Control LAN Access via iptables


So in the example above there would have been a port forwarding rule on the WAN interface that pointed to 192.168.2.74:6880. A LAN device sending traffic to the WAN IP address for that port would un-bridge the traffic. The router will then DNAT the IP address to 192.168.2.74 and send it back to the bridge interface.

That makes sense, thanks for solving the mystery.
 
I want to selectively allow some IOT devices to access some hosts on my LAN, then reject all others.

YazFi looks promising, but it lists LAN access as an upcoming feature, so not available yet. Also it looks like when that feature is added, it will work just like the "allow intranet" switch in current guest wifi settings, which is not what I want. I want to selectively allow access from specific hosts to specific hosts.
It will allow various choices, I just haven't settled on the preferred implementation to make it easy for users to set up. Once I have, I'll get going with the development :)

Still settling in to a new job which has stifled development energy somewhat!
 
Oh, great! Looking forward to it. I'm trying desperately to avoid buying a separate PFsense box from Aliexpress.
 
Hey Jack,
did you perhaps manage to finish this implementation?
 
Specific hosts, no, not yet. I did implement "one way" access however.
Hi,

Could you please share the "one way" method? I have an AC88U and editing VLANs is not working because there's no way to configure VLANs on the Realtek switch.
I want to restrict LAN 1 to router IP (80 port, ssh, telnet...) all TCP if possible.

Thank you,
amplatfus
 
What I have to add is probably a bit controversial, but I'll say it anyway.

The problem as I see it is that the OP wants to manage guest/IOTs networks in a way that is antithetical to the Merlin design.

In the world of guest/IOT management, you have two typical strategies. You either keep guests/IOT on the *same* network interface (and by definition, the same IP network) and manage access between them and the private network at the ethernet level (ebtables, tagging, etc.), OR, you keep them on separate network interfaces using *different* ethernet and IP networks, then firewall the guest/IOT networks from the private network at the IP level.

Each strategy has its advantages and disadvantages.

When everyone is using the same network interface, you're depending on the router to manage policies to maintain separation, as I said, either w/ ebtables and/or tagging, and even AP isolation. In some ways, it's simpler to understand. But some people then want to manage individual access between devices. And they may not like the idea of guest/IOT devices being able to "see" devices on the private network (even if they are denied access). On the plus side, network discovery works normally.

When guest/IOT and the private networks are using different network interfaces (which is how tomato and dd-wrt work), you have the option to work w/ the IP firewall and iptables to manage that separation. However, network discovery is lost between those network interfaces unless you install and configure Avahi (usually via Entware) to regain it.

So to my mind, you're dealing w/ two different philosophies here. And something like YazFi (if I understand it correctly when it comes to this issue) is just returning Merlin to its roots (tomato). And if that's the case, then why bother w/ Merlin + YazFi at all? Why not just go back to tomato (e.g., FreshTomato)?

I don't want to be misunderstood here. I'm not claiming one strategy is necessarily better than the other. What I'm saying is that Merlin has made a decision as to how he wants his firmware to work based on his own considerations/preferences. To then have something like YazFi undo that and return the router to the more traditional means of managing guest/IOT networks just doesn't make sense. Again, why not just return to where it all began: tomato! If there's such a clamor for this return (even to the point that YazFi would be integrated into Merlin), it calls into question the original decision to NOT have the guest/IOT networks on separate network interfaces.

JMTC

P.S. I'm far from being an expert on Merlin. My expertise is much more w/ tomato and dd-wrt. So it's entirely possible I'm missing some key points here. This is just my observation of Merlin and its differences w/ tomato and dd-wrt from a distance.
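As an added example (not from this thread, and not YazFi's or Merlin's own code), the script below shows what the OP asked for earlier in the thread, "allow specific hosts to reach specific hosts, reject everything else", using the second strategy described in the post above: the IoT devices are assumed to sit on their own interface and subnet (as a YazFi-style guest network would place them), so IoT-to-LAN packets traverse the router's FORWARD chain where iptables can see them. The interface names, subnets, hosts and ports are placeholders. It builds a user chain that accepts only the listed source/destination/port triples plus replies to connections the private LAN opened, then rejects all other IoT-to-LAN traffic; LAN-to-IoT traffic is left as it is, which is the "one way" access mentioned above with selective holes added. If the IoT devices were instead on the same bridge (br0) as the private LAN, the FORWARD chain would not see that traffic unless bridge-nf-call-iptables is enabled, and the same allow list would have to be expressed with ebtables instead.

```shell
#!/bin/sh
# Added example for the thread above; not code from YazFi, Merlin or any poster.
# Generates iptables rules that let only listed IoT hosts reach listed LAN
# hosts/ports and reject all other IoT -> LAN traffic.
# Assumption: IoT devices are on a separate routed interface/subnet, so the
# router's FORWARD chain sees IoT -> LAN packets. All names/addresses below
# are placeholders; edit them for your network.

IOT_IF="${IOT_IF:-wl0.1}"            # assumed IoT/guest interface
LAN_IF="${LAN_IF:-br0}"              # assumed private LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed private LAN subnet
CHAIN="IOT_TO_LAN"                   # user chain hooked into FORWARD

# Allow list (constructed sample values), one entry per line:
#   iot_host  lan_host  proto  port
ALLOW_LIST='
192.168.2.74 192.168.1.10 tcp 8123
192.168.2.74 192.168.1.10 tcp 1883
192.168.2.80 192.168.1.20 udp 5353
'

# Print the iptables commands, in order, without running them.
gen_rules() {
    echo "iptables -N $CHAIN"
    # Replies to connections that the private LAN side opened towards IoT.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One explicit ACCEPT per allowed (src, dst, proto, port) triple.
    echo "$ALLOW_LIST" | while read -r src dst proto port; do
        [ -n "$src" ] || continue
        echo "iptables -A $CHAIN -s $src -d $dst -p $proto --dport $port -j ACCEPT"
    done
    # Everything else from IoT towards the private LAN is rejected, not dropped,
    # so misconfigured devices fail fast instead of timing out.
    echo "iptables -A $CHAIN -d $LAN_NET -j REJECT"
    # Only IoT -> LAN traffic is sent through the chain; LAN -> IoT is untouched.
    echo "iptables -I FORWARD 1 -i $IOT_IF -o $LAN_IF -j $CHAIN"
}

# Count the ACCEPT rules that would be installed (replies + allow list).
count_accepts() {
    gen_rules | grep -c -- '-j ACCEPT'
}

case "${1:-print}" in
    apply) gen_rules | sh ;;   # on the router, e.g. called from firewall-start
    *)     gen_rules ;;        # default: dry run, just print the commands
esac
```

Run it with no arguments to review the rules it would install; pass `apply` only on the router itself. Because the chain is inserted at the top of FORWARD and restricted by `-i`/`-o`, it never affects WAN traffic or the LAN-to-IoT direction, and re-running the script after editing the allow list only needs the chain flushed first.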
 
