Is it possible to allow access to a single hardwired device from both intranet and an isolated guest WLAN?

distilled

Senior Member
A RasPi is wired to port 4 on an AC86U. Is it possible to allow access to that Pi from both the intranet and also a guest WiFi? Ideally on just a single port, but wide open is fine. My head is spinning reading about iptables, ebtables, vlanctl and the deprecated robocfg.

Is there a way to do this at all?
 

ColinTaylor

Part of the Furniture
I thought YazFi allowed pin-holing from the guest WiFi network? Access from the intranet is always enabled for directly connected wired clients (unless you've made some custom VLAN modifications).
 

distilled

Senior Member
YazFi has One-Way and Two-Way from Guest WLANs, but it allows or disallows the entire guest network, it isn't granular enough for this case. I did try it out for fun anyway, and the One-Way simply doesn't work for my use, and Two-Way is essentially just everything open (I assume, didn't think to try it).
 

Jack Yaz

Part of the Furniture
YazFi has One-Way and Two-Way from Guest WLANs, but it allows or disallows the entire guest network, it isn't granular enough for this case. I did try it out for fun anyway, and the One-Way simply doesn't work for my use, and Two-Way is essentially just everything open (I assume, didn't think to try it).
Do you just want dns to go to it? Enter the rpi ip as the yazfi network dns, and YazFi will sort it

Alternatively disable one way and two way, then implement a user script for YazFi to just allow traffic through on the ports needed from guest interface to pi. Yazfi will do everything else to segregate it
 

distilled

Senior Member
What sort of single user script will do this though?

Basically I have two different IoT WLANs, one for some safer open-source devices (Tasmota, etc) and one with "dangerous" call-home type gadgets (FireTVs, etc). I want several devices on the latter WLAN to be able to chat with the hardwired Pi, and it currently cannot. Specifically, this is for the androidtv: integration in Home Assistant, which is running on the Pi. ADB uses tcp/5555, but it is likely there is more involved in the connection. I will investigate that as needed, but isolating the video devices is a privacy issue, not security, so starting with things wide open and then closing it as a second step is palatable.

In short, I have sold my soul (or, at least the sovereignty of my household) to Amazon, and want at least the illusion of mitigation. But it is super-cool to see the Plex Media Player integration show up for every TV in the house, and I want to add more control. Of course, Plex is a bit more flexible, of course.
 

distilled

Senior Member
So the easiest way to resolve this was to put Fresh Tomato on an old AC66U A1, and dedicate it to IoT. Now it is child's play to configure routing between the WAN, the IoT WLANs and the private intranet. This also allows for offloading the two extra guest WLANs from the AC86U, and an existing Ethernet cable allowed for a wired backhaul to a convenient location, for optimum RF.

Fresh Tomato is pretty slick, and looks ideally suited for this sort of thing. Merlin is much higher level, more abstracted from the nuts and bolts, and therefore much easier to use, but hey, incidental and accidental learning is a blessing, right?
 

Jack Yaz

Part of the Furniture
What sort of single user script will do this though?

Basically I have two different IoT WLANs, one for some safer open-source devices (Tasmota, etc) and one with "dangerous" call-home type gadgets (FireTVs, etc). I want several devices on the latter WLAN to be able to chat with the hardwired Pi, and it currently cannot. Specifically, this is for the androidtv: integration in Home Assistant, which is running on the Pi. ADB uses tcp/5555, but it is likely there is more involved in the connection. I will investigate that as needed, but isolating the video devices is a privacy issue, not security, so starting with things wide open and then closing it as a second step is palatable.

In short, I have sold my soul (or, at least the sovereignty of my household) to Amazon, and want at least the illusion of mitigation. But it is super-cool to see the Plex Media Player integration show up for every TV in the house, and I want to add more control. Of course, Plex is a bit more flexible, of course.
user script example (for 2.4ghz guest 1)
Code:
# guest (wl0.1) -> Pi: packets enter on the guest interface and leave on br0, where the Pi is wired
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d IPofPi -p tcp --dport port -j ACCEPT
# Pi -> guest: replies from the Pi's port back out to the guest interface
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s IPofPi -p tcp --sport port -j ACCEPT
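A fuller version of the pinhole idea above, written as an added example (not Jack Yaz's code and not part of the YazFi project): it keeps the single-port restriction the original poster asked for, limits the Pi-to-guest direction to reply traffic only, and checks with `iptables -C` before inserting so the rules are not duplicated each time YazFi re-runs user scripts. The `YazFiFORWARD` chain and `wl0.1` guest interface are taken from the thread; the Pi address `192.168.1.50` is a placeholder, and tcp/5555 is the ADB port the thread mentions. `IPT` can be pointed at a stand-in command for a dry run.

```shell
#!/bin/sh
# Added example: pinhole one wired host from a YazFi guest WLAN on a single TCP port.
# Assumptions (placeholders, override via environment): guest interface wl0.1,
# wired LAN bridge br0, Pi at 192.168.1.50, ADB on tcp/5555.
set -e

GUEST_IF="${GUEST_IF:-wl0.1}"
LAN_IF="${LAN_IF:-br0}"
PI_IP="${PI_IP:-192.168.1.50}"
PI_PORT="${PI_PORT:-5555}"
CHAIN="YazFiFORWARD"
IPT="${IPT:-iptables}"   # set IPT to a stand-in command to dry-run

# Insert a rule into the YazFi forward chain only if an identical rule is not already there.
# YazFi re-applies its firewall rules (and user scripts) periodically, so an unconditional
# "-I" would pile up duplicate rules; "-C" returns non-zero when the rule is absent.
add_rule() {
    if ! "$IPT" -C "$CHAIN" "$@" 2>/dev/null; then
        "$IPT" -I "$CHAIN" "$@"
    fi
}

# The two rules that open exactly one port from the guest WLAN to the Pi.
# Guest -> Pi: only connections to the chosen port, entering on the guest
# interface and leaving on the LAN bridge where the Pi is wired.
# Pi -> guest: only packets that belong to a connection the guest already opened.
pinhole() {
    add_rule -i "$GUEST_IF" -o "$LAN_IF" -d "$PI_IP" -p tcp --dport "$PI_PORT" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    add_rule -i "$LAN_IF" -o "$GUEST_IF" -s "$PI_IP" -p tcp --sport "$PI_PORT" \
        -m state --state ESTABLISHED -j ACCEPT
}

# Apply only when explicitly asked, so sourcing the file (e.g. for a dry run) does nothing.
if [ "${1:-}" = "apply" ]; then
    pinhole
fi
```

Run it on the router as `sh pinhole.sh apply`; a quick `IPT=echo sh pinhole.sh apply` prints the commands instead (with `echo` standing in, the `-C` check always "succeeds", so the dry run shows the checks rather than the inserts). Because the return rule only matches ESTABLISHED state, the Pi cannot initiate anything towards the guest WLAN, which keeps the isolation the guest network is there for.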
 
