How to prevent Guest Network clients to communicate with each other?

@dlakelan, Thanks for not giving up on me... :slight_smile:

root@TomatoAP:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.485b39e80df9       no              eth1
                                                        vlan1
br1             8000.485b39e80df9       no              vlan3
                                                        wl0.1

edit: current ruleset

wl -i wl0.1 ap_isolate 1

ebtables -A FORWARD -i ! vlan3 -o vlan3 -j ACCEPT
ebtables -A FORWARD -i vlan3 -o ! vlan3 -j ACCEPT
ebtables -A FORWARD --logical-in br1 -j DROP

iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT

And can you describe with some detail what behavior you're seeing, as in:

when I connect to wl0.1 I can ping a device connected to wired port 3 on my AP... or whatever.

Sure, so when I'm connected to wl0.1 I'm able to access a wired device connected to br1/vlan3 and vice versa.
Wifi isolation of wl0.1 works fine though, I'm not able to see or access any other wireless device at wl0.1.

Where is the wired device actually plugged in? to the tomato device or to the openwrt device?

Sorry, the wired device is connected to my Tomato AP/Router over LAN port 2 and my OpenWRT Router is connected via LAN Port 1, and I'm using LAN Port 1 at my OpenWRT Router to connect with the Tomato AP.

Tomato vlan config:
(screenshot: vlan_config_tomato)

OpenWRT vlan config:
(screenshot: openwrt_vlan_config)

OpenWRT custom firewall rules:

ebtables -A FORWARD --logical-in br-guest -j DROP

iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 53 -j REDIRECT --to-port 53

Ok, so you should put the wired ports you want to use for guest on your Tomato into, say, vlan4, vlan5, vlan6, etc. (untagged is easiest) and then bridge vlan4, vlan5, vlan6, etc. into the br1 bridge, and put the CPU into vlan4, vlan5, vlan6 as tagged.

That will isolate each port on your tomato from other ports and from wireless.

Edit: this way vlan3 is used only for communication between the two infrastructure devices (router/AP) and is privileged in the bridge, the only port allowed to bridge to the others on Tomato.

Sorry but I think that I don't fully understand this, are you talking about OpenWRT in this case or just Tomato?
When I try to bridge vid4 to br1 I get the following error:

To make sure that I got it right with OpenWRT?:

edit: "Vlan Notes Tomato"

I meant on Tomato only. I think this is just the old age of Tomato, I'm not sure, but it seems like you should be able to have multiple vlans in the same bridge, it basically just means the CPU changes the vlan tag as it bridges it... but I haven't tested this on a more recent kernel. I think you've hit a wall here related to Tomato's old age.

edit: the alternative is that the thing I'm trying to do isn't really possible. Your big issue is that the ports are on a physical switch, so you want to keep that physical switch from switching packets between "guests", which means each port needs to be on its own vlan.

But then, how do you bridge them all over to your OpenWRT box? The idea was to stick the vlan ports into the bridge... but that doesn't seem to work here in Tomato land.

Checking on my Debian box I can add two different vlan interfaces to a single bridge:
here's the output from ip link show after all that

3: eno1.33@eno1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master br0 state DOWN mode DEFAULT group default qlen 1000
link/ether 30:5a:3a:7b:6f:97 brd ff:ff:ff:ff:ff:ff
4: eno1.44@eno1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop master br0 state DOWN mode DEFAULT group default qlen 1000
link/ether 30:5a:3a:7b:6f:97 brd ff:ff:ff:ff:ff:ff
5: br0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 30:5a:3a:7b:6f:97 brd ff:ff:ff:ff:ff:ff

So if you can't do this on tomato because it's old... I am not sure what you can do at this point that would really be useful.

I came up with another idea, I'm just gonna create a new interface "guestlan1" (192.168.66.1), assign it to eth0.4 with the same rules as guest (DNS + DHCP only) + the ebtables rule for br-guestlan1 at OpenWRT, and create another bridge at Tomato (br2 192.168.66.2), so I can assign vlan4 to br2.

I'm gonna test this real quick, maybe it's not a smart idea but it could help/fix my problem....

but then how do packets get to your OpenWRT from vlan4?

Uhm, yeah as I said it's maybe not a smart idea....

edit: but it seems to work, I do get a 192.168.66.x IP with my wired guest device and I'm only able to access the internet... weird.

edit2: my Tomato vlan config looks like this right now...
(screenshot: tomato_new_vlan_cfg)

and openwrt vlan config:
(screenshot: openwrt_vlan_cfg_new)

Tomato fw rules:

wl -i wl0.1 ap_isolate 1

ebtables -A FORWARD -i ! vlan3 -o vlan3 -j ACCEPT
ebtables -A FORWARD -i vlan3 -o ! vlan3 -j ACCEPT
ebtables -A FORWARD --logical-in br1 -j DROP

iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br2 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT -i br2 -p udp -m multiport --dports 53,67 -j ACCEPT

OpenWRT Custom fw rules:

ebtables -A FORWARD --logical-in br-guest -j DROP
ebtables -A FORWARD --logical-in br-guestlan1 -j DROP

iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guest -p tcp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guestlan1 -p udp --dport 53 -j REDIRECT --to-port 53
iptables -t nat -I PREROUTING -i br-guestlan1 -p tcp --dport 53 -j REDIRECT --to-port 53

Ah, you put vlan4 on both OpenWRT and Tomato, yes that would work. However it may screw up roaming... not sure. It's not super scalable; if you wanted, say, 8 wired guest ports for example, you'd start making tagged vlan connections all over the place.

I think the generalization of this is probably to add iptables rules to the bridge, but again I think Tomato is maybe too old for that. With the sysctl for bridge iptables turned on and a sufficiently recent kernel, you could drop any packet whose source and dest ids are both in your LAN subnet (excepting the router itself). ebtables might not even be required at that point.

Crazy enough that it worked that way... I only have 2-3 wired clients I want/need to isolate at the moment and for now it's the only solution that has worked so far. It's quite "exhausting" that way but at least it works.
Tomato is really driving me crazy but I only have two Tomato Routers as backups.

I'll check tomorrow if it works with another wired guest client (vlan5, br3); if it works as well it will be my solution for now.
I guess that I have to modify my whole setup anyway if I get the managed switch...

@dlakelan, All I can say to you is a big thanks for your patience and input!
It really helped me a lot not to give up, plus I also learned a few things and I think that is the most important part... :slight_smile:

Thanks, always glad to hear that people appreciate the help and learn something.

For a "bigger" install, you might consider for example using the Tp-Link SG108E, which has what it calls a "MTU Vlan", which stands for "multitenant unit vlan". It's essentially that you can put one "uplink" port and then all the other ports are isolated from everything except that one uplink. This, combined with firewall rules for the bridge, which does work in OpenWRT, would solve your wired problem.

EDIT: it's called MTU vlan I changed to reflect


Turns out it's just the same idea we already discussed: ports 1-7 untagged on vlans 1-7 and port 8 tagged for all of them; at the router you bridge all the tagged vlans.

Exactly.... I've just tested a PS4 at the same port as the wired guest client but for some reason the PS4 is not able to receive an IP address...
Does anyone know if the PS4 needs more than DNS+DHCP to connect to the internet/PSN network?

Ok so I've created another guest interface (guestlan2) with the same firewall settings as guestlan1 (DHCP+DNS only, bridged to eth0.5)...
IP Address OpenWRT: 192.168.77.1 (guestlan2)
IP Address Tomato: 192.168.77.2 (br3), vlan5 bridged to br3 (tagged LAN port 1, tagged LAN port 3)
But it doesn't work, I can't receive an IP address anymore...
So in the end it will only work with "one" vlan for "one" wired guest client, pretty lame!

Tomato can't handle it somehow... and at this point I don't want to bother myself and you guys to dig any further into Tomato to fix it, if it's even fixable at all.

So what would be a good OpenWRT Router to replace my Tomato Access Point (RT-N16/RT-N66U)?
I would need good 2.4GHz performance and a router which already has some decent community builds available (in other words a router which is well supported by the OpenWRT community).

Would a D-Link Dir860L B1 work for me? I might be able to get a used one for cheap...

Please use the forum search or open a new topic.

Hmm...
The way Tomato sets up its network looks somewhat odd.

So why is it not working?

ebtables -A FORWARD --logical-in br-guest -j DROP

How can this rule even work on OpenWRT?
This can only work if dnsmasq (is it even dnsmasq on Tomato?) is listening on all interfaces/wildcard or on the bridge interface itself?

I would assume that the dnsmasq instance is bound to one specific interface
(that is part of the bridge) on Tomato.
And because of that, using the above rule breaks DHCP/DNS?

I think you should have used:
ebtables -A FORWARD --logical-in br1 -j DROP

And instead of iptables here
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
Use ebtables to make the DHCP/DNS traffic flow through the bridge ports.

The question here is on which bridge port the dnsmasq instance listens.
ebtables -A FORWARD --logical-in br1 --ip-protocol udp --ip-destination-port 67:68 -j ACCEPT
ebtables -A FORWARD --logical-in br1 --ip-protocol udp --ip-source-port 67:68 -j ACCEPT
ebtables -A FORWARD --logical-in br1 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
ebtables -A FORWARD --logical-in br1 --ip-protocol udp --ip-source-port 53 -j ACCEPT
ebtables -A FORWARD --logical-in br1 -j DROP

I think you can also make this work by using the iptables physdev module.
But I guess Tomato doesn't have this built in by default.

Can this work?
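To see what the ebtables rule sets in this thread actually let across br1 (the Tomato ruleset posted earlier with its `-i ! vlan3` / `-o ! vlan3` accepts, dlakelan's per-port guest VLAN idea, and the DHCP/DNS-only variant just above), here is an added first-match model of the FORWARD chain; it is example code written for this edit, not code from the thread or from Tomato/OpenWRT. Interface names follow the thread; `vlan4` stands for the proposed extra wired-guest VLAN and is assumed, not an existing interface.

```python
# Added example (not from the thread): first-match model of an ebtables FORWARD chain.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    verdict: str                      # ACCEPT or DROP
    in_if: Optional[str] = None       # -i IFACE   (in_neg=True models "-i ! IFACE")
    in_neg: bool = False
    out_if: Optional[str] = None      # -o IFACE   (out_neg=True models "-o ! IFACE")
    out_neg: bool = False
    logical_in: Optional[str] = None  # --logical-in BRIDGE
    proto: Optional[str] = None       # --ip-protocol
    dport: Optional[range] = None     # --ip-destination-port lo:hi
    sport: Optional[range] = None     # --ip-source-port lo:hi

def matches(r: Rule, f: dict) -> bool:
    """True when every match given on the rule holds for frame f (unset matches are wildcards)."""
    checks = [
        r.in_if is None or (f["in"] == r.in_if) != r.in_neg,
        r.out_if is None or (f["out"] == r.out_if) != r.out_neg,
        r.logical_in is None or f["bridge"] == r.logical_in,
        r.proto is None or f["proto"] == r.proto,
        r.dport is None or f["dport"] in r.dport,
        r.sport is None or f["sport"] in r.sport,
    ]
    return all(checks)

def verdict(chain, frame, policy="ACCEPT"):
    return next((r.verdict for r in chain if matches(r, frame)), policy)  # first match wins

def frame(src, dst, proto="tcp", sport=40000, dport=80, bridge="br1"):
    return {"in": src, "out": dst, "bridge": bridge,
            "proto": proto, "sport": sport, "dport": dport}

# Ruleset posted for the Tomato AP: anything to or from vlan3 is accepted before
# the br1 DROP is reached, so a wired host sharing vlan3 reaches wl0.1 and back.
OP_RULES = [
    Rule("ACCEPT", in_if="vlan3", in_neg=True, out_if="vlan3"),
    Rule("ACCEPT", in_if="vlan3", out_if="vlan3", out_neg=True),
    Rule("DROP", logical_in="br1"),
]
# shm0's variant: only DHCP and DNS cross br1, everything else on br1 is dropped.
DHCP_DNS_RULES = [
    Rule("ACCEPT", logical_in="br1", proto="udp", dport=range(67, 69)),
    Rule("ACCEPT", logical_in="br1", proto="udp", sport=range(67, 69)),
    Rule("ACCEPT", logical_in="br1", proto="udp", dport=range(53, 54)),
    Rule("ACCEPT", logical_in="br1", proto="udp", sport=range(53, 54)),
    Rule("DROP", logical_in="br1"),
]
```

With `OP_RULES`, a frame from a port in its own guest VLAN (`vlan4`) to `wl0.1` is dropped while `vlan4` to the `vlan3` uplink is accepted, which is the isolation dlakelan describes; a frame from `vlan3` to `wl0.1` is accepted, which is the leak the wired-on-vlan3 setup shows.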

@shm0
Thanks for your input but to be honest I pretty much gave up on Tomato... It is only frustrating me over time.
So I bought a D-Link Dir860L B1, which I should get within the next two days, and then I'm going to set up everything with 2x OpenWRT routers (at least I'll try)... :wink:

Tomato is just too old, as dlakelan and Jeff already figured out. There is a recent build for my MIPSR2-based router available but it's a fork of a build from 2015!