My setup: Asus RT-N66U
Ethernet ports, Private 2.4 GHz, Private 5 GHz, Guest 2.4 GHz, Guest 5 GHz, Shared devices 2.4 GHz
My setup as of now is:
Ethernet ports (vlan1): NAS/MediaPC/Home automation box
Private 2.4 GHz & 5 GHz (eth1 & eth2) - just my WiFi devices
Guest 2.4 & 5 GHz (wl0.1 & wl1.1) - for guest WiFi
Shared devices 2.4 GHz (wl0.2): Printer/Sonos speakers/ChromeCast
The system is set up to block guests from vlan1, eth1 and eth2, while giving them access to wl0.2. Both private and guest clients can connect to all the shared devices. This works perfectly, no problem.
Code:
Bridge chain: FORWARD, entries: 12, policy: ACCEPT
-i wl1.1 -o vlan1 -j DROP
-i vlan1 -o wl1.1 -j DROP
-i wl1.1 -o eth2 -j DROP
-i eth2 -o wl1.1 -j DROP
-i wl1.1 -o eth1 -j DROP
-i eth1 -o wl1.1 -j DROP
-i wl0.1 -o vlan1 -j DROP
-i vlan1 -o wl0.1 -j DROP
-i wl0.1 -o eth2 -j DROP
-i eth2 -o wl0.1 -j DROP
-i wl0.1 -o eth1 -j DROP
-i eth1 -o wl0.1 -j DROP
However, I wanted to make it even more secure. I just want to allow the necessary IPs, ports and protocols for the shared devices on the shared network.
To test this I logged into Guest 2.4 GHz (wl0.1) and did:
Code:
ebtables -F   # flushes every chain of the filter table, including the 12 guest-isolation DROP rules listed above
ebtables -t filter -I FORWARD -i wl0.2 -o wl0.1 -j DROP   # -I inserts at position 1, so each later rule lands above this one
ebtables -t filter -I FORWARD -o wl0.2 -i wl0.1 -j DROP
ebtables -t filter -I FORWARD -s MAC-OF-PRINTER -i wl0.2 -o wl0.1 -p IPv4 -j ACCEPT   # IPv4 frames whose source MAC is the printer
ebtables -t filter -I FORWARD -d MAC-OF-PRINTER -o wl0.2 -i wl0.1 -p IPv4 -j ACCEPT   # IPv4 frames whose destination MAC is the printer's unicast address; broadcast/multicast frames do not match this
ebtables -t filter -I FORWARD -i wl0.2 -o wl0.1 -p ARP -j ACCEPT
ebtables -t filter -I FORWARD -o wl0.2 -i wl0.1 -p ARP -j ACCEPT   # resulting chain order: ARP ACCEPTs, printer IPv4 ACCEPTs, then the two DROPs
I saw all of the devices in my shared-devices network (via the Fing app), but I could not connect to the printer via the iPrint app. I am allowing ALL ARP requests between the interfaces, and allowing ALL IPv4 protocols to and from the printer, yet it won't connect.
I then tried this:
Code:
ebtables -t filter -I FORWARD -i wl0.2 -o wl0.1 -p IPv4 -j ACCEPT   # any IPv4 frame between the two interfaces, regardless of MAC, inserted above the MAC-specific rules
ebtables -t filter -I FORWARD -o wl0.2 -i wl0.1 -p IPv4 -j ACCEPT
It worked when I opened up the IPv4 protocol across the interfaces, so to me it looks like device IP forwarding to/from a certain destination doesn't seem to work, or am I missing something here? I tried with --ip-dst and --ip-src as well. Didn't help.
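What a tightened guest-to-shared rule set can look like, as an added example that is not code from the post above. It rebuilds the bridge FORWARD chain with -A so the order in the script is the order ebtables evaluates (the post's -I commands end up in reverse order, and its bare `ebtables -F` also wipes the twelve isolation rules), keeps guest-to-private isolation, and permits only ARP, mDNS discovery and two print ports toward the printer. Two things it handles that a plain `-d MAC-OF-PRINTER` rule does not: frames sent to the mDNS group 224.0.0.251 carry the group MAC 01:00:5e:00:00:fb (and broadcast discovery carries ff:ff:ff:ff:ff:ff), so they never match the printer's unicast MAC; and ebtables keeps no connection state, so the printer's replies need their own rule. Assumptions not taken from the post: the printer speaks IPP on TCP 631 and raw printing on TCP 9100, the app discovers it via mDNS on UDP 5353, the router's ebtables build has the ip match (`--ip-proto`, `--ip-dport`, `--ip-sport`, `--ip-dst`) and the `Multicast` address keyword, and PRINTER_MAC is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Rebuilds the bridge FORWARD chain
# for guest <-> shared-devices traffic with explicit ordering (-A).
# Assumptions: interface names as in the post; PRINTER_MAC is a placeholder;
# printer uses IPP (tcp/631) and raw printing (tcp/9100); discovery is mDNS
# (udp/5353); the ebtables build has the ip match and the Multicast keyword.

EBTABLES="${EBTABLES:-ebtables}"      # set EBTABLES=echo to print instead of apply
GUEST_IFS="wl0.1 wl1.1"
PRIVATE_IFS="vlan1 eth1 eth2"
SHARED_IF="wl0.2"
PRINTER_MAC="${PRINTER_MAC:-00:11:22:33:44:55}"   # placeholder, replace with the real MAC
PRINTER_TCP_PORTS="631 9100"
MDNS_GROUP="224.0.0.251"

# Every rule is appended, so the order below is the order ebtables evaluates.
rule() { "$EBTABLES" -t filter -A FORWARD "$@"; }

apply_rules() {
  "$EBTABLES" -t filter -F FORWARD
  # 1. Guest isolation from the private segments, both directions (the same
  #    12 rules the post listed, re-added because the chain was just flushed).
  for g in $GUEST_IFS; do
    for p in $PRIVATE_IFS; do
      rule -i "$g" -o "$p" -j DROP
      rule -i "$p" -o "$g" -j DROP
    done
  done
  for g in $GUEST_IFS; do
    # 2. ARP, so guests can resolve shared-device IPs.
    rule -i "$g" -o "$SHARED_IF" -p ARP -j ACCEPT
    rule -i "$SHARED_IF" -o "$g" -p ARP -j ACCEPT
    # 3. mDNS discovery. Queries and announcements are addressed to the
    #    224.0.0.251 group MAC, not to the printer's MAC, so a "-d PRINTER_MAC"
    #    rule never sees them. Guest -> shared: any client may query; shared ->
    #    guest: only the printer may answer, to the group or unicast.
    rule -i "$g" -o "$SHARED_IF" -d Multicast -p IPv4 --ip-dst "$MDNS_GROUP" --ip-proto udp --ip-dport 5353 -j ACCEPT
    rule -i "$SHARED_IF" -o "$g" -s "$PRINTER_MAC" -d Multicast -p IPv4 --ip-dst "$MDNS_GROUP" --ip-proto udp --ip-dport 5353 -j ACCEPT
    rule -i "$SHARED_IF" -o "$g" -s "$PRINTER_MAC" -p IPv4 --ip-proto udp --ip-sport 5353 -j ACCEPT
    # 4. Print jobs to the printer's unicast MAC on the listed ports, plus the
    #    replies. ebtables is stateless, so the return direction has to be
    #    allowed explicitly, keyed on the printer's source port.
    for port in $PRINTER_TCP_PORTS; do
      rule -i "$g" -o "$SHARED_IF" -d "$PRINTER_MAC" -p IPv4 --ip-proto tcp --ip-dport "$port" -j ACCEPT
      rule -i "$SHARED_IF" -o "$g" -s "$PRINTER_MAC" -p IPv4 --ip-proto tcp --ip-sport "$port" -j ACCEPT
    done
    # 5. Everything else between this guest interface and the shared segment
    #    is dropped. Appended last, so the ACCEPTs above win.
    rule -i "$g" -o "$SHARED_IF" -j DROP
    rule -i "$SHARED_IF" -o "$g" -j DROP
  done
}

case "${1:-}" in
  apply)   apply_rules ;;
  dry-run) EBTABLES=echo; apply_rules ;;
  *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run it as `sh guest-shared.sh dry-run` first and read the 35 lines it prints; `ebtables -L` after `apply` should show the same order. Two caveats: the script flushes and replaces the whole FORWARD chain, so it must be re-run from whatever boot hook the firmware offers or the isolation is gone after a reboot; and MAC-based rules limit what a guest can reach, not who, since any guest client that learns the printer's MAC (an ARP scan shows it) can spoof it. Extend the port list for the Sonos and Chromecast devices the same way once their required ports are known; until then they stay unreachable from the guest side.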