VLAN trunking to protect LAN from untrusted WAPs

DD-WRT Forum Index -> Broadcom SoC based Hardware
firefly
DD-WRT Novice


Joined: 22 Oct 2012
Posts: 2

PostPosted: Wed Oct 24, 2012 23:12    Post subject: VLAN trunking to protect LAN from untrusted WAPs
It's not quite clear where to post this question, since it involves multiple SoC vendors. I put it here because I have several WNDR3400s to work with, which use the BCM4718. Seems hardware may be quite relevant here, since VLAN support is apparently dependent on the chipset (or at least, VLAN tagging?).

I need to figure out how to make wireless access points publicly available (or at least available in limited fashion to untrusted people and devices), and yet keep items on the LAN protected. I have read many posts and wiki entries here, but I find I'm going in circles on how to solve my issue.

The situation is an apartment complex install, making WAPs available to the tenants. I'm using WNDR3400s for access points, because I picked 8 of them up for $25 each. I intend to install more than the two I show below, but doubt that matters for this question. I find the WNDR3400 has a VLAN setup tab (r18946M), but the WNDR3700 does not (r19519). It's no problem to swap the WNDR3700 with a WNDR3400 if needed for VLAN support.

I did this with an ASCII picture... but can't figure out the BBCode for it. Here are the connections without the art:

Cable Modem => R#1
R#1 (WNDR3700) => S#1, PC
S#1 (PoE switch SF1008P) => R#2, R#3, DVR#1, DVR#2
R#2 (WNDR3400 as WAP) => DVR#3
R#3 (WNDR3400 as WAP)
DVR#1,2,3 (Security camera DVRs)


So, basically, anything physically plugged into the LAN is trusted and should be able to communicate with anything else physically plugged in. Anything coming over wireless is untrusted, and should only be able to get back to the modem and out to the internet. Ideally, those wireless devices should not even be able to access any other wireless device, but that is not a requirement. Also, it would be nice to have each WAP have a second SSID, to be secure and therefore trusted and part of the LAN.

By reading VLAN_Detached_Networks_(Separate_Networks_With_Internet), I thought I might just create an "untrusted" VLAN using one of the ports on R#1, but not all traffic coming from the switch is untrusted. I _might_ be able to plug DVR#1, #2 and #3 all directly into R#1 if nothing else works, but this crude method would presumably prevent creating additional trusted SSIDs. I hope I don't have to do this.

I read Separate_LAN_and_WLAN in the wiki, but I can't see how to extrapolate that beyond a single router. 1) DHCP is handled with the router, and so mobility/roaming will suffer. I would like a single router (probably R#1) to handle DHCP for all WAPs... not each WAP having its own DHCP. 2) iptables is used to keep traffic on br1 from getting to br0, but in my case WAN will not be used, and so traffic will have to get onto br0 to make it back to R#1.

I read Reconfigure_VLANs_for_802.1q_Compatibility, which seems like what I'm trying to do, but I didn't see how to tag frames that come from wireless.

With my limited knowledge, it seems I MUST use VLAN to get this working. Essentially, create a VLAN for the untrusted WAPs that connects virtually to R#1. This is what VLAN is for right? Having a virtual LAN segment that is independent of the physical connections. So, how can it be done in my case?
firefly
DD-WRT Novice


Joined: 22 Oct 2012
Posts: 2

PostPosted: Wed Oct 31, 2012 21:34    Post subject:
I've figured out and addressed my setup. I haven't yet proven out everything in the wild, so to speak, but it does appear to function as expected. I'll post my configuration here for reference, should anyone else find it useful.

It must be noted that my trusty WNDR3700 I already had onsite has been decommissioned since it doesn't appear to support VLAN, or at least, not 802.1q. I didn't prove this out, but it runs on Atheros hardware so I didn't spend any time on it. I have several WNDR3400s, and they _DO_ support VLAN and tagging.

The setup has turned out to be fairly straightforward - or at least, it feels like it now that I understand more about it. However, I had a few things that really tripped me up for many hours.

First, the VLAN configuration GUI _does_ work for the WNDR3400 (r18946M), but the checkboxes do not correctly correspond to the noted external ports. So, as is widely written, use the command line for VLAN control.

Second, I was too quick with testing the various configurations after making changes. This led to incorrectly assuming that things were not working. In fact, even after bootup, I find that it takes some 30-60 seconds before the VLANs are working as intended, and for iptables to prevent traffic from routing from one VLAN to another. Patience on reaching conclusions proved rewarding here.

Third, sometimes when changing the VLAN configuration (via command line), I would see the router do what appeared to be two soft reboots. In those cases, the router was apparently rejecting my VLAN setup and _changing_ the VLAN configuration in NVRAM to something else. I could turn around and apply the EXACT same VLAN configuration I had first tried, and it would work the next time. This led to lots of confusion, so if things don't work for you, use the command line to check the NVRAM variables to see that the VLAN configuration is what you intended.

Of course, the port numbers printed on the router probably do not correspond to the internal port assignments within the router. I used these commands temporarily so that I could discover the internal<->external port mapping:

Code:

# Port Test
# ALL ports but internal 0/1 are part of LAN
# Disable internal 0/1.
# Test by trying to ping the router through all 5
# ethernet ports, and seeing which ones are "dead"
# (this assumes that LAN ports are mapped sequentially)
#
# If External W/1 is gone, mapping is:
# Ext  W 1 2 3 4
# Int  0 1 2 3 4
#
# If External W/4 is gone, mapping is:
# Ext  W 1 2 3 4
# Int  0 4 3 2 1
#
# If External 1/2 is gone, mapping is:
# Ext  W 1 2 3 4
# Int  4 0 1 2 3
#
# If External 3/4 is gone, mapping is:
# Ext  W 1 2 3 4
# Int  4 3 2 1 0

# vlan0 and vlan2 keep only the CPU port (5). vlan1 (the LAN) keeps
# internal ports 2 3 4 plus the CPU port; the "*" marks vlan1 as the
# default VLAN for the CPU port. Internal ports 0 and 1 are left out of
# every VLAN, which is what makes them go "dead" for the test.
nvram set vlan0ports="5"
nvram set vlan1ports="2 3 4 5*"
nvram set vlan2ports="5"
# Per-port membership lists read by the VLAN GUI page (portNvlans),
# kept in step with the vlanNports maps above.
nvram set port0vlans="18 19"
nvram set port1vlans="18 19"
nvram set port2vlans="1 18 19"
nvram set port3vlans="1 18 19"
nvram set port4vlans="1 18 19"
nvram set port5vlans="1 16"
nvram commit
reboot


OK, so for the setup:

I realized that I could not connect any DVR directly to the switch, because I have an unmanaged switch and therefore any traffic coming through the switch must already have the VLAN tagging (802.1q) present in order to be accepted by R#1.

My new setup is:
Cable Modem => R#1
R#1 (WNDR3700) => S#1, DVR#1, DVR#2, PC
S#1 (PoE switch SF1008P) => R#2, R#4
R#2 (WNDR3400 as WAP) => R#3
R#3 (WNDR3400 as WAP) => DVR#3
R#4 (WNDR3400 as WAP) => -NONE-

In my case, I daisy chained R#2 -> R#3 to prevent having to do a really long run of LAN cable (and I needed an access point in between anyway), so I configured all the routers to have a VLAN trunk for the uplink _and_ a VLAN trunk for the downlink (just to keep all routers configured the same).

R#1 is my gateway. I wanted to keep my configuration as simple as possible, and move as much of the work as I could onto R#1 and simplify the other routers' configuration as much as possible. My configuration introduces a bottleneck at R#1, except that in my case, I don't expect any client to client communication across VLANs and so I don't mind having R#1 be the only point to deal with routing for inter-VLAN communication (which is entirely disallowed in my config).


VLAN1: My local, private network is 192.168.1/24.
VLAN3: My untrusted network is 192.168.2/24.
VLAN2: WAN (only relevant for R#1)

(NOTE: I didn't figure out - but didn't work on - a way to prevent all clients in the 192.168.2/24 subnet from communicating with one another.)

R#1 is configured as:
Quote:

IP 192.168.1.1
External Port W is VLAN2 (as in default config)
External Port 1 is VLAN1/VLAN3 _tagged_
All other ports are VLAN1, not tagged (as in default config)
VLAN3 is not assigned to any bridge on VLAN config page
The physical wireless interface is set to a private SSID for my usage.
A virtual wireless interface is added (wl0.1) with a public SSID.
Bridge br1 is created and set as 192.168.2/24, STP enabled (STP unnecessary?)
vlan3 and wl0.1 are added to br1.
An additional DHCP server is created for br1
The firewall script is as follows:

Code:

# Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

# Drop everything on br1, with exceptions below
# (-I inserts at position 1, so each ACCEPT added after this lands ahead of the DROP)
iptables -I INPUT -i br1 -j DROP

# Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

# Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Restrict br1 from accessing br0 and vice versa
iptables -I FORWARD 1 -i br1 -o br0 -j DROP
iptables -I FORWARD 1 -i br0 -o br1 -j DROP

# Fix NAT loopback, which has been broken since r15760
# (See bug #1868: http://svn.dd-wrt.com:8000/ticket/1868)
# (Note: I personally didn't get the "mark" method to work)
LAN=`nvram get lan_ipaddr`/`nvram get lan_netmask`
iptables -t nat -I POSTROUTING -o br0 -s $LAN -d $LAN -j MASQUERADE




EVERY other router (R#2,R#3,...) is configured as:

Quote:

WAN Connection Type is Disabled
IP 192.168.1.2xx
Gateway and DNS 192.168.1.1
DHCP Server is Disabled
External Port W is VLAN1/VLAN3 _tagged_ (uplink)
External Port 1 is VLAN1/VLAN3 _tagged_ (downlink)
All other ports are VLAN1, not tagged (as in default config)
VLAN3 is not assigned to any bridge on VLAN config page
The physical wireless interface is set to a private SSID for my usage.
A virtual wireless interface is added (wl0.1) with a public SSID.
Bridge br1 is created and left as 0.0.0.0/0
vlan3 and wl0.1 are added to br1.
NO additional DHCP server
NO additional firewall scripts


R#1 connects through External Port 1 to the switch S#1.
All routers are connected upstream through the External WAN Port.
If a router is connected downstream, it's done through External Port 1.


That's it. If I discover any errors with my setup, I'll post the fixes here. I'd be happy to clarify if there are any questions.
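The port maps behind the trunk layout above, as an added example that is not code from firefly's post. It emits the Broadcom nvram vlanNports values for R#1 (WAN port in VLAN2, external port 1 carrying VLAN1 and VLAN3 tagged, ports 2-4 untagged VLAN1) and for every WAP (WAN port and port 1 both tagged trunks), and includes the check the post recommends: comparing a saved `nvram show` dump against the intended layout after the router has rewritten a rejected one. Everything labelled as an assumption in the comments is mine, not the post's: the internal<->external mapping is taken to be the "Ext W 1 2 3 4 -> Int 0 1 2 3 4" outcome of the port test, the CPU port is 5 (written `5*` on the LAN VLAN and plain `5` elsewhere, as in the post's own syntax), tagged members get the DD-WRT Broadcom `t` suffix, and `vlan3hwname=et0` is assumed to be needed for the driver to create vlan3. The `nvram commit` and `reboot` are deliberately left to the operator.

```shell
#!/bin/sh
# Added example, not code from the forum post. Generates the DD-WRT
# Broadcom nvram VLAN port maps for the trunked layout in the post.
#
# Assumptions (not from the post):
#  - port test result: "Ext W 1 2 3 4 -> Int 0 1 2 3 4";
#  - CPU port is 5, written "5*" on the LAN VLAN and plain "5" on the
#    others, following the vlanNports syntax used in the post;
#  - a tagged member carries a "t" suffix (DD-WRT Broadcom convention);
#  - a new VLAN needs vlan3hwname=et0 before the driver creates vlan3.

CPU=5

# External port label (W 1 2 3 4) -> internal switch port number.
int_port() {
    case "$1" in
        W) echo 0 ;; 1) echo 1 ;; 2) echo 2 ;; 3) echo 3 ;; 4) echo 4 ;;
        *) echo "unknown port: $1" >&2; return 1 ;;
    esac
}

# has WORD "LIST": true when WORD is one of the space-separated items.
has() {
    local w
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# vlan_ports "UNTAGGED" "TAGGED" CPUSUFFIX -> vlanNports value.
# Walks the ports in internal order, marks tagged ones with "t" and
# appends the CPU port last.
vlan_ports() {
    local untagged="$1" tagged="$2" suffix="$3" ext out=""
    for ext in W 1 2 3 4; do
        if has "$ext" "$untagged"; then out="$out$(int_port "$ext") "
        elif has "$ext" "$tagged"; then out="$out$(int_port "$ext")t "
        fi
    done
    echo "${out}${CPU}${suffix}"
}

# nvram lines for the gateway R#1: W = VLAN2, port 1 = trunk, 2-4 = LAN.
gateway_config() {
    echo "nvram set vlan1ports=\"$(vlan_ports '2 3 4' '1' '*')\""
    echo "nvram set vlan2ports=\"$(vlan_ports 'W' '' '')\""
    echo "nvram set vlan3ports=\"$(vlan_ports '' '1' '')\""
    echo "nvram set vlan3hwname=et0"
}

# nvram lines for every WAP (R#2, R#3, ...): W = trunk uplink,
# port 1 = trunk downlink, 2-4 = LAN. vlan2 keeps only the CPU port so
# an untagged frame arriving on the uplink can never land in the WAN VLAN.
wap_config() {
    echo "nvram set vlan1ports=\"$(vlan_ports '2 3 4' 'W 1' '*')\""
    echo "nvram set vlan2ports=\"$(vlan_ports '' '' '')\""
    echo "nvram set vlan3ports=\"$(vlan_ports '' 'W 1' '')\""
    echo "nvram set vlan3hwname=et0"
}

# verify_nvram ROLE FILE: compare a saved "nvram show" dump (FILE) with
# what ROLE_config would set. Prints "ok", or the first mismatch and
# returns 1. This is the check to run after the double soft reboot the
# post describes, when the router may have rewritten the VLAN layout.
verify_nvram() {
    local role="$1" file="$2" key want got
    for key in vlan1ports vlan2ports vlan3ports vlan3hwname; do
        want=$("${role}_config" | sed -n "s/^nvram set $key=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p")
        got=$(sed -n "s/^$key=//p" "$file")
        if [ "$want" != "$got" ]; then
            echo "mismatch: $key is '$got', expected '$want'"
            return 1
        fi
    done
    echo ok
}

# Usage: sh vlan_trunk.sh gateway|wap   (prints the nvram lines; review
# them, then run nvram commit and reboot yourself).
case "${1:-}" in
    gateway|wap) "${1}_config" ;;
esac
```

If the port test on a given unit comes out as one of the other three mappings listed in the post, only `int_port` changes; the rest of the layout stays the same, which is the point of keeping the external-port description separate from the internal numbers.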
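Why the R#1 firewall script above works although the DROP is issued before the ACCEPTs, as an added example that is not part of firefly's post: `iptables -I` inserts at position 1, so every rule added later lands ahead of the earlier ones, and the script's final INPUT order is tcp/53, udp/53, udp/67, then DROP. The small first-match evaluator below replays the post's six rules with either `-I` or `-A` and reports the verdict for constructed guest-network packets. It models only those six rules; a packet that matches none of them is reported as FALLTHROUGH, meaning it is left to whatever else DD-WRT has in the chain (the post relies on that for br1 to WAN forwarding, which the model does not include). Interface and port names are the post's; the packets are constructed, not captured.

```shell
#!/bin/sh
# Added example, not from the forum post: a first-match evaluator for the
# post's firewall rules. Rules are "IN OUT PROTO DPORT TARGET", "*" is a
# wildcard, "-" stands for a field the packet does not have (no OUT
# interface in INPUT). FALLTHROUGH = none of the modelled rules matched.

RULEDIR=$(mktemp -d)

# ipt CHAIN -I|-A IN OUT PROTO DPORT TARGET
# -I prepends (iptables' default position 1), -A appends.
ipt() {
    local chain="$RULEDIR/$1" op="$2" rule="$3 $4 $5 $6 $7"
    : >> "$chain"
    if [ "$op" = "-I" ]; then
        { echo "$rule"; cat "$chain"; } > "$chain.new" && mv "$chain.new" "$chain"
    else
        echo "$rule" >> "$chain"
    fi
}

# load_rules OP: rebuild INPUT/FORWARD with the post's rules, all added
# with OP (-I as written in the post, or -A to see the ordering break).
load_rules() {
    rm -f "$RULEDIR/INPUT" "$RULEDIR/FORWARD"
    ipt INPUT   "$1" br1 '*' '*' '*' DROP      # drop everything from br1 ...
    ipt INPUT   "$1" br1 '*' udp 67  ACCEPT    # ... except DHCP
    ipt INPUT   "$1" br1 '*' udp 53  ACCEPT    # ... and DNS
    ipt INPUT   "$1" br1 '*' tcp 53  ACCEPT
    ipt FORWARD "$1" br1 br0 '*' '*' DROP      # untrusted -> trusted
    ipt FORWARD "$1" br0 br1 '*' '*' DROP      # trusted -> untrusted
}

field_ok() { [ "$1" = "*" ] || [ "$1" = "$2" ]; }

# verdict CHAIN IN OUT PROTO DPORT -> target of the first matching rule.
verdict() {
    local chain="$RULEDIR/$1" in="$2" out="$3" proto="$4" dport="$5"
    local rin rout rproto rdport target
    while read -r rin rout rproto rdport target; do
        if field_ok "$rin" "$in" && field_ok "$rout" "$out" \
           && field_ok "$rproto" "$proto" && field_ok "$rdport" "$dport"; then
            echo "$target"
            return 0
        fi
    done < "$chain"
    echo FALLTHROUGH
}

load_rules -I
echo "guest DHCP to R#1:        $(verdict INPUT br1 - udp 67)"
echo "guest web UI on R#1:      $(verdict INPUT br1 - tcp 80)"
echo "guest -> DVR on br0:      $(verdict FORWARD br1 br0 tcp 80)"
echo "guest -> internet (vlan2): $(verdict FORWARD br1 vlan2 tcp 443)"
load_rules -A
echo "same script with -A, guest DHCP: $(verdict INPUT br1 - udp 67)"
```

The last line is the failure mode worth knowing: with `-A` the blanket DROP would be evaluated first and guests would never get a lease, which looks exactly like the "VLANs not working yet" symptom the post warns about, so it is worth checking `iptables -L INPUT -n --line-numbers` on the router rather than waiting.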