Posted: Fri Feb 12, 2021 20:53 Post subject: From VAP to an ftp server behind WAN on second router
What I can do:
vlans can connect to the internet
I have port forwarding on router 2 port 21
Any pc on vlan1 (default lan) on router 1 can connect to the ftp server on router 2 without problems
What I'm trying to achieve:
I want to isolate all vlans and virtual ap from each other as well as from the main lan on router 1 (not sure if it's possible because router 2 is connected to the lan on router 1)
But I want to connect any pc ftp client located on virtual ap on router 1 to the filezilla server on router 2.
Problems I'm having:
virtual ap can't connect to the ftp server
I need help getting this setup with iptables, maybe?
This is not so much about what is the best method for file sharing as it is an exercise in how to set up or gain some routes while restricting others. Any help is greatly appreciated.
If you do not want that, you can just add the LAN port of the ftp server to the same VLAN as the WAN port, so it actually is sitting on the WAN: instead of VLAN1, add that LAN port to VLAN2.
It might even work via the GUI (Switch Config); usually setting VLANs does not work via the GUI and the CLI has to be used.
Joined: 18 Mar 2014 Posts: 12889 Location: Netherlands
Posted: Sun Feb 14, 2021 8:42 Post subject:
If you want to have seamless access between ftp client and server you can consider setting the LAN port of the FTP server on the same vlan as the WAN as described earlier.
Sorry for the delay and thanks for the document provided. The document seems to be about configuring router 2 to get a static ip and to create a static route between subnets on each router.
That's fine but the problem I'm trying to solve is isolating the VAP at 192.168.50.109 (or 192.168.50.0/24) on router 1 from everything else but still give the VAP access to the ftp server on router 2 with the forwarded port.
When I say VAP, I'm referring to the virtual wireless interface. I hope I'm not misleading you!
These are the most pertinent settings for the VAP under Wireless > Basic Settings > Virtual Interfaces (with advanced settings enabled):
Wireless Mode: AP
Wireless Network Name (SSID): MY_SSID
Wireless SSID Broadcast: Enabled
Advanced Settings: Checked
Protection Mode: None
RTS Threshold: Disabled
Frame Compression: Disabled
WMM Support: Enabled
AP Isolation: Disabled
Max Associated Clients: 256
DTIM Interval: 2
Network Configuration: Unbridged
Multicast forwarding: Disabled
Masquerade/Nat: Enabled
Net Isolation: Enabled
Forced DNS Redirection: Disabled
IP Address: 192.168.50.1
Subnet Mask: 255.255.255.0
With the most important perhaps being Net Isolation.
When I disable Net Isolation I'm ABLE to connect the VAP to the FTP server without issues. But that's the point, isn't it? I'm trying to isolate this virtual interface from everything else in the subnet while at the same time using the forwarded port on router 2 to connect to the ftp server. This is why I was mentioning iptables rules in my previous post. How is a static route going to help with this? I just don't understand that.
Anyways thanks for the efforts and I hope you are all doing well. I'm in the US.
Posted: Wed Feb 17, 2021 8:41 Post subject:
Ok now I understand that you are using port forward on router 2 to reach the ftp server (missed that somehow).
When you enable Net Isolation you block traffic to the local LAN, so you cannot reach 192.168.1.138.
One way out is setting the static route and opening the firewall as described, but then you can reach the whole 192.168.200.0 subnet and maybe that is not what you want.
If that is not what you want then consider making a rule to allow traffic from the ftp client to the server something like:
NAT (or more precisely Gateway mode) *might* not be needed on the internal router. It depends on knowing the full scope of any given configuration. Router mode *also* (at least last time I checked) disables connection tracking (presumably to improve performance)! But a dd-wrt router is commonly used for more than pure routing purposes. It's an applications platform too, and if those apps are creating their own firewall rules that rely on state information (NEW, ESTABLISHED, etc.), they won't work! Connection tracking has to be enabled. User scripts could be affected as well.
That's why you can't just make a blanket statement that Router mode should be used for internal routers, just because the WAN has a private IP. In a world where a router was *just* a router, nothing more, YES. But that's not what we have here. Users routinely take advantage of apps on those internal routers. You have to be careful when choosing Router mode and understand its *full* implications.
FWIW, this issue of Gateway vs. Router mode became such a problem w/ FT (FreshTomato), the developers recently removed the Router mode option entirely. It just caused too many problems given what little benefits it offers.
Personally, it's my recommendation that if you want to eliminate NAT, and intend to use any of the built-in apps, you either maintain Gateway mode and delete the NAT rule, or else use Router mode, but remove the NOTRACK rule from the raw table of the firewall. At least then connection tracking remains enabled.
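As an added example (not code from any of the posters), here is the kind of narrow allow rule the "rule to allow traffic from the ftp client to the server" suggestion refers to, written as a dd-wrt firewall script: clients on the unbridged VAP subnet may open only the FTP server's forwarded port, and Net Isolation keeps blocking everything else on the LAN. Because the rules match on connection state, they also depend on the point made above about connection tracking: router 1 must keep conntrack enabled (Gateway mode, or Router mode with the NOTRACK rule removed). The addresses are the ones given in the thread; the VAP interface name (wl0.1) and the passive port range are assumptions and must match your setup.

```shell
#!/bin/sh
# Added example, not from the thread: allow the VAP subnet to reach only the
# FTP server's forwarded port while Net Isolation keeps dropping the rest.
VAP_IF="${VAP_IF:-wl0.1}"          # assumed: name of the virtual interface
VAP_NET="192.168.50.0/24"          # VAP subnet from the thread
FTP_SERVER="192.168.1.138"         # LAN address that forwards port 21 (from the thread)
FTP_PORT="21"
PASV_PORTS="${PASV_PORTS:-}"       # optional, e.g. "50000:50100"; empty = control port only

# Prints the rules instead of running them, so they can be reviewed first
# (dry run) and then applied on the router with:  vap_ftp_rules | sh
vap_ftp_rules() {
    # -I FORWARD 1 puts each rule at the head of the chain, ahead of the DROP
    # rules that Net Isolation installs, so only this one flow is exempted.
    # Return traffic: only packets of a connection the VAP client opened.
    # (Masquerade on the VAP is undone in PREROUTING, so FORWARD sees the
    # real 192.168.50.x destination.) Needs conntrack, i.e. Gateway mode.
    echo "iptables -I FORWARD 1 -o $VAP_IF -s $FTP_SERVER -d $VAP_NET -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Optional passive data range: every FTP transfer opens a second,
    # server-chosen high port; port 21 alone carries only the control session,
    # so that range must also be forwarded on router 2 and allowed here.
    if [ -n "$PASV_PORTS" ]; then
        echo "iptables -I FORWARD 1 -i $VAP_IF -s $VAP_NET -d $FTP_SERVER -p tcp --dport $PASV_PORTS -m state --state NEW -j ACCEPT"
    fi
    # Control connection: new sessions from the VAP to the FTP port only.
    # Nothing else from the VAP is accepted, so the Net Isolation DROPs still
    # apply to the rest of the 192.168.1.0/24 LAN.
    echo "iptables -I FORWARD 1 -i $VAP_IF -s $VAP_NET -d $FTP_SERVER -p tcp --dport $FTP_PORT -m state --state NEW -j ACCEPT"
}

# Number of rules the script would install; useful as a sanity check before
# pasting it into the dd-wrt Firewall script box.
vap_ftp_rule_count() {
    vap_ftp_rules | wc -l | tr -d ' '
}
```

Verify afterwards with `iptables -L FORWARD -v -n --line-numbers` that the ACCEPT rules sit above the Net Isolation DROP rules, and that a VAP client can still not reach any other LAN address.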