I have my IOT devices isolated on a VLAN using YazFi. Client isolation is ON for this network.
On occasion, I will encounter a device that requires client isolation to be turned off when adding it. I believe it's because the device needs direct access to the phone app and vice versa.
I could turn off client isolation, add the device, and then turn it back on.
But can I accomplish something similar via a custom firewall rule?
github.com
Can I use rules to open up my phone only, on the IOT wifi, to access any other IOT device on the same client isolated network? And vice versa, allow any IOT device to access my phone's IP address?
Or, less broad, open up 2 way contact between my phone and 1 other single address on the IOT wifi?
I've done this across VLANs to great effect. But my attempts to do this with firewall rules within the IOT VLAN don't seem to work. I wonder if the client isolation setting supersedes some custom firewall commands, or (probably more likely) if I'm just not configuring the IPtable line correctly.
Some sample lines I've tried, with wl0.2 the IOT wifi VLAN and 192.168.3.144 the phone's IP address:
iptables -I YazFiFORWARD -i wl0.2 -o wl0.2 -s 192.168.3.144 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o wl0.2 -d 192.168.3.144 -j ACCEPT
On occasion, I will encounter a device that requires client isolation to be turned off when adding it. I believe it's because the device needs direct access to the phone app and vice versa.
I could turn off client isolation, add the device, and then turn it back on.
But can I accomplish something similar via a custom firewall rule?
GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!
Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi
github.com
Can I use rules to open up my phone only, on the IOT wifi, to access any other IOT device on the same client isolated network? And vice versa, allow any IOT device to access my phone's IP address?
Or, less broad, open up 2 way contact between my phone and 1 other single address on the IOT wifi?
I've done this across VLANs to great effect. But my attempts to do this with firewall rules within the IOT VLAN don't seem to work. I wonder if the client isolation setting supersedes some custom firewall commands, or (probably more likely) if I'm just not configuring the IPtable line correctly.
Some sample lines I've tried, with wl0.2 the IOT wifi VLAN and 192.168.3.144 the phone's IP address:
iptables -I YazFiFORWARD -i wl0.2 -o wl0.2 -s 192.168.3.144 -j ACCEPT
iptables -I YazFiFORWARD -i wl0.2 -o wl0.2 -d 192.168.3.144 -j ACCEPT
