
Restrict guest wireless LAN from accessing router


StevenG

Occasional Visitor
I am stumped, and think the only way I can accomplish this is with IPTABLES, but I can't get a solution to work.

My setup is this - Asus RTN66U running Shibby Tomato v101, with br0 private LAN, and br1 set up as a guest LAN. A guest wifi LAN, wl0.1, is tied to br1 on a VLAN, so devices on br1 cannot see devices on br0, which is what I want, with one exception.

Devices on br1 (the guest wifi LAN) can still access the router via its IP on the other subnet. I would like to block this for security reasons, and only allow the router's IP to be accessible by devices on br0.

Can someone tell me first, if this is doable (it must be), and if so, provide any guidance on setting this up?

Thank you!
 
I thought with a guest LAN you weren't supposed to be able to access the router or be able to access other devices on the LAN? I never tested it out though.

EDIT: Crap I just tested it. I figured a guest LAN would be blocked from accessing the router but it isn't on my RT-N56U router. Crap now I am confused. What is the purpose of the guest LAN? I thought it only allowed internet access?
 
Well, in Tomato, it's really just another wireless LAN, with no additional changes from the internal LAN unless you set them. My understanding is you need to set those with access restrictions or iptables rules. By setting that wireless LAN on its own LAN though, and putting it in its own VLAN, I have isolated it from the primary LAN, except for the router.

I tried this on my neighbor's Cisco router with his "Guest" network feature, and you can NOT get to the router. I do recall, that even with the stock Asus firmware though, this worked the same way. Hence, why I'm asking how I could accomplish this with iptables.
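
One way to express the restriction asked about in this thread, as an added example that is not from any of the posters: filter the INPUT chain by ingress interface, so guests on br1 cannot reach any address the router owns, including its br0 address. The chain name `GUEST_IN`, the dry-run `IPT` variable, and the assumption that guests use the router for DHCP and DNS are all choices made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Interface br1 is taken from the post;
# the chain name GUEST_IN is hypothetical.
# IPT defaults to a dry run that prints each command; set IPT=iptables on the
# router to apply the rules for real.
IPT="${IPT:-echo iptables}"

# Decide what guest traffic may reach the router itself.
# Matching on the ingress interface covers every local address, because any
# packet addressed to the router traverses INPUT regardless of which of the
# router's IPs it targets. FORWARD is untouched, so internet access remains.
guest_lockdown() {
    guest_if="$1"
    chain="GUEST_IN"

    # Create the chain, or empty it if it already exists (safe to re-run).
    $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"

    # Replies to connections the router opened return to normal INPUT rules.
    $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j RETURN
    # DHCP, so guests can still obtain a lease.
    $IPT -A "$chain" -p udp --dport 67 -j ACCEPT
    # DNS (assumption: guests use the router as their resolver).
    $IPT -A "$chain" -p udp --dport 53 -j ACCEPT
    $IPT -A "$chain" -p tcp --dport 53 -j ACCEPT
    # Everything else aimed at the router (web UI, SSH, ...) is dropped.
    $IPT -A "$chain" -j DROP

    # Remove a stale jump if one exists, then evaluate guests first in INPUT.
    $IPT -D INPUT -i "$guest_if" -j "$chain" 2>/dev/null || true
    $IPT -I INPUT 1 -i "$guest_if" -j "$chain"
}

guest_lockdown br1
```

Run as written it only prints the commands for review. On Tomato such rules are normally placed in the firewall script so they are reapplied whenever the firewall restarts.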
 
