
traffic across vlans for ip cams and iot devices

Discussion in 'Asuswrt-Merlin' started by Chewbacca, May 17, 2018.

  1. Chewbacca

    Chewbacca New Around Here

    Joined:
    May 16, 2018
    Messages:
    3
    Hi Guys,

    I'm a regular visitor on this forum and a user of Merlin for a few years now. I usually poke around until I get it right, but I've been stuck on this for so long (2 months) that I decided to ask for your much-needed help.

    Router: AC88U

    My goal is to have 4 VLANs, as follows:
    1 - private - 10.10.1.0/24
    12 - guests - 10.10.2.0/24 - completely isolated
    20 - IoT devices - 10.10.3.0/24 - can access the WAN and each other, but nothing else
    30 - cams - 10.10.4.0/24 - can NOT access the WAN, but can access the NAS on the private subnet; also allow a specific PC from private to connect to the cams

    There is also a VPN involved to backup-sync my NAS to a remote location, but let's keep it as simple as possible for now.

    This was my initial script. With it, all connections on ports other than those in vlan1 just got isolated guest access (the network name also shows up as the guest network).

    Code:
    #!/bin/sh
    #if vlan20 does not exist, run script
    robocfg show | grep -i vlan20 > /dev/null 2>&1 || \
    (
    sleep 4
    #setup vlans and bridges with subnets
    robocfg vlan 1 ports "0 5 7 8t"
    robocfg vlan 12 ports "1 8t"
    robocfg vlan 20 ports "2 8t"
    robocfg vlan 30 ports "3 8t"
    vconfig add eth0 12
    vconfig add eth0 20
    vconfig add eth0 30
    ifconfig vlan12 up
    ifconfig vlan20 up
    ifconfig vlan30 up
    brctl addbr br1
    brctl addbr br2
    brctl addbr br3
    brctl stp br1 on
    brctl stp br2 on
    brctl stp br3 on
    brctl addif br1 vlan12
    brctl addif br2 vlan20
    brctl addif br3 vlan30
    brctl delif br0 wl0.1
    brctl delif br0 wl1.1
    brctl addif br1 wl0.1
    brctl addif br1 wl1.1
    ifconfig br1 10.10.2.1 netmask 255.255.255.0
    ifconfig br2 10.10.3.1 netmask 255.255.255.0
    ifconfig br3 10.10.4.1 netmask 255.255.255.0
    ifconfig br1 up
    ifconfig br2 up
    ifconfig br3 up
    
    
    # Allow dnsmasq to listen to br1 br2 and br3
    iptables -D INPUT -i br1 -j ACCEPT 2> /dev/null > /dev/null
    iptables -I INPUT -i br1 -j ACCEPT
    iptables -D INPUT -i br2 -j ACCEPT 2> /dev/null > /dev/null
    iptables -I INPUT -i br2 -j ACCEPT
    iptables -D INPUT -i br3 -j ACCEPT 2> /dev/null > /dev/null
    iptables -I INPUT -i br3 -j ACCEPT
    
    ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP 2> /dev/null > /dev/null
    ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
    ebtables -t broute -D BROUTING -i br2 -p ipv4 -j DROP 2> /dev/null > /dev/null
    ebtables -t broute -I BROUTING -i br2 -p ipv4 -j DROP
    ebtables -t broute -D BROUTING -i br3 -p ipv4 -j DROP 2> /dev/null > /dev/null
    ebtables -t broute -I BROUTING -i br3 -p ipv4 -j DROP
    
    # Allow br1 (guests) WAN access
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    
    #allow two br2 iot devices wan access
    iptables -I FORWARD -i br2 -s 10.10.3.50 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br2 -s 10.10.3.60 -m state --state NEW -j ACCEPT
    
    #allow br0 to access one of these iot devices
    iptables -I FORWARD -i br0 -d 10.10.3.50 -m state --state NEW -j ACCEPT
    
    #block other br2 devices WAN access
    iptables -I FORWARD -i br2 -s 10.10.3.0/24 -m state --state NEW -j DROP
    
    #allow br3 (cams) to access NAS and allow the NAS to access cams
    iptables -I FORWARD -i br3 -d 10.10.1.95 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -s 10.10.1.95 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT
    
    #allow a specific pc to access cams
    iptables -I FORWARD -i br0 -s 10.10.1.10 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT
    
    #block other br0 devices to access cams
    iptables -I FORWARD -i br0 -d 10.10.4.0/24 -m state --state NEW -j DROP
    
    #block other br3 devices WAN access
    iptables -I FORWARD -i br3 -s 10.10.4.0/24 -m state --state NEW -j DROP
    
    
    # Block br1 br2 and br3 access to br0
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j DROP
    
    # Isolate br1 br2 and br3 from each other
    iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
    iptables -I FORWARD -i br1 -o br3 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
    iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j DROP
    iptables -I FORWARD -i br3 -o br1 -m state --state NEW -j DROP
    iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j DROP
    
    
    #No connections to router
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP
    
    # Block br1 from accessing the router by port:
    iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
    
    # Block br2 from accessing the router by port:
    iptables -I INPUT -i br2 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br2 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br2 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br2 -p tcp --dport https -j REJECT --reject-with tcp-reset
    
    # Block br3 from accessing the router by port:
    iptables -I INPUT -i br3 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br3 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br3 -p tcp --dport www -j REJECT --reject-with tcp-reset
    iptables -I INPUT -i br3 -p tcp --dport https -j REJECT --reject-with tcp-reset
    
    
    #guests, no traffic between each other and other subnets
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.3.0/24 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
    #IOT devices, each other but not other subnets
    ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
    #cams, no traffic between each other or other subnets
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.3.0/24 --ip-proto tcp -j DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
    #cams get exception to allow connections to NAS IP in other subnet
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.95 --ip-proto tcp -j ACCEPT
    
    #exception for specific computer to allow connections to cams
    ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.10 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
    #and also the NAS to access cams
    ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.95 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
    
    #exception vlan1 can access this iot device
    ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.3.50 --ip-proto tcp -j ACCEPT
    
    #block all traffic that is not internet on vlan12, 20 and 30
    ebtables -t filter -I FORWARD -i ! eth0 -o vlan12 -j DROP
    ebtables -t filter -I FORWARD -i ! eth0 -o vlan20 -j DROP
    ebtables -t filter -I FORWARD -i ! eth0 -o vlan30 -j DROP
    ebtables -t filter -I FORWARD -i vlan12 -o ! eth0 -j DROP
    ebtables -t filter -I FORWARD -i vlan20 -o ! eth0 -j DROP
    ebtables -t filter -I FORWARD -i vlan30 -o ! eth0 -j DROP
    
    #allow packets to/from NAS/cams and specific computer
    ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto UDP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto UDP -j ACCEPT
    
    #Block VPN from accessing anything on local (DROP, as the comment intends; the NAS exception is inserted above these rules below)
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto TCP -j DROP
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto UDP -j DROP
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto TCP -j DROP
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto UDP -j DROP
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto TCP -j DROP
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto UDP -j DROP
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto TCP -j DROP
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto UDP -j DROP
    #but only allow VPN to access NAS
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT
    
    
    #set interface groups/names into nvram
    nvram set lan_ifnames="vlan1 eth1"
    nvram set lan_ifname="br0"
    
    nvram set lan2_ifnames="vlan12 wl0.1 wl1.1"
    nvram set lan2_ifname="br1"
    
    nvram set lan3_ifnames="vlan20"
    nvram set lan3_ifname="br2"
    
    nvram set lan4_ifnames="vlan30"
    nvram set lan4_ifname="br3"
    
    nvram commit
    killall eapd
    eapd
    
    service restart_dnsmasq
    )
    
    Continued in the reply post; I'm maxing out the character count.
     
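Added example, not from the thread or from the Asuswrt-Merlin firmware: a small first-match model of a subset of the first script's FORWARD rules, replayed the way the kernel orders them. `iptables -I` puts each new rule at the top of the chain, so a catch-all DROP issued after its exceptions ends up ahead of them; replaying the same lines as if appended (`-A`, script order) shows the verdicts the post asks for. The hosts .77 and .20 and the WAN address are constructed placeholders.

```python
import ipaddress

# Subset of the first script's FORWARD rules, copied in script order.
SCRIPT_LINES = """
iptables -I FORWARD -i br2 -s 10.10.3.50 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -s 10.10.3.60 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -s 10.10.3.0/24 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -d 10.10.1.95 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -s 10.10.1.10 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -d 10.10.4.0/24 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -s 10.10.4.0/24 -m state --state NEW -j DROP
"""

# Constructed flows: (in_if, src, dst, verdict the poster wanted).
# Hosts other than .95, .10 and .50 are placeholders, not from the thread.
FLOWS = [
    ("br2", "10.10.3.50", "203.0.113.1", "ACCEPT"),  # IoT exception -> WAN
    ("br2", "10.10.3.77", "203.0.113.1", "DROP"),    # other IoT -> WAN
    ("br3", "10.10.4.20", "10.10.1.95", "ACCEPT"),   # cam -> NAS
    ("br0", "10.10.1.10", "10.10.4.20", "ACCEPT"),   # PC -> cam
]

def parse(line):
    """Extract -i/-s/-d/-j; '-m state --state NEW' is identical on every rule."""
    tok = line.split()
    opts = dict(zip(tok, tok[1:]))  # each option -> the token that follows it
    return {"mode": tok[1], "in": opts.get("-i"), "target": opts["-j"],
            "src": opts.get("-s") and ipaddress.ip_network(opts["-s"]),
            "dst": opts.get("-d") and ipaddress.ip_network(opts["-d"])}

def build_chain(lines, mode=None):
    """Replay the commands: -I prepends (last issued ends up first), -A appends."""
    chain = []
    for rule in map(parse, lines.strip().splitlines()):
        chain.insert(0 if (mode or rule["mode"]) == "-I" else len(chain), rule)
    return chain

def verdict(chain, in_if, src, dst):
    """First matching rule wins; FALLTHROUGH means the firmware's own rules decide."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in chain:
        if r["in"] and r["in"] != in_if:
            continue
        if (r["src"] and s not in r["src"]) or (r["dst"] and d not in r["dst"]):
            continue
        return r["target"]
    return "FALLTHROUGH"

def check(mode):
    """Verdict for every flow when the script is replayed with the given mode."""
    chain = build_chain(SCRIPT_LINES, mode)
    return [verdict(chain, *flow[:3]) for flow in FLOWS]

if __name__ == "__main__":
    print("wanted:", [flow[3] for flow in FLOWS])
    for mode in ("-I", "-A"):
        print(mode, "    :", check(mode))
```

Switching the real script to `-A` would place these rules behind the firmware's own FORWARD rules, so the practical fix is to keep `-I` but issue the broad DROPs first and the specific ACCEPT exceptions last.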
  3. Chewbacca
    After hours and hours of trying, I decided to create a test script that does not block anything, for testing purposes, and tried the following:

    Code:
    #!/bin/sh
    
    #if vlan20 does not exist run script
    robocfg show | grep -i vlan20 > /dev/null 2>&1 || \
    (
    sleep 4
    #setup vlans and bridges with subnets
    robocfg vlan 1 ports "0 5 7 8t"
    robocfg vlan 12 ports "1 8t"
    robocfg vlan 20 ports "2 8t"
    robocfg vlan 30 ports "3 8t"
    vconfig add eth0 12
    vconfig add eth0 20
    vconfig add eth0 30
    ifconfig vlan12 up
    ifconfig vlan20 up
    ifconfig vlan30 up
    brctl addbr br1
    brctl addbr br2
    brctl addbr br3
    brctl stp br1 on
    brctl stp br2 on
    brctl stp br3 on
    brctl addif br1 vlan12
    brctl addif br2 vlan20
    brctl addif br3 vlan30
    ifconfig br1 10.10.2.1 netmask 255.255.255.0
    ifconfig br2 10.10.3.1 netmask 255.255.255.0
    ifconfig br3 10.10.4.1 netmask 255.255.255.0
    ifconfig br1 up
    ifconfig br2 up
    ifconfig br3 up
    
    # Allow dnsmasq to listen to br1 br2 and br3
    iptables -D INPUT -i br1 -j ACCEPT 2> /dev/null > /dev/null
    iptables -I INPUT -i br1 -j ACCEPT
    iptables -D INPUT -i br2 -j ACCEPT 2> /dev/null > /dev/null
    iptables -I INPUT -i br2 -j ACCEPT
    iptables -D INPUT -i br3 -j ACCEPT 2> /dev/null > /dev/null
    iptables -I INPUT -i br3 -j ACCEPT
    
    # Allow br1 (guests) WAN access
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    
    #allow br2 iot devices wan access
    iptables -I FORWARD -i br2 -s 10.10.3.50 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br2 -s 10.10.3.60 -m state --state NEW -j ACCEPT
    
    #allow br0 to access iot device
    iptables -I FORWARD -i br0 -d 10.10.3.50 -m state --state NEW -j ACCEPT
    
    #for testing, allow br0 access to everything
    iptables -I FORWARD -i br0 -s 10.10.1.0/24 -m state --state NEW -j ACCEPT
    
    #allow br3 cams to access NAS and nas to access cams
    iptables -I FORWARD -i br3 -d 10.10.1.95 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br0 -s 10.10.1.95 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT
    
    #allow pc to access cams
    iptables -I FORWARD -i br0 -s 10.10.1.10 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT
    
    #cams exception to allow traffic to NAS
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.95 --ip-proto tcp -j ACCEPT
    
    #exception specific PC to cams
    ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.10 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
    #and NAS to cams
    ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.95 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
    
    #exception vlan1 to iot device
    ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.3.50 --ip-proto tcp -j ACCEPT
    
    #allow packets to/from NAS/cams and pc
    ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto UDP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto UDP -j ACCEPT
    
    #Block VPN to access anything on local
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto UDP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto UDP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto UDP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto UDP -j ACCEPT
    #but only allow VPN to access NAS
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT
    
    
    #set interface groups/names into nvram
    nvram set lan_ifnames="vlan1 eth1"
    nvram set lan_ifname="br0"
    
    nvram set lan2_ifnames="vlan12 wl0.1 wl1.1"
    nvram set lan2_ifname="br1"
    
    nvram set lan3_ifnames="vlan20"
    nvram set lan3_ifname="br2"
    
    nvram set lan4_ifnames="vlan30"
    nvram set lan4_ifname="br3"
    
    nvram commit
    killall eapd
    eapd
    
    service restart_dnsmasq
    )
    And I also manually ran this afterwards:
    Code:
    ebtables -t filter -I FORWARD -p ipv4 -i vlan20 -o vlan30 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan12 -o vlan30 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan30 -o vlan12 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan30 -o vlan20 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan30 -o vlan1 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan12 -o vlan1 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan12 -o vlan20 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan20 -o vlan12 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan20 -o vlan1 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan1 -o vlan12 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan1 -o vlan20 -j ACCEPT
    ebtables -t filter -I FORWARD -p ipv4 -i vlan1 -o vlan30 -j ACCEPT
    
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.2.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.3.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.3.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.2.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.1.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.1.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.2.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.3.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.3.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.2.0/24 --ip-proto tcp -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.1.0/24 --ip-proto tcp -j ACCEPT
    
    iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br3 -m state --state NEW -j ACCEPT
    Now this actually lets me connect to other devices within the same VLAN, but still not across VLANs, and also not to the router itself from vlan12, 20 and 30, even though I did not block that (tried 1.1, 2.1, 3.1 and 4.1).
    The weird thing is, with this script vlan20 has internet access but vlan30 doesn't.
    DHCP still works fine in all subnets.
    I've read somewhere that for WAN access you need tagged ports, but none of them are tagged, so I guess that doesn't matter.

    I really hope someone can shine a light on this; maybe I'm just overlooking something trivial.
     
  4. Chewbacca
    Sorry for bumping, but I'm really stuck on this. I'm also gladly willing to pay someone to help me out here.
     