Build Secure VLAN Networks with ‘Shibby’ Router Firmware

I’ve been an ardent user of the Tomato Linux Open Source router firmware, specifically on the ASUS RT-N66U home routers using the ‘Shibby’ builds.  They let you take full advantage of enterprise (and kitchen sink) features on the fairly high-powered Broadcom-based residential routers, with support for OpenVPN, Tor, VLANs and a litany of other useful functions.  Today I’m going to cover setting up port-based and wireless VLAN support for traffic isolation on a network using the RT-N66U and Shibby build 132.  Let’s get started.


Why VLANs and Isolation

Simply put, the internet of shit things.  I’ve accumulated a few devices over the years in my home which I do not trust completely – things like a Samsung Smart TV – and I don’t really trust anything that’s a black box or not completely Open Source, for obvious reasons.  Tomato uses Linux bridges, iptables and VLANs under the covers to give your private network a bit more security.

What this Accomplishes
Using isolated VLANs for wired and wireless clients via this guide will let you:

  • Put untrusted internet-connected devices and appliances on their own isolated network so they can’t sniff, attack, poke, prod or wreak havoc on your private, trusted network.
  • Access devices on the isolated network from your private network but not vice-versa.
    • Example: Put your Android Smart TV on an isolated network – you can still control it from your smartphone, laptop, etc. by connecting to the isolated WiFi network, but when the manufacturer stops releasing security patches two months after you bought it, or that sweet NSA sleeper cell backdoor decides to activate, it can’t become an attack vector into your private network.
  • Provide a separate, virtual guest WiFi network or wired connection that allows internet access but no access to the rest of your network.
  • Optionally whitelist and restrict all outbound traffic per VLAN/network.

Why Tomato / Shibby
Long before I upgraded my home network to the ASUS RT-N66U I was a long-time user of DD-WRT and OpenWRT firmware to unlock the features and stability of my routers.  I moved to Tomato/Shibby because it had the best support for my device.  Also, DD-WRT started to languish in updates and releases with chipset support never being updated and their new focus on more commercial uses.  Lastly, the Shibby Tomato derivative seemed to be the most active project with releases very often with new features ported in all the time.

Setup and Environment
I’m not going to cover setting up an ASUS RT-N66U or other supported model with Shibby firmware, as that’s already covered in more detail elsewhere (in particular the comments are useful).  In most cases you can simply put the router in TFTP mode and shoot the Shibby image over.  Here’s what I’m working with:

  • ASUS RT-N66U (Broadcom BCM5300)
  • Shibby Tomato 1.28 build 132 64K AIO
  • Existing 2.4GHz and 5.0GHz Wireless Networks
  • Existing flat 192.168.0.1/24 internal network using static DHCP
  • Everything done in UI, verification via SSH to the router

Create a new Bridge Interface
The first thing you’ll need to do is create a new bridge interface; this lets you associate a new VLAN with a physical port (and later associate a virtual wireless SSID if needed).  For this I used br1, but you can use whatever you like.

  1. Navigate to Basic –> LAN and create a new bridge.
  2. Enter an RFC1918 private address range (e.g. 172.16.0.1/24)
  3. Enable DHCP
  4. Click Add
  5. Scroll to the bottom and save, router will reboot.

NOTE: DO NOT use 10.0.0.1/24; for some reason (bug?) this range will not work even though it’s a valid RFC1918 address range.

Verify the Bridge
After your router reboots you can check that the bridge was created successfully: it will be listed in the MOTD when you SSH into the router, and the ip a command should also show it.

Create a New VLAN
Now you’re ready to create your new VLAN.  It will be associated with the br1 bridge (or whatever you created above) and with either a physical wired port on your router or a new virtual wireless network.  Don’t touch VLAN1, or VLAN2 with the WAN bridge.

  1. Navigate to Advanced -> VLAN
  2. Select VLAN ID
  3. Select the new bridge
  4. Uncheck/remove any port(s) you want as members from VLAN 1
  5. Associate them to the new VLAN
  6. Click add
  7. Scroll to the bottom and save, router will reboot again.

The idea behind this is that anything (a device, another switch with lots of devices, etc.) plugged into the ports you chose will inherit the isolated VLAN membership you created.  If you want to span multiple wired devices you can simply plug a switch into this port, and any devices behind it will inherit those VLAN settings.

How it Works
At this point you’re done: any device (or switch with a set of devices) plugged into port 1 above should now get a DHCP lease from VLAN3 on the 172.16.0.1/24 network, and its traffic will be totally isolated from your existing networks.  Note that you can reach devices on the new VLAN from your original network, but they will be isolated from reaching things on your original network.  They will use a virtual gateway on your router (the br1 bridge you created earlier) for all internet traffic.

Add a Virtual Wireless Network
You can extend this network segregation by adding a virtual wireless network and associating it with the VLAN and network you’ve created.  You’ll be creating a virtual wireless interface on either your 2.4GHz or 5.0GHz adapter with its own SSID, broadcast and authentication – for all intents and purposes this will appear as an isolated, net-new access point.  This is extremely useful for guest traffic or insecure wireless access without exposing your internal network.

  1. Navigate to Advanced -> Virtual Wireless
  2. Choose a virtual wireless interface (wl0.1 or wl1.1)
    1. This will be an alias under the parent wireless band you choose, so pick 2.4GHz for general devices or the 5.0GHz band for higher-speed, lower-range newer devices.
  3. Enter SSID name
  4. Mode: Access Point
  5. Associate your new bridge
  6. Click add
  7. Scroll to the bottom, click save

Now any client that connects to this wireless access point will also be on your new isolated VLAN.

LAN Routes and Restrictions
Lastly, check the LAN access settings (Advanced -> LAN Access) and make sure a default ingress route exists from your default VLAN1 –> VLAN3.

For simple connections like SSH, HTTP etc. you should be able to access things in the isolated VLAN but not vice-versa.  For more complex connections (like screencasting YouTube from your phone or tablet onto a TV) you may need to connect to the virtual wireless SSID associated with your isolated VLAN.

Optionally Restrict VLAN Outbound Traffic
With the internet of shit things you might want to restrict all outbound traffic to only the destinations you choose; nobody knows what the hell some of these internet-connected home devices and appliances might be doing.

In the example below I’ll show some iptables firewall rules used to restrict a Samsung Smart TV to only Netflix.  I ended up not doing this because Netflix has way more streaming IP addresses than I could track down, and I haven’t had time to run packet captures to find them all.

  1. Navigate to Administration -> Scripts
  2. Select the Firewall tab
  3. From here you can paste iptables rules
  4. Reboot to take effect

A more paste-friendly version of the ruleset is below.  Note that every rule is inserted at the top of its chain with -I, so the default-deny rule is added first and the more specific ACCEPT rules end up above it.

# default deny: drop everything forwarded from the TV's bridge (br1)
iptables -I FORWARD -i br1 -j DROP

# allow the TV to use the router's own DNS resolver
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT

# allow the TV to reach Netflix (inserted above the DROP)
iptables -I FORWARD -i br1 -p tcp -d 108.175.32.0/24 -j ACCEPT
iptables -I FORWARD -i br1 -p tcp -d 108.175.33.0/24 -j ACCEPT
iptables -I FORWARD -i br1 -p tcp -d 108.175.34.0/24 -j ACCEPT
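The one-way LAN access described above (default LAN may open connections into the isolated VLAN, the isolated VLAN may only answer) and the outbound whitelist, written as one Firewall script. This is an added example, not code from the post or from Tomato; br0 (default LAN bridge), br1 (the bridge created earlier) and vlan2 (the WAN interface) are assumed names, and the Netflix ranges are the ones listed above.

```shell
#!/bin/sh
# Added example, not code from the original post or from Tomato.
# One-way inter-VLAN access: the default LAN may open connections into the
# isolated VLAN, the isolated VLAN may only answer; plus the optional
# outbound whitelist. Paste into Administration -> Scripts -> Firewall.
# Assumed interface names: br0 = default LAN bridge, br1 = the bridge
# created in Basic -> LAN, vlan2 = the WAN interface. Run with IPT=echo
# to preview the rules instead of applying them.

IPT="${IPT:-iptables}"
TRUSTED_IF="${TRUSTED_IF:-br0}"
ISOLATED_IF="${ISOLATED_IF:-br1}"
WAN_IF="${WAN_IF:-vlan2}"

# Tomato's own FORWARD rules already accept LAN-to-LAN traffic, so every
# rule is inserted at the top of the chain with -I. Each -I pushes the
# earlier inserts down, so rules are added in reverse of matching order.
one_way_isolation() {
    # Matched last: anything else from the isolated VLAN to the trusted LAN.
    $IPT -I FORWARD -i "$ISOLATED_IF" -o "$TRUSTED_IF" -j DROP
    # Matched before the DROP: replies to flows the trusted side opened.
    $IPT -I FORWARD -i "$ISOLATED_IF" -o "$TRUSTED_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Matched first: the trusted LAN may reach anything in the isolated VLAN.
    $IPT -I FORWARD -i "$TRUSTED_IF" -o "$ISOLATED_IF" -j ACCEPT
}

# Optional: the isolated VLAN may reach only the given networks on the
# internet (over TCP); everything else it sends toward the WAN is dropped.
outbound_whitelist() {
    # Matched last: default deny toward the WAN.
    $IPT -I FORWARD -i "$ISOLATED_IF" -o "$WAN_IF" -j DROP
    for net in "$@"; do
        $IPT -I FORWARD -i "$ISOLATED_IF" -o "$WAN_IF" -p tcp -d "$net" -j ACCEPT
    done
    # The router itself must keep answering DHCP and DNS from the isolated VLAN.
    $IPT -I INPUT -i "$ISOLATED_IF" -p udp --dport 67 -j ACCEPT
    $IPT -I INPUT -i "$ISOLATED_IF" -p udp --dport 53 -j ACCEPT
    $IPT -I INPUT -i "$ISOLATED_IF" -p tcp --dport 53 -j ACCEPT
}

apply_rules() {
    one_way_isolation
    # The Netflix ranges from the post; substitute whatever your device needs.
    outbound_whitelist 108.175.32.0/24 108.175.33.0/24 108.175.34.0/24
}

# Apply for real only as root with iptables available (i.e. on the router);
# IPT=echo prints the rules anywhere.
if [ "$IPT" = echo ] || { [ "$(id -u)" -eq 0 ] && command -v "$IPT" >/dev/null 2>&1; }; then
    apply_rules
fi
```

Preview the resulting rule list with `IPT=echo sh isolate.sh` before pasting it into the Firewall tab, and check the live chain afterwards with `iptables -L FORWARD -v -n`.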

Summary
The ASUS RT-N class of routers combined with the Shibby tomato firmware is a very powerful tool for home networks (or small business networks in a pinch).  I’m still experimenting with other things you can do with them including using the native OpenVPN client and server functionality.  Please leave a comment or feedback below if this was helpful to you or you’ve got any suggestions I can add.

About Will Foster

hobo devop/sysadmin, all-around nice guy.

31 Responses to Build Secure VLAN Networks with ‘Shibby’ Router Firmware

  1. 2010 says:

    When I follow these instructions, devices on VLAN1 cannot access devices on VLAN3. But devices on VLAN3 can access everything else. So it seems like you have this backwards. The way you have it set up, it looks like your evil TV on VLAN3 can access everything on your home network, but nothing on your original VLAN1 can control the TV. So either you have your smartphone (TV remote app) on VLAN3 too, or it’s using WiFi direct and bypassing the router entirely. For another example, if “trusted” is defined as a device where you have root, the trusted machines are the “high value” machines at the bottom of this page (but for our purpose the 2nd router is a VLAN of course.) https://www.grc.com/nat/nat.htm

    Also there is some text missing from the article: “You could plug in a single” (blank)

    If you want to prevent untrusted devices from hacking each other, I guess you would have to put them on separate VLAN’s, then put all your trusted devices on another VLAN. How then would a trusted PC access the web server in an untrusted device on another VLAN? This article is a good start, but we need better examples. Also be advised that Shibby’s Tor client may be broken (seems to always use the same exit node.)

    ps: dont forget this for your web site: https://letsencrypt.org/

    • Will Foster says:

      Hey, thanks for your comments, I’ve made some corrections.

      When I follow these instructions, devices on VLAN1 cannot access devices on VLAN3. But devices on VLAN3 can access everything else. So it seems like you have this backwards. The way you have it set up, it looks like your evil TV on VLAN3 can access everything on your home network, but nothing on your original VLAN1 can control the TV. So either you have your smartphone (TV remote app) on VLAN3 too, or it’s using WiFi direct and bypassing the router entirely.

      On my setup it’s like this, in that VLAN3 cannot access VLAN1 but not vice-versa. In the case of the TV I do have to connect to the VLAN3 virtual wifi to control it (screencast etc). I have the following set in my LAN access settings, but I don’t remember if I set this or if it was the default (let me know what yours is set and I’ll update the guide – I added this part anyway).

      For example here’s me trying to access a local webserver (on VLAN1) from my wall-mounted Android tablet (on VLAN3)

      root@grouper:/storage/emulated/legacy # telnet 192.168.0.44 80
      HTTP/1.1 408 Request Time-out

      I’ve also tested this by plugging a laptop into port1 (VLAN3) – I cannot ssh to anything on VLAN1 but vice-versa works, and I can access everything from the router as it holds the virtual gateways for all VLANs.

      Thanks for your suggestion about letsencrypt, It seems letsencrypt is setup across the board now.

  2. Anette says:

    I never heard about that firmware before. I updated my firmware before but it never worked as planned. Maybe I did something wrong that made the device not function properly. That’s why right now I’m afraid to do modifications on my wireless device.

    • Will Foster says:

      There’s usually a way to revert back to the normal firmware if you run into problems. If you don’t need any additional functionality out of your router then maybe it’s not worth the effort – but in most cases it’s very hard to brick things with the shibby/tomato line and you can always revert back to stock ASUS.

      You might checkout Merlin firmware instead, it’s a bit more like the stock ASUS it just performs better though doesn’t have all the features that shibby/tomato has.

  3. jim bo says:

    Shouldn’t I be able to log into the ap in the 172.16.0.1 subnet from the 192.168.0.1 subnet? I’m not able to log into the ap via ethernet lan. I can log on to it via wireless to change settings and connect to it to get internet connection. I copied your settings here to test out. I am unable to ping from this ap to another device on my main network 192.168.0.1 subnet which I assume is good, isolation. You mentioned that one should be able to access devices on the isolated network from your private network but not vice-versa. Thanks for your input here.

    • Will Foster says:

      Hey Jim, take a look under Advanced -> LAN Access in the Tomato UI. There are some settings you can add to facilitate what LANs can access the other ones. I have mine setup like you mentioned, but it has some flexibility to allow additional ingress/egress traffic between different networks.

      Just be careful here, that if you allow full ingress/egress between LANs you may void any separation that you want to keep. Try experimenting with only adding access from your private LAN to the isolated LAN and see if that accomplishes it. For my setup I just leave it as-is and if I really want to access devices from wireless clients in my protected LAN I’ll temporarily switch SSID to the isolated lan (for instance, display casting for YouTube to my SmartTV).

  4. jim bo says:

    As shown in this article I have my ap 172.16.0.100 static plugged into lan port 1, vlan 3. My PC obtain IP auto is plugged into lan port 2, vlan 1. I wish to be able to log into the ap for management purposes through the lan network and not through wireless. Under lan access in tomato, I have lan(br0) 192.168.0.1 as the src and lan(br1) 172.16.0.1 as the destination. I still can’t access the ap through the lan. Thanks in advance.

    • Will Foster says:

      On my tomato I have an interface listening on the isolated VLAN/LAN.

      LAN : 192.168.0.1/24 @ DHCP: 192.168.0.2 – 192.168.0.99
      LAN1: 172.16.0.1/24 @ DHCP: 172.16.0.2 – 172.16.0.10

      Can you access the AP management UI via the http://172.16.0.1 address instead?
      This works for me with no changes, as the AP management UI listens on all interfaces on the Tomato router.

  5. jim bo says:

    I can login to the tomato router at both ips 192.168.0.1 and 172.16.0.1. I can’t login to the router setup as an access point ip 172.16.0.100 connected to the 172.16.0.1 vlan on the tomato router through the 192.168.0.1 vlan to which my pc is connected. Thanks.

    • Will Foster says:

      Sorry, I guess I don’t understand what you’re trying to do. As I understand it, that separation is to be expected. You should be able to ping/access resources from your private networks to the isolated 172.16.0.x VLAN but not vice-versa (because there’s only an ingress rule, unless you add an equivalent egress rule) besides established-related traffic. If you need to access the Tomato UI from the 172.16.0.x networks that’s what the http://172.16.0.1 listening port is for, the only way I can see to change this is to add some static routing rules.

      You might be able to do this through the UI within Advanced -> LAN Access and add a specific route from vlan3 (172.16.0.x) to vlan1 (192.168.0.x), if that’s not possible you can add custom routing rules (in the form of iptables/ebtables) in the Tomato UI under Administration -> Scripts -> Firewall, but be careful with this.

  6. jim bo says:

    I have a router configured as an access point connected to the tomato router. I’m trying to login into this access point. The access point is at 172.16.0.200 static ip. The ethernet cable connects from the lan point of this access point to the lan port of the tomato router vlan 3. My pc is connected to vlan 1. The PC gets its ip auto. Perhaps I don’t understand what the article is about. I thought it was to allow vlan 1 to access vlan 3 but not vice versa. I’m trying to simplify management of the various devices in the network.

    • Will Foster says:

      I have a router configured as an access point connected to the tomato router. I’m trying to login into this access point. The access point is at 172.16.0.200 static ip. The ethernet cable connects from the lan point of this access point to the lan port of the tomato router vlan 3. My pc is connected to vlan 1. The PC gets its ip auto. Perhaps I don’t understand what the article is about. I thought it was to allow vlan 1 to access vlan 3 but not vice versa. I’m trying to simplify management of the various devices in the network.

      Ok, I think I see what you mean. I’m not sure this covers what you’re trying to do. If you were to connect a dumb switch to that (isolated) VLAN port on the tomato all LAN connection then going into that switch should inherit those settings (and become a member of that 172.16.0.x network, gaining any one-way isolation).

      If you’re doing Layer4 traffic (DHCP – auto IP) on a router I don’t think it will inherit these settings as it’s operating higher on the OSI layer model than Layer2 (VLANs) and may not understand and forward the tags needed to isolate traffic while providing routing behavior. You can usually go lower, not higher unless the devices are managed or support a shared configuration (like VLAN trunking/spanning). This is just a guess, not knowing what your network looks like.

      One thing to try, instead of plugging a router into the LAN port where you’ve setup the isolated VLAN try plugging in a machine by itself – it should work as illustrated in this post, or try a dumb Layer2 switch for the same effect. When you plug in another router (and possible enable Layer3/4 services on it) I’m not sure it would work as illustrated here. I hope this helps.

  7. jim bo says:

    Do you mean file sharing between computers when you state “Access devices on the isolated network from your private network but not vice-versa”? If not,what type of devices? Thanks.

    • Will Foster says:

      Do you mean file sharing between computers when you state “Access devices on the isolated network from your private network but not vice-versa”? If not,what type of devices? Thanks.

      I am referring to accessing resources via ICMP, or simple established-related connections from my protected, internal network to a lesser secure one but not vice-versa but not full-blown file sharing, as that will defeat the purpose of VLAN separation between two different broadcast domains (172.16.0.x and 182.168.0.x for example).

      An example might be I can SSH to a less trusted machine or device from the more trusted (default) VLAN on the 192.168.0.x network range but not the other way. In my case I put IoT devices like smart TV, tablets, guest(s) and things I don’t want accessing my internal network on the 172.16.0.x network – they can still access the internet and I can still access them, but they cannot attack, wreak havoc or snoop on my default network.

  8. goarilla says:

    Doesn’t “shibby” tomato support ipset?
    If so why not just dump all the netflix IP addresses in a set?

    • Will Foster says:

      Doesn’t “shibby” tomato support ipset?
      If so why not just dump all the netflix IP addresses in a set?

      That’s a great suggestion, it does indeed have ipset. I haven’t tried this yet as I’ve since reverted the stringent rules (Netflix just has too many CDN IP addresses to track/manage) but I can certainly give it a shot. I found one reported issue from an older build but that was some time ago, so it’s worth testing out. Thanks for the suggestion.

      • Chris says:

        ipset works great.
        It’s even more convenient with dnsmasq, so you can filter (or exclude) entire domains. Also, IP ranges work great (e.g. 108.175.0.0/16 would cover many of netflix’s IPs).

  9. rochr4 says:

    https://goo.gl/photos/hTdYMPXtEL7aDpmT6

    You can do exactly that in gui, I added separate netmasks for the heck of it, two wireless vlans that can only see each other, virtual gateway and got Internet access, cannot see anything else, especially another network that is a hop away, works brilliantly.

  10. jim bo says:

    I have several vlans created. All devices attached to these vlans can access internet with no issue. I am using tomato build 132 on an asus rt-n66u router. When the windows 10 computer and windows xp computer are configured manually for dns no opendns oops! page but when the computers are set to obtain dns auto and use router for opendns the oops! page appears. I have the opendns servers, all 3, entered in the tomato dns settings. I tried all of the standard procedures flushdns and clear browser cache. The opendns support has said “From what I can see right now, your router isn’t actually able to use OpenDNS servers and send them out on your network. The NSLOOKUPs that you’ve performed proves this, along with the test you did by applying the OpenDNS servers directly on your computer(s).” Is there a bug in tomato build 132 with this? Thanks in advance.

  11. Rob says:

    I created a couple of new bridges today, one for guest and a second to get vmware esxi off of my regular private net. Guest wls br3 works fine. The br2 does not. I stole 3 member interfaces from br0 and assigned to br1 and reboot. When it comes back up the 3 interfaces i stole from br0 and assigned to br1 are back on br0 as well as staying on br1. I have tried several different scenarios to try and get this to work but no dice

  12. Steve Goodwin says:

    Wanted to advise on using VPN tunneling with a Tomato router, often the router CPU will be the bottleneck for encrypted traffic. Make sure you prioritize a fast CPU!

    http://www.enginoor.com/list-of-tomato-compatible-routers/

  13. Mark says:

    Thanks for this guide – it’s great! It has worked well for me on my primary router, but I can’t figure out how to use it on my secondary router that acts as an extender connected via a wired homerun. I followed another guide to set that up and it forwards DHCP requests through to the primary router, and I thought I could just treat it similarly with these wireless VLANs but it doesn’t appear to be working. Any suggestions?

  14. William Roberts says:

    Thanks for the guide, one problem that I’m having though. When I assign the port to the new vlan and reboot, that port becomes active on both vlans (showing on vlan1 and vlan3). Any ideas? Sadly, the device that’s connected to that port is pulling its ip address from the first vlan. More details here, hopefully I can get it fixed soon. http://www.linksysinfo.org/index.php?threads/cant-remove-port-from-vlan.73259/

    • Tim says:

      Same here on Tomato Firmware 1.28.0000 MIPSR2-138 K26 USB AIO-64K.
      Assigned ports 1 – 3 to Vlan1 (192.168.x.x) and port 4 to Vlan3 (172.16.x.x). After reboot port 4 is checked on both Vlan1 and Vlan3.
      _Although_ network traffic appears to be separated and IP address are being properly assigned to devices from the appropriate subnet; so it’s working as intended.

  15. PJ says:

    Shibby is one of the better versions of Tomato but the best and most attractive, in my view, is AdvancedTomato. See AdvancedTomato.com.

  16. Jason Peters says:

    I’m wondering if having an internet connected smart tv on its own vlan the way you’ve described would cause connectivity issues if wanting to use plex client on the smart tv which is served from a plex server on the private LAN?

    • Will Foster says:

      I’m wondering if having an internet connected smart tv on its own vlan the way you’ve described would cause connectivity issues if wanting to use plex client on the smart tv which is served from a plex server on the private LAN?

      I have a plex client on my smart TV so I can check for you, but what I imagine would happen is that Plex will fall back to a non-direct connection but still work since it’s still available via plex.tv.

      • Will Foster says:

        Ok, I seem to be able to connect to other Plex servers without issue using the Samsung Plex app (version 2.007) but I cannot connect to my own. I do however sign my own SSL certificates and listen on a non-standard port. I also tried adding my plex server via the external IP/port to no avail. If you have your Plex Media Server setup with the defaults it may work just fine however.

  17. gzartman says:

    Good how to!
