1 eth4
# Set up the IPv4 address for br1
# Here we set the subnet to be 192.168.100.0/24
# IPv6 link local address will be assigned automatically
logger -t "isolate_port" "services-start: setting up IPv4 address for br1"
ifconfig br1 192.168.100.1 netmask 255.255.255.0
ifconfig br1 allmulti up
logger -t "isolate_port" "services-start: all done"
date >> /tmp/000-services-start
$cat /jffs/scripts/nat-start
#!/bin/sh
# Make sure the script is indeed invoked
touch /tmp/000-nat-start
logger -t "isolate_port" "nat-start: applying POSTROUTING rules for br1"
# NAT inside 192.168.100.0/24 on br1
iptables -t nat -A POSTROUTING -s 192.168.100.100/24 -d 192.168.100.101/24 \
-o br1 -j MASQUERADE
logger -t "isolate_port" "nat-start: all done"
date >> /tmp/000-nat-start
$cat /jffs/scripts/firewall-start
#!/bin/sh# Make sure the script is indeed invoked
touch /tmp/000-firewall-start
logger -t "isolate_port" "firewall-start: applying INPUT rules for br1"
# Allow new incoming connections from br1
iptables -I INPUT -i br1 -m state --state NEW -j ACCEPT
ip6tables -I INPUT -i br1 -j ACCEPT # Same rule as br0 by default
ip6tables -I INPUT -i br1 -m state --state NEW -j ACCEPT
# Only forbid br1 access the web UI and SSH of the main router
iptables -I INPUT -i br1 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br1 -p tcp --dport 22 -j DROP
ip6tables -I INPUT -i br1 -p tcp --dport 80 -j DROP
ip6tables -I INPUT -i br1 -p tcp --dport 22 -j DROP
logger -t "isolate_port" "firewall-start: applying FORWARD rules for br1"
# Forbid packets from br1 to be forwarded to other interfaces
iptables -I FORWARD -i br1 -j DROP
ip6tables -I FORWARD -i br1 -j DROP
# But allow packet forwarding inside br1
iptables -I FORWARD -i br1 -o br1 -j ACCEPT
ip6tables -I FORWARD -i br1 -o br1 -j ACCEPT
# Allow packet forwarding between br1 and eth0 (WAN)
iptables -I FORWARD -i br1 -o eth0 -j ACCEPT
ip6tables -I FORWARD -i br1 -o eth0 -j ACCEPT
# Allow one-way traffic from br0 to br1
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state \
--state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I FORWARD -i br0 -o br1 -j ACCEPT
ip6tables -I FORWARD -i br1 -o br0 -m state \
--state RELATED,ESTABLISHED -j ACCEPT
logger -t "isolate_port" "firewall-start: all done"
date >> /tmp/000-firewall-start
$cat /jffs/configs/dnsmasq.conf.add
interface=br1# DHCPv4 range: 192.168.100.100 - 192.168.100.101, netmask: 255.255.255.0, lease time:86400s (1day)
dhcp-range=br1,192.168.100.100,192.168.100.101,255.255.255.0,86400s
dhcp-option=br1,3,192.168.100.1
Hope some one read this, since I don't know where to ask I made a 2 post in https://www.snbforums.com/threads/l...n1-ethernet-port-isolation-on-rt-ax88u.79011/
Last edited:
