Allow computers on the guest network to see each other?


pixeler02

Occasional Visitor
Hi,

Is there a way for computers on the guest network to see each other? I was hoping to allow communication between guests (and access internet), but not allow them access to other computers on my main LAN.

Seems like computers on the guest network can't see each other.

Thanks for any advice!
 
They already do, unless you configured the Guest network "Access Intranet" to "No".
 
They already do, unless you configured the Guest network "Access Intranet" to "No".

Will setting "Access Intranet" to "YES" allow guests to access computers on the main LAN? I want guests to access each other but not allow them access to the computers on the main LAN. Cheers.
 
I want guests to access each other but not allow them access to the computers on the main LAN.
You can allow specific access for a specific purpose. However, remember it is a guest network after all. You want device isolation to be the rule. Otherwise, why have a guest network?

Here's what I did to access my HP printer residing on a special guest Ethernet VLAN. I used Wireshark to view tcpdump data, to see everything that was happening. The Guest Network was blocking:
1. ARP broadcast
2. ARP reply from device
3. ICMP ping
4. UDP packets for SNMP
5. TCP packets for raw socket printing

Now, you don't want to completely open up the guest network because it is a guest network after all. Just crack it open a tiny bit for your specific needs. Here is an example of enabling my HP printer on a guest network, so I can access it from the primary network.

Allow ICMP ping
Code:
# Allow ICMP ping (request and reply) to and from the HP Printer residing on the Guest Ethernet Port
# xx:xx:xx:xx:xx:xx is MAC address of HP printer
ebtables -t filter -I FORWARD -p IPv4 -d xx:xx:xx:xx:xx:xx --ip-proto icmp -j ACCEPT
ebtables -t filter -I FORWARD -p IPv4 -s xx:xx:xx:xx:xx:xx --ip-proto icmp -j ACCEPT

Allow SNMP
Code:
# Allow SNMP to HP Printer residing on the Guest Ethernet Port
# xx:xx:xx:xx:xx:xx is MAC address of HP printer
ebtables -t filter -I FORWARD -p IPv4 -d xx:xx:xx:xx:xx:xx --ip-proto udp --ip-dport 161 -j ACCEPT
ebtables -t filter -I FORWARD -p IPv4 -s xx:xx:xx:xx:xx:xx --ip-proto udp --ip-sport 161 -j ACCEPT

Allow raw socket printing
Code:
# Allow raw socket printing to HP Printer residing on the Guest Ethernet Port
# xx:xx:xx:xx:xx:xx is MAC address of HP printer
ebtables -t filter -I FORWARD -p IPv4 -d xx:xx:xx:xx:xx:xx --ip-proto tcp --ip-dport 9100 -j ACCEPT
ebtables -t filter -I FORWARD -p IPv4 -s xx:xx:xx:xx:xx:xx --ip-proto tcp --ip-sport 9100 -j ACCEPT

Allow ARP reply from device
Code:
# Allow ARP reply from HP Printer
# xx:xx:xx:xx:xx:xx is MAC address of HP printer
ebtables -t filter -I FORWARD -p ARP -s xx:xx:xx:xx:xx:xx -j ACCEPT

Allow ARP broadcast between specific interfaces
Code:
# Allow ARP broadcast from Primary Ethernet Ports
#ebtables -t filter -I FORWARD -i vlan1 -o vlan1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary Ethernet Ports
#ebtables -t filter -I FORWARD -i vlan1 -o eth1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i vlan1 -o eth2 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 5GHz Wi-Fi
#ebtables -t filter -I FORWARD -i vlan1 -o vlan14 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest Ethernet Port
#ebtables -t filter -I FORWARD -i vlan1 -o wl0.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i vlan1 -o wl1.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 5GHz Wi-Fi

# Allow ARP broadcast from Primary 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i eth1 -o vlan1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary Ethernet Ports
#ebtables -t filter -I FORWARD -i eth1 -o eth1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i eth1 -o eth2 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 5GHz Wi-Fi
#ebtables -t filter -I FORWARD -i eth1 -o vlan14 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest Ethernet Port
#ebtables -t filter -I FORWARD -i eth1 -o wl0.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i eth1 -o wl1.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 5GHz Wi-Fi

# Allow ARP broadcast from Primary 5GHz Wi-Fi
#ebtables -t filter -I FORWARD -i eth2 -o vlan1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary Ethernet Ports
#ebtables -t filter -I FORWARD -i eth2 -o eth1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i eth2 -o eth2 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 5GHz Wi-Fi
#ebtables -t filter -I FORWARD -i eth2 -o vlan14 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest Ethernet Port
#ebtables -t filter -I FORWARD -i eth2 -o wl0.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i eth2 -o wl1.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 5GHz Wi-Fi

# Allow ARP broadcast from Guest 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i wl0.1 -o vlan1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary Ethernet Ports
#ebtables -t filter -I FORWARD -i wl0.1 -o eth1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i wl0.1 -o eth2 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 5GHz Wi-Fi
#ebtables -t filter -I FORWARD -i wl0.1 -o vlan14 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest Ethernet Port
#ebtables -t filter -I FORWARD -i wl0.1 -o wl0.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i wl0.1 -o wl1.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 5GHz Wi-Fi

# Allow ARP broadcast from Guest 5GHz Wi-Fi
#ebtables -t filter -I FORWARD -i wl1.1 -o vlan1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary Ethernet Ports
#ebtables -t filter -I FORWARD -i wl1.1 -o eth1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i wl1.1 -o eth2 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 5GHz Wi-Fi
#ebtables -t filter -I FORWARD -i wl1.1 -o vlan14 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest Ethernet Port
#ebtables -t filter -I FORWARD -i wl1.1 -o wl0.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i wl1.1 -o wl1.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 5GHz Wi-Fi

# Allow ARP broadcast from Guest Ethernet Port
#ebtables -t filter -I FORWARD -i vlan14 -o vlan1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary Ethernet Ports
#ebtables -t filter -I FORWARD -i vlan14 -o eth1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i vlan14 -o eth2 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Primary 5GHz Wi-Fi
#ebtables -t filter -I FORWARD -i vlan14 -o vlan14 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest Ethernet Port
#ebtables -t filter -I FORWARD -i vlan14 -o wl0.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 2.4GHz Wi-Fi
#ebtables -t filter -I FORWARD -i vlan14 -o wl1.1 -p ARP -d ff:ff:ff:ff:ff:ff -j ACCEPT # to Guest 5GHz Wi-Fi
 
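An added example, not the poster's own rules: it generalizes the three ACCEPT pairs above into one function that takes any device MAC and service, rejects the xx:xx placeholder before emitting anything, and prints the ebtables commands unless APPLY=1 is set. PRINTER_MAC is a constructed sample value, and the reply rule matches on source port only, exactly as in the post.

```shell
#!/bin/sh
# Added example (not from the thread): per-device ebtables ACCEPT pairs for a
# device on the guest bridge, built from a MAC and a list of services.
# PRINTER_MAC is a constructed sample value, not a real device.
PRINTER_MAC="02:00:00:aa:bb:cc"

# Print the command (default) or run it when APPLY=1, so rules can be reviewed first.
ebt() {
    if [ "${APPLY:-0}" = "1" ]; then ebtables "$@"; else echo "ebtables $*"; fi
}

# Reject the xx:xx placeholder or anything that is not six hex octets.
valid_mac() {
    echo "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Emit the ACCEPT pair (to the device, and back from it) for one service.
# $1 = MAC, $2 = icmp | udp | tcp, $3 = port (ignored for icmp)
allow_service() {
    mac="$1"; proto="$2"; port="$3"
    valid_mac "$mac" || { echo "invalid MAC: $mac" >&2; return 1; }
    case "$proto" in
        icmp)    to="";                 from="" ;;
        tcp|udp) to="--ip-dport $port"; from="--ip-sport $port" ;;
        *)       echo "unsupported proto: $proto" >&2; return 1 ;;
    esac
    # $to / $from are intentionally unquoted so an empty value adds no argument.
    ebt -t filter -I FORWARD -p IPv4 -d "$mac" --ip-proto "$proto" $to -j ACCEPT
    ebt -t filter -I FORWARD -p IPv4 -s "$mac" --ip-proto "$proto" $from -j ACCEPT
}

# The three services the post opens for the printer: ping, SNMP, raw printing.
printer_policy() {
    allow_service "$PRINTER_MAC" icmp &&
    allow_service "$PRINTER_MAC" udp 161 &&
    allow_service "$PRINTER_MAC" tcp 9100
}

printer_policy
```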
Thanks for this detailed info for configuring the firewall (I am sure it will come in handy in future), however, I simply want the guests to be able to have full network connectivity with each other & internet while being separated from my LAN.

Will setting "Access Intranet" to "YES" allow guests to access computers on the main LAN? I want all computers on the guest network to access each other but not allow them access to the computers on the main LAN.

The specific example is: I have an out-of-town guest staying who has an Apple TV and wants to use his iPad to control it (which requires that the devices see each other on the network). I don't want to configure firewall rules for each device. I just want to enable all guest devices full access with each other, without giving them access to my main LAN. Cheers.
 
I want all computers on the guest network to access each other but not allow them access to the computers on the main LAN.
Will this work? I have not tried it.

Set "Access Intranet" = Yes

AND try this:

/jffs/scripts/firewall-start
Code:
# Deny packets from Primary 2.4GHz Wi-Fi
ebtables -t filter -I FORWARD -i eth1 -o wl0.1 -j DROP # to Guest 2.4GHz Wi-Fi
ebtables -t filter -I FORWARD -i eth1 -o wl1.1 -j DROP # to Guest 5GHz Wi-Fi

# Deny packets from Primary 5GHz Wi-Fi
ebtables -t filter -I FORWARD -i eth2 -o wl0.1 -j DROP # to Guest 2.4GHz Wi-Fi
ebtables -t filter -I FORWARD -i eth2 -o wl1.1 -j DROP # to Guest 5GHz Wi-Fi

# Deny packets from Primary Ethernet Ports
ebtables -t filter -I FORWARD -i vlan1 -o wl0.1 -j DROP # to Guest 2.4GHz Wi-Fi
ebtables -t filter -I FORWARD -i vlan1 -o wl1.1 -j DROP # to Guest 5GHz Wi-Fi

# Deny packets from Guest 2.4GHz Wi-Fi
ebtables -t filter -I FORWARD -i wl0.1 -o eth2 -j DROP # to Primary 5GHz Wi-Fi
ebtables -t filter -I FORWARD -i wl0.1 -o vlan1 -j DROP # to Primary Ethernet Ports

# Deny packets from Guest 5GHz Wi-Fi
ebtables -t filter -I FORWARD -i wl1.1 -o eth1 -j DROP # to Primary 2.4GHz Wi-Fi
ebtables -t filter -I FORWARD -i wl1.1 -o vlan1 -j DROP # to Primary Ethernet Ports


# Allow devices on Guest 5GHz Wi-Fi to see devices on Guest 2.4GHz Wi-Fi and vice-versa
# (If the clients cannot see each other, try this.)
ebtables -t filter -I FORWARD -i wl1.1 -o wl0.1 -j ACCEPT
ebtables -t filter -I FORWARD -i wl0.1 -o wl1.1 -j ACCEPT
 
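An added example, not the poster's script: it builds the same kind of firewall-start rule set from two interface lists, emitting DROPs for every primary/guest pair in both directions, skipping rules that are already in the chain so a repeated run does not stack duplicates, and only printing the commands unless APPLY=1. The interface names are the ones used in the thread and are assumed to match your router.

```shell
#!/bin/sh
# Added example, not the thread's script: generate the primary<->guest DROP
# matrix and the guest<->guest ACCEPT rules for /jffs/scripts/firewall-start.
# Interface names are the ones used in the thread (assumed for your router).
PRIMARY_IFS="eth1 eth2 vlan1"   # primary 2.4GHz Wi-Fi, 5GHz Wi-Fi, Ethernet ports
GUEST_IFS="wl0.1 wl1.1"         # guest 2.4GHz Wi-Fi, guest 5GHz Wi-Fi
# Print the command (default) or run it when APPLY=1, so the rule set can be
# reviewed before it touches the bridge.
ebt() {
    if [ "${APPLY:-0}" = "1" ]; then ebtables "$@"; else echo "ebtables $*"; fi
}

# Insert one FORWARD rule unless it is already present. firewall-start can run
# more than once per boot, and a plain -I would stack duplicates on every run.
# Assumes `ebtables -L` prints rules in "-i IN -o OUT -j TARGET" form.
add_once() {
    if [ "${APPLY:-0}" = "1" ] && \
       ebtables -t filter -L FORWARD 2>/dev/null | grep -q -- "-i $1 -o $2 -j $3"; then
        return 0
    fi
    ebt -t filter -I FORWARD -i "$1" -o "$2" -j "$3"
}

# Block every primary/guest pair in both directions (3 x 2 x 2 = 12 rules).
deny_primary_guest() {
    for p in $PRIMARY_IFS; do
        for g in $GUEST_IFS; do
            add_once "$p" "$g" DROP
            add_once "$g" "$p" DROP
        done
    done
}

# Let the guest SSIDs reach each other. Inserted after the DROPs, so with -I
# these ACCEPTs end up above them in the chain.
allow_guest_to_guest() {
    for a in $GUEST_IFS; do
        for b in $GUEST_IFS; do
            [ "$a" = "$b" ] || add_once "$a" "$b" ACCEPT
        done
    done
}

# Number of rules the policy emits in preview mode; handy as a sanity check.
rule_count() {
    (APPLY=0; deny_primary_guest; allow_guest_to_guest) | wc -l | tr -d ' '
}

deny_primary_guest; allow_guest_to_guest
```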
pixeler02, try this..
  • set "Access Intranet" = No
  • add the below line to /jffs/scripts/firewall-start
    • iptables -I FORWARD -i wl0.1 -o wl0.1 -j ACCEPT
Assume wl0.1 is the interface of your guest network. This allows clients on the same guest SSID to access each other (while clients from different guest SSIDs are still isolated).
 
Is there a way for computers on the guest network to see each other? I was hoping to allow communication between guests (and access internet), but not allow them access to other computers on my main LAN.

Seems like computers on the guest network can't see each other.

Thanks for any advice!

FWIW - Guest Networks are generally intended for users that you do not "trust" on your Private LAN/WLAN - so having AP Isolation on the Guest Network is not a bad thing...

It's about practicing "safe hex" in that if you don't trust their PCs enough to put them on your Network, you probably want to give the same consideration to your guests - viruses/worms/ransomware and all...
 