Greetings,
How can I enforce that all the traffic originating from one wired LAN-port (eg LAN4) can access only the WAN-port?
Similar to the feature for Wireless Client Isolation but then for one specific LAN-port.
Background: my son organizes lan-parties with his friends and I don't want them to access my other systems, so I want to connect them via a simple switch to a dedicated wired LAN-port on the router.
John
[Resolved] Isolate LAN-port to WAN only
Last edited by jkemenade on Fri Apr 03, 2015 2:29 pm, edited 1 time in total.
Re: Isolate LAN-port to WAN only
You'll want to set up a VLAN.
This isn't supported through the GUI in Gargoyle, so you'll be running commands and editing config files.
This is quite a thorough example that I'm sure you could apply to yourself:
http://coderazzi.net/howto/openwrt/tl841n/vlans.htm
From my personal point of view:
They'll be too busy killing zombies and eating Doritos to be bothered with the rest of your network

https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: Isolate LAN-port to WAN only
Lantis wrote:
You'll want to set up a VLAN.
This isn't supported through the GUI in Gargoyle, so you'll be running commands and editing config files.
This is quite a thorough example that I'm sure you could apply to yourself:
http://coderazzi.net/howto/openwrt/tl841n/vlans.htm
From my personal point of view:
They'll be too busy killing zombies and eating Doritos to be bothered with the rest of your network

Hi, could he use a DMZ?
Linksys WRT3200ACM
NETGEAR Nighthawk R7800
NETGEAR R6260
Re: Isolate LAN-port to WAN only
My guess would be no.
A DMZ is essentially creating a VLAN, with the only rule being to accept all incoming traffic, in my experience. This is to avoid port forwarding issues (and makes sense, as that is where the DMZ setting is found in the Gargoyle UI).
A DMZ, at a guess, would prevent all the LAN attendees from connecting to each other's computers, which would stop local LAN servers in games being established.
If my understanding is wrong please correct me; however, in the code itself the DMZ section creates a simple rule: FROM wan TO lan.
Re: Isolate LAN-port to WAN only
Thanks for your suggestion Lantis. I'll check it out this evening.
And yes, of course they will be too busy killing zombies. But you know how that saying goes: "better safe than sorry". And it might not be on purpose; there might be viruses on the friends' computers...
John
Re: Isolate LAN-port to WAN only
Hi Landis,
I followed the instructions, but I guess it goes wrong somewhere.
I decided to have a separate VLAN for the LAN4 port only and call it the 'partylan' interface.
In the Gargoyle UI I see that LAN4 is no longer visible, which imho is good since it is on a separate VLAN. However, the client PC doesn't get an IP number: "unable to contact your DHCP server".
Note that 'limit' in the dhcp config below says 20 and not e.g. 220; that is because apparently it uses a length and not a max (dhcp for lan is also defined with a length, and in the Gargoyle UI it shows as start and finish).
/etc/config/network
config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0.1'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option dns '192.168.5.1'
    option ipaddr '192.168.5.1'

config interface 'partylan'
    option ifname 'eth0.3'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option dns '192.168.5.1'
    option ipaddr '192.168.5.1'

config interface 'wan'
    option ifname 'eth0.2'
    option proto 'dhcp'

config switch
    option name 'rtl8366rb'
    option reset '1'
    option enable_vlan '1'

config switch_vlan 'eth0_1'
    option device 'rtl8366rb'
    option vlan '1'
    option ports '1 2 3 5t'

config switch_vlan 'eth0_3'
    option device 'rtl8366rb'
    option vlan '3'
    option ports '4 5t'

config switch_vlan 'eth0_2'
    option device 'rtl8366rb'
    option vlan '2'
    option ports '0 5t'
/etc/config/firewall
config zone
    option name 'lan'
    option network 'lan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'partylan'
    option network 'partylan'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'

config zone
    option name 'wan'
    option network 'wan'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
    option masq '1'
    option mtu_fix '1'

config forwarding
    option src 'lan'
    option dest 'wan'

config forwarding
    option src 'partylan'
    option dest 'wan'
/etc/config/dhcp
config dhcp 'partylan'
    option interface 'partylan'
    option leasetime '12h'
    option start '200'
    option limit '20'
Can you give me some more pointers please?
John
Re: Isolate LAN-port to WAN only
I found the error: in /etc/config/network, the partylan section should look like the following (note the different range of IP addresses).

config interface 'partylan'
    option ifname 'eth0.3'
    option type 'bridge'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.6.1'

Thanks again!!
John
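An added sanity check, not code from this thread or from the Gargoyle project, that parses UCI stanzas in the format shown above and flags the two things that matter for this setup: the partylan subnet colliding with lan (the error John found) and the partylan zone being allowed to forward anywhere other than wan. The sample configs are constructed from the thread's values.

```python
import ipaddress
import re
# Constructed sample in the UCI format used in this thread: 'partylan' wrongly
# reuses the 'lan' address 192.168.5.1/24, while its zone forwards only to 'wan'.
NETWORK = """
config interface 'lan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.5.1'
config interface 'partylan'
    option proto 'static'
    option netmask '255.255.255.0'
    option ipaddr '192.168.5.1'
"""
FIREWALL = """
config zone
    option name 'partylan'
    option forward 'REJECT'
config forwarding
    option src 'partylan'
    option dest 'wan'
"""

def parse_uci(text):
    """Parse UCI text into (type, name, {option: value}) sections."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\w+)(?:\s+'([^']*)')?", line)
        if m:
            sections.append((m.group(1), m.group(2), {}))
            continue
        m = re.match(r"\s*option\s+(\w+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1][2][m.group(1)] = m.group(2)
    return sections

def overlapping_subnets(network_text):
    """Pairs of static interfaces whose subnets overlap (the bug found in this thread)."""
    nets = {}
    for typ, name, opts in parse_uci(network_text):
        if typ == "interface" and opts.get("proto") == "static" and name != "loopback":
            nets[name] = ipaddress.ip_network(f"{opts['ipaddr']}/{opts['netmask']}", strict=False)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def zone_destinations(firewall_text, zone):
    """Zones that `zone` may forward into; an isolated guest zone should list only 'wan'."""
    return sorted(o["dest"] for t, _, o in parse_uci(firewall_text)
                  if t == "forwarding" and o.get("src") == zone)
```

Run it against the real /etc/config/network and /etc/config/firewall after editing them by hand, since a subnet overlap like the one above gives no error on the router itself, only clients that cannot get a lease.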
Re: Isolate LAN-port to WAN only
No worries glad you got it sorted.
Be mindful that editing any settings in the UI *may* overwrite the changes you've just performed. Maybe VLANs will make it into the UI one day, who knows.