Access one IP address on primary net from Guest net

[crt]

This is my first post as a real networking newbie. I currently run Shibby Tomato on my Asus RT N66U with our private net at 192.168.1.1 and a Guest net with only internet access on 192.168.2.1. I followed a tutorial to accomplish this with a vlan and bridge.

I would like to grant guest access to our music server which is at 192.168.1.xxx. Is there a way to accomplish this in Tomato or the stock Asus firmware (which I can reinstall if necessary)? I would like access for guests to just the internet and music server.

Unfortunately, my networking knowledge is minimal so if it involves IP tables and the like, I would appreciate help with specific steps.

Thank you for any help you can provide. I have not found anything specific thus far to accomplish this.

 

[abailey]

What VLANs do you currently have. Do you have any switches or other equipment. How is the music server attached?

 

[AcostaJA]

Try configuring sub-net mask at 255.255.64.0

 

[crt]

The music server is a Vortexbox (Linux) PC attached to the primary LAN through a passive switch with all connections via Ethernet. The network setup is pretty typical for home use. Two PCs, one printer, the Vortexbox, three front end streamers (based on Squeezebox) that pull material from the server and a HTPC. In addition, there are two satellite APs for the primary net running Tomato or DD-WRT. I have failed to find a way to add a guest SSID on the extra APs in spite of following some clear online tutorials. So, for now, I'll settle for guest only on the Asus router. All of the above are wired through a couple of passive switches. The wireless clients are iPhone and tablets.

The only VLAN I set up was via a Tomato tutorial to add wireless guest access on my router with the private SSID as br0 and the guest SSID as br1 (I hope I am explaining this properly).

We have a house sitter (a friend) and I want to give her internet access (which is currently operational) and the ability to control the music server, which can be accomplished via access to the Vortexbox or maybe the Squeezebox touch while she is on the guest net, assuming there's a way to permit access from the guest subnet.

 

[crt]

Thanks. Would this be for both the private and guest scenarios (255.255.64.0)? How would I grant access to just one primary net IP address from the guest net (192.168.2.1)?

 

[AcostaJA]

Vlan must be bridged to enable packet inter traffic

 

[azazel1024]

You'll need a switch that can pass VLAN tagging, or else you'll need to connect the music server directly the router (as it supports VLAN tagging). Then make the music server a member of the primary VLAN and a member of the guest only VLAN. Then both groups can access it.

If it is behind a dumb switch, none of the VLAN tagging is going to be getting passed, so you can't setup VLAN membership on the music server (you might have it setup now, but I can guarantee the VLAN tags aren't getting passed through the switch, its only on the router where local VLAN tagging is being seen, which is why a guest VLAN will work for internet only access since it is internal to the router).

If your APs are running a firmware that support VLANs and you can't get it to work and you happen to have them connected to those "passive switches" as you call them (there is no such thing, there are dumb switches, semi-managed and managed switches, but a passive switch is an oxymoron. That would be a hub), that is why.

99% of all dumb switches cannot pass VLAN tagging. Generally you need a semi-managed L2 switch or better to pass VLAN tagging.

If you insert those in to your network, then you could use VLANs and guest SSID on the APs to allow access to the internet gateway and nothing else. Or internet gateway and music server.

 

[abailey]

I agree with azazel1024, you really need managed switches. Managed switches would let you do what you are looking to do with your music server as well as enable you to have guest networks on your AP's (as long as your AP's support multiple VLAN's). The only part I don't agree with azazel1024 is the part where he says "Then make the music server a member of the primary VLAN and a member of the guest only VLAN. Then both groups can access it". This works if you use the same subnet on both VLAN's and if your managed switch supports General Access ports (some managed switches do not). Since you have set up different subnets with your different VLAN's then the best way to get the guest network to access the Music Server is to either put the music server in a third VLAN with its own subnet and give both the Guest and Private subnets access to it through your router, or leave the music server in your private VLAN and use ACL's to define rules that will allow the music server IP to be available to the guest network. ACL's can be tricky to set up though, especially across multiple devices (like a router and a switch).
Also I would NOT change your subnet mask. I would leave it at 255.255.255.0. I am not sure why AcostaJA suggested that. I don't see how that would help your situation. Maybe he could clarify why he suggested that (maybe there is some trick I am unaware of).

 

[azazel1024]

Doh. I missed the part where OP mentioned different subnets.

Yeah, you'd probably want to consolidate to one subnet if you wanted the VLANs to work appropriately.

 

[crt]

I appreciate the tips that you have provided...thank you. I apologize for using the incorrect term for my dumb switches.

Fortunately, my music server is on a NAS that is adjacent to my router so I can plug it directly in as suggested. From there I am a bit confused. Do I use the same subnet (192.168.1.1) for both vlan 1 (private) and vlan 2 (guest)? Won't that allow guests to see everything on the private net? If not, how would I configure the guest vlan to access the music server IP (Tomato)?

Since this is to accommodate a house sitter, could I use 192.168.2.1 for vlan 2 and assign the music server an IP of 192.168.2.xxx and then change it back when we return?

Thanks for any clarification that you can provide to this network beginner. I have tried searching but have come up short. I am investigating replacing my dumb switches with smart ones to enable private and guest access on the satellite APs. Fortunately, some smart switches are less costly than I had assumed.

 

[sfx2000]

This is my first post as a real networking newbie. I currently run Shibby Tomato on my Asus RT N66U with our private net at 192.168.1.1 and a Guest net with only internet access on 192.168.2.1. I followed a tutorial to accomplish this with a vlan and bridge.

I would like to grant guest access to our music server which is at 192.168.1.xxx. Is there a way to accomplish this in Tomato or the stock Asus firmware (which I can reinstall if necessary)? I would like access for guests to just the internet and music server.

Unfortunately, my networking knowledge is minimal so if it involves IP tables and the like, I would appreciate help with specific steps.

Thank you for any help you can provide. I have not found anything specific thus far to accomplish this.

Port Forward the Music Server to the public IP - then the client can hair-pin it back based on the public IP/Port Assignments.