Allowing main network to access guest networks

purpleman
Hi everyone,

Running on the 3006 firmware version, I have 3 guest networks that are isolated from everything. I'd like to have the main network (192.168.0.0/24 on br0) be able to reach one-way to those 3 guest subnets.
I currently achieve this with a firewall-start script that runs the following commands:

iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.3.0/24 -j ACCEPT

I was just wondering if there's any way to achieve the same thing through the GUI, any setting that would do that?

Thanks!
 
@purpleman, the Guest Network Pro feature of the 3006 firmware has its issues and limitations, as many have discovered and discussed in other threads. There does not currently appear to be a way to implement YazFi's One Way to Guest (or Two Way to Guest) through the GUI. Instead it's an all-or-nothing affair, by either enabling or disabling the Guest Network Pro option Use same subnet as main LAN. With that option enabled, the GNP clients should have full access to the main LAN and main LAN clients should be able to access GNP clients. Disabled, and the GNP clients and main LAN clients are isolated from each other. That GNP option may or may not be available depending on which of the Guest Network Pro presets one selects.

Scripting the IPTables is currently apparently the only way to emulate some of the features the YazFi addon brought to the non-3006 firmware's guest wifi.

There is a similar running discussion taking place near the end of the following thread:
And a few posts discussing related things in this thread:
 
Hi everyone,

Running on the 3006 firmware version, I have 3 guest networks that are isolated from everything. I'd like to have the main network (192.168.0.0/24 on br0) be able to reach one-way to those 3 guest subnets.
I currently achieve this with a firewall-start script that runs the following commands:

iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.3.0/24 -j ACCEPT

I was just wondering if there's any way to achieve the same thing through the GUI, any setting that would do that?

Thanks!


Hi, I’d like to try this myself. Can you point me to some instructions to set this up? How do I save this to a router and have it executed every reboot automatically?
 
Hi, I’d like to try this myself. Can you point me to some instructions to set this up? How do I save this to a router and have it executed every reboot automatically?

Assuming you are using Merlin's firmware, you can use the firewall-start script to add your rules. I suggest you delete the rules, then insert them. That way, if the script fires a number of times, you won't stack up these rules in the firewall.

Check here for instructions
 
Hi, I’d like to try this myself. Can you point me to some instructions to set this up? How do I save this to a router and have it executed every reboot automatically?
See the following link to get started with scripting access between guest network pro and main lan.
 
Has anyone yet found a way to implement YazFi's One Way to Guest (allowing devices on the main network to access all devices on the guest network) on the 3006 firmware?
 
Has anyone yet found a way to implement YazFi's One Way to Guest (allowing devices on the main network to access all devices on the guest network) on the 3006 firmware?
As explained in the link in my post preceding yours, which includes example scripting, one has to use IPTables scripting in a /jffs/scripts/firewall-start file to emulate the YazFi one-way to guest (or main LAN client). YazFi is NOT supported on the 3006 firmware.
 
As explained in the link in my post preceding yours, which includes example scripting, one has to use IPTables scripting in a /jffs/scripts/firewall-start file to emulate the YazFi one-way to guest (or main LAN client). YazFi is NOT supported on the 3006 firmware.
Sorry, I wasn't clear enough. I mean:
implement something similar to "YazFi's One Way to Guest (allowing devices on the main network to access all devices on the guest network)" through the GUI of the 3006 firmware.
 
Sorry, I wasn't clear enough. I mean:
implement something similar to "YazFi's One Way to Guest (allowing devices on the main network to access all devices on the guest network)" through the GUI of the 3006 firmware.
Not possible through the GUI at the moment if you set the Guest Network Pro's Use same subnet as main network to disable/off. The Access Intranet option in Guest Network Pro is hit or miss for some. Use the iptables scripting in the link I provided to accomplish the one-way from main LAN to Guest Network Pro profile clients. You may have to do some experimenting with exact IP addresses depending on your setup. Example code for the firewall-start file for one-way from main LAN (192.168.50.x) to the first Guest Network Pro profile (IP address 192.168.52.x):
Code:
#!/bin/sh
iptables -I FORWARD -i br0 -s 192.168.50.0/24 -d 192.168.52.0/24 -j ACCEPT
 
Hi everyone,

Running on the 3006 firmware version, I have 3 guest networks that are isolated from everything. I'd like to have the main network (192.168.0.0/24 on br0) be able to reach one-way to those 3 guest subnets.
I currently achieve this with a firewall-start script that runs the following commands:

iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -i br0 -s 192.168.0.0/24 -d 192.168.3.0/24 -j ACCEPT

I was just wondering if there's any way to achieve the same thing through the GUI, any setting that would do that?

Thanks!
Would those rules, if used to send an RTSP request to the guest network, also allow the guest to respond by streaming RTSP data?
 
Would those rules, if used to send an RTSP request to the guest network, also allow the guest to respond by streaming RTSP data?
It should, yes, since you're initiating the RTSP request from the main network into the guest network and you've got a firewall rule that allows that traffic.
 
Right now I have it set up for two-way in the GUI. Do I have to disable that and use those rules to make it one-way?
 
I did this in /jffs/scripts/firewall-start

You have to edit line 7 for your specific environment and for each network you want this for.


Code:
#!/bin/sh
# Custom iptables rules for unidirectional LAN isolation
# br0 -> other bridges allowed
# other bridges -> br0 blocked

# List of bridges to block traffic from (to br0); /bin/sh has no arrays, so use a space-separated list
BRIDGES="br52 br53"  # add more bridge interfaces as needed

for BR in $BRIDGES; do
    # Block traffic from this bridge to br0
    # (this also drops replies to sessions br0 opened unless an ESTABLISHED,RELATED rule is added)
    iptables -I FORWARD -i "$BR" -o br0 -j DROP

    # Allow traffic from br0 to this bridge
    iptables -I FORWARD -i br0 -o "$BR" -j ACCEPT
done
 
Anyone know how to allow return traffic in IPtables? My issue is that my 3D printers are on their own network with one-way traffic, but they must send back some information. This used to work on the YazFi one-way setup.
 
Modified my script. I had to use Avahi to bridge mDNS between subnets. I also allowed return packets from established sessions in each subnet. Hope this helps someone.


Code:
#!/bin/sh
sleep 5

# -----------------------------------------------
# IOT Guest Network Interfaces
# Add new bridge names here as you expand
# -----------------------------------------------
IOT_INTERFACES="br52 br53"

for IFACE in $IOT_INTERFACES; do
    # Allow main LAN to initiate connections to IOT devices
    iptables -I FORWARD -i br0 -o $IFACE -j ACCEPT
    # Allow return traffic for established sessions only
    iptables -I FORWARD -i $IFACE -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# -----------------------------------------------
# Avahi mDNS reflector config for IOT guest networks
# Add new bridge names to allow-interfaces as you expand
# -----------------------------------------------
mkdir -p /etc/avahi

cat > /etc/avahi/avahi-daemon.conf << 'AVAHI'
[server]
use-ipv4=yes
use-ipv6=no
allow-interfaces=br0,br52,br53
enable-dbus=no
ratelimit-interval-usec=1000000
ratelimit-burst=1000

[wide-area]
enable-wide-area=yes

[publish]
disable-publishing=no

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
AVAHI

killall avahi-daemon 2>/dev/null
sleep 2
avahi-daemon -D
 
Modified my script. I had to use Avahi to bridge mDNS between subnets. I also allowed return packets from established sessions in each subnet. Hope this helps someone.


Code:
#!/bin/sh
sleep 5

# -----------------------------------------------
# IOT Guest Network Interfaces
# Add new bridge names here as you expand
# -----------------------------------------------
IOT_INTERFACES="br52 br53"

for IFACE in $IOT_INTERFACES; do
    # Allow main LAN to initiate connections to IOT devices
    iptables -I FORWARD -i br0 -o $IFACE -j ACCEPT
    # Allow return traffic for established sessions only
    iptables -I FORWARD -i $IFACE -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
done

# -----------------------------------------------
# Avahi mDNS reflector config for IOT guest networks
# Add new bridge names to allow-interfaces as you expand
# -----------------------------------------------
mkdir -p /etc/avahi

cat > /etc/avahi/avahi-daemon.conf << 'AVAHI'
[server]
use-ipv4=yes
use-ipv6=no
allow-interfaces=br0,br52,br53
enable-dbus=no
ratelimit-interval-usec=1000000
ratelimit-burst=1000

[wide-area]
enable-wide-area=yes

[publish]
disable-publishing=no

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
AVAHI

killall avahi-daemon 2>/dev/null
sleep 2
avahi-daemon -D
Thank you for this script. It works well. The only issue I'm running into is that hardwired primary network clients on an AiMesh node can't communicate with the guest network clients. However, primary network wireless clients on the AiMesh node can reach the guest network clients without issue. Any ideas or suggestions on how best I can resolve this issue?
 
Thank you for this script. It works well. The only issue I'm running into is that hardwired primary network clients on an AiMesh node can't communicate with the guest network clients. However, primary network wireless clients on the AiMesh node can reach the guest network clients without issue. Any ideas or suggestions on how best I can resolve this issue?
Is your AiMesh node a "Pro" model? My understanding is that it will only work with a Pro model as a mesh node, as the non-Pro models don't support VLANs.
 
Is your AiMesh node a "Pro" model? My understanding is that it will only work with a Pro model as a mesh node, as the non-Pro models don't support VLANs.
This has been dug into in-depth in other threads, but here's the gist:

Guest Network Pro/Smart Home Master are for creating wireless VLANs (meaning you can only add wireless clients to a VLAN). Pro-series routers generally also support wired VLANs (meaning you can also add wired clients to a VLAN). Depending on your setup you may have AiMesh nodes that support wireless VLANs but not wired VLANs (my setup is like this), but the lack of wired VLAN support on an AiMesh node has nothing to do with wired clients being able to talk to wireless VLAN clients via a firewall rule: if there is a firewall rule that allows traffic from the main network into a VLAN it shouldn't matter if a given main network client is connected to the main router or a node.

iptables -I FORWARD -i br0 -s 192.168.1.0/24 -d 192.168.53.0/24 -j ACCEPT

Above is the rule I use in the firewall-start script to allow anything on the main network to initiate a connection to anything on the IoT VLAN I created in Guest Network Pro. Try something simple like that and see if it solves the problem.
 
Anyone know how to allow return traffic in IPtables? My issue is that my 3D printers are on their own network with one-way traffic, but they must send back some information. This used to work on the YazFi one-way setup.
The following allows access to/from my printer (222.10) on the primary network (.222) for devices on the guest network (.54):
Code:
iptables -I FORWARD -i br0  -s 192.168.222.0/24 -d 192.168.54.0/24   -j ACCEPT # Access to guest from primary network
iptables -I FORWARD -i br52 -s 192.168.54.0/24  -d 192.168.222.10/32 -j ACCEPT # Reverse for guest devices to printer
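An added example, not code posted by anyone in this thread, that ties together the advice given above: delete-before-insert so repeated firewall-start runs don't stack duplicate rules, an ESTABLISHED,RELATED rule so replies to sessions the main LAN opened get back, and a printer-style exception for a guest device that must initiate to one specific main-LAN host. The bridge names, subnets and printer address are constructed placeholders to edit for your own setup.

```shell
#!/bin/sh
# Added example for /jffs/scripts/firewall-start on Asuswrt-Merlin 3006 with
# Guest Network Pro (not code from this thread). One-way main LAN -> guest,
# stateful replies only, delete-before-insert so re-runs never stack rules.
# Bridge names, subnets and the printer address are constructed placeholders.

MAIN_IF="br0"
MAIN_NET="192.168.50.0/24"
# One "bridge:subnet" pair per Guest Network Pro profile.
GUESTS="br52:192.168.52.0/24 br53:192.168.53.0/24"
# Optional "bridge:src_net:dst_host" triples for guest devices that must
# initiate to one specific main-LAN host (the 3D printer case). May be empty.
EXCEPTIONS="br52:192.168.52.0/24:192.168.50.10/32"

# Print the two rule specs for one guest (chain first, no -I/-D verb):
# stateful return traffic, then new connections from the main LAN.
guest_rules() {
    g_if="${1%%:*}" g_net="${1#*:}"
    printf 'FORWARD -i %s -o %s -s %s -d %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$g_if" "$MAIN_IF" "$g_net" "$MAIN_NET"
    printf 'FORWARD -i %s -o %s -s %s -d %s -j ACCEPT\n' \
        "$MAIN_IF" "$g_if" "$MAIN_NET" "$g_net"
}

# Print the single rule spec letting one guest subnet initiate to one host.
exception_rule() {
    e_if="${1%%:*}" rest="${1#*:}"
    printf 'FORWARD -i %s -o %s -s %s -d %s -j ACCEPT\n' \
        "$e_if" "$MAIN_IF" "${rest%%:*}" "${rest#*:}"
}

# Remove every existing copy of a rule (-C tests presence), then insert it once
# at the top of the chain. $1 is split on spaces on purpose.
ensure_rule() {
    # shellcheck disable=SC2086
    while iptables -C $1 2>/dev/null; do iptables -D $1; done
    iptables -I $1
}

apply_rules() {
    for g in $GUESTS; do
        guest_rules "$g" | while IFS= read -r r; do ensure_rule "$r"; done
    done
    for e in $EXCEPTIONS; do ensure_rule "$(exception_rule "$e")"; done
}

# Only touch the firewall when the firmware runs this file as firewall-start;
# running it under another name just defines the functions (dry inspection).
case "$0" in *firewall-start) apply_rules ;; esac
```

Because guest bridges are isolated by the firmware's own rules, every rule here is inserted at the top of FORWARD so it is evaluated before those defaults.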
 