2

I am currently trying to setup a router for my homenetwork using linux (Archlinux to be more specific). The embedded board i am using has 3 lan interfaces, called wan0, lan0, lan1 and two wifi cards, called wifi0 and wifi1. I want to have two separate networks, one for my guests and for my family and me. My current setup looks like this :

                   +-------+
                   | wifi0 +----------------+
                   +-------+           +----+---+
                                       |  brg0  |
                   +-------+           +----+---+
                   | eth0  +----------------+
                   +-------+


                   +-------+
                   | wifi1 +----------------+
                   +-------+           +----+---+
                                       |  brg1  |
                   +-------+           +----+---+
                   | eth1  +----------------+
                   +-------+

I configured a bridge containing lan0 and wifi0, called brd0, with ip address 192.168.10.1/24 and a bridge containing lan1 and wifi1, called brd1, with ip address 192.168.20.1/24. On brd0 as well as brd1 dnsmasq is running in dhcpd mode to propagate ip addresses to clients in the range 192.168.10.50-125 for brd0 and range 192.168.20.50-125 for brd1. The 192.168.20.1/24 network is my guest network, while 192.168.10.1/24 is my home network.

This setup works so far. However, one thing took me by surprise. I though, because guest and home network are in two different subnets the traffic between them is also separated. However, when i am connect to the guest network i can also reach services and computers on the home network, even though no static router or forwarding is set. ( the other way around is also true). I guess this has something to do how bridge devices work under linux.

My question is, how to configure the router so that both networks are separated form each other? Do I need to use traffic filter rules? Can this be implemented with etables? Or is my setup somehow broken and it should not be possible to reach service from one network to the other?

IcePic
  • 21
  • 1

1 Answers1

1

I'll use the text as reference, since your interface names don't match between picture and text.

The router is routing between all its interfaces where it has an IP, so brd0 (home), brd1 (guest) and wan0 (which you forgot to add in the picture), as expected from a router.

Since you'll have later to route between brd0 and wan0 as well as between brd1 and wan0 you can't simply disable routing. You can use two iptables FORWARD rules to forbid this routing, one for each direction:

iptables -A FORWARD -i brd0 -o brd1 -j DROP
iptables -A FORWARD -i brd1 -o brd0 -j DROP

Should you want to have the home network have access to the guest network, but not the opposite, stateful rules can do that, using instead:

iptables -A FORWARD -i brd1 -o brd0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i brd1 -o brd0 -j DROP

The first rule can probably be "factorized" with future similar rules by removing the interface names:

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Note: systems from one network can still ping the router's IP belonging to the other network (eg from 192.168.20.2, ping 192.168.10.1 would succeed) since it's not routed, so not traversing those FORWARD rules, but that'd be a bit overkill to address it (with correct rules in the INPUT chain). I just leave it as a remark.

Note2: nothing in this answer needed to be dealing with the fact that brd0 and brd1 are bridges: it's all about routing.

A.B
  • 31,762
  • 2
  • 62
  • 101