
How does the Guest Network "Access Intranet" feature actually work?


orion44

Regular Contributor
I've never used the Guest Network feature previously so I'd assumed the "Access Intranet" (block LAN traffic) feature worked via iptables similar to the Parental Controls. However, after turning on a guest network and enabling "Access Intranet" I observed no changes being made to the iptables. I also noticed the guest device was assigned an IP in the same subnet as other devices in the LAN.

Despite this, the intensive nmap scans I conducted from the guest device revealed no leaks to the LAN devices or the router itself. So how does this sorcery happen?
 
It adds rules to ebtables, I think
Code:
ebtables -L
ebtables -t broute -L
 
YES!
Code:
admin@RT-AC5300-F8D0:/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

admin@RT-AC5300-F8D0:/tmp/home/root# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Thanks!
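
An added example, not part of any post in this thread: a shell function that reads the two listings shown above and reports whether a guest interface has unconditional FORWARD drop rules in both directions, and which traffic the broute rule matches. The function name `check_guest_isolation` is hypothetical and the embedded sample is the posted listing with the prompts removed; in the broute table a DROP verdict means the frame is routed rather than bridged.

```shell
#!/bin/sh
# Constructed sample: the rule listing posted in the thread, prompts removed.
SAMPLE='Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge table: broute
Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP'

# check_guest_isolation IFACE   (hypothetical helper; listing on stdin)
# Exit status 0 only if filter/FORWARD unconditionally drops frames both
# from and to IFACE. On the router:
#   { ebtables -L; ebtables -t broute -L; } | check_guest_isolation wl0.1
check_guest_isolation() {
    awk -v ifc="$1" '
    /^Bridge table:/ { table = $3; next }
    /^Bridge chain:/ { chain = $3; sub(/,/, "", chain); next }
    /^-/ {
        in_if = out_if = proto = dst = target = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i") in_if = $(i + 1)
            else if ($i == "-o") out_if = $(i + 1)
            else if ($i == "--ip-proto") proto = $(i + 1)
            else if ($i == "--ip-dst") dst = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        if (target != "DROP") next
        # NF == 4 means the rule has no match besides the interface.
        if (table == "filter" && chain == "FORWARD" && NF == 4) {
            if (in_if == ifc) from = 1
            if (out_if == ifc) to = 1
        }
        # broute DROP: the frame is routed instead of bridged.
        if (table == "broute" && in_if == ifc)
            printf "broute: %s -> %s proto %s is routed, not bridged\n",
                ifc, (dst != "" ? dst : "any"), (proto != "" ? proto : "any")
    }
    END {
        print "filter/FORWARD drop from " ifc ": " (from ? "yes" : "NO")
        print "filter/FORWARD drop to " ifc ": " (to ? "yes" : "NO")
        exit !(from && to)
    }'
}

printf '%s\n' "$SAMPLE" | check_guest_isolation wl0.1
```

The broute line in the report makes it visible that the posted BROUTING rule matches only TCP to 192.168.1.0/24, so it is worth re-running the check after firmware or guest-network setting changes.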
 
