
Forwarding some traffic from guest network into LAN


ooohhh

New Around Here
Hi,

I have an AiMesh setup of Asus devices (RT-AX86U, RT-AX56U, RP-AX56) and have a guest network. The guest network is implemented using the built in VLAN 502 with the subnet 192.168.102.0/24 and my main lan is on 192.168.1.0/24.

I want to allow access from my guest network to a specific IP in my LAN (printer) and I thought of adding some iptables forwarding rules to allow it. The plan was to allow traffic from br2 (the bridge for VLAN 502) to that specific IP by adding a FORWARD rule; however, even the simplest rule I tried for a test, iptables -I FORWARD -d 192.168.1.52 -j ACCEPT, didn't work: the traffic gets dropped somewhere before it and I can't find where.
Note that I did verify using tcpdump that the traffic reaches the br2 bridge.

Any pointers on how to do it or to find where the traffic gets dropped would be much appreciated.
Thanks!
 

I think you want to use chain INPUT and not FORWARD. Also specify br2 unless you want it permitted over all interfaces.

This is the rule in INPUT that you want to put yours before if I'm reading it right.
pkts bytes target prot opt in out source destination
35 5658 DROP all -- br2 any anywhere anywhere
 
Thanks, but why INPUT? The traffic needs to be forwarded through to the main LAN; it doesn't terminate on the main router. If it wasn't clear, I want to give access to a printer with IP 192.168.1.52, while the router IP on that LAN is 192.168.1.1. However, I added it to see if it works, but unfortunately it doesn't (and I see no hits on that rule): iptables -I INPUT -i br2 -d 192.168.1.52 -j ACCEPT
 
OK, I found the issue: there are ebtables rules (BROUTING) that also need to be changed. In my case: ebtables -t broute -I BROUTING -p IPv4 -i wl1.1 --ip-dst 192.168.1.52 --ip-proto icmp -j ACCEPT

Note that this was in addition to the forwarding rule iptables -I FORWARD -i br2 -d 192.168.1.51 -j ACCEPT. The next step will be to limit it to a specific port.
 

You're probably on newer code than me with the AX. On my AC1900 the guest rules to the LAN are under INPUT and to the WAN are under FORWARD. Ebtables is not used at all. I'm not using aimesh so could be a difference there too.

Trimmed to just the related rules:

iptables -L INPUT --verbose
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
58 3959 ACCEPT udp -- br2 any anywhere anywhere udp dpt:domain - allow DNS to main LAN
11 3626 ACCEPT udp -- br2 any anywhere anywhere udp dpt:bootps - allow DHCP to main LAN
0 0 ACCEPT udp -- br2 any anywhere anywhere udp dpt:bootpc - allow DHCP to main LAN
35 5658 DROP all -- br2 any anywhere anywhere - deny all other traffic to main LAN

iptables -L FORWARD --verbose
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
66 19751 ACCEPT all -- br2 eth0 anywhere anywhere - allow guest to access internet

In addition to the above, a default br0-to-any rule with state "NEW" under the INPUT chain allows traffic initiated from br0 to reach br1 and br2 (the main LAN can initiate to guest, but guest can't initiate to the main LAN).
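To make the INPUT-versus-FORWARD question in this thread concrete, here is an added Python example (not code from the thread, from Asus firmware, or from iptables itself) that parses the trimmed `iptables -L --verbose` listing posted above and traces a hypothetical guest packet through it using iptables' first-match semantics, then models what inserting a port-limited FORWARD rule for the printer changes. Assumptions beyond the thread: the router answers locally on 192.168.1.1 (given in the thread) and on 192.168.102.1 (assumed guest gateway), the main LAN sits behind br0 and the WAN is eth0, the printer port 9100 and the guest source address are constructed, and the service names iptables prints without `-n` are resolved through a small built-in table.

```python
"""Trace where a guest-network packet lands in iptables INPUT/FORWARD (added example)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the trimmed listing posted in the thread; text after " - " is the poster's annotation.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
58 3959 ACCEPT udp -- br2 any anywhere anywhere udp dpt:domain - allow DNS to main LAN
11 3626 ACCEPT udp -- br2 any anywhere anywhere udp dpt:bootps - allow DHCP to main LAN
0 0 ACCEPT udp -- br2 any anywhere anywhere udp dpt:bootpc - allow DHCP to main LAN
35 5658 DROP all -- br2 any anywhere anywhere - deny all other traffic to main LAN

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
66 19751 ACCEPT all -- br2 eth0 anywhere anywhere - allow guest to access internet
"""

SERVICE_PORTS = {"domain": 53, "bootps": 67, "bootpc": 68}  # names iptables prints without -n
# Assumed router view: 192.168.1.1 is the router's LAN IP per the thread; the guest gateway,
# bridge-to-subnet mapping and WAN interface name are constructed for this example.
ROUTER_ADDRS = {"192.168.1.1", "192.168.102.1"}
ROUTES = [("192.168.1.0/24", "br0"), ("192.168.102.0/24", "br2")]
DEFAULT_IF = "eth0"

@dataclass
class Rule:
    target: str
    proto: str = "all"
    in_if: str = "any"
    out_if: str = "any"
    src: str = "anywhere"
    dst: str = "anywhere"
    dport: Optional[int] = None

@dataclass
class Chain:
    name: str
    policy: str
    rules: list = field(default_factory=list)

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    proto: str
    dport: Optional[int] = None

def parse_listing(text):
    """Parse `iptables -L --verbose` output into {chain_name: Chain}."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.split(" - ", 1)[0].strip()  # drop the trailing human annotation
        if not line or line.startswith("pkts"):
            continue
        if line.startswith("Chain "):
            parts = line.split()  # Chain NAME (policy POLICY ...)
            current = chains[parts[1]] = Chain(parts[1], parts[3])
            continue
        # Columns: pkts bytes target prot opt in out source destination [match options]
        f = line.split()
        rule = Rule(target=f[2], proto=f[3], in_if=f[5], out_if=f[6], src=f[7], dst=f[8])
        for tok in f[9:]:
            if tok.startswith("dpt:"):
                port = tok.split(":", 1)[1]
                rule.dport = int(port) if port.isdigit() else SERVICE_PORTS[port]
        current.rules.append(rule)
    return chains

def egress_interface(dst):
    """Routing decision: the interface a forwarded packet would leave on."""
    addr = ipaddress.ip_address(dst)
    matches = (ifname for net, ifname in ROUTES if addr in ipaddress.ip_network(net))
    return next(matches, DEFAULT_IF)

def _addr_matches(spec, addr):
    return spec == "anywhere" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt, out_if):
    return (rule.in_if in ("any", pkt.in_if) and rule.out_if in ("any", out_if)
            and rule.proto in ("all", pkt.proto) and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst) and (rule.dport is None or rule.dport == pkt.dport))

def trace(chains, pkt):
    """Return (chain, 1-based rule number or None, verdict); router-addressed packets take INPUT, routed ones FORWARD."""
    if pkt.dst in ROUTER_ADDRS:
        chain, out_if = chains["INPUT"], None
    else:
        chain, out_if = chains["FORWARD"], egress_interface(pkt.dst)
    for number, rule in enumerate(chain.rules, 1):
        if rule_matches(rule, pkt, out_if):
            return chain.name, number, rule.target
    return chain.name, None, chain.policy

def allow_printer(chains, printer_ip, port, guest_if="br2"):
    """Model `iptables -I FORWARD -i <guest_if> -d <printer_ip> -p tcp --dport <port> -j ACCEPT`."""
    chains["FORWARD"].rules.insert(0, Rule("ACCEPT", "tcp", guest_if, dst=printer_ip, dport=port))
```

Run against the sample, a guest packet to the router's own 192.168.1.1 lands in INPUT (DNS is accepted by rule 1, anything else hits the br2 DROP at rule 4), while a guest packet to the printer at 192.168.1.52 never touches INPUT: it is routed toward br0, matches nothing in FORWARD, and falls to the chain policy DROP, which is exactly the "dropped somewhere I can't find" symptom with no rule counters moving. After `allow_printer`, only TCP 9100 to that one address is accepted; other ports and other LAN hosts still fall to the policy. The listing can be swapped for real `iptables -L --verbose` output, but the model deliberately covers only interface, address, protocol and port matches; it does not model conntrack state matches or the ebtables broute decision the original poster hit, so a packet that this trace says is accepted can still be bridged away before iptables ever sees it.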
 
