[Resolved] Isolate LAN-port to WAN only

jkemenade
Posts: 21
Joined: Mon Nov 12, 2012 4:15 am

[Resolved] Isolate LAN-port to WAN only

Post by jkemenade »

Greetings,

How can I enforce that all the traffic originating from one wired LAN-port (eg LAN4) can access only the WAN-port?

Similar to the feature for Wireless Client Isolation but then for one specific LAN-port.

Background: my son organizes lan-parties with his friends and I don't want them to access my other systems, so I want to connect them via a simple switch to a dedicated wired LAN-port on the router.

John
Last edited by jkemenade on Fri Apr 03, 2015 2:29 pm, edited 1 time in total.

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Isolate LAN-port to WAN only

Post by Lantis »

You'll want to set up a VLAN.
This isn't supported through the GUI in Gargoyle, so you'll be running commands and editing config files.
This is quite a thorough example that I'm sure you could apply to yourself:
http://coderazzi.net/howto/openwrt/tl841n/vlans.htm


From my personal point of view:
They'll be too busy killing zombies and eating Doritos to be bothered with the rest of your network :P
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

tapper
Moderator
Posts: 1076
Joined: Sun Oct 13, 2013 5:49 pm
Location: Stoke-on-trent UK

Re: Isolate LAN-port to WAN only

Post by tapper »

Lantis wrote: You'll want to set up a VLAN.
This isn't supported through the GUI in Gargoyle, so you'll be running commands and editing config files.
This is quite a thorough example that I'm sure you could apply to yourself:
http://coderazzi.net/howto/openwrt/tl841n/vlans.htm


From my personal point of view:
They'll be too busy killing zombies and eating Doritos to be bothered with the rest of your network :P
Hi, could he use a DMZ?
Linksys WRT3200ACM
NETGEAR Nighthawk R7800
NETGEAR R6260

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Isolate LAN-port to WAN only

Post by Lantis »

My guess would be no.

A DMZ is essentially creating a VLAN, with the only rule being to accept all incoming traffic in my experience. This is to avoid port forwarding issues (and makes sense as that is where the dmz setting is found in the gargoyle ui).
A dmz at a guess would prevent all the LAN attendees from connecting to each other's computers which would stop local LAN servers in games being established.

If my understanding is wrong please correct me, however in the code itself the dmz section creates a simple rule. FROM wan TO lan.

jkemenade
Posts: 21
Joined: Mon Nov 12, 2012 4:15 am

Re: Isolate LAN-port to WAN only

Post by jkemenade »

Thanks for your suggestion Lantis. I'll check it out this evening.

And yes, of course they will be too busy killing zombies. But you know how that saying goes: "better safe than sorry". And it might not be on purpose; there might be viruses on the friends' computers...

John

jkemenade
Posts: 21
Joined: Mon Nov 12, 2012 4:15 am

Re: Isolate LAN-port to WAN only

Post by jkemenade »

Hi Lantis,

I followed the instructions, but I guess it goes wrong somewhere.
I decided to have a separate VLAN for the LAN4 port only and call it the 'partylan' interface.

In the Gargoyle UI I see that LAN4 is no longer visible, which imho is good since it is on a separate VLAN. However, the client PC doesn't get an IP number: "unable to contact your DHCP server"

/etc/config/network


config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option dns '192.168.5.1'
        option ipaddr '192.168.5.1'

config interface 'partylan'
        option ifname 'eth0.3'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option dns '192.168.5.1'
        option ipaddr '192.168.5.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'rtl8366rb'
        option reset '1'
        option enable_vlan '1'

config switch_vlan 'eth0_1'
        option device 'rtl8366rb'
        option vlan '1'
        option ports '1 2 3 5t'

config switch_vlan 'eth0_3'
        option device 'rtl8366rb'
        option vlan '3'
        option ports '4 5t'

config switch_vlan 'eth0_2'
        option device 'rtl8366rb'
        option vlan '2'
        option ports '0 5t'
/etc/config/firewall


config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'partylan'
        option network 'partylan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'partylan'
        option dest 'wan'
/etc/config/dhcp


config dhcp 'partylan'
        option interface 'partylan'
        option leasetime '12h'
        option start '200'
        option limit '20'

Note that 'limit' above says 20 and not e.g. 220; that is because apparently it uses a length and not a max (dhcp for lan is also defined with a length, and in the Gargoyle UI it shows as start and finish).

Can you give me some more pointers please?

John

jkemenade
Posts: 21
Joined: Mon Nov 12, 2012 4:15 am

Re: Isolate LAN-port to WAN only

Post by jkemenade »

I found the error: in /etc/config/network, the section partylan should be like this (note the different range of IP addresses). :D


config interface 'partylan'
        option ifname 'eth0.3'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.6.1'

Thanks again!!

John
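The mistake John tracked down (two bridges on the same 192.168.5.0/24 subnet) and the isolation he wanted (partylan may forward to wan only) are both things a small lint can check before the config goes live. The following is an added example, not code from the thread or from the Gargoyle project: it parses UCI-style text of the shape shown above and reports overlapping static subnets and any forwarding that leaks out of or into the guest zone. The sample configs are constructed here from the thread's own sections; `parse_uci`, `overlapping_subnets` and `guest_zone_report` are names chosen for this example.

```python
"""Lint an OpenWrt/Gargoyle UCI config for an isolated guest VLAN (example):
every 'proto static' interface must have its own subnet, and the guest
firewall zone may forward to 'wan' only, with nothing forwarding into it."""
import ipaddress
import shlex


def parse_uci(text):
    """Return [(section_type, section_name_or_None, {key: value})].
    shlex handles the single-quoted values, e.g. option ports '1 2 3 5t'."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        if parts[0] == "config" and len(parts) >= 2:
            sections.append((parts[1], parts[2] if len(parts) > 2 else None, {}))
        elif parts[0] == "option" and len(parts) >= 3 and sections:
            sections[-1][2][parts[1]] = parts[2]
        elif parts[0] == "list" and len(parts) >= 3 and sections:
            sections[-1][2].setdefault(parts[1], []).append(parts[2])
    return sections


def static_subnets(network_text):
    """Map interface name -> ip_network for every 'proto static' interface."""
    nets = {}
    for typ, name, o in parse_uci(network_text):
        if typ == "interface" and o.get("proto") == "static" and "ipaddr" in o:
            cidr = f"{o['ipaddr']}/{o.get('netmask', '255.255.255.255')}"
            nets[name] = ipaddress.ip_network(cidr, strict=False)
    return nets


def overlapping_subnets(network_text):
    """Sorted pairs of interfaces whose subnets overlap. Two bridges on one
    subnet is exactly the mistake that left partylan clients without a
    working DHCP lease in the thread above."""
    nets = static_subnets(network_text)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def guest_zone_report(firewall_text, zone):
    """Where may 'zone' forward to, and who may forward into it?
    'isolated' means: forwards only to wan, and no zone forwards into it."""
    forwards_to, forwarded_from = set(), set()
    for typ, _, o in parse_uci(firewall_text):
        if typ != "forwarding":
            continue
        if o.get("src") == zone:
            forwards_to.add(o.get("dest"))
        if o.get("dest") == zone:
            forwarded_from.add(o.get("src"))
    return {"forwards_to": forwards_to, "forwarded_from": forwarded_from,
            "isolated": forwards_to <= {"wan"} and not forwarded_from}


# Constructed samples, shaped like the thread's /etc/config/network and
# /etc/config/firewall; only the partylan address differs between them.
NETWORK_TEMPLATE = """
config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.5.1'

config interface 'partylan'
        option ifname 'eth0.3'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '{party_ip}'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'
"""
NETWORK_BROKEN = NETWORK_TEMPLATE.format(party_ip="192.168.5.1")  # as first posted
NETWORK_FIXED = NETWORK_TEMPLATE.format(party_ip="192.168.6.1")   # as corrected

FIREWALL_OK = """
config zone
        option name 'lan'
        option network 'lan'
        option forward 'REJECT'

config zone
        option name 'partylan'
        option network 'partylan'
        option forward 'REJECT'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'partylan'
        option dest 'wan'
"""
# Constructed variant with an extra forwarding that would defeat the isolation.
FIREWALL_LEAKY = FIREWALL_OK + """
config forwarding
        option src 'partylan'
        option dest 'lan'
"""

if __name__ == "__main__":
    print("overlaps (broken):", overlapping_subnets(NETWORK_BROKEN))
    print("overlaps (fixed): ", overlapping_subnets(NETWORK_FIXED))
    print("partylan (ok):    ", guest_zone_report(FIREWALL_OK, "partylan"))
    print("partylan (leaky): ", guest_zone_report(FIREWALL_LEAKY, "partylan"))
```

Two caveats the check does not cover: clients on the same partylan bridge reach each other through the switch without ever passing the firewall (which is what the LAN games need, so that is by design here), and `option input 'ACCEPT'` on the partylan zone lets the guests reach the router's own services; DHCP and DNS need that, but anything else listening on the router is reachable from the party network too.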

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Isolate LAN-port to WAN only

Post by Lantis »

No worries glad you got it sorted.
Be mindful that editing any settings in the UI *may* overwrite the changes you've just performed. Maybe VLANs will make it into the UI one day, who knows.