Guest access to internet AND shared devices like printer and media server


Jochem

Occasional Visitor
Could someone please give me some pointers for the following use case?

RT-N66 @ latest Merlin

I have a LAN with a bunch of devices, wired & wifi. I also have guests, currently Wifi only. Using standard Merlin or even stock firmware it is easy to limit access for guests to the Internet: just create a guest network and you're done. This results in some SSID and a wlx.y interface, which is removed from br0 by ebtables DROP rules, but is still routed to eth0, which is connected to the WAN (if I understand this all correctly).

However, I also have some devices, wired & wifi, which my guests may use: printer, scanner and a media server.

The problem is: How to enable my guests and myself to use these "shared" devices, and at the same time prevent guest access to my private LAN?

The best I could come up with is something like: define 3 VLANs and 3 IP address ranges, say P(rivate), S(hared) and G(uests), and then enable routing P<->S and S<->G, but not P<->G.

Seems like a lot of work, 3 VLANs, 3 bridges, 3 x DHCP servers and some routing rules. Will this work?

Can this be realized in a simpler way? For example, just use the standard wlx.y devices, which are dropped from the LAN/br0 by stock firmware, and just add routing for wlx.y to the few specific, fixed IP, devices?
 
Can this be realized in a simpler way?
Have a look at this:

ebtables -t broute -L

Frames entering the bridge interface (br0) must first traverse the ebtables BROUTING chain, where DROP means to un-bridge the frame, and ACCEPT means to stay bridged.

So, you'd just want to INSERT your rules into the ebtables BROUTING chain that cause the desired wifi guest network traffic to stay bridged. You can filter on MAC or IP addresses or TCP ports, or whatever.

Asus designed the wifi guest network so that all wifi guest network traffic destined for the LAN gets unbridged in the BROUTING chain. This is so computers on the wifi guest network cannot see each other, yet still access the Internet.
 
Have a look at this:
ebtables -t broute -L
Frames entering the bridge interface (br0) must first traverse the ebtables BROUTING chain, where DROP means to un-bridge the frame, and ACCEPT means to stay bridged.

So, you'd just want to INSERT your rules into the ebtables BROUTING chain that cause the desired wifi guest network traffic to stay bridged. You can filter on MAC or IP addresses or TCP ports, or whatever.

I have:
-p IPv4 -i wl0.1 --ip-dst 10.0.0.0/24 --ip-proto tcp -j DROP

So, suppose my printer is on 10.0.0.100, then just insert:
-p IPv4 -i wl0.1 --ip-dst 10.0.0.100 --ip-proto tcp -j ACCEPT

and be done? (but which rule gets evaluated first? the 10.0.0.0/24 DROP rule or the 10.0.0.100 ACCEPT rule)
 
but which rule gets evaluated first?
Think it will work?
/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i wl0.1 --ip-dst 10.0.0.100 --ip-proto tcp -j ACCEPT

Here's how to display the line numbers and the packet and byte counters, to see if your rule is getting matched.
ebtables -t broute -L --Lmac2 --Lc --Ln
 
Think it will work?
/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i wl0.1 --ip-dst 10.0.0.100 --ip-proto tcp -j ACCEPT

Here's how to display the line numbers and the packet and byte counters, to see if your rule is getting matched.
ebtables -t broute -L --Lmac2 --Lc --Ln
Hmmm. Doesn't work. All traffic to 10.0.0.100 is dropped under the 10.0.0.0/24 rule. So, for some reason the ACCEPT rule doesn't match. Don't get it.

Even if I delete the BROUTING DROP rule, still no success connecting to 10.0.0.100. So maybe the FORWARD rules prohibit more?

To recap. After creating a guest network, without access to intranet, two ebtables chains are filled: filter/FORWARD with 2 rules and broute/BROUTING with 1 rule:
Bridge table: filter
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP

and:
Bridge table: broute
Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 10.0.0.0/24 --ip-proto tcp -j DROP

Interestingly enough, I get DHCP replies and I can even ping servers in the 10.x segment.
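As an added example (not from the thread), the following Python replays the rule listings quoted in this post through the evaluation order the replies describe: a frame from a bridge port is checked against broute/BROUTING first, where the first matching ACCEPT/DROP wins and DROP means "un-bridge"; a frame that stays bridged must then also pass filter/FORWARD. The parser only understands the flags used on this page and the guest-to-printer frame is constructed.

```python
import ipaddress

FLAGS = {"-p": "proto", "-i": "in", "-o": "out", "--ip-dst": "dst", "--ip-proto": "ip_proto", "-j": "target"}

def parse_rule(line):
    """Turn one rule line from 'ebtables -L' into a dict (only the flags used in this thread, with explicit -j)."""
    toks = line.split()
    return {FLAGS[toks[i]]: toks[i + 1] for i in range(0, len(toks), 2)}

def matches(rule, frame):
    """Every match in the rule must hold; --ip-dst is a CIDR test, everything else is an exact compare."""
    for key, want in rule.items():
        have = frame.get(key)
        if key == "target":
            continue
        if key == "dst":
            if have is None or ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif have != want:
            return False
    return True

def verdict(chain, frame, policy="ACCEPT"):
    """ebtables stops at the first matching ACCEPT/DROP; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, frame):
            return rule["target"]
    return policy

def trace(brouting, forward, frame):
    """A frame from a bridge port hits broute/BROUTING first; DROP there means 'un-bridge', not 'discard'."""
    if verdict(brouting, frame) == "DROP":
        return "unbridged: leaves br0 for the routing path"
    return "bridged: filter/FORWARD verdict " + verdict(forward, frame)

# Rule listings as quoted in the thread, plus the poster's proposed ACCEPT for the printer.
ASUS_BROUTING = [parse_rule("-p IPv4 -i wl0.1 --ip-dst 10.0.0.0/24 --ip-proto tcp -j DROP")]
ASUS_FORWARD = [parse_rule("-i wl0.1 -j DROP"), parse_rule("-o wl0.1 -j DROP")]
PRINTER_ACCEPT = parse_rule("-p IPv4 -i wl0.1 --ip-dst 10.0.0.100 --ip-proto tcp -j ACCEPT")
# Constructed frame: a guest on wl0.1 opening a TCP connection to the printer.
GUEST_TO_PRINTER = {"proto": "IPv4", "in": "wl0.1", "dst": "10.0.0.100", "ip_proto": "tcp"}

def after_insert():
    """'-I BROUTING' without a position puts the rule at line 1, ahead of the /24 DROP."""
    return trace([PRINTER_ACCEPT] + ASUS_BROUTING, ASUS_FORWARD, GUEST_TO_PRINTER)

def after_append():
    """With '-A' the ACCEPT lands after the /24 DROP and is never reached for this frame."""
    return trace(ASUS_BROUTING + [PRINTER_ACCEPT], ASUS_FORWARD, GUEST_TO_PRINTER)
```

Running after_insert() shows the frame staying bridged only to be dropped by the filter/FORWARD "-i wl0.1 -j DROP" rule, which matches the symptom reported above; after_append() shows the ordering problem asked about earlier, where the /24 DROP wins before the ACCEPT is ever consulted.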
 
Hmmm. Doesn't work.

Just add the following rules to ebtables to enable ARP requests & replies to/from your printer (use your local printer IP address instead of 10.0.0.2 please):
  • ebtables -t filter -A FORWARD -p ARP --arp-opcode 1 --arp-ip-dst 10.0.0.2
  • ebtables -t filter -A FORWARD -p ARP --arp-opcode 2 --arp-ip-src 10.0.0.2
But why does it work without rules for the IP traffic itself? New thread for this question.
 
