How to allow "intranet" nodes access to Guest Wifi (1) subnet without YazFi?


ez12a

New Around Here
Hey All, came from an AC68 with YazFi working pretty well, to an XT8 setup hoping to extend my IOT network further to my detached garage without the use of 3rd party extenders. I've read YazFi is not supported (nor actively developed) on AiMesh, so I've resorted to running my "IOT" guest network without YazFi.

Previously, my Home Assistant instance ran in my intranet subnet and could connect to devices in the YazFi guest network (2) with one way enabled. I'm not sure how to achieve the same functionality however on XT8s using Guest Network (1) with the network synced to AiMesh.

Any tips? I've played with iptables before on client devices but never within a router/Asus.

TL;DR: how to get 192.168.1.0/24 ("intranet") talking to 192.168.101.0/24 (Guest Network 1) similar to YazFi's "one-way" option?

BTW, running gnuton's Merlin build on both nodes.
Decided to just forget the split IOT wifi setup and just turned on the AiProtect IDS. We'll see if it works should my IOT stuff go crazy.

If you leave "access intranet" enabled they will be able to access it (it works in both directions); of course that kind of defeats the purpose.

You can block intranet access then write a script with IPTABLES or possibly EBTABLES rules (not sure which your router uses) to permit only what you want to get through.
Thanks, I took another stab at setting intranet access to off and dumped what hopefully would be useful iptables, ebtables, etc. output.

Turned the intranet access back to on and also dumped the same information.

I managed to get ping working from intranet to guest network, but I can't figure out how to actually open ports/traffic to the guest network, even after flushing iptables and setting INPUT and FORWARD to policy ACCEPT.

From what I understand, br0 is the "intranet" and br1 contains the guest wifi #1 wl0.1 interface.

With intranet access set to off, ping started working after running:
Code:
# Let the LAN bridge (br0) initiate connections into the guest bridge (br1)
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
# Allow only replies to those connections back from guest to LAN
iptables -I FORWARD 2 -i br1 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Source-NAT LAN-originated traffic so guest devices see the router's br1 address
iptables -t nat -A POSTROUTING -o br1 -s 192.168.1.0/24 -d 192.168.101.0/24 -j MASQUERADE
 

Attachments

  • Intranet Access Off.txt
  • Intranet Access On.txt
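As an added example (not the poster's rules, and not Asus or Merlin firmware code), here is the same one-way allow written as a small POSIX shell script of the kind the earlier reply suggests. It assumes the names given in the thread (br0 = intranet, br1 = Guest Network 1, the two /24 subnets); the idea of running it from a firmware user hook such as /jffs/scripts/firewall-start, and the single Home Assistant source address 192.168.1.50, are assumptions and constructed values. Compared with the three commands above it adds an explicit DROP for any new guest-to-LAN connection so that "one way" does not depend on the chain policy, lets you narrow the initiating side to one LAN host, and checks each rule with -C before inserting so rerunning the script does not pile up duplicates.

```shell
#!/bin/sh
# One-way LAN -> Guest Network 1 forwarding for an Asus-style router.
# Added example; not the firmware's own rules. Interface names and subnets
# are the ones given in the thread: br0 = "intranet", br1 = guest wifi 1.
LAN_IF="${LAN_IF:-br0}"
GUEST_IF="${GUEST_IF:-br1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
GUEST_NET="${GUEST_NET:-192.168.101.0/24}"
# Which LAN hosts may initiate connections into the guest subnet. Default is
# the whole LAN; set LAN_SRC=192.168.1.50 (constructed value) to limit it to
# e.g. a single Home Assistant box.
LAN_SRC="${LAN_SRC:-$LAN_NET}"

# Emit the FORWARD rule specs in the order they must appear at the top of the
# chain. Each line is a complete rule specification minus the "iptables" word.
one_way_rules() {
    # 1. Replies to LAN-initiated connections may come back from the guest side.
    echo "FORWARD -i $GUEST_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. Chosen LAN hosts may open new connections into the guest subnet.
    echo "FORWARD -i $LAN_IF -o $GUEST_IF -s $LAN_SRC -d $GUEST_NET -j ACCEPT"
    # 3. Anything else from guest to LAN is dropped explicitly, so the result
    #    does not depend on the chain policy or on rules the firmware adds later.
    echo "FORWARD -i $GUEST_IF -o $LAN_IF -j DROP"
}

# Optional SNAT (the thread's MASQUERADE rule): guest devices then see the
# router's own guest-side address instead of a foreign 192.168.1.x source,
# which helps devices that ignore traffic from other subnets.
nat_rules() {
    echo "POSTROUTING -o $GUEST_IF -s $LAN_SRC -d $GUEST_NET -j MASQUERADE"
}

# Apply idempotently: -C asks whether the rule already exists and only then do
# we insert. FORWARD rules are inserted in reverse order because each -I lands
# at position 1, so the final order matches one_way_rules.
apply_rules() {
    one_way_rules | sed '1!G;h;$!d' | while IFS= read -r spec; do
        # shellcheck disable=SC2086  # word splitting of $spec is intended
        iptables -C $spec 2>/dev/null || iptables -I $spec
    done
    nat_rules | while IFS= read -r spec; do
        # shellcheck disable=SC2086
        iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec
    done
}

# "apply" installs the rules (needs root on the router); any other invocation
# just prints what would be installed, which is handy for review.
if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    one_way_rules
    nat_rules
fi
```

Run it without arguments first to review the generated rules, then with `apply` on the router. Afterwards `iptables -L FORWARD -nv --line-numbers` should show the three rules above the firmware's own, and `ebtables -t broute -L` shows the BROUTING chain discussed in this thread, which is worth reading before blaming iptables if guest traffic still does not arrive.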
Look at the ebtables brouting output; that seems to be where access intranet restrictions are put in place from your outputs. I didn't look too deep at your iptables outputs, but you need to let it through ebtables brouting before it will hit iptables as far as I know.

Keep in mind their implementation is totally different for GW1 than it is for GW2 and 3. But if you're using aimesh, the GW1 is the one to use.