I have followed the Two Segment LAN Isolation Tutorial without success. I believe I am simply configuring all the network pieces wrong.
I would actually like to have two LAN segments on the router without isolation (if there is a way to do this) and use a VLAN on the managed switch I have to isolate the segments.
I have enough network knowledge to shoot myself in the foot. I am just now trying to learn iptables.
I really need some help with this. I've spent hours and hours trying to figure this out and it seems to be beyond my technical knowledge.
I have an ASUS RT-AC86U running Merlin 386.12_4 (latest version).
I have a TL-SG116E managed switch with Ethernet cables to the AC86U.
My main segment is 192.168.1.0/24 (generally VPN routed) and I have a second segment for 192.168.2.0/24 (non-VPN going to WAN) such as cameras.
- My main laptop is 192.168.1.101 (I control everything from here)
- My BlueIris software laptop is 192.168.2.107 (I see all my cameras here)
- My AC86U router is 192.168.1.1 with subnet 255.255.252.0
- Tried both 255.255.252.0 and 255.255.255.0
I want to have two LAN segments with WAN connected on the 192.168.2.0/24 segment and VPN connected on the 192.168.1.0/24 segment.
When I reboot the router to try new settings both my Windows 10 laptops change to unidentified network/public with no internet access.
When I update the subnet mask on the Windows 10 devices from whatever it happens to be to the other (see above), they (most of the time) reconnect to the Internet.
- 255.255.255.0 to 255.255.252.0 and vice versa
This seems to indicate I am configuring my network wrong somewhere.
I am using NordVPN and most traffic is going through that.
I have tried to use a port-based VLAN and put TL-SG116E Port 2 in a VLAN to isolate 192.168.2.0/24.
Without the VLAN, I get
Jan 11 13:48:02 kernel: br100: received packet on eth3 with own address as source address
With the VLAN I no longer get that message but other things break.
I have a network cable running from Port 4 on the Router directly to my main laptop where I configure/run everything.
I have a network cable running from Port 2 to the TL-SG116E managed switch (port 2): 192.168.2.0/24.
I have a network cable running from Port 1 to the TL-SG116E managed switch (uplink/port 1): 192.168.1.0/24.
I have 6 Ethernet cables from various devices/managed & unmanaged switches to the TL-SG116E's other ports.
I have dozens of devices on my home network (phones, tablets, TV, cameras, ...)
Initially, I am trying to have two separate segments that can "see" each other (I will try to isolate them later).
I get different results. I run Amcrest Surveillance Pro on my main laptop (192.168.1.101).
- Depending on router/laptop subnet mask (I've tried 255.255.252.0 & 255.255.255.0) & my Asus scripts, I can see all my cameras on the 192.168.2.0/24 segment -or- not.
- I want to be able to see all cameras using software on:
  - my laptop (internet connected): Amcrest Surveillance Pro
  - my cellphone (BlueIris App & Amcrest App), both when I am on cellular data & when I am Wi-Fi connected
  - my BlueIris laptop when Internet connected
SCRIPTS
C:
NAT-START
#!/bin/sh
# Make sure the script is indeed invoked
logger -s "br100" "nat-start: applying POSTROUTING rules for br100"
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.2.0/24 -j MASQUERADE
SERVICES-START
#!/bin/sh
# Physical port to interface map for RT-AC86U:
# eth0 WAN
# eth1 LAN 4
# eth2 LAN 3
# eth3 LAN 2 PORT CONNECTED TO TL-SG116E Port 2
# eth4 LAN 1 PORT CONNECTED TO TL-SG116E Uplink Port 1
# eth5 2.4 GHz Radio
# eth6 5 GHz Radio
# Delete those interfaces that we want to isolate from br0
logger -s "isolate_port" "services-start: deleting LAN 2 (eth3) from br0"
brctl delif br0 eth3
# Create a new bridge br100 for isolated interfaces
logger -s "br100" "services-start: creating br100 with LAN PORTS 2 (eth3)"
brctl addbr br100
brctl stp br100 on # STP to prevent bridge loops
brctl addif br100 eth3
brctl setfd br100 2 # STP Forward Delay 2 sec (Default: 15 sec)
# Set up the IPv4 address for br100
# Here we set the subnet to be 192.168.2.0/24
logger -s "br100" "services-start: setting up IPv4 address for br100"
ifconfig br100 192.168.2.1 netmask 255.255.255.0
ifconfig br100 up
FIREWALL-START
#!/bin/sh
# Make sure the script is indeed invoked
logger -s "br100" "firewall-start: applying fw rules for br100"
# Drop all incoming traffic to br100
iptables -I INPUT -i br100 -j DROP
# Allow br100 access to various ports
iptables -I INPUT -i br100 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br100 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 5353 -j ACCEPT
iptables -I INPUT -i br100 -p udp --dport 5353 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 81 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 443 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8890 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8999 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8099 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8443 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 8554 -j ACCEPT
iptables -I INPUT -i br100 -p tcp --dport 44399 -j ACCEPT
# Allow established, related incoming connections from br100
iptables -I INPUT -i br100 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forbid packets from br100 to be forwarded to other interfaces
# iptables -I FORWARD -i br100 -j DROP <-- Future Lan Isolation?
# But allow packet forwarding inside br100
iptables -I FORWARD -i br100 -o br100 -j ACCEPT
# Allow packet forwarding between br100 and eth0 (WAN)
iptables -I FORWARD -i br100 -o eth0 -j ACCEPT
# temporarily allow connections between segments
iptables -I FORWARD -i br100 -o br0 -j ACCEPT
# Forbid packets from br0 to be forwarded to br100, isolating new br100 from default br0
# iptables -I FORWARD -i br0 -o br100 -j DROP <-- Future Lan Isolation?
# But allow one-way traffic from br0 to br100 only for restricted ports - Synology NAS and PLEX
iptables -I FORWARD -i br0 -o br100 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p udp --dport 5353 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 5353 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 81 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8443 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8890 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8999 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8099 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 8554 -j ACCEPT
iptables -I FORWARD -i br0 -o br100 -p tcp --dport 44399 -j ACCEPT
iptables -I FORWARD -i br100 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop ICMP ping requests from the router to the br100 subnet
iptables -A OUTPUT -d 192.168.2.0/24 -p icmp --icmp-type echo-request -j DROP
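As an added illustration (not part of the original post), the following Python models the first-hop decision the main laptop and the router make for each of the two subnet masks the post tries, using the addresses listed above. It assumes ordinary longest-prefix IPv4 routing with no extra host routes, and shows whether the laptop ARPs for the BlueIris laptop directly on its own segment (so the router's FORWARD rules are never consulted) or hands the packet to the router.

```python
import ipaddress

# Constructed from the addresses in the post: router 192.168.1.1 on br0 with the
# mask under test, br100 at 192.168.2.1/24 as set by services-start, main laptop
# 192.168.1.101 and BlueIris laptop 192.168.2.107.
ROUTER_BR0 = "192.168.1.1"
ROUTER_BR100 = "192.168.2.1/24"
MAIN_LAPTOP = "192.168.1.101"
BLUEIRIS_LAPTOP = "192.168.2.107"


def next_hop(src_ip, mask, dst_ip, gateway=ROUTER_BR0):
    """How a host with src_ip/mask reaches dst_ip.

    "on-link": the host ARPs for dst_ip on its own segment; the router's
    FORWARD chain never sees the packet.  "via <gateway>": the packet goes to
    the default gateway, i.e. into the router's bridge and its FORWARD rules.
    """
    host_net = ipaddress.ip_interface(f"{src_ip}/{mask}").network
    if ipaddress.ip_address(dst_ip) in host_net:
        return "on-link"
    return f"via {gateway}"


def router_egress(dst_ip, br0_mask):
    """Longest-prefix match over the router's two bridge addresses."""
    routes = {
        "br0": ipaddress.ip_interface(f"{ROUTER_BR0}/{br0_mask}").network,
        "br100": ipaddress.ip_interface(ROUTER_BR100).network,
    }
    dst = ipaddress.ip_address(dst_ip)
    matches = [(net.prefixlen, name) for name, net in routes.items() if dst in net]
    if not matches:
        return "eth0"  # nothing on-link: default route out of the WAN port
    return max(matches)[1]  # most specific prefix wins


def segment_report(br0_mask):
    """Both hops for main laptop -> BlueIris laptop under one br0 mask."""
    br0_net = ipaddress.ip_interface(f"{ROUTER_BR0}/{br0_mask}").network
    br100_net = ipaddress.ip_interface(ROUTER_BR100).network
    return {
        "laptop_first_hop": next_hop(MAIN_LAPTOP, br0_mask, BLUEIRIS_LAPTOP),
        "router_egress": router_egress(BLUEIRIS_LAPTOP, br0_mask),
        "subnets_overlap": br0_net.overlaps(br100_net),
    }


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.252.0"):
        print(mask, segment_report(mask))
```

With 255.255.255.0 the laptop sends camera traffic to the router, which forwards it out of br100; with 255.255.252.0 the laptop's own subnet already covers 192.168.2.0/24, so it ARPs directly and the FORWARD rules in firewall-start are bypassed for that path.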