Port forwarding from guest network to LAN???

don_bidyre

Occasional Visitor
Does anyone know if there's a way to enable limited access to selected local resources from a guest network that has Intranet access turned off?

Example: I'd like to allow guest users access to my Wi-Fi connected printer, whilst still preventing full LAN access & without opening the printer to access from the internet.

If this is not currently possible, is there a wishlist anywhere :)
 
This is basically what I did to allow guest wi-fi to access the LAN DNS server. wl0.1 is the guest wifi, 192.168.1.50 is the DNS server; it may be different for you depending on how you set it up.

In /jffs/scripts/firewall-start I added this:

# Rules for wl0.1 - force routing so traffic doesn't go thru bridge
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

# traffic coming to (not thru) the router itself from guest wireless
# allow DHCP and DNS (for fallback), block everything else
/usr/sbin/iptables -I INPUT -i wl0.1 -j logdrop
/usr/sbin/iptables -I INPUT -i wl0.1 -p udp --dport 53 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl0.1 -p udp --dport 67:68 -j ACCEPT

# let guest network connect to Internet and local DNS server but nothing else (not even each other?)
# $1 is WAN interface
/usr/sbin/iptables -I FORWARD -i wl0.1 -o $1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 ! -o $1 -j logdrop
/usr/sbin/iptables -I FORWARD -i wl0.1 -d 192.168.1.50 -p udp --dport 53 -j ACCEPT


For the printer example, change the last line to be your printer IP (and restrict other stuff like ports/protocol if you want) like this:

/usr/sbin/iptables -I FORWARD -i wl0.1 -d <printer-ip> -j ACCEPT

Hope this helps, I got most of this from other threads and the nice people on this forum.
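
An added example, not part of the original posts: the printer rule above narrowed to specific print ports, with the destination and ports validated before any rule is inserted. The printer address 192.168.1.60 and the ports tcp/631 and tcp/9100 are constructed sample values; the script prints the commands unless IPT is set to /usr/sbin/iptables, and it assumes the firmware's existing FORWARD rules already pass reply traffic back to the guest.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed values: printer at
# 192.168.1.60, IPP (tcp/631) and raw printing (tcp/9100). wl0.1 is the
# guest interface named in the post.
# Dry run by default: set IPT=/usr/sbin/iptables in firewall-start to apply.
IPT="${IPT:-echo iptables}"
GUEST_IF="${GUEST_IF:-wl0.1}"

valid_ip() {
    # Dotted-quad IPv4 only; reject stray characters and empty octets.
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] 2>/dev/null && [ "$1" -le 65535 ] 2>/dev/null
}

# allow_guest_to <dest-ip> <tcp|udp> <port> [port...]
allow_guest_to() {
    [ $# -ge 3 ] || { echo "usage: allow_guest_to ip proto port..." >&2; return 2; }
    dest="$1"; proto="$2"; shift 2
    valid_ip "$dest" || { echo "bad IP: $dest" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    # Validate every port before touching the firewall, so a typo
    # cannot leave a half-applied rule set.
    for port in "$@"; do
        valid_port "$port" || { echo "bad port: $port" >&2; return 1; }
    done
    for port in "$@"; do
        # -I inserts at the top of FORWARD, above the guest logdrop rule,
        # so call this after the FORWARD rules from the post.
        $IPT -I FORWARD -i "$GUEST_IF" -d "$dest" -p "$proto" \
            --dport "$port" -j ACCEPT || return 1
    done
}

allow_guest_to 192.168.1.60 tcp 631 9100
```
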
 
