Access options with guest networks

[TheLyppardMan]

At the moment, I only have one device on a guest network, thus:

As you can see, this is on a different IP range to my main network, which uses 192.168.178...

Can anyone tell me what options are available for communication between devices on the guest networks and the main LAN using the latest Merlin firmware? Also, can devices on a guest network communicate with each other, even if isolate from intranet is enabled. Lastly, is it possible to only allow some devices on a guest network to communicate with the main LAN (without getting into the complexity of adding scripts)?

 

[drinkingbird]

At the moment, I only have one device on a guest network, thus:

View attachment 49701

As you can see, this is on a different IP range to my main network, which uses 192.168.178...

Can anyone tell me what options are available for communication between devices on the guest networks and the main LAN using the latest Merlin firmware? Also, can devices on a guest network communicate with each other, even if isolate from intranet is enabled. Lastly, is it possible to only allow some devices on a guest network to communicate with the main LAN (without getting into the complexity of adding scripts)?

Guest wireless 1 uses separate VLANs and subnets (when access intranet is disabled), mostly for the purposes of being able to propagate it to AiMesh nodes and maintain the LAN isolation feature. If you want it to use the same subnet as main LAN, use any Guest Wireless other than 1. In both cases they also use firewall rules (EBTABLES and IPTABLES) to prevent communication to the main LAN also.

When you disable intranet access, the GW SSID automatically enables AP Isolation, so clients on guest cannot see each other. The only way to change that would be to disable the parameter via a script during startup (or temporarily by doing it via SSH).

Alllowing specific traffic between the two is relatively easy. I'm doing it to allow one of my guest networks to be able to discover and print to my HP printer. You have to do it via a firewall-start script, it can't be done via the GUI.

You may want to check on Yazfi - it does let you disable the AP isolation via GUI so guests can talk to each other. I'm not sure if it will let you configure specific guests to be able to talk to the LAN though.

 

[TheLyppardMan]

OK, thanks. I'll have a look at Yazfi as you suggest if I need to add any further devices to the guest network(s).

 

[Piotrek]

Don't start by looking at what options are available.
First, think about what you want to do and why, then decide how to do it.

 

[bennor]

YazFi is likely what you seek but just note YazFi doesn't work with AiMesh nodes.
There is discussion in other threads on using YazFi and some scripting to allow a specific LAN client to access a YazFi guest network client (or vise versa.) But consider that if you are opening up a Guest Network client to have full access to the main LAN, why bother putting the WiFi client into the Guest Network at that point? One should step back and think about what they are trying to achive at that point by using the Guest Network.

https://github.com/jackyaz/YazFi

Here is one such post talking about using some custom scripting with YazFi to allow a YazFi guest client to access a main LAN client:
https://www.snbforums.com/threads/guest-network-clients-not-using-yazfi-subnet.71718/#post-680188

The YazFi section on Custom Scripting with some examples:
https://github.com/jackyaz/YazFi#custom-firewall-rules

Use the site search feature and filter option to search for and find discussion on YazFi. Lots and lots of past discussion and questions/answers on using YazFi.