Understanding the Guest Network (iptables and ebtables)


rafwes

Hello!

I have set up a guest network and I am in need of hardening its security, which means learning how it works to fix the issues. As for now, I've seen that "Intranet disabled" means dropping forwards on layer 2 with ebtables. What I do not get is why PING/DNS/DHCP/FORWARDING work but when I try to ssh the router or access its web interface from the guest network it will fail. I've searched for iptables rules for this but found none. What am I missing?

Code:
admin@RT-N66U:/tmp/home/root# ebtables -Lnv
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -o ! vlan2 -j DROP 
-i ! vlan2 -o wl0.1 -j DROP 
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

admin@RT-N66U:/tmp/home/root# iptables -Lnv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           state NEW 
   77  5467 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
 1872  658K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   78  6635 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
  575 74799 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW 
  102 11288 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1129  179K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 DROP       all  --  !br0   vlan2   0.0.0.0/0            0.0.0.0/0           
   18  2390 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       icmp --  vlan2  *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           ctstate DNAT 
  206 12255 ACCEPT     all  --  br0    vlan2   0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  tun0   br0     0.0.0.0/0            0.0.0.0/0           state NEW 
   36  3004 ACCEPT     all  --  br0    tun0    0.0.0.0/0            0.0.0.0/0           state NEW 

Chain OUTPUT (policy ACCEPT 2097 packets, 716K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FUPNP (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PControls (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logaccept (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `ACCEPT ' 
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain logdrop (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW LOG flags 7 level 4 prefix `DROP' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
 
The SSH and the web interface don't work because you are trying to access something that is not going out the vlan2 interface but instead the local router.

Code:
-i wl0.1 -o ! vlan2 -j DROP 
-i ! vlan2 -o wl0.1 -j DROP

Are you able to ping local devices on your lan with this setup or only devices that are going out the wan interface?

There is another rule in the ebtables under the broute table. I am pretty sure that this gets added when you disable access to local intranet. Check the output of this:

Code:
ebtables -t broute -L BROUTING

This might also be affecting what you are trying to do.
 
Thanks for the brouting tip. There is a rule there I missed. It drops tcp. Gotta learn how this works....
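The broute rule is what makes the guest's TCP to the router behave differently from its ICMP and UDP: in the ebtables broute table, DROP does not discard a frame, it forces the frame to be routed instead of bridged, and the IP stack then sees the physical port wl0.1 (not br0) as the input device, so the `-i br0 ... state NEW ACCEPT` rule in INPUT never matches and the final DROP applies. The following is an added Python model, not code from the thread or from the router firmware, that walks a frame from wl0.1 through the chains listed above; it assumes a LAN prefix of 192.168.1., a LAN port named eth1, and that the BROUTING rule matches TCP to the LAN subnet on wl0.1 (the thread only says it "drops tcp").

```python
# Added example, not code from the thread: a toy model of the path a frame from
# the guest port wl0.1 takes with "Intranet disabled". Rules are transcribed
# from the thread's listings; the BROUTING rule is an assumption (the thread
# only says it "drops tcp"). Key point: in the broute table DROP does not
# discard the frame, it forces it to be routed, and the IP stack then sees the
# physical port wl0.1 (not br0) as the input device.

LAN_NET = "192.168.1."      # constructed LAN prefix (assumption)

def brouting(in_if, proto, dst_ip):
    """ebtables -t broute: True when the frame is brouted (routed, not bridged).
    Assumed rule: -i wl0.1 -p IPv4 --ip-dst <LAN subnet> --ip-proto tcp -j DROP"""
    return in_if == "wl0.1" and proto == "tcp" and dst_ip.startswith(LAN_NET)

def ebtables_forward(in_if, out_if):
    """ebtables filter FORWARD as listed (policy ACCEPT)."""
    if in_if == "wl0.1" and out_if != "vlan2":
        return "DROP"
    if in_if != "vlan2" and out_if == "wl0.1":
        return "DROP"
    return "ACCEPT"

def iptables_input(in_if):
    """iptables INPUT as listed, for a NEW flow: only lo, tun0, br0 pass."""
    return "ACCEPT" if in_if in ("lo", "tun0", "br0") else "DROP"

def iptables_forward(in_if, out_if):
    """iptables FORWARD as listed (policy DROP), for a NEW flow."""
    if in_if != "br0" and out_if == "vlan2":
        return "DROP"
    if (in_if, out_if) in (("br0", "br0"), ("br0", "vlan2"),
                           ("br0", "tun0"), ("tun0", "br0")):
        return "ACCEPT"
    return "DROP"

def verdict(proto, dst_ip, dst_kind, in_if="wl0.1"):
    """dst_kind: 'router' (the router itself), 'lan' (host on br0), 'wan'."""
    if brouting(in_if, proto, dst_ip):
        # routed straight off the port: netfilter sees wl0.1, never br0
        if dst_kind == "router":
            return "iptables INPUT: " + iptables_input(in_if)
        return "iptables FORWARD: " + iptables_forward(
            in_if, "vlan2" if dst_kind == "wan" else "br0")
    if dst_kind == "lan":        # bridged port to port (eth1 = a LAN port, assumed)
        return "ebtables FORWARD: " + ebtables_forward(in_if, "eth1")
    # frame carries the router's MAC: delivered locally through br0
    if dst_kind == "router":
        return "iptables INPUT: " + iptables_input("br0")
    return "iptables FORWARD: " + iptables_forward("br0", "vlan2")
```

Running `verdict("tcp", "192.168.1.1", "router")` reproduces the symptom (INPUT drop for ssh/web), while ICMP and UDP to the router and TCP to the WAN are accepted, which is exactly the behaviour the first post describes.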
 