Posted: Fri Oct 18, 2013 19:42 Post subject: Guest Wifi still has access to other subnet over VPN
Pulling my hair out, I'd love some help here. I'm not the most iptables savvy guy out there.
I've got a wifi router running dd-wrt that also has a guest wifi setup on it. It works great for preventing traffic to my local lan, however I just noticed that I can still see my other subnets located over the site to site VPN link.
For example:
local lan - 192.168.50.0/24
Site to Site VPN Subnet 1 - 192.168.30.0/24
Site to Site VPN Subnet 2 - 192.168.40.0/24
Guest Wifi - 192.168.1.0/24
While connected to the guest wifi I cannot see the 192.168.50.0/24 subnet. Perfect.
However, I can still see both of the other 2 subnets located in remote offices. Here are my current firewall commands on the DD-WRT:
# -I inserts at the top of a chain, so each later command here ends up evaluated before the earlier ones
# FORWARD: let guests (br1) open connections to the WAN subnet, but not to the local LAN subnet
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# Guest traffic leaving via br0 is source-NATed to the router's LAN address
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# INPUT: guests may not open connections to the router itself, except DHCP (67/udp) and DNS (53/udp, 53/tcp)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
# FORWARD: block guests from opening connections to the two remote VPN subnets
iptables -I FORWARD -i br1 -d 192.168.30.0/24 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.168.40.0/24 -m state --state NEW -j DROP
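To check what order those FORWARD rules actually end up in, here is a small simulator (added as an example; it is not code from the post or from DD-WRT) that applies iptables' first-match semantics and the fact that -I prepends while -A appends. The nvram values and the ACCEPT chain policy are assumptions, not the poster's real settings.

```python
import ipaddress
import re
import shlex

# Constructed stand-ins for the `nvram get ...` values in the post (assumed,
# not the poster's real addresses; the LAN one matches 192.168.50.0/24).
NVRAM = {"wan_ipaddr": "203.0.113.10", "wan_netmask": "255.255.255.0",
         "lan_ipaddr": "192.168.50.1", "lan_netmask": "255.255.255.0"}

# The FORWARD lines from the post, in the order the firewall script runs them.
SCRIPT = """
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.168.30.0/24 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.168.40.0/24 -m state --state NEW -j DROP
"""

def build_chain(script, chain="FORWARD"):
    """Return `chain` in evaluation order: -I prepends, -A appends."""
    rules = []
    for line in script.strip().splitlines():
        line = re.sub(r"`nvram get (\w+)`", lambda m: NVRAM[m.group(1)], line)
        argv = shlex.split(line)
        if argv[1] not in ("-I", "-A") or argv[2] != chain:
            continue
        # Every option used in the post takes exactly one argument.
        opts = {argv[i]: argv[i + 1] for i in range(3, len(argv) - 1, 2)}
        rule = {"in": opts.get("-i"), "state": opts.get("--state"), "target": opts["-j"],
                "dst": ipaddress.ip_network(opts["-d"], strict=False)}
        pos = 0 if argv[1] == "-I" else len(rules)
        rules.insert(pos, rule)
    return rules

def verdict(rules, in_if, dst, state="NEW", policy="ACCEPT"):
    """First match wins; returns (target, 1-based rule number) or (policy, None)."""
    addr = ipaddress.ip_address(dst)
    for n, r in enumerate(rules, 1):
        if (r["in"] in (None, in_if) and addr in r["dst"]
                and r["state"] in (None, state)):
            return r["target"], n
    return policy, None

if __name__ == "__main__":
    chain = build_chain(SCRIPT)
    for n, r in enumerate(chain, 1):
        print(n, r["in"], r["dst"], r["state"], r["target"])
    for dst in ("192.168.50.20", "192.168.30.5", "192.168.40.5", "203.0.113.1", "8.8.8.8"):
        print("br1 ->", dst, verdict(chain, "br1", dst))
```

As written, a new connection from br1 to either VPN subnet lands on a DROP rule near the top of the chain, so compare this order with `iptables -vnL FORWARD --line-numbers` on the router: if the live chain differs, the script did not get applied as written.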