ctyoe9 Bill Elliott
Little Falls, NY
[DD-WRT] Prevent devices on one VLAN from pinging another

Hello all,
I am running DD-WRT v24-sp2 (10/10/09) micro (SVN revision 13064) on a Linksys WRT54G v8 router. This router acts as the gateway between our network and the outside world.
I have two VLANs - the one we've been using since day one, VLAN0, which uses the 192.168.1.x address pool; and a new VLAN10, which uses the 192.168.2.x pool. I'd like for each of them to have Internet access, but not be able to access each other.
A Linksys SRW2048 switch sits between the workstations and the Linksys WRT54G v8 router. The only thing connected to the router on the LAN side is the switch. The switch has the appropriate settings needed to pass the traffic from the new VLAN10 to the router. The router is also set up with the settings needed to handle the VLAN10 traffic.
Everything seems to be working correctly - both VLANs are able to connect to the Internet. I also can't access VLAN0 network shares on VLAN10, and vice versa. This is fine. However, I discovered that I can ping from devices on VLAN0 to devices on VLAN10, but not from VLAN10 to VLAN0. I'm wondering why that would be.
I have attached screenshots of the VLAN settings on the Linksys WRT54G v8 router.
Not shown in the screenshot is what I've tried for a firewall. Under the Administration --> Commands page, I added this command
iptables -I FORWARD -i vlan+ -o vlan+ -j DROP
as the firewall. This, I thought, would stop traffic from flowing between VLANs, but apparently I was wrong. I was still able to ping from VLAN0 to VLAN10.
Could I get some pointers as to if this is the correct setup, or if I should be concerned that I can ping from devices on VLAN0 to devices on VLAN10? If it is normal behavior to be able to ping another VLAN, then I guess I don't have anything to worry about.
Thank you very much for the help!
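
Added example, not part of the original post: a small shell model of how iptables compares interface names against the `-i vlan+ -o vlan+` patterns in the rule above (a trailing `+` matches any interface whose name starts with the prefix). The function names and the interface names `vlan0`, `vlan10` and `br0` are assumptions made up for illustration; the real names on the router come from `ifconfig`.

```shell
#!/bin/sh
# Added example: models the interface-name comparison iptables performs for
# -i/-o patterns. Interface names below are constructed, not from the post.

# iface_matches PATTERN NAME -> exit status 0 if NAME is selected by PATTERN
iface_matches() {
    pattern=$1
    name=$2
    case $pattern in
        *+)
            # Trailing "+" is a prefix wildcard: "vlan+" selects vlan0, vlan10, ...
            prefix=${pattern%+}
            case $name in
                "$prefix"*) return 0 ;;
                *) return 1 ;;
            esac
            ;;
        *)
            # No wildcard: the name must be identical
            [ "$pattern" = "$name" ]
            ;;
    esac
}

# rule_verdict IN_PATTERN OUT_PATTERN IN_IFACE OUT_IFACE
# Prints DROP when both interfaces match the rule; otherwise "no match",
# meaning the packet falls through to the next rule in FORWARD.
rule_verdict() {
    if iface_matches "$1" "$3" && iface_matches "$2" "$4"; then
        echo DROP
    else
        echo "no match"
    fi
}

# Evaluate the posted rule against constructed in/out interface pairs
check_pairs() {
    for pair in "vlan0 vlan10" "vlan10 vlan0" "br0 vlan10" "vlan10 br0"; do
        set -- $pair
        printf '%-7s -> %-7s : %s\n' "$1" "$2" \
            "$(rule_verdict 'vlan+' 'vlan+' "$1" "$2")"
    done
}

check_pairs
```

On the router itself, `iptables -L FORWARD -v -n` lists each rule's in/out interfaces with packet counters, which shows whether the DROP rule is actually being hit.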