
8 port router over two switches (4+4)

Using kernel 2.6.x

All Ethernet clients are connected to the same router on the same subnet (192.168.0.1/24). They are connected to the router for the sole purpose of accessing the Internet. Clients have no reason to connect to each other.

Is it possible to prevent clients from discovering and accessing other clients on the router?

Could this be done with ebtables, arptables, custom VLAN configurations, etc.?

For example, if an IoT device is connected to the router, I don't want it to be able to discover or probe other clients.

uihdff

1 Answer

Usually, on this kind of hardware, I would expect that the switch-part be operated by a dedicated hardware component (i.e. the embedded Linux would not see 8 independent interfaces and it would not take care of the bridging). Therefore, ebtables/iptables would have no effect on it.

But the whole point of putting your machines on the same switch and on the same network segment (192.168.0.x) is to allow them to communicate with each other.

First, can't you assign a different network to each machine? That is: 192.168.port.0/24 for each port (or even 192.168.port.0/30). Then, at the IP level, the machines must use the router to communicate with each other, and you could use iptables to prevent that (if the router only sees one port for the whole switch as expected, disallow traffic coming from that port and forwarded to that same port).

This is a minimum but, due to the switch, it's still possible for a machine to communicate with others (e.g. IP address spoofing, protocols other than IP, specially crafted Ethernet frames, etc.). For better isolation (at the switch level), use VLANs to ensure that machines can only see the router at the Ethernet level.

xhienne
  • How would you use a VLAN to make a client only see the router at the Ethernet level? – uihdff Aug 12 '17 at 14:05
  • @uihdff It depends on your hardware: assign a different VLAN ID to each port on your router. – xhienne Aug 12 '17 at 14:09
  • That's creating "private" VLANs, correct? – uihdff Aug 12 '17 at 14:11
  • @uihdff Right. Look at what is offered by your equipment. – xhienne Aug 12 '17 at 14:16
  • Each port has been assigned to its own private VLAN and network. On this router, netfilter/iptables only sees the bridge interface "br0". Is ebtables the tool to use for isolating the VLANs? What ebtables rules/tables/chains should be used? – uihdff Aug 16 '17 at 03:04
  • Well, since this is a switch/router, I would expect the ports to be properly isolated (VLAN-wise, at level 2) without resorting to ebtables. You must ensure that broadcast frames on one port (i.e. VLAN) are not visible from another port. Once this has been confirmed, just use iptables to prevent standard routing between ports. – xhienne Aug 16 '17 at 08:08
  • This is a home router that doesn't provide enterprise level VLAN management. To restrict IP and Ethernet frame traffic, you have to unbridge the "br0" bridge with ebtables and then block with ebtables and iptables. Additionally, the physdev module isn't enabled in Asuswrt-Merlin. What test do you run to verify broadcast frames aren't visible from one isolated port to another? – uihdff Aug 27 '17 at 00:51
  • @uihdff You can do a broadcast ping (ping -b <LAN_broadcast_IP>) or just listen to ARP requests. – xhienne Aug 27 '17 at 14:14
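The per-port-subnet plus iptables scheme from the answer, and the ebtables fallback discussed in the comments for a router that only exposes a bridge, written out as an added example that is not code from the original question or answer. All interface names are assumptions: eth0 as the WAN, vlan1..vlan4 as one routed interface per switch port, and br0 as the bridge whose member ports should not talk to each other. RUN defaults to echo so the script only prints the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the original post). Two layers of isolation:
#   - layer 3: one subnet per port, and iptables forwards only LAN -> WAN
#     plus return traffic, so no LAN port can reach another via the router;
#   - layer 2: when the ports are members of a software bridge (br0),
#     ebtables stops the bridge from forwarding frames port-to-port, so a
#     client only sees the router at the Ethernet level.
# Interface names (eth0, vlan1..vlan4, br0) are assumptions, not the
# asker's real configuration.
# RUN defaults to "echo": the script prints what it would do. Run with
# RUN= to apply the rules for real (needs root, iptables and ebtables).
RUN=${RUN:-echo}

# Layer 3 isolation for routed per-port interfaces. First argument is the
# WAN interface, the rest are LAN interfaces. No rule accepts traffic from
# one LAN interface to another, so the FORWARD policy drops it.
lan_isolation_rules() {
    wan=$1
    shift
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for lan in "$@"; do
        $RUN iptables -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    done
}

# Variant for the case the answer describes: the router sees one interface
# for the whole switch, but each port has its own subnet, so cross-port
# traffic would be routed back out the same interface ("hairpin"). Dropping
# in == out on that interface blocks it.
hairpin_block_rules() {
    $RUN iptables -I FORWARD -i "$1" -o "$1" -j DROP
}

# Layer 2 isolation for bridged ports: frames the bridge would forward from
# one member port to another traverse the ebtables FORWARD chain. Frames
# addressed to or sent by the router itself (DHCP, ARP replies, routed
# traffic) go through ebtables INPUT/OUTPUT, which remain ACCEPT.
bridge_isolation_rules() {
    $RUN ebtables -F FORWARD
    $RUN ebtables -P FORWARD DROP
}

# Example invocation (prints the commands unless RUN is set to empty)
lan_isolation_rules eth0 vlan1 vlan2 vlan3 vlan4
hairpin_block_rules br0
bridge_isolation_rules
```

Because the iptables rules match on interface names rather than on bridge ports, they do not need the physdev match that the comments note is missing from that firmware. To verify the layer 2 isolation as the answerer suggests, send a broadcast ping (ping -b to the LAN broadcast address) from one port while capturing ARP on another (tcpdump -n -i <iface> arp); with the ebtables policy in place, the only ARP requests a client should ever see are the router's own.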