Could someone please give me some pointers for the following use case?
RT-N66 @ latest Merlin
I have a LAN with a bunch of devices, wired & wifi. I also have guests, currently wifi only. Using standard Merlin or even stock firmware it is easy to limit access for guests to the Internet: just create a guest network and you're done. This results in some SSID and a wx.y interface, which is removed from br0 by ebtables DROP rules, but is still routed to eth0, which is connected to the WAN (if I understand this all correctly).
However, I also have some devices, wired & wifi, which my guests may use: printer, scanner and a media server.
The problem is: How to enable my guests and myself to use these "shared" devices, and at the same time prevent guest access to my private LAN?
The best I could come up with is something like: define 3 VLANs and 3 IP address ranges, say P(rivate), S(hared) and G(uests), and then enable routing P<->S and S<->G, but not P<->G.
Seems like a lot of work: 3 VLANs, 3 bridges, 3 x DHCP servers and some routing rules. Will this work?
Can this be realized in a simpler way? For example, just use the standard wlx.y devices, which are dropped from the LAN/br0 by stock firmware, and just add routing for wlx.y to the few specific, fixed-IP devices?