traffic across vlans for ip cams and iot devices


Chewbacca

Hi Guys,

I'm a regular visitor on this forum and user of Merlin for a few years now. I usually poke around until I get it right, but I've been stuck with this for so long (2 months) that I decided to ask for your much needed help.

Router: AC88U

My goal is to have 4 VLANs as such:
1 - private - 10.10.1.0/24
12 - guests - 10.10.2.0/24 - completely isolated
20 - iot devices - 10.10.3.0/24 - can access wan and each other, but nothing else
30 - cams - 10.10.4.0/24 - can NOT access wan, but can access NAS on private subnet. Also allow a specific PC from private to connect to cams

There is also a VPN involved to backup sync my nas to a remote location, but let's keep it as simple as possible for now.

This was my initial script. All connections on ports other than the vlan1 ones just got isolated guest access (the network name also shows up as the guest network).

Code:
#!/bin/sh
#if vlan20 does not exist, run script
robocfg show | grep -i vlan20 > /dev/null 2>&1 || \
(
sleep 4
#setup vlans and bridges with subnets
robocfg vlan 1 ports "0 5 7 8t"
robocfg vlan 12 ports "1 8t"
robocfg vlan 20 ports "2 8t"
robocfg vlan 30 ports "3 8t"
vconfig add eth0 12
vconfig add eth0 20
vconfig add eth0 30
ifconfig vlan12 up
ifconfig vlan20 up
ifconfig vlan30 up
brctl addbr br1
brctl addbr br2
brctl addbr br3
brctl stp br1 on
brctl stp br2 on
brctl stp br3 on
brctl addif br1 vlan12
brctl addif br2 vlan20
brctl addif br3 vlan30
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ifconfig br1 10.10.2.1 netmask 255.255.255.0
ifconfig br2 10.10.3.1 netmask 255.255.255.0
ifconfig br3 10.10.4.1 netmask 255.255.255.0
ifconfig br1 up
ifconfig br2 up
ifconfig br3 up


# Allow dnsmasq to listen to br1 br2 and br3
iptables -D INPUT -i br1 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br1 -j ACCEPT
iptables -D INPUT -i br2 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br2 -j ACCEPT
iptables -D INPUT -i br3 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br3 -j ACCEPT

ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
ebtables -t broute -D BROUTING -i br2 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br2 -p ipv4 -j DROP
ebtables -t broute -D BROUTING -i br3 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br3 -p ipv4 -j DROP

# Allow br1 (guests) WAN access
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

#allow two br2 iot devices wan access
iptables -I FORWARD -i br2 -s 10.10.3.50 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -s 10.10.3.60 -m state --state NEW -j ACCEPT

#allow br0 to access one of these iot devices
iptables -I FORWARD -i br0 -d 10.10.3.50 -m state --state NEW -j ACCEPT

#block other br2 devices WAN access
iptables -I FORWARD -i br2 -s 10.10.3.0/24 -m state --state NEW -j DROP

#allow br3 (cams) to access NAS and allow the NAS to access cams
iptables -I FORWARD -i br3 -d 10.10.1.95 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -s 10.10.1.95 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT

#allow a specific pc to access cams
iptables -I FORWARD -i br0 -s 10.10.1.10 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT

#block other br0 devices to access cams
iptables -I FORWARD -i br0 -d 10.10.4.0/24 -m state --state NEW -j DROP

#block other br3 devices WAN access
iptables -I FORWARD -i br3 -s 10.10.4.0/24 -m state --state NEW -j DROP


# Block br1 br2 and br3 access to br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j DROP

# Isolate br1 br2 and br3 from each other
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j DROP


#No connections to router
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP

# Block br1 from accessing the router by port:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Block br2 from accessing the router by port:
iptables -I INPUT -i br2 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Block br3 from accessing the router by port:
iptables -I INPUT -i br3 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br3 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br3 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br3 -p tcp --dport https -j REJECT --reject-with tcp-reset


#guests, no traffic between each other and other subnets
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.3.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
#IOT devices, each other but not other subnets
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
#cams, no traffic between each other or other subnets
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.3.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
#cams get exception to allow connections to NAS IP in other subnet
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.95 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.95 --ip-proto tcp -j ACCEPT

#exception for specific computer to allow connections to cams
ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.10 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
#and also the NAS to access cams
ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.95 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT

#exception vlan1 can access this iot device
ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.3.50 --ip-proto tcp -j ACCEPT

#block all traffic that is not internet on vlan12, 20 and 30
ebtables -t filter -I FORWARD -i ! eth0 -o vlan12 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan20 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan30 -j DROP
ebtables -t filter -I FORWARD -i vlan12 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i vlan20 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i vlan30 -o ! eth0 -j DROP

#allow packets to/from NAS/cams and specific computer
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto UDP -j ACCEPT

#Block VPN to access anything on local
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto UDP -j ACCEPT
#but only allow VPN to access NAS
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT


#set interface groups/names into nvram
nvram set lan_ifnames="vlan1 eth1"
nvram set lan_ifname="br0"

nvram set lan2_ifnames="vlan12 wl0.1 wl1.1"
nvram set lan2_ifname="br1"

nvram set lan3_ifnames="vlan20"
nvram set lan3_ifname="br2"

nvram set lan4_ifnames="vlan30"
nvram set lan4_ifname="br3"

nvram commit
killall eapd
eapd

service restart_dnsmasq
)

Continued in reply post, maxing out char count.
 
After hours and hours of trying, I decided to create a test script to not block anything for testing purposes, and tried the following:

Code:
#!/bin/sh

#if vlan20 does not exist run script
robocfg show | grep -i vlan20 > /dev/null 2>&1 || \
(
sleep 4
#setup vlans and bridges with subnets
robocfg vlan 1 ports "0 5 7 8t"
robocfg vlan 12 ports "1 8t"
robocfg vlan 20 ports "2 8t"
robocfg vlan 30 ports "3 8t"
vconfig add eth0 12
vconfig add eth0 20
vconfig add eth0 30
ifconfig vlan12 up
ifconfig vlan20 up
ifconfig vlan30 up
brctl addbr br1
brctl addbr br2
brctl addbr br3
brctl stp br1 on
brctl stp br2 on
brctl stp br3 on
brctl addif br1 vlan12
brctl addif br2 vlan20
brctl addif br3 vlan30
ifconfig br1 10.10.2.1 netmask 255.255.255.0
ifconfig br2 10.10.3.1 netmask 255.255.255.0
ifconfig br3 10.10.4.1 netmask 255.255.255.0
ifconfig br1 up
ifconfig br2 up
ifconfig br3 up

# Allow dnsmasq to listen to br1 br2 and br3
iptables -D INPUT -i br1 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br1 -j ACCEPT
iptables -D INPUT -i br2 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br2 -j ACCEPT
iptables -D INPUT -i br3 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br3 -j ACCEPT

# Allow br1 (guests) WAN access
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

#allow br2 iot devices wan access
iptables -I FORWARD -i br2 -s 10.10.3.50 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -s 10.10.3.60 -m state --state NEW -j ACCEPT

#allow br0 to access iot device
iptables -I FORWARD -i br0 -d 10.10.3.50 -m state --state NEW -j ACCEPT

#for testing, allow br0 access to everything
iptables -I FORWARD -i br0 -s 10.10.1.0/24 -m state --state NEW -j ACCEPT

#allow br3 cams to access NAS and nas to access cams
iptables -I FORWARD -i br3 -d 10.10.1.95 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -s 10.10.1.95 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT

#allow pc to access cams
iptables -I FORWARD -i br0 -s 10.10.1.10 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT

#cams exception to allow traffic to NAS
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.95 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.95 --ip-proto tcp -j ACCEPT

#exception specific PC to cams
ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.10 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
#and NAS to cams
ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.95 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT

#exception vlan1 to iot device
ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.3.50 --ip-proto tcp -j ACCEPT

#allow packets to/from NAS/cams and pc
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto UDP -j ACCEPT

#Block VPN to access anything on local
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto UDP -j ACCEPT
#but only allow VPN to access NAS
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT


#set interface groups/names into nvram
nvram set lan_ifnames="vlan1 eth1"
nvram set lan_ifname="br0"

nvram set lan2_ifnames="vlan12 wl0.1 wl1.1"
nvram set lan2_ifname="br1"

nvram set lan3_ifnames="vlan20"
nvram set lan3_ifname="br2"

nvram set lan4_ifnames="vlan30"
nvram set lan4_ifname="br3"

nvram commit
killall eapd
eapd

service restart_dnsmasq
)

And also manually ran this afterwards:
Code:
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 -o vlan30 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan12 -o vlan30 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan30 -o vlan12 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan30 -o vlan20 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan30 -o vlan1 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan12 -o vlan1 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan12 -o vlan20 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 -o vlan12 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 -o vlan1 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan1 -o vlan12 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan1 -o vlan20 -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan1 -o vlan30 -j ACCEPT

ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.2.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.3.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.3.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.2.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.1.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.1.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.2.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.3.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.3.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.2.0/24 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.1.0/24 --ip-proto tcp -j ACCEPT

iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br3 -m state --state NEW -j ACCEPT

Now this actually lets me connect to other devices within the same vlan, but still not across vlans, and also not to the router itself from vlan12, 20 and 30, even though I did not block that (tried 1.1, 2.1, 3.1 and 4.1).
The weird thing is, with this script vlan20 has internet access but vlan30 doesn't.
DHCP still works fine in all subnets.
I've read somewhere that for wan access you need tagged ports, but none of them are tagged, so I guess that doesn't matter.

I really hope someone can shine a light on this; maybe I'm just overlooking something trivial.
 
Sorry for bumping, but I'm really stuck at this. I'm also gladly willing to pay someone to help me out here.
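
An added example, not part of the original posts: every FORWARD rule in the first script is added with `iptables -I`, which puts the new rule at the top of the chain, so the rules end up evaluated in the reverse of the order they appear in the script. The shell model below replays a constructed subset of those rules with insert and with append semantics; the camera address 10.10.4.20 is made up, and the model matches only on interface and address, ignoring connection state and the firmware's own rules.

```shell
#!/bin/sh
# One rule per line: in|out|src|dst|verdict ("*" = any). Constructed subset of
# the first script's FORWARD rules, listed in the order the script adds them.
RULES='br3|*|*|10.10.1.95|ACCEPT
br0|*|10.10.1.95|10.10.4.0/24|ACCEPT
br0|*|10.10.1.10|10.10.4.0/24|ACCEPT
br0|*|*|10.10.4.0/24|DROP
br3|*|10.10.4.0/24|*|DROP
br3|br0|*|*|DROP'

# build_chain insert: like "iptables -I" (each new rule goes to the top).
# build_chain append: like "iptables -A" (each new rule goes to the bottom).
build_chain() {
    chain=''
    while IFS= read -r rule; do
        if [ -z "$chain" ]; then chain=$rule
        elif [ "$1" = insert ]; then chain="$rule
$chain"
        else chain="$chain
$rule"
        fi
    done <<EOF
$RULES
EOF
    printf '%s\n' "$chain"
}

# addr_match PATTERN IP: "*", an exact address, or an a.b.c.0/24 network.
addr_match() {
    case $1 in
        '*') return 0 ;;
        */24) [ "${2%.*}" = "${1%.*}" ] ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# verdict MODE IN OUT SRC DST: the first matching rule decides.
verdict() {
    result=$(build_chain "$1" | while IFS='|' read -r rin rout rsrc rdst rv; do
        { [ "$rin" = '*' ] || [ "$rin" = "$2" ]; } || continue
        { [ "$rout" = '*' ] || [ "$rout" = "$3" ]; } || continue
        addr_match "$rsrc" "$4" || continue
        addr_match "$rdst" "$5" || continue
        echo "$rv"; break
    done)
    echo "${result:-NOMATCH}"
}

# Constructed packets: a camera at 10.10.4.20, the NAS and PC from the post.
for mode in insert append; do
    echo "$mode: cam->NAS $(verdict "$mode" br3 br0 10.10.4.20 10.10.1.95)," \
         "PC->cam $(verdict "$mode" br0 br3 10.10.1.10 10.10.4.20)"
done
```

With `-I`, a specific ACCEPT exception only ends up above a broad DROP if it is inserted after that DROP; `iptables -L FORWARD -n -v --line-numbers` on the router shows the order actually in effect.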
 
