Posted: Sat Jan 21, 2023 17:49 Post subject: Exempt printer from guest network rules
I've been living with this issue for a year, my "solution" being to go to the printer and plug it in via USB.
I've searched over and over but only found examples of very (relatively) complex setups.
My setup:
2 isolated, unbridged (GUI) VAPs, one is 5ghz, the other 2.4. I have 2 additional DHCP servers showing in Setup -> Networking. The 5ghz and 2.4ghz are on 192.168.2.1/24 and 192.168.3.1/24, respectively. (I couldn't get DNS working having both on the same subnet, would have liked to, but didn't work out, perhaps another separate iptables nightmare)
This may be a simple iptables thing, but as a Linux user of 15 years with experience in many programming/scripting languages, iptables is a NIGHTMARE, so I'm finally requesting help from anyone who can make heads or tails of it.
Can provide any additional details if necessary.
Not sure if it matters, but this code is saved in my current Firewall rules, it appears to be forwarding DNS (port 53), but again, iptables ....grumble
Code:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -d 192.168.2.1 -p udp --dport 53 -j ACCEPT
Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Sat Jan 21, 2023 21:20 Post subject:
As much as it may seem irrelevant, router model and DD-WRT version number information may be applicable here as well. For all we know, you zeroed in on the router database and are running 44715/44719.
Joined: 18 Mar 2014 Posts: 12882 Location: Netherlands
Posted: Sun Jan 22, 2023 7:36 Post subject:
If this is a router in default gateway mode e.g. its WAN port connected to the internet, then those rules you have do not make much sense.
If the VAP's you have made are for Guest access and you do not want those to be able to see your main network then Enable Net Isolation.
BTW it is fairly easy to make a bridge and assign both the VAP's (the 2.4 and 5 GHz) to that bridge.
If you want both VAP's to be able to see your printer then add for each VAP:
iptables -I FORWARD -i <VAP> -o br0 -d <ip-address-printer> -m state --state NEW -j ACCEPT
You can even further narrow it down if you know the port and protocol, e.g.:
iptables -I FORWARD -i <VAP> -o br0 -p tcp -d <ip-address-printer> --dport 9100 -m state --state NEW -j ACCEPT
Your VAP is usually something like wl0.1 or wlan0.1 (or if you have made a bridge, e.g. br1, then use that).
I have not tested it and it is very early, so there could be typos in it.
As much as it may seem irrelevant, router model and DD-WRT version number information may be applicable here as well. For all we know, you zeroed in on the router database and are running 44715/44719.
Sorry should have included, WRT3200ACM r51043 (12/19/22)
egc wrote:
If this is a router in default gateway mode e.g. its WAN port connected to the internet, then those rules you have do not make much sense.
If the VAP's you have made are for Guest access and you do not want those to be able to see your main network then Enable Net Isolation.
BTW it is fairly easy to make a bridge and assign both the VAP's (the 2.4 and 5 GHz) to that bridge.
If you want both VAP's to be able to see your printer then add for each VAP:
iptables -I FORWARD -i <VAP> -o br0 -d <ip-address-printer> -m state --state NEW -j ACCEPT
You can even further narrow it down if you know the port and protocol, e.g.:
iptables -I FORWARD -i <VAP> -o br0 -p tcp -d <ip-address-printer> --dport 9100 -m state --state NEW -j ACCEPT
Your VAP is usually something like wl0.1 or wlan0.1 (or if you have made a bridge, e.g. br1, then use that).
I have not tested it and it is very early, so there could be typos in it.
Attached my personal notes maybe you find those useful
Yes, the WAN port is connected to the internet and it's in gateway mode; those rules must be left over from when I was fighting with DNS not working on one of my guest networks a while back.
I ran the following commands:
Code:
iptables -I FORWARD -i wlan0.2 -o br0 -d 192.168.1.83 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wlan0.2 -o br0 -d 192.168.1.101 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wlan1.2 -o br0 -d 192.168.1.83 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wlan1.2 -o br0 -d 192.168.1.101 -m state --state NEW -j ACCEPT
My printer is the .101; .83 is a working, configured Pi-hole (just to test). I was only able to ping the printer (192.168.1.101) via wlan1.2, but neither the web interface nor printer connectivity were available. The Pi-hole test was a fail on both interfaces as well.
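The two posts above (egc's per-VAP ACCEPT rules and the four commands tried against wlan0.2/wlan1.2) both depend on rule order: with `iptables -I` every rule lands at the top of the FORWARD chain, so the guest-to-LAN DROP has to be issued before the printer ACCEPTs or it will shadow them. The script below is an added example, not from the thread or from DD-WRT, that emits the isolation rule plus the printer exceptions for each guest interface in the right order. The interface names, LAN subnet and printer address are placeholders modelled on the thread; ports 631 (IPP) and 80 (the printer's web UI) are assumed in addition to the 9100 mentioned in the thread. With `DRY_RUN=1` (the default) it only prints the commands, so it can be reviewed before being pasted into Administration -> Commands with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the thread): DD-WRT FORWARD rules that isolate a
# guest VAP from the LAN while allowing it to reach a single printer.
# All addresses and interface names below are assumed placeholders.

LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN subnet behind br0
PRINTER="${PRINTER:-192.168.1.101}"    # printer address (as in the thread)
GUEST_VAPS="${GUEST_VAPS:-wlan0.2 wlan1.2}"  # guest VAP interface names
PRINTER_PORTS="${PRINTER_PORTS:-9100 631 80}" # raw/JetDirect, IPP, web UI (assumed)
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = execute them

# Print the command when dry-running, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the rules for one guest interface. Because each `iptables -I` inserts
# at position 1 of the chain, the DROP is issued first and the ACCEPT rules
# afterwards, which leaves the ACCEPTs above the DROP in the final chain.
guest_printer_rules() {
    vap="$1"
    # 1. Block new connections from the guest VAP into the main LAN.
    run iptables -I FORWARD -i "$vap" -o br0 -d "$LAN_NET" \
        -m state --state NEW -j DROP
    # 2. Allow new TCP connections to the printer only, one port at a time.
    for port in $PRINTER_PORTS; do
        run iptables -I FORWARD -i "$vap" -o br0 -p tcp -d "$PRINTER" \
            --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Show the resulting chain with line numbers so the ACCEPT-above-DROP order
# can be confirmed after the rules are applied.
show_forward_chain() {
    run iptables -L FORWARD -v -n --line-numbers
}

for vap in $GUEST_VAPS; do
    guest_printer_rules "$vap"
done
show_forward_chain
```

When run on the router with `DRY_RUN=0`, the packet counters shown by `show_forward_chain` are the quickest check: a client on the guest VAP opening the printer's web page should increment the port 80 ACCEPT rule for that interface, and any other LAN address it tries should increment the DROP.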
Of course, the rules work.
But looking at your other posts, I'm not sure what you're doing.
In the forum there are stickies on how to configure a Pi-hole and create guest VAPs.
If you follow the instructions there are no problems with the DNS and you don't need any iptables rules.