New Subnets Can't Access Intranet Subnet

HarryMuscle

Senior Member
I successfully created separate subnets for some of my guest WiFi connections (wl0.2, wl1.2, wl0.3, wl1.3) as outlined here: https://www.snbforums.com/threads/seperate-dhcp-range-for-guest-wifi.40910/. However, even if I enable intranet access for a guest WiFi connection it's not actually able to connect to the intranet subnet. Any help in figuring this out would be greatly appreciated.

Here is a copy of the current iptables rules that exist on the router:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       15  1061 ACCEPT     all  --  tun11  any     anywhere             anywhere
2        0     0 DROP       icmp --  eth0   any     anywhere             anywhere            icmp echo-request
3     1891  165K SECURITY_PROTECT  tcp  --  any    any     anywhere             anywhere            multiport dports ssh
4     113K   77M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
5      165  7860 DROP       all  --  any    any     anywhere             anywhere            state INVALID
6     4480  783K ACCEPT     all  --  br0    any     anywhere             anywhere            state NEW
7        0     0 ACCEPT     all  --  wl0.2  any     anywhere             anywhere            state NEW
8        0     0 ACCEPT     all  --  wl1.2  any     anywhere             anywhere            state NEW
9        0     0 ACCEPT     all  --  wl0.3  any     anywhere             anywhere            state NEW
10       0     0 ACCEPT     all  --  wl1.3  any     anywhere             anywhere            state NEW
11   18866 3818K ACCEPT     all  --  lo     any     anywhere             anywhere            state NEW
12       0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc
13       0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp !echo-request
14     504 63196 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1056K 1243M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  tun11  any     anywhere             anywhere
3        0     0 DROP       all  --  eth0   eth0    anywhere             anywhere
4        0     0 DROP       all  --  lo     eth0    anywhere             anywhere
5        0     0 DROP       all  --  eth0   any     anywhere             anywhere            state INVALID
6        0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
7        0     0 ACCEPT     all  --  br0    wl0.2   anywhere             anywhere
8        0     0 ACCEPT     all  --  br0    wl1.2   anywhere             anywhere
9        0     0 ACCEPT     all  --  br0    wl0.3   anywhere             anywhere
10       0     0 ACCEPT     all  --  br0    wl1.3   anywhere             anywhere
11       0     0 ACCEPT     all  --  wl0.2  br0     anywhere             anywhere
12       0     0 ACCEPT     all  --  wl0.2  wl0.2   anywhere             anywhere
13       0     0 ACCEPT     all  --  wl0.2  wl1.2   anywhere             anywhere
14       0     0 ACCEPT     all  --  wl0.2  wl0.3   anywhere             anywhere
15       0     0 ACCEPT     all  --  wl0.2  wl1.3   anywhere             anywhere
16       0     0 ACCEPT     all  --  wl1.2  br0     anywhere             anywhere
17       0     0 ACCEPT     all  --  wl1.2  wl0.2   anywhere             anywhere
18       0     0 ACCEPT     all  --  wl1.2  wl1.2   anywhere             anywhere
19       0     0 ACCEPT     all  --  wl1.2  wl0.3   anywhere             anywhere
20       0     0 ACCEPT     all  --  wl1.2  wl1.3   anywhere             anywhere
21       0     0 ACCEPT     all  --  wl0.3  br0     anywhere             anywhere
22       0     0 ACCEPT     all  --  wl0.3  wl0.2   anywhere             anywhere
23       0     0 ACCEPT     all  --  wl0.3  wl1.2   anywhere             anywhere
24       0     0 ACCEPT     all  --  wl0.3  wl0.3   anywhere             anywhere
25       0     0 ACCEPT     all  --  wl0.3  wl1.3   anywhere             anywhere
26       0     0 ACCEPT     all  --  wl1.3  br0     anywhere             anywhere
27       0     0 ACCEPT     all  --  wl1.3  wl0.2   anywhere             anywhere
28       0     0 ACCEPT     all  --  wl1.3  wl1.2   anywhere             anywhere
29       0     0 ACCEPT     all  --  wl1.3  wl0.3   anywhere             anywhere
30       0     0 ACCEPT     all  --  wl1.3  wl1.3   anywhere             anywhere
31       0     0 SECURITY   all  --  eth0   any     anywhere             anywhere
32    7094  459K NSFW       all  --  any    any     anywhere             anywhere
33    3474  231K ACCEPT     all  --  any    any     anywhere             anywhere            ctstate DNAT
34    3169  199K ACCEPT     all  --  br0    any     anywhere             anywhere
35       0     0 ACCEPT     all  --  wl0.2  any     anywhere             anywhere
36       0     0 ACCEPT     all  --  wl1.2  any     anywhere             anywhere
37       0     0 ACCEPT     all  --  wl0.3  any     anywhere             anywhere
38       0     0 ACCEPT     all  --  wl1.3  any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 117K packets, 46M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain NSFW (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain SECURITY (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
2        0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
3        0     0 RETURN     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
4        0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST
5        0     0 RETURN     icmp --  any    any     anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
6        0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-request
7        0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain SECURITY_PROTECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  any    any     anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
2        0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain logdrop (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  any    any     anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
2        0     0 DROP       all  --  any    any     anywhere             anywhere

And here is a copy of all the ebtables rules that currently exist on the router:
Code:
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP
-i wl1.1 -j DROP
-o wl1.1 -j DROP
-i wl0.3 -j DROP
-o wl0.3 -j DROP
-i wl1.3 -j DROP
-o wl1.3 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge table: broute

Bridge chain: BROUTING, entries: 10, policy: ACCEPT
-p IPv4 -i wl1.3 -j DROP
-p ARP -i wl1.3 -j DROP
-p IPv4 -i wl0.3 -j DROP
-p ARP -i wl0.3 -j DROP
-p IPv4 -i wl1.2 -j DROP
-p ARP -i wl1.2 -j DROP
-p IPv4 -i wl0.2 -j DROP
-p ARP -i wl0.2 -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

The interfaces that I'm trying to configure to access the intranet are the wl0.2 and wl1.2.

Thanks,
Harry
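To check what the posted FORWARD chain actually does to a guest-to-LAN packet, here is an added simulator (not part of the thread, and not the router's own tooling) that parses an `iptables -L -v --line-numbers`-style listing and walks it first-match, descending into user chains and falling through on RETURN. It embeds a constructed subset of the FORWARD, NSFW and SECURITY chains quoted above (only the rules relevant to the guest/LAN path; SECURITY is reduced to its closing RETURN, and rate-limit matches are not modelled). The packet fields and the `forward_verdict` helper are my own names. It shows that a NEW packet from wl0.2 to br0 is accepted by rule 11, so the iptables filter is not what blocks intranet access here.

```python
import re

# Constructed extract of the chains quoted in the post above (a subset: rules relevant
# to guest<->LAN forwarding; SECURITY reduced to its final RETURN for this example).
IPTABLES_OUTPUT = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1056K 1243M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  tun11  any     anywhere             anywhere
3        0     0 DROP       all  --  eth0   eth0    anywhere             anywhere
5        0     0 DROP       all  --  eth0   any     anywhere             anywhere            state INVALID
6        0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
7        0     0 ACCEPT     all  --  br0    wl0.2   anywhere             anywhere
11       0     0 ACCEPT     all  --  wl0.2  br0     anywhere             anywhere
31       0     0 SECURITY   all  --  eth0   any     anywhere             anywhere
32    7094  459K NSFW       all  --  any    any     anywhere             anywhere
33    3474  231K ACCEPT     all  --  any    any     anywhere             anywhere            ctstate DNAT

Chain NSFW (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain SECURITY (1 references)
num   pkts bytes target     prot opt in     out     source               destination
7        0     0 RETURN     all  --  any    any     anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")


def parse_chains(text):
    """Return {chain: {"policy": str|None, "rules": [rule dicts]}} from a listing."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        if not line.strip() or line.startswith("num") or current is None:
            continue
        f = line.split()  # num pkts bytes target prot opt in out src dst [match extras]
        chains[current]["rules"].append({
            "num": int(f[0]), "target": f[3], "prot": f[4],
            "in": f[6], "out": f[7], "extra": " ".join(f[10:]),
        })
    return chains


def rule_matches(rule, pkt):
    """Interface, protocol and conntrack-state matching only (no limit/flags matches)."""
    if rule["prot"] != "all" and rule["prot"] != pkt["proto"]:
        return False
    if rule["in"] != "any" and rule["in"] != pkt["in"]:
        return False
    if rule["out"] != "any" and rule["out"] != pkt["out"]:
        return False
    extra = rule["extra"].split()
    if not extra:
        return True
    if extra[0] == "state":
        return pkt["state"] in extra[1].split(",")
    if extra[0] == "ctstate":
        return pkt.get("dnat", False) if extra[1] == "DNAT" else False
    return False  # a match extension this simulator does not model: treat as no match


def trace(chains, chain, pkt):
    """First-match walk; returns (verdict, chain, rule number or 'policy'), or None on RETURN."""
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        t = rule["target"]
        if t in ("ACCEPT", "DROP", "REJECT"):
            return (t, chain, rule["num"])
        if t == "RETURN":
            break
        if t in chains:  # user-defined chain: descend, fall through if it returns
            verdict = trace(chains, t, pkt)
            if verdict is not None:
                return verdict
    policy = chains[chain]["policy"]
    return (policy, chain, "policy") if policy else None


def forward_verdict(in_if, out_if, proto="tcp", state="NEW", dnat=False):
    """Hypothetical helper: verdict for one packet traversing the embedded FORWARD chain."""
    pkt = {"in": in_if, "out": out_if, "proto": proto, "state": state, "dnat": dnat}
    return trace(parse_chains(IPTABLES_OUTPUT), "FORWARD", pkt)


if __name__ == "__main__":
    for path in (("wl0.2", "br0"), ("br0", "wl0.2"), ("eth0", "br0")):
        print(path, "->", forward_verdict(*path))
```

Both directions of the guest/LAN pair hit an explicit ACCEPT (rules 11 and 7), while an unsolicited packet arriving from eth0 falls through the SECURITY and NSFW chains to the chain's DROP policy unless conntrack marks it as DNATed. That is the expected shape for a home router, which is why the thread ends up looking beyond the filter table.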
 
Code:
-p IPv4 -i wl1.2 -j DROP
-p ARP -i wl1.2 -j DROP
-p IPv4 -i wl0.2 -j DROP
-p ARP -i wl0.2 -j DROP

I suspect these will stop them accessing the intranet
 
The drop statement is misleading cause when used in the broute table it actually means to route the packet instead of bridging. It's required to allow the subnets on those interfaces to communicate with the DHCP server in the router amongst other things.

Thanks,
Harry
 
So I've narrowed it down to somehow being related to the VPN connection. When the VPN connection is active I can't access the intranet from wl0.2 or wl1.2, but when the VPN connection is disabled things work like expected. I'm hoping this piece of info might help somehow figure out what's going on cause I'm still stuck.

Thanks,
Harry
 
Can you provide screenshots of the VPN client settings?
 
So it turns out this is being caused by the policy based VPN rules. If I configure VPN to be used for the LAN but not for the guest WiFi in question then the two no longer are able to communicate with each other, which kinda makes sense. As soon as both use VPN or both don't use it they are able to communicate no problem. So I think I'm just gonna treat this as a feature :).

Thanks,
Harry
 
Policy rules strict usually causes that. Normal policy rules should allow LAN access to routed clients.
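The behaviour Harry describes, and the strict-versus-normal distinction in the reply above, can be illustrated with a small policy-routing model. This is an added example, not the router firmware's code, and it simplifies the two modes: the VPN routing table holds only the tunnel's default route (strict) or also carries the main table's connected routes (normal). Only the LAN 192.168.1.0/24 comes from the ebtables rules in the thread; the guest subnet 192.168.2.0/24 on wl0.2, the host addresses, the interface roles of eth0 (WAN) and tun11 (VPN client), and the helper names `egress` and `intranet_roundtrip` are assumptions made for this example.

```python
import ipaddress

# Constructed topology for this example (only the LAN prefix appears in the thread).
LAN = ipaddress.ip_network("192.168.1.0/24")      # br0
GUEST = ipaddress.ip_network("192.168.2.0/24")    # wl0.2, assumed guest subnet
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Main table: connected routes for each subnet and a default route via the WAN.
MAIN_TABLE = [(LAN, "br0"), (GUEST, "wl0.2"), (DEFAULT, "eth0")]


def vpn_table(strict):
    """Table consulted for sources that are policy-routed through the VPN client.
    Strict: only the tunnel default route. Normal: the main table's connected
    routes plus the tunnel default route. (Simplified model of the two modes.)"""
    if strict:
        return [(DEFAULT, "tun11")]
    connected = [(net, dev) for net, dev in MAIN_TABLE if net != DEFAULT]
    return connected + [(DEFAULT, "tun11")]


def longest_prefix_match(table, dst):
    """Return the egress device for dst, preferring the most specific route."""
    best = None
    for net, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def egress(src, dst, rules, strict):
    """rules: ordered [(source subnet, 'vpn' | 'main')], like source-keyed ip rules.
    The first rule whose subnet contains src selects the table; otherwise main."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    table = MAIN_TABLE
    for net, which in rules:
        if src in net:
            table = vpn_table(strict) if which == "vpn" else MAIN_TABLE
            break
    return longest_prefix_match(table, dst)


def intranet_roundtrip(rules, strict):
    """A guest client (constructed 192.168.2.10) talks to a LAN host (192.168.1.20).
    Returns (request egress, reply egress, whether both legs reach the right interface)."""
    request = egress("192.168.2.10", "192.168.1.20", rules, strict)
    reply = egress("192.168.1.20", "192.168.2.10", rules, strict)
    return request, reply, (request == "br0" and reply == "wl0.2")


# The configuration described in the thread: LAN via VPN, guest WiFi not.
RULES = [(LAN, "vpn"), (GUEST, "main")]

if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "normal", intranet_roundtrip(RULES, strict))
```

With the LAN policy-routed through the VPN and the guest subnet left on the main table, the guest's request reaches br0 in both modes, but the LAN host's reply is looked up in the VPN table; in strict mode that table has no route back to the guest subnet, so the reply leaves via tun11 and the conversation never completes. On a real router the same check is `ip rule show` followed by `ip route show table <vpn-client-table>` for the table the rule names, looking for whether the other subnet's connected route is present.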
 