Struggling with access from main to GN3

[GSpock]

Hi all,
I am trying to have one-way access from main (192.168.1.0/24) to Guest Network 3 while access intranet is disabled.
GN3 devices have the following IP's: 192.168.1.150, 192.168.1.151 and 192.168.1.152

ebtables -t broute -L BROUTING --Lx --Lc
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.1 --ip-proto icmp -j ACCEPT -c 57456 4826136
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp --ip-dport 53 -j ACCEPT -c 0 0
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto icmp -j DROP -c 0 0
ebtables -t broute -A BROUTING -p IPv4 -i wl0.3 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP -c 0 0

what have I to do to achieve my goal ?

Thanks,
GS

 

[bennor]

Don't know anything about ebtables but you may have to also do IPTables scripting depending on how you have guest network clients connected. Various discussion in other past posts on trying to use IPTables to open up one-way to WiFI guest.

 

[GSpock]

Don't know anything about ebtables but you may have to also do IPTables scripting depending on how you have guest network clients connected. Various discussion in other past posts on trying to use IPTables to open up one-way to WiFI guest.

Thanks,
devices are connecting via Wifi Guest Network 3 .... so, in the same subnet as main, that's why I mentioned ebtables iof iptables, but I might be wrong. I searched the forum but could not find any usefull info to me.

 

[bennor]

devices are connecting via Wifi Guest Network 3 .... so, in the same subnet as main, that's why I mentioned ebtables iof iptables, but I might be wrong. I searched the forum but could not find any usefull info to me.

Made a post a while back about using IPtables to do routing from YazFi guest wifi to main client. May (or may not) have some helpful information:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521
Obviously its "forward" not "YazFiFORWARD" when one doesn't have YazFi installed, but the scripting might be the same or similar. YazFi unfortunately doesn't work on AiMesh nodes or AP nodes.

 

[Jeffrey Young]

May be a bit of a shot in the dark as you have not posted the current ebtable rules, but try using -I instead of -A.

Using -A append the rule to end of the current list of rules, which may mean you are hitting a reject/drop rule before getting to one of your new rules. The -I inserts the rule at the top of the list.

 

[ColinTaylor]

May be a bit of a shot in the dark as you have not posted the current ebtable rules...

Yes he has. The first line is the command he entered and the following 4 lines are the output.

 

[Jeffrey Young]

Yes he has. The first line is the command he entered and the following 4 lines are the output.

Ahh, I did not catch the first line... Yes you are right.

 

[GSpock]

May be a bit of a shot in the dark as you have not posted the current ebtable rules, but try using -I instead of -A.

Using -A append the rule to end of the current list of rules, which may mean you are hitting a reject/drop rule before getting to one of your new rules. The -I inserts the rule at the top of the list.

I have not entered any of those ebtables rules, it seems they are generated when choosing to disable intranet access ....

 

[GSpock]

Made a post a while back about using IPtables to do routing from YazFi guest wifi to main client. May (or may not) have some helpful information:
https://www.snbforums.com/threads/allowing-access-to-selected-network-devices.80405/#post-784521
Obviously its "forward" not "YazFiFORWARD" when one doesn't have YazFi installed, but the scripting might be the same or similar. YazFi unfortunately doesn't work on AiMesh nodes or AP nodes.

at this time this is a rather "may not", but thanks anyway ...

 

[Jeffrey Young]

Yeah, it's gets a little clearer as to why JackYaz went with a routing solution for his YazFi script. I'm no expert on ebtables, in fact I have never had to use ebtables before. I done a little bit of research, but have not come up with anything.

I'm guessing you want a solution that propagates the one way communications to the guest network on the Aimesh's as well? If not, YazFi is still a good solution.

 

[GSpock]

Yeah, it's gets a little clearer as to why JackYaz went with a routing solution for his YazFi script. I'm no expert on ebtables, in fact I have never had to use ebtables before. I done a little bit of research, but have not come up with anything.

I'm guessing you want a solution that propagates the one way communications to the guest network on the Aimesh's as well? If not, YazFi is still a good solution.

Thanks. No, I just try to achieve one-way to GN3. I think installing YazFi is a bit overkill for this. I have made some tests on one old routeur (87U) and YazFi did not run very well but probably due to the routeur obsolescence.

 

[bennor]

I have made some tests on one old routeur (87U) and YazFi did not run very well but probably due to the routeur obsolescence.

Note that people, including myself, ran/run YazFi on the RT-AC68U which is an old end of life router. And it runs fine. What could impact the router is if you run other add-on scripts, particularly processor/RAM intensive scripts on the old router. YazFi generally shouldn't have much of an impact at all on the hardware since it pretty much only deals with configuring IPTable (and similar) values within the router's firewall.

Generally the biggest complaint in the past with YazFi is its inability to work with AiMesh nodes and AP nodes. It only works on the main router.