Allowing guest network to access specific device on private network?

[Granny]

Hello,

I'm using YazFi script to separate my guest networks

I was wondering - I got a LAN network at home, and a NET1_2.4 and NET1_5 (private networks - same subnet as router, subnet 1), I also have a GNET2_2.4 and GNET2_5 (subnet 2 and subnet 3)
My smart TV is connected to the NET1_5 (subnet 1) with a static IP
I want to allow guest in my home to cast ONLY to the TV, but still not access any other service on the LAN/NET1_2.4/NET1_5

When I'm logged in with my phone to NET1 (any band), I see the option to cast youtube to the TV, when I'm on GNET2 (any band), I don't see the icon on the youtube app... it doesn't see the TV as a "cast-able" option...

I tried doing something like that into iptables, but it didn't work.

iptables -A FORWARD -i {wireless_iface} -o {main_iface} -d {TV_IP} -m state --state NEW -j ACCEPT

Any idea how I can achieve this?
Thank you.

 

[eibgrad]

Network discovery (which Chromecast relies on) does NOT work across IP network boundaries! That's one of the downsides of having the guest and private networks NOT using the same IP network. IOW, having the private and guest networks use the same or different IP networks comes w/ both advantages *and* disadvantages. And unfortunately it's not always immediately obvious.

One way to deal w/ this situation (assuming you don't want to return to the Merlin default guest configuration which defaults to the private and guest networks using the same IP network) is to use an mDNS replicator, such as Avahi.

FWIW, I've created an Avahi Tutorial over on the FT (FreshTomato) forums that describes the setup. Most of it applies to virtually any third-party firmware.

Avahi Tutorial: Configuring a Reflector (aka, mDNS repeater)

UPDATE (11/14/2020): Significant changes have recently been made to Entware generally, and the Avahi packages specifically, that have required me to make updates to this document. It reflects the latest information and experiences I've had installing and configuring Avahi on FT (FreshTomato)...

www.linksysinfo.org

 

[Granny]

Network discovery (which Chromecast relies on) does NOT work across IP network boundaries! That's one of the downsides of having the guest and private networks NOT using the same IP network. IOW, having the private and guest networks use the same or different IP networks comes w/ both advantages *and* disadvantages. And unfortunately it's not always immediately obvious.

One way to deal w/ this situation (assuming you don't want to return to the Merlin default guest configuration which defaults to the private and guest networks using the same IP network) is to use an mDNS replicator, such as Avahi.

FWIW, I've created an Avahi Tutorial over on the FT (FreshTomato) forums that describes the setup. Most of it applies to virtually any third-party firmware.

Avahi Tutorial: Configuring a Reflector (aka, mDNS repeater)

UPDATE (11/14/2020): Significant changes have recently been made to Entware generally, and the Avahi packages specifically, that have required me to make updates to this document. It reflects the latest information and experiences I've had installing and configuring Avahi on FT (FreshTomato)...

www.linksysinfo.org

Hi and thanks for the feedback
I don't mind going back to Merlin default if that's easier to get... I thought it would be easier with yazfi

How could I do that with the default Merlin? When both the private NET1 and GNET1 are on the same subnet?

Thank you for your help

 

[eibgrad]

How could I do that with the default Merlin? When both the private NET1 and GNET1 are on the same subnet?

I assume when using the Merlin guest default (i.e., same IP network for both private and guest networks) that access between them is NOT possible if you disable the "Intranet Access" option on the guest network. At least I see no direct means to selectively make an exception. So even if network discovery works, for all practical purposes, you may have no choice but to use YazFi and implement an mDNS reflector. At least then you can block access between the networks at the IP level w/ iptables and define your exceptions.

 

[Jack Yaz]

I assume when using the Merlin guest default (i.e., same IP network for both private and guest networks) that access between them is NOT possible if you disable the "Intranet Access" option on the guest network. At least I see no direct means to selectively make an exception. So even if network discovery works, for all practical purposes, you may have no choice but to use YazFi and implement an mDNS reflector. At least then you can block access between the networks at the IP level w/ iptables and define your exceptions.

Yazfi enables reflection automatically if you enable one way or two way access. One way may, though admittedly OP is using things a bit differently to how i implemented things. Yazfi assumes the main LAN wants access to the guest. What could be simplest in this case is to enable 1 way access so reflector is enabled (one way means LAN can initiate a connection to guest and it can reply, guest cannot initiate a new connection) and then add a user script for YazFi to allow the guest to make a new connection only to the smart TV. I'll have to double check the user script directory for YazFi when I'm on my computer and not on my phone, will update post later

 

[Granny]

Yazfi enables reflection automatically if you enable one way or two way access. One way may, though admittedly OP is using things a bit differently to how i implemented things. Yazfi assumes the main LAN wants access to the guest. What could be simplest in this case is to enable 1 way access so reflector is enabled (one way means LAN can initiate a connection to guest and it can reply, guest cannot initiate a new connection) and then add a user script for YazFi to allow the guest to make a new connection only to the smart TV. I'll have to double check the user script directory for YazFi when I'm on my computer and not on my phone, will update post later

Thank you so much!

So if I understand correctly, if I enable the "1 way access" - it would allow my TV to broadcast it's capabilities to the guest network, and the guest user would see the TV on cast-able options on YouTube app.. but just would be able to connect to it (because he cannot initiate requests)
Once I'll enable that user script (could you please tell me what should be in that user script? ) so the guest user would be able to also connect to the TV only?

Also, off-topic question..
As I have GNET1 and GNET2 with YazFi... I don't see the clients that connected to these networks on the Network Map -> Client List

I do see them if i'm going to System Log -> Wireless Log

Is that by design?

Thank you very much.

 

[Granny]

Yazfi enables reflection automatically if you enable one way or two way access. One way may, though admittedly OP is using things a bit differently to how i implemented things. Yazfi assumes the main LAN wants access to the guest. What could be simplest in this case is to enable 1 way access so reflector is enabled (one way means LAN can initiate a connection to guest and it can reply, guest cannot initiate a new connection) and then add a user script for YazFi to allow the guest to make a new connection only to the smart TV. I'll have to double check the user script directory for YazFi when I'm on my computer and not on my phone, will update post later

Also, when you say LAN - you mean only devices connected to the LAN ports? or also devices that are connected to the private WIFI network are considered as LAN?

Most places online I read that LAN is considered only the devices connected to the LAN ports..
My TV is connected via WIFI (on the private network)

 

[Jack Yaz]

Also, when you say LAN - you mean only devices connected to the LAN ports? or also devices that are connected to the private WIFI network are considered as LAN?

Most places online I read that LAN is considered only the devices connected to the LAN ports..
My TV is connected via WIFI (on the private network)

I'm including private WiFi in my definition of LAN

 

[Jack Yaz]

Thank you so much!

So if I understand correctly, if I enable the "1 way access" - it would allow my TV to broadcast it's capabilities to the guest network, and the guest user would see the TV on cast-able options on YouTube app.. but just would be able to connect to it (because he cannot initiate requests)
Once I'll enable that user script (could you please tell me what should be in that user script? ) so the guest user would be able to also connect to the TV only?

I've added some info to the README on the YazFi forum post, README on Github to be updated soon.

Can I add my own firewall rules?
Yes. YazFi supports calling custom scripts after setting up the guest network. To use a user script, create your script file the appropriate directory with a .sh extension. e.g.

/jffs/addons/YazFi.d/userscripts.d/myscript.sh

Remember to make it executable with

chmod +x /jffs/addons/YazFi.d/userscripts.d/myscript.sh

An example script to allow a guest on 2.4GHz guest 1 to talk to a specific IP address on the LAN:

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.50 -j ACCEPT

The above will work if "One way" access to the guest enabled. With no access enabled, the script would be:

#!/bin/sh
iptables -I YazFiFORWARD -i wl0.1 -o br0 -d 192.168.1.50 -j ACCEPT
iptables -I YazFiFORWARD -i br0 -o wl0.1 -s 192.168.1.50 -j ACCEPT

Also, off-topic question..
As I have GNET1 and GNET2 with YazFi... I don't see the clients that connected to these networks on the Network Map -> Client List
I do see them if i'm going to System Log -> Wireless Log
Is that by design?
Thank you very much.

Network map is hardcoded by Asus to only look at the primary subnet, unfortunately it isn't possible to list YazFi guests there. You can check in the Wireless Log as you do now, or using option 2 in the YazFi CLI menu. (GUI list is on the feature request list)

 

[Granny]

Thank you for your feedback,

I did it the way you suggested

with my phone i'm connected to

I created this allow_gnet_tv.sh script that contains:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d {IP_TV} -j ACCEPT


But it doens't work..
On my phone I still do not see the TV as an option to cast.. my TV is a samsung tv (so it's running TIZEN OS - i'm trying to cast to the built-in YouTube/Netflix apps), I don't know if that matters.

When I'm connected to the normal/private WIFI SSID - it works fine

 

[bennor]

with my phone i'm connected to
View attachment 29921

I created this allow_gnet_tv.sh script that contains:
#!/bin/sh
iptables -I YazFiFORWARD -i wl0.2 -o br0 -d {IP_TV} -j ACCEPT


But it doens't work..
On my phone I still do not see the TV as an option to cast.. my TV is a samsung tv (so it's running TIZEN OS - i'm trying to cast to the built-in YouTube/Netflix apps), I don't know if that matters.

When I'm connected to the normal/private WIFI SSID - it works fine

As a troubleshooting step, disable (set to No) Client Isolation and see if the issue persists.

 

[Granny]

As a troubleshooting step, disable (set to No) Client Isolation and see if the issue persists.

UPDATE:

Tried to disable isolation (set to No) - phone on GNET still cannot see the TV...
BUT client on GNET can see the chromecast that is connected to the TV after adding

iptables -I YazFiFORWARD -i wl0.2 -o br0 -d {IP_CHROMECAST} -j ACCEPT

I could use that feature just with the ChromeCast (so guest could cast to it), just find it weird that the TV is still not visible... maybe Samsung doing it differently in TIZEN?

I can also ping from client on GNET to the CHROMECAST IP and getting response..
And weird enough - i can also ping from GNET to the TV IP and also get response... so there is communication from GNET to TV in LAN... but mdns doesn't show the TV as cast-able...

Thank you!

 

[Jack Yaz]

UPDATE:

Tried to disable isolation (set to No) - phone on GNET still cannot see the TV...
BUT client on GNET can see the chromecast that is connected to the TV after adding

iptables -I YazFiFORWARD -i wl0.2 -o br0 -d {IP_CHROMECAST} -j ACCEPT

I could use that feature just with the ChromeCast (so guest could cast to it), just find it weird that the TV is still not visible... maybe Samsung doing it differently in TIZEN?

I can also ping from client on GNET to the CHROMECAST IP and getting response..
And weird enough - i can also ping from GNET to the TV IP and also get response... so there is communication from GNET to TV in LAN... but mdns doesn't show the TV as cast-able...

Thank you!

Can you check that avahi.conf shows reflector as active? I believe it's in /etc

 

[Granny]

Can you check that avahi.conf shows reflector as active? I believe it's in /etc

I cant find avahi.conf under /etc
But I found 'avahi-daemon.conf' under /usr/tmp/avahi with:

[reflector]
enable-reflector=yes