Port Isolation


Denna

Senior Member
I'm interested in isolating ports on the router so they can't communicate with each other.

Below is an attempt to do so.
 
Will there be any new bridge interfaces? What happens to the current bridge interface (br0)?
 
If the "br0" interface was updated to use each Ethernet port's unique VLAN interface, wouldn't that work?
DNSMasq/DHCP will create the subnets, based on what interfaces? Each VLAN interface (vlan1.x) or bridge interface (brX)? I would try to figure out that piece first.
 
This will take a bit of time.
 
@Fitz Mutch,

This solution is developing a little bit at a time.
In AsusWRT, netfilter/iptables only sees the bridge interface (br0), not the physical interfaces (vlanX). If you want to filter on the specific vlans, then you need ebtables brouting rules, then you can filter on the physical interfaces (vlanX). Or, have a separate bridge interface (br0, br1, br2, etc.) for each Ethernet port. That's about all I know for this stuff.

The following rules probably wouldn't do anything... unless you had corresponding ebtables brouting rules to unbridge the frames.
Code:
#Block communication between all private VLANs.
iptables -I FORWARD -i vlan+ ! -o vlan2 -j DROP
iptables -I FORWARD ! -i vlan2 -o vlan+ -j DROP

#Allow all private VLANs to communicate with vlan2.
iptables -I FORWARD -i vlan+ -o vlan2 -j ACCEPT
iptables -I FORWARD -i vlan2 -o vlan+ -j ACCEPT



How to configure Dnsmasq for each subnet?

/jffs/scripts/dnsmasq.postconf
Code:
#!/bin/sh
# dnsmasq.postconf hook: $1 is the path of the generated dnsmasq config file,
# so the block below is appended to it for each of the eight Ethernet ports.
# Eth_Port_${N} is a placeholder for whatever interface name each port ends up with.
for N in 1 2 3 4 5 6 7 8; do
cat <<EOF >>"$1"
### configure DHCP subnet for Ethernet port ${N}?
interface=Eth_Port_${N}
dhcp-range=Eth_Port_${N},192.168.${N}0.2,192.168.${N}0.254,255.255.255.0,8h
dhcp-option=Eth_Port_${N},3,192.168.${N}0.1
dhcp-option=Eth_Port_${N},6,8.8.8.8,8.8.4.4
EOF
done
 
Some VLAN IDs are already in use; it's better to start higher, at say 1000, to avoid conflicts, I think.
 
How about this?
Here's what I found while doing a quick check of AsusWRT. Probably want to avoid stepping on reserved or known packet marks... these are marks that would "bit XOR modify" other marks that are currently in use by the firmware.

Asus uses packet marks for guest network QoS, which has not been finalized yet? Try to figure out which packet marks are reserved by following the source code. It's probably not documented anywhere.
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/qos.c#L1434
AND
https://www.snbforums.com/threads/selective-routing-with-asuswrt-merlin.9311/page-22#post-229680

Merlin NAT loopback marks the packets too
https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/rc/firewall.c#L4334
 
How could you come up with a unique packet mark?
Code:
0000000001111111 = 0x007F = 127    ASUS QoS and bandwidth limiter
0000000010000000 = 0x0080 = 128    (ISIS) Ethernet Port 1
0000000100000000 = 0x0100 = 256    (ISIS) Ethernet Port 2
0000001000000000 = 0x0200 = 512    (ISIS) Ethernet Port 3
0000010000000000 = 0x0400 = 1024   (ISIS) Ethernet Port 4
0000100000000000 = 0x0800 = 2048   (ISIS) Ethernet Port 5
0001000000000000 = 0x1000 = 4096   (ISIS) Ethernet Port 6
0010000000000000 = 0x2000 = 8192   (ISIS) Ethernet Port 7
0100000000000000 = 0x4000 = 16384  (ISIS) Ethernet Port 8
1000000000000000 = 0x8000 = 32768  Merlin NAT Loopback
 
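The mark layout above, turned into a small sh helper (an added example, not code from this thread or from the firmware): it derives each port's bit, checks it against the QoS and NAT-loopback masks listed in the thread, and emits `--set-xmark value/mask` so a rule only touches its own bit instead of rewriting or XOR-ing the whole mark. The function names and the check are mine; the mask values are the thread's and are not verified against any particular firmware version.

```shell
#!/bin/sh
# Added example: allocate one mark bit per Ethernet port without colliding
# with marks the thread reports as already used, and build iptables MARK
# arguments that only modify that bit. Mask values are the ones this thread
# lists (assumption: they are correct for the firmware in question).

QOS_MASK=0x007F        # ASUS QoS / bandwidth limiter (bits 0-6)
LOOPBACK_MASK=0x8000   # Merlin NAT loopback (bit 15)
RESERVED=$(( $QOS_MASK | $LOOPBACK_MASK ))

# port_mark N -> hex mark bit for Ethernet port N (1..8): 0x0080 shifted left by N-1
port_mark() {
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 8 ] || return 1
    printf '0x%04x\n' $(( 0x0080 << ($1 - 1) ))
}

# mark_is_free MARK -> succeeds if MARK shares no bits with the reserved masks
mark_is_free() {
    [ $(( $1 & $RESERVED )) -eq 0 ]
}

# mark_rule N -> iptables arguments that set port N's bit and leave every other
# bit (QoS, loopback) untouched. --set-xmark value/mask rewrites only the bits
# in mask; --set-mark would overwrite the whole 32-bit mark.
mark_rule() {
    m=$(port_mark "$1") || return 1
    mark_is_free "$m" || return 1
    printf '%s %s/%s\n' '-j MARK --set-xmark' "$m" "$m"
}

# check_all -> fails if any port bit is reserved or if two ports share a bit;
# on success prints the union of all eight port bits.
check_all() {
    acc=0
    for n in 1 2 3 4 5 6 7 8; do
        m=$(port_mark "$n") || return 1
        mark_is_free "$m" || return 1
        [ $(( acc & $m )) -eq 0 ] || return 1
        acc=$(( acc | $m ))
    done
    printf '0x%04x\n' "$acc"
}
```

Run `check_all` once after editing the mask table; a non-zero exit means the chosen layout overlaps a reserved mark and must be moved before any rule uses it.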
Just read your post at ...
I am sorry, I don't remember writing that. It seems he was just explaining how it works. It was probably my brother Jon.
 
