
Isolate wifi clients but allow Samba/DLNA access?


js19

New Around Here
I'm trying to isolate clients from each other and the intranet on the guest wifi, but still give them read access to the Samba and DLNA (on the AC68U).

I've found a thread on isolating clients on a specific interface from each other with
wl -i wl0.1 ap_isolate 1

And ebtables to block intranet access
ebtables -I FORWARD -i wl0.1 -o ! eth0 -j DROP
ebtables -I FORWARD -i ! eth0 -o wl0.1 -j DROP

But this seems to block Samba etc. I read up on ebtables and iptables and tried adding different exceptions using the router MAC or IP, but I can't work out how to allow access to Samba & DLNA.

Any suggestions?
 
Shouldn't there be a "-p ! 445" in there as well?

Or make it jump to another middle-rule first you make, not directly to DROP:

ebtables -I FORWARD -i wl0.1 -o ! eth0 -j SMBDLNA

then in a rule you've called SMBDLNA you have:

ebtables -I FORWARD -p ! 445 -p ! 8200 -j DROP

I'm just speculating here, and I DO NOT know the CORRECT formatting, just applying logic to what you've written.
 
Solution

Found this thread about a bug in an earlier build where router access was enabled from guest: http://forums.smallnetbuilder.com/showthread.php?t=17378&page=5

I only have a basic understanding of ebtables. Only just found that ebtables -L didn't list broute rules (need to use ebtables -t broute -L) and that broutes were executed first.

Solution: Adding these rules allows guest wifi 1 access to Samba. Just repeat or add port ranges for other services.
ebtables -t broute -I BROUTING 1 -i wl0.1 -pIPv4 --ip-protocol TCP --ip-dst <routerIP> --ip-destination-port 445 -j ACCEPT
ebtables -t broute -I BROUTING 1 -i wl1.1 -pIPv4 --ip-protocol TCP --ip-dst <routerIP> --ip-destination-port 445 -j ACCEPT

Seems to solve my problem.
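As an added example (not from this thread or from the router firmware), a POSIX shell script that emits the isolation rule set described above in the right order, with the BROUTING exceptions first so they are evaluated before the FORWARD drops. It assumes eth0 is the LAN side, wl0.1 and wl1.1 are the guest SSIDs, Samba is TCP 445, and uses TCP 8200 as a constructed DLNA port:

```shell
#!/bin/sh
# Added example, not the thread's or the firmware's own code.
# Assumptions: LAN bridge side is eth0, guest SSIDs are wl0.1/wl1.1,
# Samba listens on TCP 445; TCP 8200 for DLNA is a constructed value.
LAN_IFACE="eth0"
ALLOWED_TCP_PORTS="445 8200"

# Dotted-quad check so a typo in the router IP does not end up in a rule.
valid_ipv4() {
    case "$1" in *[!0-9.]*|*..*|.*|*.|"") return 1 ;; esac
    octets=0
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
        octets=$((octets + 1))
    done
    [ "$octets" -eq 4 ]
}

# Print the ordered rule set for one guest interface. The ACCEPT exceptions
# go into the broute table because BROUTING runs before the FORWARD chain,
# so frames for the allowed ports are bridged to the router normally.
guest_rules() {
    iface="$1"; router_ip="$2"
    valid_ipv4 "$router_ip" || { echo "bad router IP: $router_ip" >&2; return 1; }
    for port in $ALLOWED_TCP_PORTS; do
        echo "ebtables -t broute -I BROUTING 1 -i $iface -p IPv4 --ip-protocol TCP --ip-dst $router_ip --ip-destination-port $port -j ACCEPT"
    done
    echo "wl -i $iface ap_isolate 1"
    echo "ebtables -I FORWARD -i $iface -o ! $LAN_IFACE -j DROP"
    echo "ebtables -I FORWARD -i ! $LAN_IFACE -o $iface -j DROP"
}

# Apply the rules for every guest interface given; DRY_RUN=1 (the default)
# only prints the commands so they can be reviewed before touching the router.
apply_guest_isolation() {
    router_ip="$1"; shift
    valid_ipv4 "$router_ip" || { echo "bad router IP: $router_ip" >&2; return 1; }
    for iface in "$@"; do
        guest_rules "$iface" "$router_ip" | while IFS= read -r cmd; do
            if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
        done
    done
}
```

Run with `DRY_RUN=0 apply_guest_isolation <routerIP> wl0.1 wl1.1` on the router once the printed commands look right.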
 
