One way access to guest

Frantisek Brabec

Under the wifi guest configuration I can enable/disable access to the intranet; this access goes both ways. Is there any way to configure the router such that one would be able to access the guest client from the intranet while still blocking the guest's access to the intranet? Thanks.
 
one would be able to access the guest client from the intranet while still blocking the guest's access to the intranet?
Is making them "regular" clients (non guest) an option? There is an option to block internet access by device in the firmware. Since you want to access them internally, why do you want them in guest isolation?
 
Is making them "regular" clients (non guest) an option? There is an option to block internet access by device in the firmware. Since you want to access them internally, why do you want them in guest isolation?

I want to host a server (on my wifi) that people can access from the outside world (using port forwarding). I want to keep this server (and people who log in) separate from my home network but I also want to be able to access it myself from my home network.

If I make it an isolated guest, I can't reach it from the inside of my network. If I make it regular client, everybody on that server has access to all my network.
 
access from the outside world (using port forwarding).
If I make it regular client, everybody on that server has access to all my network.
Depends on what you mean by "access" and which ports are being forwarded. Forwarding port 80 only, for example, doesn't expose the rest of the network.

Another option is a multi-homed server. One NIC serves the "exposed" side of the server, the other NIC is on your local intranet for you to use. But again it comes down to what you are opening up.
 
Depends on what you mean by "access" and which ports are being forwarded. Forwarding port 80 only, for example, doesn't expose the rest of the network.

Another option is a multi-homed server. One NIC serves the "exposed" side of the server, the other NIC is on your local intranet for you to use. But again it comes down to what you are opening up.

Opening that server for ssh as root, i.e. once someone is in, they have all the tools of Linux at their disposal to probe the rest of my network.
 
Easy enough to secure ssh. But I don't think you understood or answered my question about what it is you WANT to forward or give access to.
 
Easy enough to secure ssh. But I don't think you understood or answered my question about what it is you WANT to forward or give access to.
I want to host a development server (hence root ssh access) to be accessible from anywhere off of my internet connection that I otherwise use for unrelated matters. So I want to keep it totally separate from everything else on my network. I do it by putting it on my router as a guest wifi client with intranet connection disabled, then I port forward ssh from the outside to this server.

This seems secure and isolated to me but unfortunately I cannot connect to that server myself from the rest of my network (intranet access is disabled and port forwarding doesn't work from inside the network).

So I want to find a way where everything works as now except I can connect to that server as well.
Thanks.
 
I'd still go with a second network interface for access from your intranet. Your current setup wouldn't change, this would simply add the connectivity you want.

Ideally, I wouldn't personally have gone the way you did with the guest network, but if it gets you what you want and a second NIC works, then great.
 
I want to host a development server (hence root ssh access)
For security reasons, are you sure ssh is the only way to accomplish whatever it is they need to do? Have you looked at giving them access via VPN instead of port forwarding?
 
Loopback port forward should work from the LAN. Check your NAT loopback settings.


 
Loopback port forward should work from the LAN. Check your NAT loopback settings.

It looks like NAT loopback could be the answer for me, however I do not see the option in my setup. I know in the past it was under Firewall->General but now it's not there anymore?
 
but now it's not there anymore?

The option was merely for selecting between two loopback implementations. One of them was dropped because it was unreliable, so there's no need for an actual setting anymore.
 
The option was merely for selecting between two loopback implementations. One of them was dropped because it was unreliable, so there's no need for an actual setting anymore.
Ok, so JDB suggested to "Check your NAT loopback settings" and you're saying there are no settings. Can someone tell me what rule to add or what option to enable in order to be able to say from the intranet to the guest network server? Because connecting from the intranet the same way people would from the outside (i.e. using my public IP and a specific port) - if that's the idea - doesn't work. Thanks.
 
