Guest network with access to Chromecast?

[Martineau]

@Martineau can you share the script you have made?

…... there isn't much documentation on this script as you haven't posted it officially?

I write scripts for personal use - the amount of time and effort to 'publish it officially' and adapt it to accommodate every weird user environment isn't something I need to expend, given the script provides ample help and examples for its intended original design usage.

The script probably won't fully address your non-standard requirements, but should show what commands are required to achieve your unique goal.

So I created the file "BlockWiFiClient.sh" in /jffs/scripts/ and did the chmod a+rx on it.

You should then be able to test the script interactively and also display its helpful syntax and examples.

From what I understand I should create another script in the same folder called "firewall-start".

And in this I should include:
"/jffs/scripts/BlockWiFiClient.sh 192.168.1.51 192.168.1.23 accept"

Is that correct?

Once you are satisfied with the interactive script testing, and have identified the appropriate parameters then yes you will need to use firewall-start to ensure your custom rules are applied during the boot process.

How do I block a range of IP adresses (192.168.1.51-192.168.1.254) from accessing a range of other IP's? 192.168.1.1-192.168.1.50

The script defaults to the following three psuedo rules (assuming .22 and .33 are the two LAN resources you wish to grant access to from the nominated client IP range)

Rule1 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.22   -j ACCEPT
Rule2 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.33   -j ACCEPT

Rule3 - BLOCK access from 192.168.1.51-192.168.1-254 to 192.168.1.0/24 -j DROP

so clearly Rule3 will need to be altered to

Rule3 - BLOCK access from 192.168.1.51-192.168.1-254 to 192.168.1.1-192.168.1.50 -j DROP

which unfortunately the script doesn't do.

Furthermore, as you require two non-contiguous CIDR IP ranges, Rules 1-3 will each need to be expanded into multiple CIDR rules.

EDIT: Having reviewed your unusual requirements, I suspect that a simplified bespoke BlockWiFiClient.sh script will be required.

 

[JoQ]

I write scripts for personal use - the amount of time and effort to 'publish it officially' and adapt it to accommodate every weird user environment isn't something I need to expend, given the script provides ample help and examples for its intended original design usage.

The script probably won't fully address your non-standard requirements, but should show what commands are required to achieve your unique goal.

You should then be able to test the script interactively and also display its helpful syntax and examples.

Once you are satisfied with the interactive script testing, and have identified the appropriate parameters then yes you will need to use firewall-start to ensure your custom rules are applied during the boot process.

The script defaults to the following three psuedo rules (assuming .22 and .33 are the two LAN resources you wish to grant access to from the nominated client IP range)

Rule1 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.22   -j ACCEPT
Rule2 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.33   -j ACCEPT
Rule3 - BLOCK access from 192.168.1.51-192.168.1-254 to 192.168.1.0/24 -j DROP

so clearly Rule3 will need to be altered to

Rule3 - BLOCK access from 192.168.1.51-192.168.1-254 to 192.168.1.1-192.168.1.50 -j DROP

which unfortunately the script cannot do.

Furthermore, as you require two non-contiguous CIDR IP ranges, Rules 1-3 will each need to be expanded into multiple CIDR rules.

EDIT: Having reviewed your unusual requirements, I suspect that a simplified bespoke BlockWiFiClient.sh script will be required.

But if I understand correctly:

Rule1 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.22   -j ACCEPT
Rule2 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.33   -j ACCEPT
Rule3 - BLOCK access from 192.168.1.51-192.168.1-254 to 192.168.1.0/24 -j DROP

Using this would mean that All devices in the range 192.168.1.51-192.168.1-254 will have access to the two IP's 192.168.1.22 and 192.168.1.33.
And it will also block access to everything else in the LAN? This is what I am looking for, I may not have been clear. Why I said to block access to 192.168.1.1-192.168.1.50 is because in this range the important devices are. But it doesn't matter if everything is blocked instead.

 

[Martineau]

But if I understand correctly:

Rule1 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.22   -j ACCEPT
Rule2 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.33   -j ACCEPT
Rule3 - BLOCK access from 192.168.1.51-192.168.1-254 to 192.168.1.0/24 -j DROP

Using this would mean that All devices in the range 192.168.1.51-192.168.1-254 will have access to the two IP's 192.168.1.22 and 192.168.1.33.
And it will also block access to everything else in the LAN? This is what I am looking for, I may not have been clear. Why I said to block access to 192.168.1.1-192.168.1.50 is because in this range the important devices are. But it doesn't matter if everything is blocked instead.

So you need to test the script to see if a single IP in your nominated range can access one of the two LAN resources yet is completely BLOCKED from the rest of the LAN

e.g. Allow a nominated WiFi device access to only the (wired) NAS on the LAN

cd /jffs/scripts/

./BlockWiFIClient.sh   Nexus-7   DS-416   accept

(BlockWiFiClient.sh): 10644 v1.04 WiFi Client LAN/WAN blocking.... [Nexus-7 DS-416 accept]

  hh:mm:ss  WiFi Client 10.88.8.155 (Nexus-7.Martineau.home) access to 10.88.8.197 (DS-416.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED

 

[Martineau]

Using this would mean that All devices in the range 192.168.1.51-192.168.1-254 will have access to the two IP's 192.168.1.22 and 192.168.1.33.....And it will also block access to everything else in the LAN?

This is what I am looking for

If it is now deemed acceptable to block the source IP range from ALL of the LAN (except for the two nominated LAN resources), then you will need to retrieve v1.05 of the script. (v1.04 doesn't support CIDR ranges)

i.e. IP Range 192.168.1.51-192.168.1.254 requires eleven discrete CIDR ranges

CIDR_RANGE=".51/32,.52/30,.56/29,.64/26,.128/26,.192/27,.224/28,.240/29,.248/30,.252/31,.254/32"

So instead of having three rules, you will need thirty-three rules.
However, rather than enter the CIDR ranges explicitly on each command invocation, the script already supports a config file.

Issue the following to create a persistent IP Group lookup config file

echo "RANGE51_254  192.168.1.51/32,192.168.1.52/30,192.168.1.56/29,192.168.1.64/26,192.168.1.128/26,192.168.1.192/27,192.168.1.224/28,192.168.1.240/29,192.168.1.248/30,192.168.1.252/31,192.168.1.254/32" >>/jffs/configs/IPGroups

Now if you run

./BlockWiFiClient.sh   RANGE51_254   192.168.1.22,192.168.1.33   accept

the CIDR rules will be created for the two LAN resources....

Spoiler: Example showing script v1.05 creating the CIDR rules

./BlockWiFiClient.sh   range51_254   10.88.8.131,10.88.8.132   accept

(BlockWiFiClient.sh): 8884 v1.05 WiFi Client LAN/WAN blocking.... [range51_254 10.88.8.131,10.88.8.132 accept]

  hh:mm:ss  WiFi Client 192.168.1.51 () access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.51 () access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.52/30 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.52/30 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.56/29 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.56/29 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.64/26 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.64/26 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.128/26 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.128/26 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.192/27 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.192/27 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.224/28 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.224/28 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.240/29 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.240/29 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.248/30 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.248/30 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.252/31 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.252/31 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.254 () access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.254 () access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED

NOTE: If you can isolate the nominated source IP range to a single CIDR
e.g.

# IP Range 192.168.1.128-192.168.1.255
CIDR_RANGE="192.168.1.128/25"

or

# IP Range 192.168.1.64-192.168.1.127
CIDR_RANGE="192.168.1.64/26"

then you reduce the number of physical rules back to three.
e.g. 2 explicit LAN resource rules and the (hidden) default LAN BLOCK rule for the CIDR.

./BlockWiFiClient.sh   192.168.1.128/25   10.88.8.131,10.88.8.132   accept

(BlockWiFiClient.sh): 7797 v1.05 WiFi Client LAN/WAN blocking.... [192.168.1.128/25 10.88.8.131,10.88.8.132 accept]

  hh:mm:ss  WiFi Client 192.168.1.128/25 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.128/25 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED