What's new
By:

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

New Subnets Can't Access Intranet Subnet

H

HarryMuscle

Senior Member
I successfully created separate subnets for some of my guest WiFi connections (wl0.2, wl1.2, wl0.3, wl1.3) as outlined here: https://www.snbforums.com/threads/seperate-dhcp-range-for-guest-wifi.40910/. However, even if I enable intranet access for a guest WiFi connection it's not actually able to connect to the intranet subnet. Any help in figuring this out would be greatly appreciated.

Here is a copy of the current IP table rules that exist on the router:
Code: 
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       15  1061 ACCEPT     all  --  tun11  any     anywhere             anywhere
2        0     0 DROP       icmp --  eth0   any     anywhere             anywhere            icmp echo-request
3     1891  165K SECURITY_PROTECT  tcp  --  any    any     anywhere             anywhere            multiport dports ssh
4     113K   77M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
5      165  7860 DROP       all  --  any    any     anywhere             anywhere            state INVALID
6     4480  783K ACCEPT     all  --  br0    any     anywhere             anywhere            state NEW
7        0     0 ACCEPT     all  --  wl0.2  any     anywhere             anywhere            state NEW
8        0     0 ACCEPT     all  --  wl1.2  any     anywhere             anywhere            state NEW
9        0     0 ACCEPT     all  --  wl0.3  any     anywhere             anywhere            state NEW
10       0     0 ACCEPT     all  --  wl1.3  any     anywhere             anywhere            state NEW
11   18866 3818K ACCEPT     all  --  lo     any     anywhere             anywhere            state NEW
12       0     0 ACCEPT     udp  --  any    any     anywhere             anywhere            udp spt:bootps dpt:bootpc
13       0     0 ACCEPT     icmp --  any    any     anywhere             anywhere            icmp !echo-request
14     504 63196 DROP       all  --  any    any     anywhere             anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1    1056K 1243M ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
2        0     0 ACCEPT     all  --  tun11  any     anywhere             anywhere
3        0     0 DROP       all  --  eth0   eth0    anywhere             anywhere
4        0     0 DROP       all  --  lo     eth0    anywhere             anywhere
5        0     0 DROP       all  --  eth0   any     anywhere             anywhere            state INVALID
6        0     0 ACCEPT     all  --  br0    br0     anywhere             anywhere
7        0     0 ACCEPT     all  --  br0    wl0.2   anywhere             anywhere
8        0     0 ACCEPT     all  --  br0    wl1.2   anywhere             anywhere
9        0     0 ACCEPT     all  --  br0    wl0.3   anywhere             anywhere
10       0     0 ACCEPT     all  --  br0    wl1.3   anywhere             anywhere
11       0     0 ACCEPT     all  --  wl0.2  br0     anywhere             anywhere
12       0     0 ACCEPT     all  --  wl0.2  wl0.2   anywhere             anywhere
13       0     0 ACCEPT     all  --  wl0.2  wl1.2   anywhere             anywhere
14       0     0 ACCEPT     all  --  wl0.2  wl0.3   anywhere             anywhere
15       0     0 ACCEPT     all  --  wl0.2  wl1.3   anywhere             anywhere
16       0     0 ACCEPT     all  --  wl1.2  br0     anywhere             anywhere
17       0     0 ACCEPT     all  --  wl1.2  wl0.2   anywhere             anywhere
18       0     0 ACCEPT     all  --  wl1.2  wl1.2   anywhere             anywhere
19       0     0 ACCEPT     all  --  wl1.2  wl0.3   anywhere             anywhere
20       0     0 ACCEPT     all  --  wl1.2  wl1.3   anywhere             anywhere
21       0     0 ACCEPT     all  --  wl0.3  br0     anywhere             anywhere
22       0     0 ACCEPT     all  --  wl0.3  wl0.2   anywhere             anywhere
23       0     0 ACCEPT     all  --  wl0.3  wl1.2   anywhere             anywhere
24       0     0 ACCEPT     all  --  wl0.3  wl0.3   anywhere             anywhere
25       0     0 ACCEPT     all  --  wl0.3  wl1.3   anywhere             anywhere
26       0     0 ACCEPT     all  --  wl1.3  br0     anywhere             anywhere
27       0     0 ACCEPT     all  --  wl1.3  wl0.2   anywhere             anywhere
28       0     0 ACCEPT     all  --  wl1.3  wl1.2   anywhere             anywhere
29       0     0 ACCEPT     all  --  wl1.3  wl0.3   anywhere             anywhere
30       0     0 ACCEPT     all  --  wl1.3  wl1.3   anywhere             anywhere
31       0     0 SECURITY   all  --  eth0   any     anywhere             anywhere
32    7094  459K NSFW       all  --  any    any     anywhere             anywhere
33    3474  231K ACCEPT     all  --  any    any     anywhere             anywhere            ctstate DNAT
34    3169  199K ACCEPT     all  --  br0    any     anywhere             anywhere
35       0     0 ACCEPT     all  --  wl0.2  any     anywhere             anywhere
36       0     0 ACCEPT     all  --  wl1.2  any     anywhere             anywhere
37       0     0 ACCEPT     all  --  wl0.3  any     anywhere             anywhere
38       0     0 ACCEPT     all  --  wl1.3  any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 117K packets, 46M bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain FUPNP (0 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain NSFW (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain PControls (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain SECURITY (1 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 RETURN     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 1/sec burst 5
2        0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
3        0     0 RETURN     tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST limit: avg 1/sec burst 5
4        0     0 DROP       tcp  --  any    any     anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/RST
5        0     0 RETURN     icmp --  any    any     anywhere             anywhere            icmp echo-request limit: avg 1/sec burst 5
6        0     0 DROP       icmp --  any    any     anywhere             anywhere            icmp echo-request
7        0     0 RETURN     all  --  any    any     anywhere             anywhere

Chain SECURITY_PROTECT (1 references)
num   pkts bytes target     prot opt in     out     source               destination

Chain logaccept (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  any    any     anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `ACCEPT '
2        0     0 ACCEPT     all  --  any    any     anywhere             anywhere

Chain logdrop (0 references)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 LOG        all  --  any    any     anywhere             anywhere            state NEW LOG level warning tcp-sequence tcp-options ip-options prefix `DROP '
2        0     0 DROP       all  --  any    any     anywhere             anywhere

And here is a copy of all the ebtable rules that currently exist on the router:
Code: 
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP
-i wl1.1 -j DROP
-o wl1.1 -j DROP
-i wl0.3 -j DROP
-o wl0.3 -j DROP
-i wl1.3 -j DROP
-o wl1.3 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Bridge table: broute

Bridge chain: BROUTING, entries: 10, policy: ACCEPT
-p IPv4 -i wl1.3 -j DROP
-p ARP -i wl1.3 -j DROP
-p IPv4 -i wl0.3 -j DROP
-p ARP -i wl0.3 -j DROP
-p IPv4 -i wl1.2 -j DROP
-p ARP -i wl1.2 -j DROP
-p IPv4 -i wl0.2 -j DROP
-p ARP -i wl0.2 -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

The interfaces that I'm trying to configure to access the intranet are the wl0.2 and wl1.2.

Thanks,
Harry
 
Code: 
-p IPv4 -i wl1.2 -j DROP
-p ARP -i wl1.2 -j DROP
-p IPv4 -i wl0.2 -j DROP
-p ARP -i wl0.2 -j DROP

I suspect these will stop them accessing the intranet
 
Jack Yaz said:
Code: 
-p IPv4 -i wl1.2 -j DROP
-p ARP -i wl1.2 -j DROP
-p IPv4 -i wl0.2 -j DROP
-p ARP -i wl0.2 -j DROP

I suspect these will stop them accessing the intranet
Click to expand...

The drop statement is misleading cause when used in the broute table it actually means to route the packet instead of bridging. It's required to allow the subnets on those interfaces to communicate with the DHCP server in the router amongst other things.

Thanks,
Harry
 
Last edited:
So I've narrowed it down to somehow being related to the VPN connection. When the VPN connection is active I can't access the intranet from wl0.2 or wl1.2, but when the VPN connection is disabled things work like expected. I'm hoping this piece of info might help somehow figure out what's going on cause I'm still stuck.

Thanks,
Harry
 
So I've narrowed it down to somehow being related to the VPN connection. When the VPN connection is active I can't access the intranet from wl0.2 or wl1.2, but when the VPN connection is disabled things work like expected. I'm hoping this piece of info might help somehow figure out what's going on cause I'm still stuck.

Thanks,
Harry
Click to expand...
Can you provide screenshots of the VPN client settings?
 
Last edited by a moderator:
So it turns out this is being caused by the policy based VPN rules. If I configure VPN to be used for the LAN but not for the guest WiFi in question then the two no longer are able to communicate with each other, which kinda makes sense. As soon as both use VPN or both don't use it they are able to communicate no problem. So I think I'm just gonna treat this as a feature :).

Thanks,
Harry
 
Policy rules strict usually causes that. Normal policy rules should allow lan access to routed clients.
 
You must log in or register to reply here.

Similar threads

J
Debugging NAT traversal with a ASUS RT-AC66U B1
Replies
2
Views
1K
jp_rider
J
VeloxNEx
GT-BE98 pro DNS Director issue with my pihole?
Replies
19
Views
1K
VeloxNEx
VeloxNEx
spacemanspiff
RT-AX86U running Merlin serving DNS - possible Malware infection
2
Replies
31
Views
3K
ColinTaylor
C
G
Struggling with access from main to GN3
Replies
12
Views
724
GSpock
G
octopus
My ip cams problem
Replies
14
Views
1K
Seth Harman
Seth Harman
Similar threads
Thread starter Title Forum Replies Date
Phantomski Guest Network Pro and wider subnets (supernetting, route summarisation) Asuswrt-Merlin 0
I mDNS on different subnets via VPN Asuswrt-Merlin 4
el_pedr0 How do you specify different IPv6 subnets? Asuswrt-Merlin 1
Labdoc AX56 aimesh node shows open access (no password or security) Asuswrt-Merlin 5
M Does switching between operational modes wipe settings, and does repeater mode also send data to secondary router access point if connected via wire? Asuswrt-Merlin 2
Zirescu BE92U Semi Random Issue / Loss of Web UI access / DNS failures / wifi drops Asuswrt-Merlin 9
M Cannot access blocked devices over VPN Asuswrt-Merlin 0
C Firewall URL filter bypassed by guest networks with disabled intranet access Asuswrt-Merlin 4
A No web-gui access anymore Asuswrt-Merlin 3
T BE86U OpenVPN server denies access to LAN after a while Asuswrt-Merlin 0

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 1,469 (members: 16, guests: 1,453)
Back
Top