2

I have played around a lot with nftables, but I am stuck on this problem for the entire day. I have a wifi ssid that gets tagged vlan20. This part works, and I can see that dnsmasq is assigning ip addresses from this range:

#VLAN 20
dhcp-option=VLAN20,6,192.168.1.1
dhcp-option=VLAN20,3,192.168.20.1
dhcp-range=VLAN20,192.168.20.10,192.168.20.200,255.255.255.0,60m

I connected a spare android phone to this SSID, and it gets assigned a DHCP address from the pool. On the router, I can connect to this device, so basic connectivity is good. I opened sshd on this phone on port 50022, and I can connect to that port as well.

root@router:/etc/systemd/network# ping 192.168.20.184
PING 192.168.20.184 (192.168.20.184) 56(84) bytes of data.
64 bytes from 192.168.20.184: icmp_seq=1 ttl=64 time=192 ms
64 bytes from 192.168.20.184: icmp_seq=2 ttl=64 time=114 ms
^C
--- 192.168.20.184 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 2ms
rtt min/avg/max/mdev = 114.063/152.834/191.605/38.771 ms
root@router:/etc/systemd/network#  nc -z -v 192.168.20.184 50022
192.168.20.184: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.20.184] 50022 (?) open

How do I extend this with nftables so that all hosts in my untagged vlan (which is all my trusted computers) can connect to this vlan? My plan is to segment vlan20 so that the iot devices in there cannot reach out to my home network, but my phone and other computers can reach to any device in here. My current configs are a mess because of all the experiments I did, but I shoved this in with the hopes that this would make the vlan wide open (spoiler alert: It didn't):

define iot0_if = "vlan20@lan0"

table bridge filter {
    chain input {
        type filter hook input priority 0; policy drop;
        vlan id 20 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname $iot0_if accept
        oifname $iot0_if accept

    }
    chain output {
        type filter hook output priority 200; policy accept;
    }
}

For completeness, this is my systemd-networking config:

root@router:/etc/systemd/network# cat iot0.netdev
[NetDev]
Name=vlan20
Kind=vlan

[VLAN]
Id=20
root@router:/etc/systemd/network# cat iot0.network
[Match]
Name=vlan20

[Network]
Description="VLAN 20: IOT (Unsecured, 2.4Ghz, no wan access)"
Address=192.168.20.1/24
DNS=192.168.1.1

Edit1: My router is a debian buster system, systemd-247.3-1~bpo10+1 and nftables-0.9.6-1~bpo10+1 and kernel 4.19.0-14-amd64

My untagged network is 192.168.1.0/24. The default route on an untagged machine is set to go to 192.168.1.1 (router, where all the vlans are configured). I am hoping to preserve this setup and have the router transparently forward traffic to the VLANs

sh-4.3# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U         0 0          0 docker0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

ip a from my router (the ifb are from SQM, which is enabled only on wan0):

root@edgelord:/etc# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:e0:67:17:b7:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global lan0
       valid_lft forever preferred_lft forever
    inet6 2601:647:c900:8550:2e0:67ff:fe17:b797/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 5344sec preferred_lft 5344sec
    inet6 fe80::2e0:67ff:fe17:b797/64 scope link
       valid_lft forever preferred_lft forever
3: wan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc cake state UP group default qlen 1000
    link/ether 10:6f:3f:88:f2:a1 brd ff:ff:ff:ff:ff:ff
    inet 73.162.3.238/23 brd 73.162.3.255 scope global dynamic wan0
       valid_lft 5947sec preferred_lft 5947sec
    inet6 2001:558:6045:36:cd9d:d781:2cb2:17aa/128 scope global dynamic noprefixroute
       valid_lft 5341sec preferred_lft 5341sec
    inet6 fe80::126f:3fff:fe88:f2a1/64 scope link
       valid_lft forever preferred_lft forever
5: vlan20@lan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:e0:67:17:b7:97 brd ff:ff:ff:ff:ff:ff
    inet 192.168.20.1/24 brd 192.168.20.255 scope global vlan20
       valid_lft forever preferred_lft forever
    inet6 fe80::2e0:67ff:fe17:b797/64 scope link
       valid_lft forever preferred_lft forever
7: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 5e:dd:68:a5:2a:2a brd ff:ff:ff:ff:ff:ff
8: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 32
    link/ether 42:42:05:18:d0:59 brd ff:ff:ff:ff:ff:ff
25: ifb4wan0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc cake state UNKNOWN group default qlen 32
    link/ether 02:11:5c:38:ab:9f brd ff:ff:ff:ff:ff:ff
    inet6 fe80::11:5cff:fe38:ab9f/64 scope link
       valid_lft forever preferred_lft forever
techwreck
  • 21
  • 2

0 Answers0