how can i make a hole in guest isolation on asuswrt-merlin on ac66u?

donbowman

Occasional Visitor
I have this printer wifi widget (TP-LINK TL-WPS5510U) that doesn't support WPA2 AES (only TKIP). And the
No problem, I'll just put it on the guest network, that's Open anyway.
However, now I cannot print from the non-guest hosts; the isolation is both ways (e.g. the guest network cannot be reached from non-guest hosts).

I tried a bunch of ideas:
1. iptables DNAT/SNAT redirect:
iptables -t nat -A PREROUTING -p tcp --dport 9100 --dst 172.16.0.1 -j DNAT --to 172.16.0.222:9100
iptables -t nat -A POSTROUTING -p tcp --src 172.16.0.222 --sport 9100 -j SNAT --to-source 172.16.0.1

but that didn't work (I'm not sure why... the router (.0.1) can reach the printer).

2. Installed 'entware' and ncat, ran:
ncat -l 9100 -k --sh-exec "/opt/bin/ncat 172.16.0.222 9100"
(after killing lpd).

but that didn't work. I'm not sure why, it does connect, data flows, but the printer doesn't seem happy with the stream, and ultimately doesn't print.

I've been using this widget+printer for the last few years on my previous router (which supported WPA2-TKIP, so I didn't bother with using it on the guest network).

What I'd really prefer is some way to allow non-guest hosts to reach the guest network but not vice versa (I'm OK with guests being able to print, who cares).

I can't figure out how the guest isolation is done; it doesn't seem to be an iptables rule, and the guest network seems to be on the same bridge (br0) and VLAN.

So, questions...

a) how is the guest isolation achieved?
b) how can I allow non-guest hosts to reach a certain TCP port on the guest network device?
c) any other suggestions on how to make this work?
 
Have you tried simply setting the "Access Intranet" option to "on" when setting up the Guest network? In theory that's all you should need.
 

Ah, I should have mentioned. I don't want the guests to access the intranet. I'd rather have the printer in the intranet, but can't make that work.

So I'd like the intranet to access guests (like it does the internet), guests to access the internet, but guests to not access the intranet.

I added these lines to /jffs/scripts/services-start, and it works as desired. This one device (by MAC) is pinholed through the guest<->Intranet isolation.

PRINTER=74:EA:3A:F0:1C:37

# Need to allow ARP, ICMP, TCP(9100)
# -I inserts each rule at the top of FORWARD, ahead of the DROP rules the
# firmware adds when "Access Intranet" is off. wl0.1 is the guest SSID,
# eth0 the WAN port.
# ARP in both directions between the guest SSID and anything that is not the WAN port
ebtables -I FORWARD -o wl0.1 -i ! eth0 -p ARP -j ACCEPT
ebtables -I FORWARD -i wl0.1 -o ! eth0 -p ARP -j ACCEPT
# Any frame from the printer's MAC leaving the guest SSID toward the LAN side (covers ICMP and TCP 9100)
ebtables -I FORWARD -i wl0.1 -o ! eth0 -s $PRINTER -j ACCEPT
# Any frame addressed to the printer's MAC entering the guest SSID from the LAN side
ebtables -I FORWARD -o wl0.1 -i ! eth0 -d $PRINTER -j ACCEPT
 
Ah, I see...

when "Access Intranet" is disabled, these 2 *ebtables* rules come into being:
-i wl0.1 -o ! eth0 -j DROP
-i ! eth0 -o wl0.1 -j DROP

So if I add one that allows my port in question as an override, I should be good to go.
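As an added example, not code from this thread or from the Merlin firmware: a narrower version of the override that those two DROP rules leave room for. Rather than accepting every frame to or from the printer's MAC, it accepts only ARP tied to the printer's IP and TCP to and from port 9100, so a guest on the open SSID that spoofs the printer's MAC gets nothing beyond that. The interface names, printer MAC and IP, and port 9100 are taken from the thread; the variable names, the dry-run switch, and the assumption that the router's ebtables includes the ip and arp match extensions are mine.

```shell
#!/bin/sh
# Added example, not the thread's or the firmware's code: a narrow ebtables
# pinhole for a raw-port (TCP 9100) printer sitting on an isolated guest SSID.
# Values below are taken from the thread and are assumptions for this script;
# override any of them from the environment.
GUEST_IF="${GUEST_IF:-wl0.1}"                    # guest SSID bridge port
WAN_IF="${WAN_IF:-eth0}"                         # WAN port, excluded exactly as in the firmware's DROP rules
PRINTER_MAC="${PRINTER_MAC:-74:EA:3A:F0:1C:37}"
PRINTER_IP="${PRINTER_IP:-172.16.0.222}"
PRINTER_PORT="${PRINTER_PORT:-9100}"
EBTABLES="${EBTABLES:-ebtables}"                 # set to "echo" for a dry run

# Four rules, one per line. -I puts each at the top of FORWARD, above the two
# DROP rules added when "Access Intranet" is off, so these are evaluated first.
#   1. ARP from the LAN side may enter the guest SSID only if it concerns the
#      printer's IP (requests for it, and replies addressed to it).
#   2. ARP from the printer's MAC may leave the guest SSID only if it claims
#      the printer's IP, which ties the MAC and IP together.
#   3. IPv4 TCP to the printer's MAC, IP and port from the LAN side.
#   4. IPv4 TCP from the printer's MAC, IP and source port back to the LAN.
# ebtables is stateless, so the return direction is matched on the source
# port rather than on connection state. Requires the "ip" and "arp" match
# extensions (assumed present on the router's ebtables).
pinhole_rules() {
    cat <<EOF
-I FORWARD -o $GUEST_IF ! -i $WAN_IF -p ARP --arp-ip-dst $PRINTER_IP -j ACCEPT
-I FORWARD -i $GUEST_IF ! -o $WAN_IF -s $PRINTER_MAC -p ARP --arp-ip-src $PRINTER_IP -j ACCEPT
-I FORWARD -o $GUEST_IF ! -i $WAN_IF -d $PRINTER_MAC -p IPv4 --ip-dst $PRINTER_IP --ip-proto tcp --ip-dport $PRINTER_PORT -j ACCEPT
-I FORWARD -i $GUEST_IF ! -o $WAN_IF -s $PRINTER_MAC -p IPv4 --ip-src $PRINTER_IP --ip-proto tcp --ip-sport $PRINTER_PORT -j ACCEPT
EOF
}

# Feed each rule line to ebtables as an argument vector. With EBTABLES=echo
# this just prints the commands, which is the dry-run mode.
apply_pinhole() {
    pinhole_rules | while IFS= read -r rule; do
        # Intentional word splitting: the line becomes the argument list.
        set -- $rule
        "$EBTABLES" "$@" || exit 1
    done
}

# Only touch the bridge when asked to, so the file can be sourced safely.
if [ "${1:-}" = "apply" ]; then
    apply_pinhole
fi
```

Run it once at boot from /jffs/scripts/services-start as the thread does (`sh /jffs/scripts/printer-pinhole.sh apply`; the file name is assumed), or with `EBTABLES=echo` first to see the four rules without changing anything. ICMP is deliberately not opened, so ping from the LAN to the printer stays blocked; add a fifth rule for `--ip-proto icmp` if you want that for diagnostics. `! -i eth0` and the thread's `-i ! eth0` are both accepted by ebtables.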
 

Set up two separate Guest networks. One for the printer, without isolation enabled, and a separate one for "real" guests, with isolation enabled.
 