Port Isolation (aka Private VLANs) to improve LAN security

Discussion in 'Asuswrt-Merlin' started by Denna, Aug 13, 2017.

  1. Denna

    Denna Senior Member

    Joined:
    Aug 4, 2016
    Messages:
    287
    I'm interested in isolating ports on the router so they can't communicate with each other.

    Below is an attempt to do so.
     
    Last edited: Sep 7, 2017
  2. Fitz Mutch

    Fitz Mutch Senior Member

    Joined:
    May 27, 2016
    Messages:
    349
    Location:
    Portsmouth
    Will there be any new bridge interfaces? What happens to the current bridge interface (br0)?
     
  3. Fitz Mutch

    Fitz Mutch Senior Member

    DNSMasq/DHCP will create the subnets, based on what interfaces? Each VLAN interface (vlan1.x) or bridge interface (brX)? I would try to figure out that piece first.
     
  4. Denna

    Denna Senior Member

    This solution is developing a bit at a time.

    -------------------------------------------------------------------------------------------------------------------------------
    NOTE:

    The Asus RT-AC88U has two switches.

    The Ethernet hardware ports 1-4 (what you connect your network cables to) are connected to the Broadcom switch. These ports can be isolated with VLANs with the robocfg tool. The Ethernet hardware ports 5-8 are connected to the Realtek RTL8365MB switch. As of the date of this post, there is no utility to manage VLANs on these ports. The table below shows how Ethernet hardware ports are mapped to the ports reported by "robocfg".

    Code:
    Hardware port    Robocfg port
    -------------    ------------
    Port 1           Port 3
    Port 2           Port 2
    Port 3           Port 1
    Port 4           Port 0
    Port 5           Port 5
    Port 6           Port 5
    Port 7           Port 5
    Port 8           Port 5
    WAN              Port 4
    
    As a result, port isolation occurs between Ethernet hardware ports 1, 2, 3, 4 and possibly 5-8 as a group.

    In this procedure, only Ethernet hardware ports 1-4 are configured for isolation.

    The Ethernet hardware ports, switch ports, VLAN names and VLAN IDs are mapped as follows:
    Code:
    Hardware port    Switch port   VLAN name   VLAN ID
    -------------    -----------   ---------   -------
    Port 1           Port 3        eth1.1      10
    Port 2           Port 2        eth1.2      20
    Port 3           Port 1        eth1.3      30
    Port 4           Port 0        eth1.4      40
    
    -------------------------------------------------------------------------------------------------------------------------------
    Step 1 - Create environmental variables used by the scripts below

    Add the following to the /jffs/configs/profile.add file. If necessary, modify the paths for the executables.
    Code:
    export EBTABLES="/usr/sbin/ebtables"
    export IPSET="/usr/sbin/ipset"
    export IPTABLES="/usr/sbin/iptables"
    
    #Specify the names for each physical port that will have a private VLAN.
    export PRIV_VLAN="eth1.1 eth1.2 eth1.3 eth1.4"
    
    export ROBOCFG="/usr/sbin/robocfg"
    
    #Get the router's CIDR network address.
    export ROUTER_NET=$(/usr/sbin/ip route|/bin/grep br0|/usr/bin/cut -d' ' -f1)
    
    #Specify the switch ports to map, in order, to the hardware ports.
    export SWITCH_PORT="3 2 1 0"
    
    #Specify a VLAN ID for each private VLAN
    export VLAN_ID="10 20 30 40"
    
    Step 2 - Set up the script that will configure port isolation.

    NOTE: If the "bridge" command is not available, you can install the Entware-NG version with "opkg install ip-bridge".

    a) Create a file called /jffs/scripts/priv_vlans.sh

    b) From the /jffs/scripts directory, run "chmod +x priv_vlans.sh".

    c) Add the commands below to the "priv_vlans.sh" script.

    d) Call this script from the "wan-start" script.
    Code:
    #!/bin/sh
    
    #Load the variables from Step 1. profile.add is only read by interactive
    #shells, so a script started from wan-start has to source it itself.
    . /jffs/configs/profile.add
    
    create_vlan_links()
    {
    set $VLAN_ID
    for i in $PRIV_VLAN; do
    
       #Create unique VLANs for each Ethernet LAN port.
       ip link add link eth1 name $i type vlan id $1
    
       #Assign a unique, private network to each VLAN.
       ip addr add 192.168.$1.1/24 brd 192.168.$1.255 dev $i
    
       #Assign MAC addresses to the VLANs.
       ip link set dev $i address 00:00:00:00:00:$1
    
       #Activate the links.
       ip link set dev $i up
    
       #Add the private VLAN interfaces to the br0 bridge
       ip link set $i master br0
       shift
    done
    }
    create_vlan_links
    
    assign_switch_ports()
    {
    set $SWITCH_PORT
    for i in $VLAN_ID; do
    
       #Assign each Ethernet port to its private VLAN.
       $ROBOCFG vlan "$i" ports "$1 8t"
    
       shift
    done
    }
    assign_switch_ports
    
    #Reconfigure VLAN1 to consist of ports 5, 7 and 8.
    #Switch port 3 (hardware port 1) now belongs to VLAN 10, so it is no longer listed here.
    $ROBOCFG vlan 1 ports "5u 7 8t"
    
    -------------------------------------------------------------------------------------------------------------------------------

    Step 3 - Configure DHCP to support each isolated port's different networks

    Add the following to the /jffs/scripts/dnsmasq.postconf file.

    Code:
    #!/bin/sh
    
    #Load the variables from Step 1 (profile.add is not read by non-interactive shells).
    . /jffs/configs/profile.add
    
    CONFIG="$1"
    
    #Append an interface/dhcp-range/gateway/DNS block to the dnsmasq config for each private VLAN.
    add_dhcp_subnets()
    {
    set $VLAN_ID
    for i in $PRIV_VLAN; do
    cat <<EOF >>"$CONFIG"
    interface=$i
    dhcp-range=$i,192.168.$1.2,192.168.$1.254,255.255.255.0,8h
    dhcp-option=$i,3,192.168.$1.1
    dhcp-option=$i,6,208.67.222.222,208.67.220.220
    EOF
    shift
    done
    }
    add_dhcp_subnets
    
    -------------------------------------------------------------------------------------------------------------------------------
    These steps are not ready yet.

    Update your firewall script to block communication between private VLANs with the rules below. These rules should be placed before your general ACCEPT rules.

    Step 4 - Create rules to unbridge the Ethernet frames and block traffic between the private VLANs.
    Code:
    #Block unbridged frames
    $EBTABLES -I FORWARD -i eth1.+ -o ! eth0 -j DROP
    $EBTABLES -I FORWARD -i ! eth0 -o eth1.+ -j DROP
    
    Step 10 - Create iptables rules that manage communication between VLANs
    Code:
    #Allow all VLANs to communicate with vlan2 (WAN)
    $IPTABLES -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
    $IPTABLES -I FORWARD -i vlan2 -o vlan+ -j ACCEPT
    
    #Block communication between all private VLANs.
    $IPTABLES -I FORWARD -i vlan+ ! -o vlan2 -j DROP
    $IPTABLES -I FORWARD ! -i vlan2 -o vlan+ -j DROP
    
    #Block communication between the different private networks.
    #VLAN_ID is a space-separated string (not a bash array) and the firewall
    #script runs under busybox sh, so only POSIX constructs are used here.
    for i in $VLAN_ID; do
       srcvar="192.168.$i.0/24"
       dstvar=""
          for j in $VLAN_ID; do
             [ "$i" = "$j" ] && continue
             dstvar="${dstvar}192.168.$j.0/24,"
          done
       dstvar="${dstvar%,}"
       #iptables expands a comma-separated -d list into one rule per destination.
       $IPTABLES -I FORWARD -s "$srcvar" -d "$dstvar" -j DROP
    done
    
    Step 10a (optional) - Block private networks from accessing router through management protocols with an ipset.
    Code:
    #Create an ipset called BLOCKPRIV
    $IPSET create BLOCKPRIV hash:ip netmask 24
    
    #Add private networks 192.168.<20-80>.0/24 to BLOCKPRIV ipset. The "10" network is allowed to access the router.
    $IPSET add BLOCKPRIV 192.168.20.0/24
    $IPSET add BLOCKPRIV 192.168.30.0/24
    $IPSET add BLOCKPRIV 192.168.40.0/24
    
    #Block members of BLOCKPRIV ipset from accessing router via management protocols.
    #Traffic addressed to the router itself goes through INPUT, not FORWARD,
    #and the multiport match requires "-p tcp".
    $IPTABLES -I INPUT -d 192.168.1.1 -p tcp -m multiport --dports 22,80,443 -m set --set BLOCKPRIV src -j DROP
    
    -------------------------------------------------------------------------------------------------------------------------------

    Step 11 - Determine if there is communication between the private VLANs.

    Connect a host to Ethernet hardware Port 1 and use the "arp" command to determine if the other ports' private VLAN IP addresses can be found. Repeat this process for each Ethernet hardware port.

    For example, on a Windows PC, issue the following commands:
    Code:
    arp -d
    arp -a 192.168.10.1
    arp -a 192.168.20.1
    arp -a 192.168.30.1
    arp -a 192.168.40.1
    arp -a 192.168.50.1
    
    If the IP address of another port's private VLAN cannot be found, the command will return a message like "No ARP Entries Found". This is the desired result.

    If the IP address of another port's private VLAN can be found, the command will return its IP and MAC address. You should get this result if you arp the private VLAN's IP address of the Ethernet hardware port you are connected to.

    Questions


    1) Is NAT affected by port isolation?

    2) How is routing affected by port isolation?
     
    Last edited: Sep 6, 2017
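    Added example, not part of the post above and not Asuswrt-Merlin code: a dry-run generator in POSIX sh (the busybox shell the router scripts run under) that prints the Step 3 dnsmasq fragment and the Step 10 inter-VLAN DROP rules from the Step 1 lists, after checking that PRIV_VLAN and VLAN_ID have the same number of entries (a mismatch would make the "shift" loops drift out of step). PRIV_VLAN, VLAN_ID and the DNS servers are constructed sample values copied from the post; the function names are mine. Nothing is applied to the router; the output is meant to be read before any of it is run.

```shell
#!/bin/sh
# Added example (not from the original post): dry-run generator for the
# per-VLAN dnsmasq fragment and the inter-VLAN DROP rules, written in POSIX sh
# (busybox ash on the router) instead of the bash-only array loop.
# Nothing is executed here; the commands are printed for review.

# Constructed sample values mirroring the post's Step 1 environment.
PRIV_VLAN="eth1.1 eth1.2 eth1.3 eth1.4"
VLAN_ID="10 20 30 40"
DNS_SERVERS="208.67.222.222,208.67.220.220"

# Succeed when two space-separated lists have the same number of items.
same_count() {
    first=$1
    second=$2
    set -- $first
    a=$#
    set -- $second
    [ "$a" -eq "$#" ]
}

# Emit the dnsmasq lines for one interface / VLAN-ID pair.
dhcp_fragment() {
    iface=$1
    id=$2
    printf 'interface=%s\n' "$iface"
    printf 'dhcp-range=%s,192.168.%s.2,192.168.%s.254,255.255.255.0,8h\n' "$iface" "$id" "$id"
    printf 'dhcp-option=%s,3,192.168.%s.1\n' "$iface" "$id"
    printf 'dhcp-option=%s,6,%s\n' "$iface" "$DNS_SERVERS"
}

# Walk PRIV_VLAN and VLAN_ID in lockstep, refusing to run if they differ in length.
all_dhcp_fragments() {
    same_count "$PRIV_VLAN" "$VLAN_ID" || { echo "PRIV_VLAN and VLAN_ID differ in length" >&2; return 1; }
    set -- $VLAN_ID
    for i in $PRIV_VLAN; do
        dhcp_fragment "$i" "$1"
        shift
    done
}

# Build the comma-separated list of every private network except the one for $1.
other_networks() {
    out=""
    for j in $VLAN_ID; do
        [ "$j" = "$1" ] && continue
        out="${out}192.168.$j.0/24,"
    done
    printf '%s' "${out%,}"
}

# Print one DROP rule per private network; iptables expands the comma list
# given to -d into one rule per destination.
inter_vlan_drop_rules() {
    for i in $VLAN_ID; do
        printf 'iptables -I FORWARD -s 192.168.%s.0/24 -d %s -j DROP\n' "$i" "$(other_networks "$i")"
    done
}

# Usage: print both sets of lines for inspection.
all_dhcp_fragments
inter_vlan_drop_rules
```

    Pipe the dnsmasq part into the config file and feed the iptables part to the firewall script only once the printed lines match the networks you expect; the length check is what catches a VLAN ID added to one list but not the other.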
  5. Fitz Mutch

    Fitz Mutch Senior Member

    In AsusWRT, netfilter/iptables only sees the bridge interface (br0), not the physical interfaces (vlanX). If you want to filter on the specific vlans, then you need ebtables brouting rules, then you can filter on the physical interfaces (vlanX). Or, have a separate bridge interface (br0, br1, br2, etc.) for each Ethernet port. That's about all I know for this stuff.

    The following rules probably wouldn't do anything... unless you had corresponding ebtables brouting rules to unbridge the frames.
    Code:
    #Block communication between all private VLANs.
    iptables -I FORWARD -i vlan+ ! -o vlan2 -j DROP
    iptables -I FORWARD ! -i vlan2 -o vlan+ -j DROP
    
    #Allow all private VLANs to communicate with vlan2.
    iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
    iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT
    
    


    How to configure Dnsmasq for each subnet?

    /jffs/scripts/dnsmasq.postconf
    Code:
    #!/bin/sh
    for N in 1 2 3 4 5 6 7 8; do
    cat <<EOF >>"$1"
    ### configure DHCP subnet for Ethernet port ${N}?
    interface=Eth_Port_${N}
    dhcp-range=Eth_Port_${N},192.168.${N}0.2,192.168.${N}0.254,255.255.255.0,8h
    dhcp-option=Eth_Port_${N},3,192.168.${N}0.1
    dhcp-option=Eth_Port_${N},6,8.8.8.8,8.8.4.4
    EOF
    done
    
    
     
  6. Jack Yaz

    Jack Yaz Very Senior Member

    Joined:
    Apr 20, 2017
    Messages:
    562
    Some VLAN IDs are already in use; better to start higher, at say 1000, to avoid conflicts, I think.
     
  7. Fitz Mutch

    Fitz Mutch Senior Member

    Here's what I found while doing a quick check of AsusWRT. Probably want to avoid stepping on reserved or known packet marks... these are marks that would "bit XOR modify" other marks that are currently in use by the firmware.

    Asus uses packet marks for guest network QoS, which has not been finalized yet? Try to figure out which packet marks are reserved by following the source code. It's probably not documented anywhere.
    https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/qos.c#L1434
    AND
    https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-22#post-229680

    Merlin NAT loopback marks the packets too
    https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/firewall.c#L4334
     
    Last edited: Aug 16, 2017
  8. Fitz Mutch

    Fitz Mutch Senior Member

    Code:
    0000000001111111 = 0x007F = 127    ASUS QoS and bandwidth limiter
    0000000010000000 = 0x0080 = 128    (ISIS) Ethernet Port 1
    0000000100000000 = 0x0100 = 256    (ISIS) Ethernet Port 2
    0000001000000000 = 0x0200 = 512    (ISIS) Ethernet Port 3
    0000010000000000 = 0x0400 = 1024   (ISIS) Ethernet Port 4
    0000100000000000 = 0x0800 = 2048   (ISIS) Ethernet Port 5
    0001000000000000 = 0x1000 = 4096   (ISIS) Ethernet Port 6
    0010000000000000 = 0x2000 = 8192   (ISIS) Ethernet Port 7
    0100000000000000 = 0x4000 = 16384  (ISIS) Ethernet Port 8
    1000000000000000 = 0x8000 = 32768  Merlin NAT Loopback
    
    
     
    Last edited: Aug 16, 2017
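    Added example, not part of the post above and not firmware code: a small POSIX sh check that takes the mark bits listed in the table, ORs them into one reserved mask, tests whether a candidate fwmark overlaps it, finds the lowest free single bit, and prints the value/mask form that leaves the firmware's bits untouched. The three mask constants are taken from the table; the function names and the 32-bit search limit are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check a candidate fwmark value
# against the bits the table above lists as in use, so a new MARK rule does not
# flip bits that the firmware's QoS, per-port or NAT-loopback rules depend on.
# Plain POSIX sh arithmetic; the reserved values come from the table.

MARK_ASUS_QOS=0x007F         # ASUS QoS and bandwidth limiter (bits 0-6)
MARK_ISIS_PORTS=0x7F80       # Ethernet ports 1-8, one bit each (bits 7-14)
MARK_MERLIN_LOOPBACK=0x8000  # Merlin NAT loopback (bit 15)

# Union of everything the firmware is known to use.
RESERVED=$(( MARK_ASUS_QOS | MARK_ISIS_PORTS | MARK_MERLIN_LOOPBACK ))

# Succeed when the candidate mark shares no bit with the reserved mask.
mark_is_free() {
    [ $(( $1 & RESERVED )) -eq 0 ]
}

# Print the lowest single-bit mark below 2^32 that is not reserved, as hex.
lowest_free_mark() {
    i=0
    while [ "$i" -lt 32 ]; do
        bit=$(( 1 << i ))
        if mark_is_free "$bit"; then
            printf '0x%x\n' "$bit"
            return 0
        fi
        i=$(( i + 1 ))
    done
    return 1
}

# Print the value/mask argument that changes only the candidate's own bit,
# the form --set-xmark takes when the other mark bits must be left intact.
mark_mask_arg() {
    printf '0x%x/0x%x\n' "$(( $1 ))" "$(( $1 ))"
}

# Usage: report the first free bit and the mask form to use with it.
free=$(lowest_free_mark)
echo "lowest free mark: $free  (use --set-xmark $(mark_mask_arg "$free"))"
```

    With the table as given, every bit from 0 to 15 is taken, so the first free single-bit mark is 0x10000; a rule that sets it as 0x10000/0x10000 only touches that bit, whereas a plain --set-mark would overwrite the QoS and port bits as well.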
  9. Fitz Mutch

    Fitz Mutch Senior Member

    All these questions you have can be answered by reading the AsusWRT source code.
     
  10. Fitz Mutch

    Fitz Mutch Senior Member

    I am sorry, I don't remember writing that. It seems he was just explaining how it works. It was probably my brother Jon.
     