Lan to Guest

[palito]

Hello,

i have search for days, but i do not understand where my problem is on a RT-AC88U with 386.14_2 firmware,
My setup is simple, after factory reset, i only do this setup : (with Wan unplug)
Set language to english, Enable ssh, Set router ip to 192.168.2.1 and enable wifi 2hgz guest (Access Intranet disable)

After a reboot if i try to ping from lan 192.168.2.x to wifi 2hgz guest 192.168.101.x it do not work
but if i add this rule, it's ok : iptables -I FORWARD -i br0 -o br1 -s 192.168.2.10 -j ACCEPT

after that if i plug wan cable it do not work anymore, even after reboot, even after add the rule again

Any advise ?

 

[bennor]

If you want main LAN clients to access Guest WiFi clients then try using YazFi. You can setup one-way to Guest within the YazFi GUI which should accomplish the same as your IPTables rule.

YazFi - YazFi v4.x

v4.4.4 Updated 2023-11-26 Feature expansion of guest WiFi networks on AsusWRT-Merlin, including, but not limited to: * Dedicated VPN WiFi networks * Separate subnets for organisation of devices * Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS * Allow guest networks...

www.snbforums.com

GitHub - jackyaz/YazFi: Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more!

Feature expansion of guest WiFi networks on AsusWRT-Merlin, including SSID -> VPN, separate subnets per guest network, pinhole access to LAN resources (e.g. DNS) and more! - jackyaz/YazFi

github.com

wl01_ONEWAYTOGUEST​

Should LAN be able to initiate connections to Guest Network clients (but not the opposite)? (true/false) Cannot be enabled if _TWOWAYTOGUEST is enabled

 

[palito]

Sorry, i should have add this to the post, but as YazFi cannot work with aimesh, i cannot use it, as i have nodes involved
i almost succeeded to enable lan to guest adding the iptable rules
my problem is that as long as i connect wan, it do not work anymore

 

[octopus]

Hello,

i have search for days, but i do not understand where my problem is on a RT-AC88U with 386.14_2 firmware,
My setup is simple, after factory reset, i only do this setup : (with Wan unplug)
Set language to english, Enable ssh, Set router ip to 192.168.2.1 and enable wifi 2hgz guest (Access Intranet disable)

After a reboot if i try to ping from lan 192.168.2.x to wifi 2hgz guest 192.168.101.x it do not work
but if i add this rule, it's ok : iptables -I FORWARD -i br0 -o br1 -s 192.168.2.10 -j ACCEPT

after that if i plug wan cable it do not work anymore, even after reboot, even after add the rule again

Any advise ?

Move to GN2 then you are on same net as main.
GN1 is on other net, used with Aimesh.

 

[palito]

i don't want to be on the main network
i want to use Guest Wifi for IOT devices, so on 192.168.101.x network (Access Intranet disable)
but i also want to acces them from LAN 192.168.2.x
An before plug wan port i can do it by adding this rule iptables -I FORWARD -i br0 -o br1 -s 192.168.2.10 -j ACCEPT
but after i plug wan port, it do not work anymore

 

[octopus]

i don't want to be on the main network
i want to use Guest Wifi for IOT devices, so on 192.168.101.x network (Access Intranet disable)
but i also want to acces them from LAN 192.168.2.x
An before plug wan port i can do it by adding this rule iptables -I FORWARD -i br0 -o br1 -s 192.168.2.10 -j ACCEPT
but after i plug wan port, it do not work anymore

You can put your script in a firewall-start script which persists a reboot.

User scripts

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

 

[palito]

it's not a problem about persisting to a reboot
even if i reboot and add the rule again, it do not work
after wan is plugged , it do not work anymore

 

[octopus]

it's not a problem about persisting to a reboot
even if i reboot and add the rule again, it do not work
after wan is plugged , it do not work anymore

Have you tried wan-event or wan-start script ? Read more on user script wiki.

 

[palito]

for now, i don't need scripts, i don't care if it do not persists to a reboot

i need the rule or other command to make this work (enable Lan to Guest )
i will automate this after i succeeded to make it work

 

[palito]

i even try to flush all iptables rules and then accept all :
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

but after wan is pluged still the same issue,
i cannot ping 192.168.101.x network (Access Intranet disable) from Lan
it do not work

 

[octopus]

i even try to flush all iptables rules and then accept all :
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

but after wan is pluged still the same issue,
i cannot ping 192.168.101.x network (Access Intranet disable) from Lan
it do not work

Do you get anything with this comand?
ebtables -t broute -L BROUTING --Lx --Lc

 

[palito]

i get this :

ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT -c 0 0
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP -c 0 0
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.2.0/24 --ip-proto icmp -j DROP -c 0 0
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP -c 0 0
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.2.0/24 --ip-proto tcp -j DROP -c 0 0

 

[octopus]

Run this se if you can ping, 192.168.2.10

ebtables -t broute -D BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.2.0/24 --ip-proto tcp -j DROP -c 0 0

This removing that rule.

 

[palito]

thanks a lot, i was not aware of ebtables

i sitll don't understand why before plug wan port it works with adding an iptables rule only

but after plug wan port i have to do some change on ebtables