
"Routing"; VLAN; Bridge; Proxy ARP?


Nehemiah

A Call for Help:

I am running Merlin's latest as of 9-26-12. I have 3 guest networks set up which are disallowed from the "intranet" (per the webgui). I have a piece of equipment on physical LAN port 1 that I want all three of the networks to be able to communicate with (a copier/printer/scanner). I also want the SMB share on the router to be visible to the three guest networks.

My problem then is that I want to keep the general stock rule where the three guest networks are invisible to each other and also to the "top" network, but I want to have the specific exceptions mentioned above. Unfortunately the firmware does not provide for this in the webgui and my own investigation reveals no easy solution.

Here are the following data points I have been able to gather:

/# ip addr show
1. lo loopback
2. eth0 WAN port
3. eth1 WLAN 0
4. eth2 WLAN 1
5. vlan1
6. br0
7. wl0.1
8. wl0.2
9. wl0.3
10. wl1.1
11. wl1.2
12. wl1.3

/# brctl showstp br0
br0 8000.10bf48d8e210
vlan1 Port: 8001
eth1 Port: 8002
eth2 Port: 8003
wl0.1 Port: 8004
[...et seq to wl1.3 port: 8009]

/# nvram show | grep vlan1ports
vlan1ports= 1 2 3 4 8*

/# nvram show | grep vlan2ports
vlan2ports= 0 8*

This guy claiming to be a tomato dev states that vlan2:0 is the WAN port.

Based on BR0 and on VLAN1 I should be able to communicate from a client on wl0.1 to vlan1:1 but I am not able to do that when the webgui options are set to disable "guest intranet".

EDIT: After having reviewed the ip tables there is either something going on there which I am overlooking or there is something up with a module running with(?) the kernel.

EDIT Part Deux: I have found that the RT-AC66U is employing ebtables to filter br0's constituent IFS at the bridge/MAC level. Observe the differences in the following outputs:

admin@(none):/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 6, policy: ACCEPT
-i wl0.1 -o ! eth0 -j DROP
-i ! eth0 -o wl0.1 -j DROP
-i wl0.3 -o ! eth0 -j DROP
-i ! eth0 -o wl0.3 -j DROP
-i wl1.3 -o ! eth0 -j DROP
-i ! eth0 -o wl1.3 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

admin@(none):/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 8, policy: ACCEPT
-i wl0.1 -o ! eth0 -j DROP
-i ! eth0 -o wl0.1 -j DROP
-i wl0.2 -o ! eth0 -j DROP
-i ! eth0 -o wl0.2 -j DROP

-i wl0.3 -o ! eth0 -j DROP
-i ! eth0 -o wl0.3 -j DROP
-i wl1.3 -o ! eth0 -j DROP
-i ! eth0 -o wl1.3 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

The difference between the first ebtables -L and the second was produced by my enabling the webgui's "Guest Access Intranet" feature for wl0.2, or the 2nd non-5 GHz wireless guest SSID.
Now, my problem is that vlan1 is hosted on eth0 (I think?) and hence I will not be able to communicate with vlan1 if I can't communicate with eth0...

Any Takers?

Regards...
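
Added example, not part of the original post: a small Python model of first-match evaluation over the two FORWARD chains quoted above, showing which bridged in/out interface pairs each listing drops and which pairs differ between them. The names LISTING_A, LISTING_B, parse_rules, verdict and changed_pairs are made up for this sketch, and only the `-i`/`-o`/`-j` fields seen in the post are modelled.

```python
import re
# FORWARD chains copied from the two `ebtables -L` listings in the post.
LISTING_A = """\
-i wl0.1 -o ! eth0 -j DROP
-i ! eth0 -o wl0.1 -j DROP
-i wl0.3 -o ! eth0 -j DROP
-i ! eth0 -o wl0.3 -j DROP
-i wl1.3 -o ! eth0 -j DROP
-i ! eth0 -o wl1.3 -j DROP
"""
LISTING_B = """\
-i wl0.1 -o ! eth0 -j DROP
-i ! eth0 -o wl0.1 -j DROP
-i wl0.2 -o ! eth0 -j DROP
-i ! eth0 -o wl0.2 -j DROP
-i wl0.3 -o ! eth0 -j DROP
-i ! eth0 -o wl0.3 -j DROP
-i wl1.3 -o ! eth0 -j DROP
-i ! eth0 -o wl1.3 -j DROP
"""
RULE = re.compile(r"-i (! )?(\S+) -o (! )?(\S+) -j (\S+)$")

def parse_rules(listing):
    """Return [((in_if, negated), (out_if, negated), target), ...]."""
    rules = []
    for line in listing.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.append(((m[2], bool(m[1])), (m[4], bool(m[3])), m[5]))
    return rules

def _hit(spec, iface):
    name, negated = spec  # "! eth0" matches every interface except eth0
    return (iface != name) if negated else (iface == name)

def verdict(rules, in_if, out_if, policy="ACCEPT"):
    """First matching rule wins; otherwise the chain policy applies."""
    for in_spec, out_spec, target in rules:
        if _hit(in_spec, in_if) and _hit(out_spec, out_if):
            return target
    return policy

def changed_pairs(a, b, ifaces):
    """Interface pairs whose verdict differs between two rule sets."""
    return [(i, o) for i in ifaces for o in ifaces
            if i != o and verdict(a, i, o) != verdict(b, i, o)]

if __name__ == "__main__":
    a, b = parse_rules(LISTING_A), parse_rules(LISTING_B)
    for pair in changed_pairs(a, b, ["eth0", "vlan1", "eth1", "wl0.1", "wl0.2"]):
        print(pair, verdict(a, *pair), "->", verdict(b, *pair))
```

Only the bridge FORWARD chain is modelled here; frames addressed to the router itself are handled by the INPUT chain instead.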
 