[Resolved] Isolate LAN-port to WAN only

Posted: Tue Mar 31, 2015 1:53 pm
by jkemenade
Greetings,

How can I enforce that all the traffic originating from one wired LAN-port (e.g. LAN4) can access only the WAN-port?

Similar to the feature for Wireless Client Isolation but then for one specific LAN-port.

Background: my son organizes lan-parties with his friends and I don't want them to access my other systems, so I want to connect them via a simple switch to a dedicated wired LAN-port on the router.

John

Re: Isolate LAN-port to WAN only

Posted: Tue Mar 31, 2015 6:10 pm
by Lantis
You'll want to set up a VLAN.
This isn't supported through the GUI in Gargoyle, so you'll be running commands and editing config files.
This is quite a thorough example that I'm sure you could apply to yourself:
http://coderazzi.net/howto/openwrt/tl841n/vlans.htm


From my personal point of view:
They'll be too busy killing zombies and eating Doritos to be bothered with the rest of your network :P

Re: Isolate LAN-port to WAN only

Posted: Tue Mar 31, 2015 6:30 pm
by tapper
Lantis wrote:
    You'll want to set up a VLAN.
    This isn't supported through the GUI in Gargoyle, so you'll be running commands and editing config files.
    This is quite a thorough example that I'm sure you could apply to yourself:
    http://coderazzi.net/howto/openwrt/tl841n/vlans.htm

    From my personal point of view:
    They'll be too busy killing zombies and eating Doritos to be bothered with the rest of your network :P

Hi, could he use a DMZ?

Re: Isolate LAN-port to WAN only

Posted: Tue Mar 31, 2015 7:40 pm
by Lantis
My guess would be no.

A DMZ is essentially creating a VLAN, with the only rule being to accept all incoming traffic, in my experience. This is to avoid port forwarding issues (and makes sense, as that is where the DMZ setting is found in the Gargoyle UI).
A DMZ, at a guess, would prevent all the LAN attendees from connecting to each other's computers, which would stop local LAN servers in games being established.

If my understanding is wrong please correct me; however, in the code itself the DMZ section creates a simple rule: FROM wan TO lan.

Re: Isolate LAN-port to WAN only

Posted: Wed Apr 01, 2015 11:44 am
by jkemenade
Thanks for your suggestion Lantis. I'll check it out this evening.

And yes, of course they will be too busy killing zombies. But you know how that saying goes: "better safe than sorry". And it might not be on purpose; there might be viruses on the friends' computers...

John

Re: Isolate LAN-port to WAN only

Posted: Wed Apr 01, 2015 1:36 pm
by jkemenade
Hi Lantis,

I followed the instructions, but I guess it goes wrong somewhere.
I decided to have a separate VLAN for the LAN4 port only and call it the 'partylan' interface.

In the Gargoyle UI I see that LAN4 is no longer visible, which is imho good since it is on a separate VLAN. However, the client PC doesn't get an IP-nr: "unable to contact your DHCP server"

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config interface 'lan'
        option ifname 'eth0.1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option dns '192.168.5.1'
        option ipaddr '192.168.5.1'

config interface 'partylan'
        option ifname 'eth0.3'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option dns '192.168.5.1'
        option ipaddr '192.168.5.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'rtl8366rb'
        option reset '1'
        option enable_vlan '1'

config switch_vlan 'eth0_1'
        option device 'rtl8366rb'
        option vlan '1'
        option ports '1 2 3 5t'

config switch_vlan 'eth0_3'
        option device 'rtl8366rb'
        option vlan '3'
        option ports '4 5t'

config switch_vlan 'eth0_2'
        option device 'rtl8366rb'
        option vlan '2'
        option ports '0 5t'

/etc/config/firewall

config zone
        option name 'lan'
        option network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'partylan'
        option network 'partylan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'wan'
        option network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'partylan'
        option dest 'wan'

/etc/config/dhcp

config dhcp 'partylan'
        option interface 'partylan'
        option leasetime '12h'
        option start '200'
        option limit '20'

Note that 'limit' above says 20 and not e.g. 220; that is because apparently it uses a length and not a maximum (DHCP for lan is also defined with a length, and in the Gargoyle UI it shows as start and finish).

Can you give me some more pointers please?

John

Re: Isolate LAN-port to WAN only

Posted: Wed Apr 01, 2015 2:20 pm
by jkemenade
I found the error: in /etc/config/network, the section partylan should be like this (note the different range of IP addresses). :D

config interface 'partylan'
        option ifname 'eth0.3'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.6.1'

Thanks again!!

John
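
A small audit script for the two config files posted above, added here as an example and not part of the thread or of Gargoyle itself. It parses UCI-style text and reports (1) static interfaces whose subnets overlap, which is exactly the mistake that kept 'partylan' clients from getting a lease, and (2) any firewall forwarding that would let the isolated zone reach something other than the WAN. The parser and the sample config below are constructed for this example; the sample reproduces the original, pre-fix 'partylan' entry.

```python
import ipaddress
import re

# Constructed sample: the two interfaces as they were BEFORE the fix (same /24).
SAMPLE_NETWORK = """
config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'

config interface 'partylan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option proto 'dhcp'
"""

# Constructed sample: the forwardings from the posted /etc/config/firewall.
SAMPLE_FIREWALL = """
config forwarding
        option src 'lan'
        option dest 'wan'

config forwarding
        option src 'partylan'
        option dest 'wan'
"""

def parse_uci(text):
    """Turn 'config <type> [name]' / 'option <k> <v>' lines into dicts."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*config\s+(\S+)(?:\s+'?([^']*)'?)?", line)
        if m:
            sections.append({"type": m.group(1), "name": m.group(2), "opts": {}})
            continue
        m = re.match(r"\s*option\s+(\S+)\s+'([^']*)'", line)
        if m and sections:
            sections[-1]["opts"][m.group(1)] = m.group(2)
    return sections

def overlapping_subnets(network_text):
    """Pairs of static interfaces whose ipaddr/netmask ranges overlap."""
    nets = []
    for s in parse_uci(network_text):
        o = s["opts"]
        if s["type"] == "interface" and o.get("proto") == "static" and "ipaddr" in o:
            cidr = f"{o['ipaddr']}/{o.get('netmask', '255.255.255.255')}"
            nets.append((s["name"], ipaddress.ip_network(cidr, strict=False)))
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

def leaky_forwardings(firewall_text, zone, allowed_dest="wan"):
    """Forwardings involving `zone` other than the permitted zone -> allowed_dest."""
    bad = []
    for s in parse_uci(firewall_text):
        if s["type"] != "forwarding":
            continue
        src, dest = s["opts"].get("src"), s["opts"].get("dest")
        if zone in (src, dest) and not (src == zone and dest == allowed_dest):
            bad.append((src, dest))
    return bad
```

Running `overlapping_subnets(SAMPLE_NETWORK)` on the pre-fix config reports `[('lan', 'partylan')]`; after changing the partylan address to 192.168.6.1 it reports nothing, and `leaky_forwardings(SAMPLE_FIREWALL, 'partylan')` stays empty as long as the only forwarding for that zone is partylan to wan.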

Re: Isolate LAN-port to WAN only

Posted: Wed Apr 01, 2015 6:21 pm
by Lantis
No worries, glad you got it sorted.
Be mindful that editing any settings in the UI *may* overwrite the changes you've just performed. Maybe VLANs will make it into the UI one day, who knows.