
Open firewall hole from iPhone to guest IOT

Discussion in 'Asuswrt-Merlin' started by rdy2, Jan 25, 2020.

rdy2 (Occasional Visitor):
    I want to allow an iPhone on eth5 to access an HTTP server on an IoT device (ESP32) on the isolated wl0.1. I am testing with a dedicated RT-AC86U (384.14_2), with its WAN chained to the LAN of the house router.
    This is my first time with firewall rules, so it is not surprising that I have problems... I have searched and seen:
    https://www.snbforums.com/threads/ebtables-arp-and-wirleess-guest-network.29857/
    https://www.snbforums.com/threads/limit-the-guest-network-ports-and-speed.13955/#post-92668
    https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
    https://ebtables.netfilter.org/examples/basic.html#ex_brouter

    I tried to drop ARP at BROUTING, but it did not seem to work for me, so I added two FORWARD rules and now it flows.
    Next, I added BROUTING DROPs for the HTTP traffic, but the frame vanishes... From the packet flow diagram linked above, I expect the frame to traverse the iptables PREROUTING and FORWARD chains, but I see nothing there...

    Here are the key tables (I have added selective logging rules).
    Code:
    Bridge chain: FORWARD, entries: 9, policy: ACCEPT
    -p ARP -i eth5 --arp-ip-src 192.168.50.96 --arp-ip-dst 192.168.50.31 --log-level notice --log-prefix "ebf.FWD22" --log-ip --log-arp -j ACCEPT
    -p ARP -i wl0.1 --arp-ip-src 192.168.50.31 --arp-ip-dst 192.168.50.96 --log-level notice --log-prefix "ebf.FWD21" --log-ip --log-arp -j ACCEPT
    *** silent drop of annoying gratuitous self arping and IPv6 crap
    -p ARP -s <IOT-MAC> -i wl0.1 --arp-ip-dst 192.168.50.31 -j DROP
    -p IPv6 -o wl0.1 -j DROP
    -p IPv6 -i wl0.1 -j DROP
    *** original isolation with added logging
    -i wl0.1 --log-level notice --log-prefix "-ebf.FWD11" --log-ip --log-arp -j DROP
    -o wl0.1 --log-level notice --log-prefix "-ebf.FWD12" --log-ip --log-arp -j DROP
    *** unhandled passers-by trace
    -p ! IPv6 -s <IOT-MAC> --log-level notice --log-prefix "ebf.FWD1" --log-ip --log-arp -j CONTINUE
    -p ! IPv6 -d <IOT-MAC> --log-level notice --log-prefix "ebf.FWD2" --log-ip --log-arp -j CONTINUE
    
    Code:
    Bridge chain: BROUTING, entries: 9, policy: ACCEPT
    -p IPv4 -i eth5 --ip-src 192.168.50.96 --ip-dst 192.168.50.31 --ip-proto tcp --ip-dport 80 --log-level notice --log-prefix "-ebb.BRO21" --log-ip --log-arp -j DROP
    -p IPv4 -i wl0.1 --ip-src 192.168.50.31 --ip-dst 192.168.50.96 --ip-proto tcp --ip-sport 80 --log-level notice --log-prefix "-ebb.BRO22" --log-ip --log-arp -j DROP
    *** original isolation with added logging
    -p IPv4 -i wl0.1 --ip-dst 192.168.50.1 --ip-proto icmp --log-level notice --log-prefix "+ebb.BRO11" --log-ip --log-arp -j ACCEPT
    -p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto icmp --log-level notice --log-prefix "-ebb.BRO12" --log-ip --log-arp -j DROP
    -p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 --ip-proto tcp --log-level notice --log-prefix "-ebb.BRO13" --log-ip --log-arp -j DROP
    *** unhandled frames trace logging
    -p ARP -i eth5 --arp-ip-src 192.168.50.96 --arp-ip-dst 192.168.50.31 --log-level notice --log-prefix "ebb.BRO1" --log-ip --log-arp -j CONTINUE
    -p ARP -i wl0.1 --arp-ip-src 192.168.50.31 --arp-ip-dst 192.168.50.96 --log-level notice --log-prefix "ebb.BRO2" --log-ip --log-arp -j CONTINUE
    -p IPv4 -i eth5 --ip-dst 192.168.50.31 --log-level notice --log-prefix "ebb.BRO3" --log-ip --log-arp -j CONTINUE
    -p IPv4 -i wl0.1 --ip-dst 192.168.50.96 --log-level notice --log-prefix "ebb.BRO4" --log-ip --log-arp -j CONTINUE
    
    Code:
    iptables -t filter -S FORWARD
    
    -P FORWARD DROP
    -A FORWARD -s 192.168.50.96/32 -d 192.168.50.31/32 -p tcp -m tcp --dport 80 -j LOG --log-prefix "+ipf.FWD21 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
    -A FORWARD -s 192.168.50.96/32 -d 192.168.50.31/32 -p tcp -m tcp --dport 80 -j ACCEPT
    -A FORWARD -s 192.168.50.31/32 -d 192.168.50.96/32 -p tcp -m tcp --sport 80 -j LOG --log-prefix "+ipf.FWD22 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
    -A FORWARD -s 192.168.50.31/32 -d 192.168.50.96/32 -p tcp -m tcp --sport 80 -j ACCEPT
    *** trace passers-by
    -A FORWARD -d 192.168.50.31/32 -j LOG --log-prefix " ipf.FWD " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
    -A FORWARD -s 192.168.50.31/32 -j LOG --log-prefix " ipf.FWD " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
    -A FORWARD -m mac --mac-source <IOT-MAC> -j LOG --log-prefix " ipf.FWD20 " --log-level 5 --log-tcp-sequence --log-tcp-options --log-ip-options
    *** original rules
    -A FORWARD -d 224.0.0.0/4 -i eth0 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j logaccept
    -A FORWARD ! -i br0 -o eth0 -j other2wan
    -A FORWARD -i br0 -o br0 -j logaccept
    -A FORWARD -m state --state INVALID -j logdrop
    -A FORWARD -j NSFW
    -A FORWARD -i br0 -j ACCEPT
    -A FORWARD -m conntrack --ctstate DNAT -j logaccept
    -A FORWARD -m state --state NEW -j OVPN
    -A FORWARD -j logdrop
    
    This is what I see in the log:
    Code:
    *** ARP iPhone->IOT
    kernel: ebb.BRO1  IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
    kernel: ebf.FWD22 IN=eth5 OUT=wl0.1 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
    kernel: ebf.FWD22 IN=eth5 OUT=eth6 MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
    kernel: +ebf.INP  IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=<iPhone-MAC> ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
    kernel: ebb.BRO2  IN=wl0.1 OUT= MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96
    kernel: ebf.FWD21 IN=wl0.1 OUT=eth5 MAC source = <IOT-MAC> MAC dest = <iPhone-MAC> proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=<IOT-MAC> ARP IP SRC=192.168.50.31 ARP MAC DST=<iPhone-MAC> ARP IP DST=192.168.50.96
    *** iPhone tcp:80 request (retried)
    kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
    kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
    kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
    kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
    kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = <iPhone-MAC> MAC dest = <IOT-MAC> proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
    
    As you can guess, I have put some time into this... I also tried a BROUTING redirect/target DROP, where, IIRC, I could see the frame traverse up to filter INPUT and then disappear.

    I would appreciate some hints to make this work.
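An added example, not code from the thread: it correlates kernel LOG lines in the format the post shows into one trace per frame/flow and states where each flow was last seen, using the poster's own prefix convention (leading '-' for a DROP rule, '+' for an ACCEPT rule, no sign for a CONTINUE trace rule). The sample log lines are constructed to mirror the post, with placeholder MAC addresses.

```python
# Added example, not code from the thread: correlates the kernel LOG lines the
# post shows into one trace per frame/flow, reading the poster's prefix
# convention (leading '-' = DROP rule, '+' = ACCEPT rule, no sign = CONTINUE).
import re
HEAD_RE = re.compile(r"kernel: (?P<prefix>[-+]?\S+)\s+IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?proto = (?P<eth>0x[0-9a-fA-F]{4})")
ARP_RE = re.compile(r"OPCODE=(?P<op>\d+) .*?ARP IP SRC=(?P<src>\S+) .*?ARP IP DST=(?P<dst>\S+)")
IP_RE = re.compile(r"IP SRC=(?P<src>\S+) IP DST=(?P<dst>\S+),.*?IP proto=(?P<proto>\d+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")
# Constructed sample mirroring the post's log (MACs are placeholders).
SAMPLE_LOG = """\
kernel: ebb.BRO1  IN=eth5 OUT= MAC source = 02:00:00:00:00:01 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:01 ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD22 IN=eth5 OUT=wl0.1 MAC source = 02:00:00:00:00:01 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:01 ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: +ebf.INP  IN=eth5 OUT= MAC source = 02:00:00:00:00:01 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1 ARP MAC SRC=02:00:00:00:00:01 ARP IP SRC=192.168.50.96 ARP MAC DST=00:00:00:00:00:00 ARP IP DST=192.168.50.31
kernel: ebf.FWD21 IN=wl0.1 OUT=eth5 MAC source = 02:00:00:00:00:02 MAC dest = 02:00:00:00:00:01 proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=2 ARP MAC SRC=02:00:00:00:00:02 ARP IP SRC=192.168.50.31 ARP MAC DST=02:00:00:00:00:01 ARP IP DST=192.168.50.96
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = 02:00:00:00:00:01 MAC dest = 02:00:00:00:00:02 proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
kernel: -ebb.BRO21 IN=eth5 OUT= MAC source = 02:00:00:00:00:01 MAC dest = 02:00:00:00:00:02 proto = 0x0800 IP SRC=192.168.50.96 IP DST=192.168.50.31, IP tos=0x00, IP proto=6 SPT=59530 DPT=80
"""

def parse_line(line):
    """Return (flow key, (prefix, in, out)) for one log line, or None."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    a, p = ARP_RE.search(line), IP_RE.search(line)
    if a:  # ARP: key on opcode and the protocol addresses asked about
        key = ("ARP", "request" if a["op"] == "1" else "reply", a["src"], a["dst"])
    elif p:  # IPv4: key on the 5-tuple (ports are None for non-TCP/UDP)
        key = ("IPv4", p["src"], p["dst"], p["proto"], p["spt"], p["dpt"])
    else:
        key = ("other", m["eth"])
    return key, (m["prefix"], m["in"], m["out"])

def trace_flows(log_text):
    """Map each flow to the ordered list of chain hits it produced."""
    flows = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            flows.setdefault(parsed[0], []).append(parsed[1])
    return flows

def verdict(hits):
    """Explain where a flow ended, from the sign of the last prefix seen."""
    prefix, ifin, ifout = hits[-1]
    if prefix.startswith("-"):
        return f"dropped by {prefix[1:]} (in={ifin})"
    if prefix.startswith("+"):
        return f"accepted by {prefix[1:]} (in={ifin}, out={ifout or '-'})"
    return f"last traced at {prefix}; no terminating rule logged"
if __name__ == "__main__":
    for key, hits in trace_flows(SAMPLE_LOG).items():
        print(key, "->", " > ".join(h[0] for h in hits), "::", verdict(hits))
```

Run against the real log with `trace_flows(open("/tmp/syslog").read())`; a flow whose last hit is a '-' prefix was dropped by that rule, and a flow that never gets an iptables prefix never reached the IP layer.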