What's new

YazFi guest network client cannot access to public web server hosted internally

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

emrepolat7

New Around Here
I am running a web server and have set up port forwardings (WAN...Virtual Server / Port Forwarding) for 80 and 443. I have the registered DNS name resolves to my ISP-assigned IP address. I am able to reach the web server from outside internet and also from the LAN, in both cases by using its DNS name. I used YazFi to create a guest subnet. The web server is on the LAN. Clients on the guest subnet CANNOT reach the web server using its DNS name nor my ISP-assigned IP address.

LAN 192.168.1.0/24
YazFi 192.168.2.0/24

Can you suggest steps that I need to take to debug this?

Emre
 
The web server is on the LAN. Clients on the guest subnet CANNOT reach the web server using its DNS name nor my ISP-assigned IP address.
First thing to try is enable the two way to guest in YazFi and see if that fixes the issue. If not you could try using the YazFi scripting to allow YazFi Guest Network clients to access a specific LAN IP address. See the YazFi custom firewall rules section for general information on using the scripting option of YazFi. The following thread discussion has some examples of using scripting to allow YazFi guest clients to access a specific IP address on the LAN.

There are likely additional posts in other threads one can find using the forum's search feature or using the subforum's filter option. Example of a similar past discussion:
 
Last edited:
Thanks for your answer.

The whole point is to separate the LAN network in to subnets. I noticed the alternatives you mentioned on the forum. But, If I do what you say I will expose my server to all subnet clients.

WAN to LAN IP on 2 specific port open (80/443) is OK
Subnet to LAN IP on all ports open is not OK.

Especially if that IP is pointed to my main server for all my other services.
 
WAN to LAN IP on 2 specific port open (80/443) is OK
Subnet to LAN IP on all ports open is not OK.
So, use the iptables --dport option to specify the specific port you want to open when communicating to a specific LAN client.
 
When I use the iptables --dport option as you recommended.

it works if I enter the ip address, but it does not work when I enter the domain name of my web server, unfortunately :)
 
When I use the iptables --dport option as you recommended.

it works if I enter the ip address, but it does not work when I enter the domain name of my web server, unfortunately :)
That's, if I remember right, expected behavior as iptables uses IP address not the hostname or domain name. Also post an example of the script that is working for you to help others who may want to attempt what you are attempting.

Edit to add: Spit balling here but maybe matching the hostname/domain name to an IP address using a host file would work.
 
Last edited:
When I use the iptables --dport option as you recommended.

it works if I enter the ip address, but it does not work when I enter the domain name of my web server, unfortunately :)
Are you using the router for DNS on the Guest network?
1674750448112.png
 

Attachments

  • 1674750427654.png
    1674750427654.png
    144.5 KB · Views: 44
What I understand, the problem is probably my firewall since the public vlan is using external DNS servers which then point back to my external ISP interface for the website. Most firewalls don't like to allow traffic from inside to go out then back in.

I think this is the problem unfortunetly I do not know how to solve :(
 
Have you run a traceroute to see if that is the case? It may help you identify where in the hops your connection fails.
 

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top