Secure Network Media Player Set-Up for N66U? Ebtables?


JayBee

I'm about to add a media player device to our SOHO network. The network is based on an RT-N66U running latest AsusWRT/Merlin. For good security (as media players do not have a good reputation in this respect) I propose to connect the media player to a separate Guest wifi network with LAN access disabled.

However I would also like the media player to be able to access one item in the local network in addition to the internet - the MiniDLNA service running on a server connected to the LAN.

I would appreciate any suggestions as to how to achieve this arrangement. Also any points about good practice on integrating a media player with a SOHO LAN.
Well, I have given it a few days and no words of wisdom from a passing guru. So I have been experimenting with some ebtables scripts from these fora and similar.
The results have been negative. The second 2.5GHz Guest (wl0.2 with intranet access off) that I have been using for tests remains consistently isolated from the local net. So I have tried what (I think) should reverse the isolation from the local network, with a view to adding port and MAC filtering if that worked, thus:
ebtables -I FORWARD -p ARP -o wl0.2 -j ACCEPT
ebtables -I FORWARD -i wl0.2 -j ACCEPT
ebtables -I FORWARD -o wl0.2 -j ACCEPT

The above put in the "services-start" script (is that the correct place for it?).

#ebtables -L reports:
....
Bridge chain: FORWARD, entries: 7, policy: ACCEPT
-o wl0.2 -j ACCEPT
-i wl0.2 -j ACCEPT
-p ARP -o wl0.2 -j ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP
-i wl0.2 -j DROP
-o wl0.2 -j DROP
....

Hopefully someone who has a grasp of the arcane art of ebtables scripting will be kind enough to steer me in the right direction.
TIA
 
So commenting on my own thread once again - hopefully it will help someone do a similar job rather more easily and quickly than I have.
The media player Guest wifi account is now working as hoped it would - full access to the internet and access to the local intranet only for the media player.
Key things I have learned over a couple of days of experimenting:
  • My mistake was to assume that the starting point was Intranet access OFF, and then add rules to "punch through" the appropriate ports. However Guest account Intranet access must be ON for media player access. Intranet access OFF blocks access to the local net, even if the automatic DROP rules for the Guest account are removed with the ebtables Flush command. So it looks like there must be a second isolation mechanism invoked when intranet access is OFF.
  • ‘services-setup’ script appears to be the best place for this function as ‘firewall-start’ seems to run twice (as rules are inserted twice). However a short delay (~10 secs.) is needed at the start of the script to wait until the auto ebtables rules are in place, else some rules fail to be added and scripted rules are intermingled with auto ones.
  • ebtables -F (Flush ebtable rules) and ebtables -L (List rules) are your friends when testing. Flush clears out all ebtable rules, List shows you what your script has added to the table of rules.
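As an added example (not from this thread or from Asuswrt-Merlin), here is a startup-script helper that follows the findings above: Guest intranet access left ON, a delay before the auto rules, and ebtables rules appended so the media player can reach only the MiniDLNA server while the rest of the LAN stays off limits. wl0.2 comes from the thread; the player MAC, server IP and the ports (8200 as MiniDLNA's default HTTP port, 1900 for SSDP discovery) are constructed placeholders.

```shell
#!/bin/sh
# Added example: confine one guest client (the media player) to one LAN
# service (MiniDLNA) with ebtables. Values below are constructed placeholders.
GUEST_IF="wl0.2"
PLAYER_MAC="00:11:22:33:44:55"
DLNA_IP="192.168.1.10"
DLNA_PORT="8200"             # MiniDLNA default HTTP port (assumption)
SSDP_MCAST="239.255.255.250" # SSDP multicast group used for DLNA discovery
EBTABLES="${EBTABLES:-ebtables}"

# Print the rule set, one rule per line, in the order it must be applied.
# Rules are appended (-A) so they land after the router's own auto rules.
guest_rules() {
    # ARP so the player and the server can resolve each other's MAC
    echo "-A FORWARD -p ARP -i $GUEST_IF -s $PLAYER_MAC -j ACCEPT"
    echo "-A FORWARD -p ARP -o $GUEST_IF -j ACCEPT"
    # SSDP discovery: player multicasts M-SEARCH, server answers by unicast UDP
    echo "-A FORWARD -p IPv4 -i $GUEST_IF -s $PLAYER_MAC --ip-proto udp --ip-dst $SSDP_MCAST --ip-dport 1900 -j ACCEPT"
    echo "-A FORWARD -p IPv4 -o $GUEST_IF -d $PLAYER_MAC --ip-proto udp --ip-src $DLNA_IP --ip-sport 1900 -j ACCEPT"
    # Media streaming: player -> server on the MiniDLNA port, and the replies
    echo "-A FORWARD -p IPv4 -i $GUEST_IF -s $PLAYER_MAC --ip-proto tcp --ip-dst $DLNA_IP --ip-dport $DLNA_PORT -j ACCEPT"
    echo "-A FORWARD -p IPv4 -o $GUEST_IF -d $PLAYER_MAC --ip-proto tcp --ip-src $DLNA_IP --ip-sport $DLNA_PORT -j ACCEPT"
    # Everything else bridged between the guest SSID and the LAN is dropped.
    # Routed WAN traffic does not pass the bridge FORWARD chain, so internet
    # access for the guest is untouched (same as the router's own isolation).
    echo "-A FORWARD -i $GUEST_IF -j DROP"
    echo "-A FORWARD -o $GUEST_IF -j DROP"
}

# Number of rules the script adds; compare with "ebtables -L" after applying.
rule_count() {
    guest_rules | wc -l | tr -d ' '
}

# Apply the rules. Only runs when invoked as "script.sh apply", so the rule
# set can be inspected without touching the router.
apply_rules() {
    sleep 10   # wait for the router's automatic ebtables rules (see above)
    guest_rules | while read -r rule; do
        # shellcheck disable=SC2086
        $EBTABLES $rule
    done
}

case "${1:-}" in
    apply) apply_rules ;;
esac
```

Call it from the startup script as `/jffs/scripts/guest-dlna.sh apply` (path assumed); run `ebtables -L` afterwards and check that the eight rules sit below the auto rules with the two DROP rules last.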
 
