
Is it possible to allow access to a single hardwired device from both intranet and an isolated guest WLAN?


distilled

Senior Member
A RasPi is wired to port 4 on an AC86U. Is it possible to allow access to that Pi from both the intranet and also a guest WiFi? Ideally on just a single port, but wide open is fine. My head is spinning reading about iptables, ebtables, vlanctl and the deprecated robocfg.

Is there a way to do this at all?
 
I thought YazFi allowed pin-holing from the guest WiFi network? Access from the intranet is always enabled for directly connected wired clients (unless you've made some custom VLAN modifications).
 
YazFi has One-Way and Two-Way from Guest WLANs, but it allows or disallows the entire guest network, it isn't granular enough for this case. I did try it out for fun anyway, and the One-Way simply doesn't work for my use, and Two-Way is essentially just everything open (I assume, didn't think to try it).
 
Do you just want DNS to go to it? Enter the RPi IP as the YazFi network DNS, and YazFi will sort it.

Alternatively, disable One-Way and Two-Way, then implement a user script for YazFi to just allow traffic through on the ports needed from the guest interface to the Pi. YazFi will do everything else to segregate it.
 
What sort of single user script will do this though?

Basically I have two different IoT WLANs, one for some safer open-source devices (Tasmota, etc) and one with "dangerous" call-home type gadgets (FireTVs, etc). I want several devices on the latter WLAN to be able to chat with the hardwired Pi, and it currently cannot. Specifically, this is for the androidtv: integration in Home Assistant, which is running on the Pi. ADB uses tcp/5555, but it is likely there is more involved in the connection. I will investigate that as needed, but isolating the video devices is a privacy issue, not security, so starting with things wide open and then closing it as a second step is palatable.

In short, I have sold my soul (or, at least the sovereignty of my household) to Amazon, and want at least the illusion of mitigation. But it is super-cool to see the Plex Media Player integration show up for every TV in the house, and I want to add more control. Plex is a bit more flexible, of course.
 
So the easiest way to resolve this was to put Fresh Tomato on an old AC66U A1, and dedicate it to IoT. Now it is child's play to configure routing between the WAN, the IoT WLANs and the private intranet. This also allows for offloading the two extra guest WLANs from the AC86U, and an existing Ethernet cable allowed for a wired backhaul to a convenient location, for optimum RF.

Fresh Tomato is pretty slick, and looks ideally suited for this sort of thing. Merlin is much higher level, more abstracted from the nuts and bolts, and therefore much easier to use, but hey, incidental and accidental learning is a blessing, right?
 
user script example (for 2.4 GHz Guest 1)
Code:
# Guest clients (wl0.1) -> the wired Pi on br0, one TCP port only
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d IPofPi -p tcp --dport port -j ACCEPT
# Replies from the Pi's port back out to the guest interface
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s IPofPi -p tcp --sport port -j ACCEPT
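As an added example (not YazFi's own code and not something posted in this thread), here is the "user script" approach from the reply above written out as a complete, idempotent script of the kind YazFi runs after it applies its firewall rules. It keeps the interface names from the thread (2.4 GHz Guest 1 is wl0.1, the LAN bridge is br0, the chain is YazFiFORWARD) and fills the placeholders with constructed values: 192.168.1.50 for the Pi and tcp/5555, the ADB port distilled mentioned. The user-script directory /jffs/addons/YazFi.d/userscripts.d/ is an assumption about where YazFi looks for such scripts; check the YazFi README for the current path on your firmware.

```shell
#!/bin/sh
# Added example, not YazFi's own code: a YazFi user script that opens one
# TCP port on a wired host (the Pi on br0) to clients of one guest WLAN.
# Assumed install path: /jffs/addons/YazFi.d/userscripts.d/pinhole-pi.sh
# All values below are constructed for this example; override via env.
PI_IP="${PI_IP:-192.168.1.50}"        # wired Pi address (placeholder)
PORT="${PORT:-5555}"                  # ADB port named in the thread
GUEST_IF="${GUEST_IF:-wl0.1}"         # 2.4 GHz Guest 1 interface
LAN_IF="${LAN_IF:-br0}"               # router LAN bridge
CHAIN="YazFiFORWARD"                  # chain YazFi hooks into FORWARD

# Rule specs (everything after the chain name). First: guest -> Pi on the
# one allowed port. Second: the Pi's replies from that port back to guest.
rule_in()  { echo "-i $GUEST_IF -o $LAN_IF -d $PI_IP -p tcp --dport $PORT -j ACCEPT"; }
rule_out() { echo "-i $LAN_IF -o $GUEST_IF -s $PI_IP -p tcp --sport $PORT -j ACCEPT"; }

# Print the exact iptables commands so they can be reviewed before use.
build_rules() {
    echo "iptables -I $CHAIN $(rule_in)"
    echo "iptables -I $CHAIN $(rule_out)"
}

# Number of rules this script manages (used by the test / a quick sanity check).
rule_count() { build_rules | wc -l | tr -d ' '; }

# Insert a rule only if it is not already present: YazFi re-runs user
# scripts on every apply, and a bare -I would stack duplicate rules.
add_once() {
    # $1 is a whole rule spec; word-splitting it is intended here.
    # shellcheck disable=SC2086
    iptables -C "$CHAIN" $1 2>/dev/null || iptables -I "$CHAIN" $1
}

# With no argument the script only prints what it would do; "apply" installs
# the rules. Everything else from the guest WLAN stays blocked by YazFi.
case "${1:-}" in
    apply)
        add_once "$(rule_in)"
        add_once "$(rule_out)"
        ;;
    *)
        build_rules
        ;;
esac
```

Run it with no argument on the router first to see the two rules it would insert, then `sh pinhole-pi.sh apply`. The `-C` check before `-I` is the part worth keeping even if you change everything else: YazFi re-applies its firewall on a schedule and on wireless events, so a script that blindly inserts will leave duplicate ACCEPT rules piling up at the top of the chain. If the Pi should answer on more than the one port, it is better to add a second pair of rules than to widen the first, since the whole point is that the video devices can reach exactly one service on exactly one host.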
 
Wow, *thank you* Jack - for this, and for all that you do in general. I had no idea that YazFi could do this!

I have a solution in place that is working for the moment, but what you just explained opens up quite a few doors for future tinkering. Time will tell which is best - I already have about 40 devices on 2.4 GHz WiFi and another 10 using 2.4 GHz Zigbee (and about 20 on 433 MHz) and I am not sure yet if adding the second AP for IoT gadgets is contributing to noise, or aiding connectivity. This is a smallish condo, and there is probably enough RF in here already to alarm my oncologist, so using clever routing instead of just pumping out more waves might be best.
 