noob question about setting up vlan, iptables etc

Martin - SNBuser

Regular Contributor
Hi all

I don't have too much experience with vlan and iptables, so please bear with me (I tried to search in the older posts, but found it difficult to find exactly the answers I've been thinking about). I'm running asuswrt-merlin on Asus RT-AC87U (with entware installed). First, I wish to understand and therefore I have some questions:

  1. When I change something in the webgui 192.168.1.1, the router automatically changes IPtables, right (e.g. add new wireless channel)? If I then log in with SSH and change iptables-routes, does the webgui get confused? When is it recommended to use the webgui and when is it a good idea to log in with ssh/telnet and manually modify iptables-rules?
  2. Why are there so many default iptables-rules? At least I don't completely understand them...
  3. When should I use commands such as robocfg and nvram? I'm a little confused about when it's advisable to use this instead of what can be done through the webgui...?
  4. Is there only 1 log-file for the iptables-rules or are there several log-files to look into?
  5. In addition to my RT-AC87U router which takes care of wireless clients, I have a managed switch for wired clients (but I haven't used the managed features yet, however I know it can also do something with VLANs). I'm very confused about VLANs, I mean: If I set up something about VLAN in the router should I then also make the same changes in the managed switch? This confuses me a lot...
Those were my warm-up questions (I hope I didn't lose you). Now, here's what I wish to accomplish in relation to VLANs (which I've never set up before, so please bear with me and maybe guide me in the right direction):
  • I wish to setup a VLAN for trusted MAC-addresses (we could maybe call this an administration VLAN). This VLAN should have access to my router at 192.168.1.1 - as the only VLAN - the other VLANs should not be able to access my router.
  • Then I wish to have a VLAN for known MAC-addresses where the connected devices should not be able to see each other, but just be able to connect to the internet through the router (it means if there's a security problem with one of the devices, it's not a problem as they have no access to any other machine).
  • Finally I wish to have a guest VLAN for unknown MAC-addresses ("guests"). These clients should be able to see each other but no machines on the other VLANs.
Could anyone please share some words about how to proceed with these tasks? I've read a lot about iptables lately, however it confuses me when I read about people doing a lot with e.g. robocfg and nvram commands - these commands I don't have any experience with.

Please point me in the right direction, thanks!
 
When I change something in the webgui 192.168.1.1, the router automatically changes IPtables, right (e.g. add new wireless channel)? If I then log in with SSH and change iptables-routes, does the webgui get confused? When is it recommended to use the webgui and when is it a good idea to log in with ssh/telnet and manually modify iptables-rules?
The web GUI reads NVRAM variables to populate its fields. Changes are written back to NVRAM (committed) when the user clicks Apply. At the same time, various services will need to be restarted to pick up the changes made to NVRAM.

Always use the GUI if at all possible, that is the supported way. If you make changes via the command line it is your responsibility to understand what you are doing. Any changes will only be temporary unless you a) modify existing NVRAM variables, or b) create a "user script" which reapplies your changes at boot (or when the service is restarted).
Why are there so many default iptables-rules? At least I don't completely understand them...
They're all there for a reason but to explain every conceivable rule in every conceivable configuration is beyond the scope of this forum.
When should I use commands such as robocfg and nvram? I'm a little confused about when it's advisable to use this instead of what can be done through the webgui...?
See answer above. robocfg is an unsupported function which varies from router model to router model. Use at your own risk. If you must use it, look in the forum for people with the same hardware that have used it.
Is there only 1 log-file for the iptables-rules or are there several log-files to look into?
There is syslog.
In addition to my RT-AC87U router which takes care of wireless clients, I have a managed switch for wired clients (but I haven't used the managed features yet, however I know it can also do something with VLANs). I'm very confused about VLANs, I mean: If I set up something about VLAN in the router should I then also make the same changes in the managed switch? This confuses me a lot...
The VLANs you see on the router are used internally to bridge/separate its internal interfaces (IPTV might be an exception?). They are not meant to be used outside the router (on your LAN).
 
The web GUI reads NVRAM variables to populate its fields. Changes are written back to NVRAM (committed) when the user clicks Apply. At the same time, various services will need to be restarted to pick up the changes made to NVRAM.
Ok, thank you. Then I (better) understand why it sometimes takes a while to "apply changes" - it's restarting services and reading NVRAM settings...
Always use the GUI if at all possible, that is the supported way. If you make changes via the command line it is your responsibility to understand what you are doing. Any changes will only be temporary unless you a) modify existing NVRAM variables, or b) create a "user script" which reapplies your changes at boot (or when the service is restarted).
Hmm. Ok. I wish to make something with VLAN and I think I cannot make it with the GUI, is that right? (I'll summarize my next challenge in the bottom of this reply)...
They're all there for a reason but to explain every conceivable rule in every conceivable configuration is beyond the scope of this forum.
Ok, understood. Thanks.
See answer above. robocfg is an unsupported function which varies from router model to router model. Use at your own risk. If you must use it, look in the forum for people with the same hardware that have used it.
That is understood, thanks.
There is syslog.
Thanks, I found syslog under /tmp and under /jffs (it's the same file, hardlinked I bet - although I cannot "stat", the sizes are exactly the same). Ok, I'll keep a close eye on this file when I begin to experiment, thanks a lot.
The VLANs you see on the router are used internally to bridge/separate its internal interfaces (IPTV might be an exception?). They are not meant to be used outside the router (on your LAN).
I think I have the option to set up VLANs on my router or on the managed switch. For my setup, I think I need to set it up on the router and maybe ignore that the managed switch can also do something with VLANs... Thanks...

My biggest challenge now is how to proceed with these tasks - how to get started (I understand many iptables commands, but am still not sure if I should just begin trying to setup additional iptables rules or if I should do something else e.g. with the GUI)?:
  • I wish to setup a VLAN for trusted MAC-addresses (we could maybe call this an administration VLAN). This VLAN should have access to my router at 192.168.1.1 - as the only VLAN - the other VLANs should not be able to access my router.
  • Then I wish to have a VLAN for known MAC-addresses where the connected devices should not be able to see each other, but just be able to connect to the internet through the router (it means if there's a security problem with one of the devices, it's not a problem as they have no access to any other machine).
  • Finally I wish to have a guest VLAN for unknown MAC-addresses ("guests"). These clients should be able to see each other but no machines on the other VLANs.
It cannot be made through the GUI, is that right? I think I need to do some manual stuff with iptables/NVRAM/robocfg, is this assumption right, anyone? Thank you very much Colin Taylor so far - your comments are highly appreciated! Thanks.
 
Hi all,

Ok, I'm trying to dig into this problem now, but there are many things I don't completely understand... This post http://www.snbforums.com/threads/wireless-and-vlans.28077/#post-216156 explains this (I wrote my comments/understanding to the right, you probably need to scroll right, sorry!):
Code:
eth0 is Ethernet WAN port
vlan1 is Ethernet LAN ports 1-4
eth1 is 2.4 GHz Wi-Fi
eth2 is 5.0 GHz Wi-Fi
wl0.1 is 2.4 GHz Guest#1 Wi-Fi
wl1.1 is 5.0 GHz Guest#1 Wi-Fi
wl0.2 is 2.4 GHz Guest#2 Wi-Fi
wl1.2 is 5.0 GHz Guest#2 Wi-Fi
wl0.3 is 2.4 GHz Guest#3 Wi-Fi
wl1.3 is 5.0 GHz Guest#3 Wi-Fi
I ran '# ip link show | grep -i ": "' on my RT-AC87U and received:
Code:
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT    <== loopback, ok
2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 32   <== bridge 0, what is the purpose of this?
3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 32   <== another bridge, what does this do and why is it here?
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000   <== Ethernet WAN, ok
6: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT   <== this should then be LAN ports 1-4, correct?
7: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT   <== is this guest VLAN or what is this?
8: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT   <== another bridge, what does it do?
10: vlan4000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT   <== what is VLAN4000 and why is it here? Should/can I use it?
11: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000   <== is this really 2.4 GHz WIFI? I would expect "wl"-...
12: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000   <== this should be wireless 2.4 GHz, correct?
Please comment on my comments to the right. I also have 5 GHz wireless + wireless guest enabled... Can anyone help me understand these a little, before I continue experimenting with robocfg and the scripts I've found in various places? Thanks for any comments...
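As an added illustration (not code from the thread or from asuswrt-merlin), the script below parses the `ip link show` lines quoted in the post above and tags each interface with its role and link state, using the naming convention from the quoted mapping (eth1/eth2 radios, wlX.Y guest SSIDs, vlanN@eth0 802.1Q sub-interfaces). The sample input is copied from the post; ifb devices are Intermediate Functional Block devices used as ingress-shaping redirect targets, not bridges.

```python
import re

# Constructed sample: the `ip link show | grep ": "` output quoted in the post.
SAMPLE = """\
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN mode DEFAULT
2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 32
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
6: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
7: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT
8: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT
10: vlan4000@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT
11: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
12: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
"""

# "<idx>: <name>[@<parent>]: <FLAG,FLAG,...> ..."
LINE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@(?P<parent>[^:\s]+))?:\s+<(?P<flags>[^>]*)>")

def classify(name, parent):
    """Role guess based on the interface naming used on this router model (assumption)."""
    if name == "lo":
        return "loopback"
    if name.startswith("ifb"):
        return "ifb: ingress-shaping redirect device (not a bridge)"
    if name.startswith("br"):
        return "bridge (br0 is the LAN bridge joining wired VLAN and Wi-Fi interfaces)"
    if parent is not None and name.startswith("vlan"):
        return f"802.1Q sub-interface, tag {name[4:]} on {parent}"
    if name == "eth0":
        return "physical port to the internal switch (carries the vlanN sub-interfaces)"
    if name in ("eth1", "eth2"):
        return "2.4 GHz radio" if name == "eth1" else "5 GHz radio"
    m = re.fullmatch(r"wl(\d)\.(\d+)", name)
    if m:
        return f"{'2.4' if m.group(1) == '0' else '5'} GHz guest SSID #{m.group(2)}"
    return "unknown"

def parse_ip_link(text):
    """Return {name: {parent, up, carrier, role}} for each `ip link` line."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = set(m.group("flags").split(","))
        result[m.group("name")] = {
            "parent": m.group("parent"),
            "up": "UP" in flags,             # administratively up
            "carrier": "LOWER_UP" in flags,  # link layer has carrier
            "role": classify(m.group("name"), m.group("parent")),
        }
    return result
```

Run it against the live output (`ip link show | grep ": "`) to see at a glance which VLAN sub-interfaces and guest SSIDs are actually up before touching robocfg.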
 
