Hi Guys,
I'm a regular visitor on this forum and a user of Merlin for a few years now. I usually poke around until I get it right, but I've been stuck on this for so long (2 months) that I decided to ask for your much needed help.
Router: AC88U
My goal is to have 4 VLANs as such:
1 - private - 10.10.1.0/24
12 - guests - 10.10.2.0/24 - completely isolated
20 - iot devices - 10.10.3.0/24 - can access wan and each other, but nothing else
30 - cams - 10.10.4.0/24 - can NOT access wan, but can access NAS on private subnet. Also allow a specific PC from private to connect to cams.
There is also a VPN involved to backup sync my nas to a remote location, but let's keep it as simple as possible for now.
This was my initial script; all connections on ports other than vlan1 just got isolated guest access (the network name also shows up as the guest network).
Code:
#!/bin/sh
#if vlan20 does not exist, run script
robocfg show | grep -i vlan20 > /dev/null 2>&1 || \
(
sleep 4
#setup vlans and bridges with subnets
robocfg vlan 1 ports "0 5 7 8t"
robocfg vlan 12 ports "1 8t"
robocfg vlan 20 ports "2 8t"
robocfg vlan 30 ports "3 8t"
vconfig add eth0 12
vconfig add eth0 20
vconfig add eth0 30
ifconfig vlan12 up
ifconfig vlan20 up
ifconfig vlan30 up
brctl addbr br1
brctl addbr br2
brctl addbr br3
brctl stp br1 on
brctl stp br2 on
brctl stp br3 on
brctl addif br1 vlan12
brctl addif br2 vlan20
brctl addif br3 vlan30
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ifconfig br1 10.10.2.1 netmask 255.255.255.0
ifconfig br2 10.10.3.1 netmask 255.255.255.0
ifconfig br3 10.10.4.1 netmask 255.255.255.0
ifconfig br1 up
ifconfig br2 up
ifconfig br3 up
# Allow dnsmasq to listen to br1 br2 and br3
iptables -D INPUT -i br1 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br1 -j ACCEPT
iptables -D INPUT -i br2 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br2 -j ACCEPT
iptables -D INPUT -i br3 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br3 -j ACCEPT
ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
ebtables -t broute -D BROUTING -i br2 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br2 -p ipv4 -j DROP
ebtables -t broute -D BROUTING -i br3 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br3 -p ipv4 -j DROP
# Allow br1 (guests) WAN access
# (note: -I inserts at the top of the chain, so every rule issued later in this
#  script is evaluated before the ones issued earlier)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
#allow two br2 iot devices wan access
iptables -I FORWARD -i br2 -s 10.10.3.50 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -s 10.10.3.60 -m state --state NEW -j ACCEPT
#allow br0 to access one of these iot devices
iptables -I FORWARD -i br0 -d 10.10.3.50 -m state --state NEW -j ACCEPT
#block other br2 devices WAN access
iptables -I FORWARD -i br2 -s 10.10.3.0/24 -m state --state NEW -j DROP
#allow br3 (cams) to access NAS and allow the NAS to access cams
iptables -I FORWARD -i br3 -d 10.10.1.95 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br0 -s 10.10.1.95 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT
#allow a specific pc to access cams
iptables -I FORWARD -i br0 -s 10.10.1.10 -d 10.10.4.0/24 -m state --state NEW -j ACCEPT
#block other br0 devices to access cams
iptables -I FORWARD -i br0 -d 10.10.4.0/24 -m state --state NEW -j DROP
#block other br3 devices WAN access
iptables -I FORWARD -i br3 -s 10.10.4.0/24 -m state --state NEW -j DROP
# Block br1 br2 and br3 access to br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br0 -m state --state NEW -j DROP
# Isolate br1 br2 and br3 from each other
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br3 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br3 -o br2 -m state --state NEW -j DROP
#No connections to router
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.1 --ip-proto tcp -j DROP
# Block br1 from accessing the router by port:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
# Block br2 from accessing the router by port:
iptables -I INPUT -i br2 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport https -j REJECT --reject-with tcp-reset
# Block br3 from accessing the router by port:
iptables -I INPUT -i br3 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br3 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br3 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br3 -p tcp --dport https -j REJECT --reject-with tcp-reset
#guests, no traffic between each other and other subnets
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.3.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
#IOT devices, each other but not other subnets
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan20 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
#cams, no traffic between each other or other subnets
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.2.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.3.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.4.0/24 --ip-proto tcp -j DROP
#cams get exception to allow connections to NAS IP in other subnet
ebtables -t broute -I BROUTING -p IPv4 -i vlan30 --ip-dst 10.10.1.95 --ip-proto tcp -j ACCEPT
#exception for specific computer to allow connections to cams
ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.10 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
#and also the NAS to access cams
ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.10.1.95 --ip-dst 10.10.4.0/24 --ip-proto tcp -j ACCEPT
#exception vlan1 can access this iot device
ebtables -t broute -I BROUTING -p IPv4 -i vlan1 --ip-dst 10.10.3.50 --ip-proto tcp -j ACCEPT
#block all traffic that is not internet on vlan12, 20 and 30
ebtables -t filter -I FORWARD -i ! eth0 -o vlan12 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan20 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan30 -j DROP
ebtables -t filter -I FORWARD -i vlan12 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i vlan20 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i vlan30 -o ! eth0 -j DROP
#allow packets to/from NAS/cams and specific computer
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 -i vlan20 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.95 -o vlan20 --ip-proto UDP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.10.1.10 -o vlan20 --ip-proto UDP -j ACCEPT
#Block VPN from accessing anything on local (DROP; the NAS exception below is
#inserted afterwards with -I, so it is evaluated first)
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto TCP -j DROP
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.0/24 --ip-proto UDP -j DROP
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto TCP -j DROP
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.2.0/24 --ip-proto UDP -j DROP
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto TCP -j DROP
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.3.0/24 --ip-proto UDP -j DROP
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto TCP -j DROP
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.4.0/24 --ip-proto UDP -j DROP
#but only allow VPN to access NAS
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto TCP -j ACCEPT
ebtables -t filter -I FORWARD -p ipv4 --ip-src 10.8.0.0/16 --ip-dst 10.10.1.95 --ip-proto UDP -j ACCEPT
#set interface groups/names into nvram
nvram set lan_ifnames="vlan1 eth1"
nvram set lan_ifname="br0"
nvram set lan2_ifnames="vlan12 wl0.1 wl1.1"
nvram set lan2_ifname="br1"
nvram set lan3_ifnames="vlan20"
nvram set lan3_ifname="br2"
nvram set lan4_ifnames="vlan30"
nvram set lan4_ifname="br3"
nvram commit
killall eapd
eapd
service restart_dnsmasq
)
Continue in reply post, maxing out char count.
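The following is an added example, not the poster's script and not Merlin firmware code. It models only the iptables FORWARD rules from the script above and re-creates the one property that decides their outcome: every `-I FORWARD` without a position inserts at the top of the chain, so the last rule issued is matched first, and the first match wins. The routing helper, the interface name `eth0` for the WAN side and the test flows (cam 10.10.4.20, guest 10.10.2.7, IoT 10.10.3.99, WAN host 203.0.113.9) are constructed assumptions. It evaluates the same rules three ways: as written with `-I`, appended with `-A` (script order), and appended with the unconditional "-i br1 ACCEPT" rule narrowed to the WAN interface.

```python
import ipaddress

# Assumed layout from the post: destination subnet -> egress bridge.
# Anything else is routed out the WAN interface (assumed to be eth0).
SUBNETS = {
    "br0": ipaddress.ip_network("10.10.1.0/24"),  # vlan1, private
    "br1": ipaddress.ip_network("10.10.2.0/24"),  # vlan12, guests
    "br2": ipaddress.ip_network("10.10.3.0/24"),  # vlan20, iot
    "br3": ipaddress.ip_network("10.10.4.0/24"),  # vlan30, cams
}

def egress(dst):
    """Pick the outgoing interface the way the kernel's routing table would."""
    addr = ipaddress.ip_address(dst)
    for ifname, net in SUBNETS.items():
        if addr in net:
            return ifname
    return "eth0"

class Rule:
    """One '-m state --state NEW' FORWARD rule: every given match must hold."""
    def __init__(self, target, i=None, o=None, s=None, d=None):
        self.target, self.i, self.o = target, i, o
        self.s = ipaddress.ip_network(s) if s else None
        self.d = ipaddress.ip_network(d) if d else None

    def matches(self, in_if, src, dst):
        return ((self.i is None or self.i == in_if)
                and (self.o is None or self.o == egress(dst))
                and (self.s is None or ipaddress.ip_address(src) in self.s)
                and (self.d is None or ipaddress.ip_address(dst) in self.d))

class Chain:
    def __init__(self):
        self.rules = []
    def insert(self, rule):   # iptables -I (no position): becomes rule 1
        self.rules.insert(0, rule)
    def append(self, rule):   # iptables -A: goes to the end
        self.rules.append(rule)
    def verdict(self, in_if, src, dst):
        """First matching rule wins. None means nothing here matched and the
        packet falls through to the firmware's own FORWARD rules."""
        for r in self.rules:
            if r.matches(in_if, src, dst):
                return r.target
        return None

# The FORWARD rules of the posted script, in the order the script issues them.
SCRIPT_RULES = [
    Rule("ACCEPT", i="br1"),
    Rule("ACCEPT", i="br2", s="10.10.3.50"),
    Rule("ACCEPT", i="br2", s="10.10.3.60"),
    Rule("ACCEPT", i="br0", d="10.10.3.50"),
    Rule("DROP",   i="br2", s="10.10.3.0/24"),
    Rule("ACCEPT", i="br3", d="10.10.1.95"),
    Rule("ACCEPT", i="br0", s="10.10.1.95", d="10.10.4.0/24"),
    Rule("ACCEPT", i="br0", s="10.10.1.10", d="10.10.4.0/24"),
    Rule("DROP",   i="br0", d="10.10.4.0/24"),
    Rule("DROP",   i="br3", s="10.10.4.0/24"),
    Rule("DROP",   i="br1", o="br0"),
    Rule("DROP",   i="br2", o="br0"),
    Rule("DROP",   i="br3", o="br0"),
    Rule("DROP",   i="br1", o="br2"),
    Rule("DROP",   i="br1", o="br3"),
    Rule("DROP",   i="br2", o="br1"),
    Rule("DROP",   i="br2", o="br3"),
    Rule("DROP",   i="br3", o="br1"),
    Rule("DROP",   i="br3", o="br2"),
]

# Constructed flows: (ingress bridge, source, destination).
FLOWS = {
    "iot 10.10.3.50 -> wan": ("br2", "10.10.3.50", "203.0.113.9"),
    "other iot -> wan":      ("br2", "10.10.3.99", "203.0.113.9"),
    "cam -> NAS":            ("br3", "10.10.4.20", "10.10.1.95"),
    "pc 10.10.1.10 -> cam":  ("br0", "10.10.1.10", "10.10.4.20"),
    "guest -> private":      ("br1", "10.10.2.7",  "10.10.1.20"),
    "guest -> wan":          ("br1", "10.10.2.7",  "203.0.113.9"),
}

def build(order="insert", scope_guest_rule=False):
    """order='insert' mirrors the script's -I; 'append' mirrors -A.
    scope_guest_rule narrows the first rule to '-i br1 -o eth0'."""
    chain = Chain()
    rules = list(SCRIPT_RULES)
    if scope_guest_rule:
        rules[0] = Rule("ACCEPT", i="br1", o="eth0")
    add = chain.insert if order == "insert" else chain.append
    for r in rules:
        add(r)
    return chain

def verdicts(order="insert", scope_guest_rule=False):
    chain = build(order, scope_guest_rule)
    return {name: chain.verdict(*pkt) for name, pkt in FLOWS.items()}

if __name__ == "__main__":
    for label, kw in (("as written (-I)", {}),
                      ("same rules with -A", {"order": "append"}),
                      ("-A, guest rule scoped to WAN", {"order": "append", "scope_guest_rule": True})):
        print(label)
        for name, v in verdicts(**kw).items():
            print(f"  {name:24s} {v}")
```

Run as written, every exception the post wants (IoT device to WAN, cams to NAS, the PC to the cams) comes back DROP, because the broader DROP issued later sits above it. Appending in script order un-shadows those exceptions but lets "guest -> private" through, since the unrestricted "-i br1 ACCEPT" now matches before the br1-to-br0 DROP; only the WAN-scoped variant gives the intended table. Checking the chain this way before loading it on the router is cheaper than finding out from the devices.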