Guest wifi network - manage devices from the LAN

Carlos M.

Regular Contributor
Hi,

I built a guest wifi network just for IP cameras. My idea is to add the cameras to the Parental control and block the traffic to internet. This works fine at the moment. The other desire is to block the access from this guest network to the LAN. Works perfect as well. The problem happens when I need to manage the GUI interface at the port 80 from my LAN. If I try to reach a camera from a laptop in my LAN, I can't access the IP camera GUI.

Any idea about how can I bypass the restriction from my LAN?

Thanks in advance.
 
Hi, how can I bypass it?
What you're suggesting is not really the purpose of a Guest network. After all, a Guest network is for computers you don't trust. However, this will show you how. Judicious use of ARP broadcast and ARP reply is what you need. No need to flood the network with unnecessary ARP traffic or create security holes, so we purposely specify every interface and device argument in the ebtables rules. Example:

/jffs/scripts/firewall-start
Code:
#!/bin/sh
# Allow ARP broadcast from a specific IP address on the 2.4GHz Primary Wi-Fi interface to all devices on the 2.4GHz Guest Wi-Fi interface
/usr/sbin/ebtables -t filter -I FORWARD -i eth1 -o wl0.1 -p ARP --arp-ip-src 192.168.1.111 -d ff:ff:ff:ff:ff:ff -j ACCEPT

# Allow ARP reply from a specific MAC address on the 2.4GHz Guest Wi-Fi interface to a specific IP address on the 2.4GHz Primary Wi-Fi interface
/usr/sbin/ebtables -t filter -I FORWARD -i wl0.1 -o eth1 -p ARP -s 00:35:5A:12:13:14 --arp-ip-dst 192.168.1.111 -j ACCEPT
  • vlan1 is the Ethernet LAN Ports interface
  • eth1 is the 2.4GHz Primary Wi-Fi interface
  • eth2 is the 5GHz Primary Wi-Fi interface
  • wl0.1 is the 2.4GHz Guest #1 Wi-Fi interface
  • wl1.1 is the 5GHz Guest #1 Wi-Fi interface
  • wl0.2 is the 2.4GHz Guest #2 Wi-Fi interface
  • wl1.2 is the 5GHz Guest #2 Wi-Fi interface
  • wl0.3 is the 2.4GHz Guest #3 Wi-Fi interface
  • wl1.3 is the 5GHz Guest #3 Wi-Fi interface
  • eth0 is the WAN interface
  • 192.168.1.111 is the IP address of your computer
  • 00:35:5A:12:13:14 is the MAC address of your IP camera
  • ff:ff:ff:ff:ff:ff is for broadcasting to all devices on an interface
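
The same pair of rules extended to several cameras, as an added example that is not part of the original post: one ARP broadcast rule for the admin computer and one ARP reply rule per camera, with the IP and every MAC validated first so a mistyped value cannot produce a broader rule. The function names and the second camera MAC are constructed for illustration; the interfaces and the first addresses are the ones used in the answer.

```shell
#!/bin/sh
# Added example: build the ebtables rules from the answer for several cameras.
# It only prints the commands; nothing is applied until you run the output.
LAN_IF=eth1      # 2.4GHz Primary Wi-Fi interface (from the answer)
GUEST_IF=wl0.1   # 2.4GHz Guest #1 Wi-Fi interface (from the answer)
EBT=/usr/sbin/ebtables

# Accept only six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Accept only a dotted quad whose octets are all <= 255.
valid_ip() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into four octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# guest_arp_rules ADMIN_IP CAMERA_MAC...
# Every argument is checked before any rule is printed, so a bad entry
# yields no partial rule set.
guest_arp_rules() {
    admin_ip=$1
    [ $# -ge 2 ] || { echo "usage: guest_arp_rules ADMIN_IP CAMERA_MAC..." >&2; return 1; }
    shift
    valid_ip "$admin_ip" || { echo "invalid admin IP: $admin_ip" >&2; return 1; }
    for mac in "$@"; do
        valid_mac "$mac" || { echo "invalid camera MAC: $mac" >&2; return 1; }
    done
    # ARP broadcast from the admin computer into the guest interface (once)
    echo "$EBT -t filter -I FORWARD -i $LAN_IF -o $GUEST_IF -p ARP --arp-ip-src $admin_ip -d ff:ff:ff:ff:ff:ff -j ACCEPT"
    # ARP reply from each listed camera back to the admin computer only
    for mac in "$@"; do
        echo "$EBT -t filter -I FORWARD -i $GUEST_IF -o $LAN_IF -p ARP -s $mac --arp-ip-dst $admin_ip -j ACCEPT"
    done
}

# Constructed sample: the answer's camera plus a second, made-up camera MAC.
guest_arp_rules 192.168.1.111 00:35:5A:12:13:14 00:35:5A:12:13:15
```

Review the printed lines, then paste them into /jffs/scripts/firewall-start in place of the single-camera rules.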



 
Wow, sounds great... and complex for me :( I'll try to add the script with the adapted code inside but... what do you mean by "is not really the purpose of a Guest network"? I had this solved with Tomato and the virtual wifi networks so... I thought it could be the same function.
If I put all the cameras together into the same network I'll have the control of these devices under "one button" and switch off the wifi or the internet access remotely if I need it.
 
I was just saying that you're not really supposed to be doing it. However, I think you have a good enough reason to do it, and I think you're on the right track.
 
