AR-150 as a wired-only isolated router

Hi, I am looking to configure an AR-150 as a wired-only router, using just the LAN and WAN ports. There is no need for Wi-Fi in this application.

One network port would connect to a private local area network (gateway is 192.168.1.254) for internet access and management of the AR-150, while the second port passes internet traffic only (must be isolated from the private network) on a separate subnet (e.g. 10.20.30.x) with DHCP. In this way, the isolated port may be connected to a remotely-sited switch for ‘guest’ wired and Wi-Fi AP distribution.

Any pointers to achieve this would be much appreciated. Thank you.

Question: you said you don’t need Wi-Fi, only two LAN ports. But as your two LAN ports are connecting to two different networks, how do you use the devices then? It seems you still need to use wireless in order to let the router work.

This can be done using VLANs. You can make two VLANs, with each VLAN bound to one port.

Hi alzhao,

Thank you for your reply. Hopefully I can explain what I am trying to achieve. The AR-150 is being used to create an isolated barrier between two LANs. The private LAN (subnet 192.168.1.xxx) must not be accessible by the public LAN (subnet 10.20.30.xxx). Only internet traffic provided by the private gateway (192.168.1.254) can pass through the router (HTTP, HTTPS, email, selected ports, etc…). All other traffic must be blocked. The public LAN will include a DHCP server, offering, for example, an address range of 10.20.30.100 to 10.20.30.200.

There is no need to enable the internal Wi-Fi, as this isn’t going to be used. Wi-Fi and cabled connectivity will be provided separately on the public LAN side via an 8-port switch. In this application, it doesn’t matter which Ethernet port is assigned to which duty, as long as the functionality is achieved. To manage the AR-150 via SSH or the LuCI web interface, it would be more secure to have this access available via the private LAN side.

I will investigate the use of VLAN to achieve this. This will be defined in the interfaces section, I presume. I will also need to configure the firewall. Should I be using bridging or NAT?

Thanks again.

I mean, there are only two Ethernet ports, one connected to your private LAN, one connected to your public network. So this is fine.

But how do you use it? You have to connect devices/clients to the AR150, right? There are two upstream networks, but there are no downstream devices.

Seems I still don’t understand what you mean. Can you draw a diagram?

 

Perhaps I should have used the word ‘Guest’ instead of ‘Public’. Sorry about that!

This is very clear now.

This is possible. If you want to isolate the guest network, you need to set a firewall rule in the AR150 to drop all the packets to 192.168.1.x addresses except for the gateway. This can be done using iptables.

I don’t know if there is any other easy solution.

A couple of questions please:

  1. To allow the AR150 to be managed from the private LAN side, is this how you might recommend I use the ports?

     AR150 ‘LAN’ port to Private LAN (192.168.1.xxx) and
     AR150 ‘WAN’ port to Guest LAN (10.20.30.xxx)

  2. Do I still need to use VLAN?

Thank you.

WAN to private LAN

LAN to Guest LAN

No need for VLAN; you only need iptables. Check this: https://www.cyberciti.biz/tips/linux-iptables-6-how-to-block-outgoing-access-to-selectedspecific-ip-address.html

For example, you can try using the following command in the AR150:

iptables -A OUTPUT -p tcp -d 192.168.1.0/24 -j DROP

Hi,

After a long delay in getting back to this project, I tried your WAN/LAN connection and iptables suggestion. However, it didn’t block the 192.168.1.xxx subnet. I can still access the Private LAN servers from the Guest LAN side.

To make the iptables rule persistent, I placed the following at the top of /etc/firewall.user:

iptables -A OUTPUT -p all -d 192.168.1.0/24 -j DROP

I also tried:

iptables -A OUTPUT -d 192.168.1.0/24 -j DROP

Following a reboot:

root@GL-AR150:/etc# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
delegate_input  all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
delegate_forward  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
delegate_output  all  --  anywhere             anywhere
DROP       all  --  anywhere             192.168.1.0/24

Chain MINIUPNPD (1 references)
target     prot opt source               destination

Chain delegate_forward (1 references)
target     prot opt source               destination
forwarding_rule  all  --  anywhere             anywhere             /* user chain for forwarding */
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
zone_lan_forward  all  --  anywhere             anywhere
zone_wan_forward  all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

etc…

While I cannot browse the private LAN, I can, for example, access a private server directly by typing ‘\\192.168.1.12’ (in Windows Explorer) and gain full access.

Thank you again.
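The reason the rule above had no effect is visible in the `iptables -L` listing: the DROP landed in OUTPUT, and OUTPUT only sees packets the router itself generates. A guest client reaching 192.168.1.12 is forwarded through the AR150, so its packets traverse FORWARD (and OpenWrt's `forwarding_rule` user chain, which the listing shows being consulted first) and never touch OUTPUT. The following is an added example of a /etc/firewall.user for this thread's wiring, not code from the thread or from GL.iNet; it assumes alzhao's port assignment (WAN port to the private LAN 192.168.1.0/24, LAN port bridged as `br-lan` to the guest LAN 10.20.30.0/24) and that the `forwarding_rule` and `input_rule` chains exist as they do in the listing. The interface name `br-lan` and the `IPT` dry-run switch are assumptions; verify the interface with `uci show network` on the router.

```shell
#!/bin/sh
# Added example (not from the thread): guest-side isolation for /etc/firewall.user
# on a GL-AR150 running OpenWrt. Assumed wiring: WAN port -> private LAN
# 192.168.1.0/24 (gateway 192.168.1.254), LAN port (bridge br-lan) -> guest LAN
# 10.20.30.0/24. br-lan is an assumption; check it on the router.
PRIVATE_NET="${PRIVATE_NET:-192.168.1.0/24}"
GUEST_IF="${GUEST_IF:-br-lan}"
# Set IPT=echo to print the rules instead of applying them (dry run).
IPT="${IPT:-iptables}"

# Why OUTPUT did not work: that chain only sees packets the router itself
# creates. A guest client talking to a private server is *forwarded*, so the
# packet traverses FORWARD and never OUTPUT.
guest_isolation_rules() {
    # forwarding_rule is the user chain OpenWrt jumps to at the top of
    # delegate_forward (see the iptables -L output in the thread), so a rule
    # inserted there is evaluated before zone_lan_forward can ACCEPT the packet.
    # Delete any earlier copy first so a firewall reload does not stack duplicates.
    $IPT -D forwarding_rule -i "$GUEST_IF" -d "$PRIVATE_NET" -j DROP 2>/dev/null
    $IPT -I forwarding_rule -i "$GUEST_IF" -d "$PRIVATE_NET" -j DROP
}

# Management (SSH and LuCI) should only be reachable from the private side:
# refuse those ports when the packet arrives on the guest interface.
# input_rule is the matching user chain for INPUT.
guest_management_block() {
    for port in 22 80 443; do
        $IPT -D input_rule -i "$GUEST_IF" -p tcp --dport "$port" -j DROP 2>/dev/null
        $IPT -I input_rule -i "$GUEST_IF" -p tcp --dport "$port" -j DROP
    done
}

# True only on a box where the OpenWrt user chains exist and we can edit them.
on_router() {
    [ "$(id -u)" -eq 0 ] && iptables -n -L forwarding_rule >/dev/null 2>&1
}

# Apply on the router; anywhere else, fall back to printing the commands.
if [ "$IPT" = iptables ] && ! on_router; then
    IPT=echo
fi
guest_isolation_rules
guest_management_block
```

The file is executed by `/etc/init.d/firewall restart`, which is why the functions are called at the bottom. A blanket drop of the whole /24 in FORWARD is safe for the "except the gateway" concern: 192.168.1.254 is only the router's own next hop, so forwarded guest packets never carry it as a destination. The one thing to check is DNS: guest clients must use the AR150 itself (its default dnsmasq) as resolver, because a query forwarded directly to 192.168.1.254 would now be dropped, while the router's own upstream lookups go out via OUTPUT and are unaffected. After a reload, `iptables -nvL forwarding_rule` should show the packet counter on the DROP rule climbing while `\\192.168.1.12` times out from the guest side. The same forward rule can be expressed declaratively in /etc/config/firewall as a `config rule` with `option src 'lan'`, `option dest 'wan'`, `option dest_ip '192.168.1.0/24'` and `option target 'REJECT'`.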