Menu
What's new
By:
Filters Better Search

Enabling Virtual Server/Port Forwarding for guest LANs. (Or re-implementing guest lan intranet blocking with ebtables)

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

R

robca

Regular Contributor
I have a RT-AC68U, with Merlin 386.7.2.

I need to put a couple of crappy cameras on the network while traveling, and I need to open two port forwarding for each one, for web access and RTSP. I don't trust those cameras, so I want to put them on a guest network and block intranet access. If they get hacked, won't compromise the rest of the network. Problem is, when I block intranet access for the guest network from the WEB UI, port forwarding stops working.

I tried to look at iptables to understand if blocking local access changes something, but there is nothing obvious

I see that the Guest network 3 I'm using is wl0.3, and I'm thinking of deleting the bridge between br0 and wl10.3, set up a new bridge and then in firewall-start use iptables to route traffic as appropriate... but I'm sure it will be a long trial and error, so I'm hoping for suggestions
 
Please disregard for now, it looks as if I might have found a solution using ebtables... more tomorrow. Will post here, as this is a question that was asked a few times in the past but never answered
 
I think I got it.

When guest network intranet access is disabled, entries are added to ebtables like this

Code: 
admin@RT-AC68U-7BA8:/tmp/home/root# ebtables -t broute -L BROUTING
Bridge table: broute

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Since my cameras IP addresses are 192.168.1.152 and 153, I leave intranet access enabled in the UI, then run

Code: 
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-proto tcp -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 80 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 443 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 22 -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT

That allows communication with the two cameras, while blocking the cameras from accessing the router administration ports. If an hacker tried to change the IP address of the cameras, nothing would work. I might use the MAC address for the cameras anyway, since it's harder to spoof from the camera UI at least. I also might want to limit traffic to the cameras only to the Web UI and RTSP

Of course to persist the setting this needs to be added to a script, probably firewall-start or services-start, not sure what's best
 
Updated version of the script, now in firewall-start (in jffs). I'm also using -A to add rules instead of -I (which required inserting rules in reverse order)

Code: 
# Delete built in rules to start with a known situation
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -D BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

# Prevent access to management ports on the router from devices on guest network
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 22 -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 443 -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto TCP --ip-dport 80 -j DROP

# Add rules for IP cameras, only ports 80 and 554
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-sport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-dport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.152 --ip-sport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.152 --ip-dport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-sport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-dport 80 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-src 192.168.1.153 --ip-sport 554 --ip-proto tcp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.153 --ip-dport 554 --ip-proto tcp -j ACCEPT

# Drop everything else
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
 
Last edited:
You must log in or register to reply here.

Similar threads

D
Guest network with intranet access v. using the main network
Replies
4
Views
460
ColinTaylor
C
R
Solved Help finding workarounds for a WiFi bridge repeater that doesn't support VLANs
Replies
3
Views
464
robca
R
G
RT-AC86U VLAN-like modifications to guest network
Replies
19
Views
2K
pjd50
P
T
RT-AX88U Vlan bridge/port questions
2
Replies
25
Views
1K
torchddv
T
T
Shelly device works properly on Guest network but NOT on regular
Replies
7
Views
1K
jksmurf
J
Similar threads
Thread starter Title Forum Replies Date
T Enabling SQM only on Asymmetrical Connection (1150/40) via AX86U Pro (3004.388.4) Asuswrt-Merlin 5
Mr Solis Enabling NAT Acceleration (CTF) breaks Port Forwarding? (RT-AC68U w/ 386.12_4) Asuswrt-Merlin 17
complexxL9 RT-AX88U Pro - 3004.388.4 - DHCP stops working after enabling JFFS Asuswrt-Merlin 2
J Enabling WireGuard Client Asuswrt-Merlin 2
S HELP! Asus Ax11000 (Merlin 388.2)- Slow 5ghz Speeds when Enabling Guest 2.4ghz Wifi Asuswrt-Merlin 3
F Solved How to create virtual interface on AsusWRT? Asuswrt-Merlin 1
JA93 Easiest setup for remote log server Asuswrt-Merlin 0
Don Draper DDNS Status: Server Error/Inactive Asuswrt-Merlin 11
url004 NXDOMAIN on server but the router can resolve queries Asuswrt-Merlin 1
V DNS server vs DNS-over TLS server list Asuswrt-Merlin 3

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 779 (members: 22, guests: 757)
Top