Need some help with my home network

The firewall rules I provided should prevent access to anything on the private network (br0) from the guest network (br1). So when you say the router or NAS is still accessible, are you referring to the AP? You would need additional firewall rules to limit the guest network's access to the AP itself.

The following limits guests to only DHCP, DNS, and ICMP (ping) on the AP.

Code:
iptables -I INPUT -i br1 -j REJECT
iptables -I INPUT -i br1 -p icmp -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

ICMP is obviously optional, but I like to offer it for diagnostic purposes. And you could eliminate DNS if you choose to configure the guests with public DNS servers (I usually do) in the DHCP/DNS custom config field.

Code:
dhcp-option=br1,option:dns-server,8.8.8.8,8.8.4.4

As far as searching for LAN shares, if you're referring to network discovery, it typically doesn't work across different ethernet/IP networks. Not without the aid of an mDNS reflector (e.g., Avahi). But again, the firewall rules I provided would NOT allow access to anything on the private network anyway, even if you could "discover" resources there. So I don't know if your comment is just an observation or a complaint.
Thanks again for a really informative reply. So when I say that I have access to the router and NAS admin pages, I mean that if I connect my phone to the guest wireless on the AP, I can still access the router page on the primary router DHCP.
 

I just realized I had a typo. Here are the corrected FORWARDing rules.

Code:
iptables -I FORWARD -i br1 -o br0 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT

I also corrected the prior posting of these rules.
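To see why the rules above are typed in that order (each `-I` inserts at the head of the chain, so the REJECT typed first ends up evaluated last), here is an added Python model of the resulting INPUT and FORWARD chains. It is not eibgrad's code; the LAN subnet 192.168.1.0/24 is a constructed stand-in for `$(nvram get lan_ipaddr)/$(nvram get lan_netmask)`, and it also shows what would happen if the same lines were appended with `-A` instead.

```python
"""Model the insert-at-head ordering of the guest-isolation iptables rules."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample value standing in for $(nvram get lan_ipaddr)/$(nvram get lan_netmask)
LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or REJECT
    in_if: Optional[str] = None      # -i
    out_if: Optional[str] = None     # -o
    proto: Optional[str] = None      # -p
    dport: Optional[int] = None      # --dport
    dst: Optional[ipaddress.IPv4Network] = None  # -d

    def matches(self, pkt: dict) -> bool:
        """Every specified match criterion must hold, as in iptables."""
        return ((self.in_if is None or pkt.get("in") == self.in_if)
                and (self.out_if is None or pkt.get("out") == self.out_if)
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport)
                and (self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst))


def build_chain(commands: list, insert: bool = True) -> list:
    """Apply the commands in the order typed: -I puts each rule at the head, -A at the tail."""
    chain = []
    for rule in commands:
        chain.insert(0, rule) if insert else chain.append(rule)
    return chain


def verdict(chain: list, pkt: dict, policy: str = "ACCEPT") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# The INPUT rules exactly as typed in the post (top to bottom).
INPUT_CMDS = [
    Rule("REJECT", in_if="br1"),
    Rule("ACCEPT", in_if="br1", proto="icmp"),
    Rule("ACCEPT", in_if="br1", proto="tcp", dport=53),
    Rule("ACCEPT", in_if="br1", proto="udp", dport=53),
    Rule("ACCEPT", in_if="br1", proto="udp", dport=67),
]
# The corrected FORWARD rules as typed: blanket ACCEPT first, LAN REJECT second.
FORWARD_CMDS = [
    Rule("ACCEPT", in_if="br1", out_if="br0"),
    Rule("REJECT", in_if="br1", out_if="br0", dst=LAN),
]
INPUT_CHAIN = build_chain(INPUT_CMDS)
FORWARD_CHAIN = build_chain(FORWARD_CMDS)
```

With the `-I` ordering, a guest DNS query to the AP is accepted while a guest connection to the AP's web UI is rejected, and forwarded traffic reaches the internet but not the LAN subnet; appending the same INPUT lines with `-A` would put the blanket REJECT first and silently block DHCP and DNS too.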
 
Copy and save of @eibgrad's instructions for future FT experiments. Thank you!
 
Thanks so much :) This has worked brilliantly. I am so grateful for your help guys!

Saved post for future reference.
 
Thanks for your reply. Why is it insecure? And I'm not actually doing it anymore anyway.

It is impossible to hide your SSID, actually. Hiding the SSID is nothing; we can find a hidden SSID so easily. Don't trust WiFi. WiFi is not secure even if you use an encrypted long password.
"Use a long password for WiFi", "Use encryption for WiFi": it doesn't mean it's safe. It only means consumers can feel safe.
Anyway, here is why.
 
There is nothing wrong with a hidden and secured network, as long as no SSID broadcast is okay for the devices connected.
 
