Printing from Guest Network (ASUSWRT-Merlin 3004.388.8_2)

Siff

Occasional Visitor
Hi All,

I'm looking to configure printing from a guest network to a printer, which is in the main network. I'm using AsusWRT-Merlin 3004.388.8_2 on RT-AX88U Pro. I have AiMesh with one RT-AX88U Pro node and I have 2 guest networks which I need to be available on the node as well.

I also have a USB printer, connected to the main router, which I would like to be used from the main network as well as one of the guest networks. I tried with iptables and with ebtables, I looked at @Martineau's scripts, but I couldn't make it work from the "Guest" guest network (see below). The printer works flawlessly from the main network, of course. I'm sure that I'm missing something and I would appreciate your help.

Here are the details:
  • Main router: 192.168.1.1, RT-AX88U PRO
  • AiMesh node, RT-AX88U PRO
  • "IoT" guest network, Guest Network #1 on 2.4 GHz, wl0.1, br1, no need to access the printer, 192.168.101.0/24, access to main LAN disabled in order to get a different IP range from the main network
  • "Guest" guest network, Guest Network #1 on 5 GHz, wl1.1, br2, this is the guest network which I would like to access the printer, 192.168.102.0/24, access to main LAN disabled in order to get a different IP range from the main network
  • Both "IoT" and "Guest" guest networks have to be available on the AiMesh node, i.e. I cannot use YazFi and they both have to be set as Guest Network #1

What I have tried:
Bash:
iptables -I FORWARD -i br2 -o br0 -d 192.168.1.1/32 -j ACCEPT

and

Bash:
ebtables -I FORWARD -p IPv4 -i wl1.1 --ip-dst 192.168.1.1 --ip-proto tcp -j ACCEPT
ebtables -I FORWARD -p IPv4 -o wl1.1 --ip-src 192.168.1.1 --ip-proto tcp -j ACCEPT

Neither works.

Thank you!
 
What you've tried so far won't work since the wl1.1 network interface is assigned to a bridge (br2). Also, it's probably not a good idea to enable ALL tcp traffic to the router (that would include the GUI, SSH, etc.).

What you probably need is the BROUTING chain of the broute table.

Code:
admin@lab-merlin1:/tmp/home/root# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 5, policy: ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.102.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Since the printer is apparently running on the router itself (192.168.1.1), it may already be listening on the Guest #1 network as well (192.168.102.1). So first try that IP.

Code:
ebtables -t broute -I BROUTING -p IPv4 -i wl1.1 --ip-dst 192.168.102.1 --ip-proto tcp --ip-dport 9100 -j ACCEPT

If that doesn't work (perhaps the printer is only bound to 192.168.1.1), then change the rule from 192.168.102.1 to 192.168.1.1.
 
Thank you @eibgrad!

Yes, my first tries included the protocol and the port, but since they didn't work, I removed them to see whether that would make it work (it didn't).

I tried with both 192.168.102.1 and 192.168.1.1, but neither worked.

Here is my current broute table:

Code:
ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 13, policy: ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.1.1 --ip-proto tcp --ip-dport 9100 -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 -j SKIPLOG
-p IPv4 -i wl1.1 --ip-dst 192.168.102.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 -j SKIPLOG

I also tried adding ICMP, but ping didn't work either.
 
I have what I hope is a better idea.

What I suggest is that you *enable* intranet access for Guest #1 (both 2.4GHz and 5GHz). Normally you don't want to do this w/ Guest #2 and #3 because they share the same IP network as the private network (br0). You use ebtables to enforce isolation between the Guest wireless network interfaces and the private portion of that IP network.

But Guest #1 is special (due to AiMesh) given it uses its own unique IP networks (192.168.101.x and 192.168.102.x) and bridges (br1/br2). So strictly speaking, isolation via ebtables isn't really required. It can all be managed at the iptables level.

In such a configuration, there appears to be no access to br0 from either br1 or br2, nor between br1 and br2. There is a certain minimal access to DHCP, DNS, etc., on the router for obvious reasons. You could add an ACCEPT rule for the printer on the router's INPUT chain, and add REJECT rules for anything you feel should be offbase (e.g., SSH).

Code:
iptables -I INPUT -i br+ -p tcp --dport 9100 -j ACCEPT

IOW, turn it from an ebtables problem into an iptables problem, the latter being much easier to manage, esp. for scripting purposes. That's another problem w/ ebtables; where and how do you control the addition of your own rules.

One thing I don't know is if this approach will have any negative effects on AiMesh. ASUS has messed w/ Guest #1 a LOT, and so it's just something you'll have to try and see what happens. But if it was me, that's the approach I would try at this point.
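An added example for the iptables-level approach described above (it is not code from this thread, from @eibgrad, or from the Merlin firmware): a helper script meant to be called from Merlin's /jffs/scripts/firewall-start hook. It narrows the suggested `-i br+ --dport 9100` rule to the one guest bridge that needs the printer and to the address the print server is bound to, explicitly rejects the admin ports (SSH, web GUI) from both guest bridges, which addresses the earlier warning about letting all TCP reach the router, and inserts each rule only once because firewall-start fires on every WAN event. The bridge names br1/br2, the printer address 192.168.1.1, port 9100, the admin port list and the path /jffs/scripts/guest-printer.sh are assumptions taken from the thread or chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the firmware.
# Least-privilege INPUT rules for printing from a guest bridge on a
# Merlin router. Run as: sh /jffs/scripts/guest-printer.sh apply
# (e.g. from /jffs/scripts/firewall-start); "show" prints the rules
# that would be applied without touching the firewall.

GUEST_BRIDGES="br1 br2"       # assumed: Guest #1 bridges (2.4 GHz / 5 GHz)
PRINT_BR="br2"                # assumed: the only bridge allowed to print
PRINTER_IP="192.168.1.1"      # assumed: address the print server listens on
PRINTER_PORT="9100"           # raw/JetDirect printing port used in the thread
ADMIN_TCP_PORTS="22 80 443 8443"   # assumed admin services to keep unreachable

# Overridable so the rule set can be dry-run or tested with a shell function.
IPTABLES="${IPTABLES:-iptables}"

# ensure_rule CHAIN RULE...: insert RULE at the head of CHAIN unless an
# identical rule is already present (`iptables -C` exits 0 when it exists).
ensure_rule() {
    chain="$1"; shift
    if ! "$IPTABLES" -C "$chain" "$@" 2>/dev/null; then
        "$IPTABLES" -I "$chain" "$@"
    fi
}

# Rules are inserted at position 1 each time, so the ACCEPT added last ends
# up above the REJECTs; the ports differ, so the order carries no risk either way.
apply_printer_rules() {
    # 1. Admin ports: refuse (with a reset, so clients fail fast) from every
    #    guest bridge, not only the one that prints.
    for br in $GUEST_BRIDGES; do
        for port in $ADMIN_TCP_PORTS; do
            ensure_rule INPUT -i "$br" -p tcp --dport "$port" \
                -j REJECT --reject-with tcp-reset
        done
    done
    # 2. Printer: only from the printing bridge, only to the bound address,
    #    only the printing port. Nothing else on the router is exposed.
    ensure_rule INPUT -i "$PRINT_BR" -p tcp -d "$PRINTER_IP" \
        --dport "$PRINTER_PORT" -j ACCEPT
}

# Dry-run backend: pretend no rule exists and print what would be inserted.
print_rule() {
    if [ "$1" = "-C" ]; then return 1; fi
    echo "$*"
}

case "${1:-}" in
    apply) apply_printer_rules ;;
    show)  IPTABLES=print_rule; apply_printer_rules ;;
esac
```

Because every rule goes through `ensure_rule`, re-running the script after a WAN reconnect leaves the INPUT chain with exactly one copy of each rule; `iptables -S INPUT | head` on the router is the quick way to confirm the ACCEPT and the eight REJECTs are in place, and `sh guest-printer.sh show` lets you review the exact rule set before applying it.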
 
Thanks again @eibgrad!

Unfortunately, if I enable intranet access for Guest Network #1, its clients will use the IP range of the main network, so that won't work for me. BTW, the bridge goes away too:
With intranet disabled on both GN#1s:
Code:
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.e89c25493908       no              eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        eth7
                                                        wds0.0.1
                                                        wds1.0.1
br1             8000.e89c25493909       yes             eth1.501
                                                        eth2.501
                                                        eth3.501
                                                        eth4.501
                                                        eth5.501
                                                        eth6.501
                                                        eth7.501
                                                        wds0.0.1.501
                                                        wds1.0.1.501
                                                        wl0.1
br2             8000.e89c2549390d       yes             eth1.502
                                                        eth2.502
                                                        eth3.502
                                                        eth4.502
                                                        eth5.502
                                                        eth6.502
                                                        eth7.502
                                                        wds0.0.1.502
                                                        wds1.0.1.502
                                                        wl1.1
With intranet enabled on GN#1 on 5 GHz, br2 is gone:
Code:
brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.e89c25493908       no              eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        eth7
                                                        wds0.0.1
                                                        wds1.0.1
                                                        wl1.1
br1             8000.e89c25493909       yes             eth1.501
                                                        eth2.501
                                                        eth3.501
                                                        eth4.501
                                                        eth5.501
                                                        eth6.501
                                                        eth7.501
                                                        wds0.0.1.501
                                                        wds1.0.1.501
                                                        wl0.1

I think that there is something else crazy done by Asus for guest network #1s, especially when they are also available on the AiMesh node(s)...

I might try with 3006 stock firmware to see whether I'll be able to manually create bridges and VLANs, similarly to my current Tomato setup.
 