[SOLVED] net isolated virtual access point to usb storage

Howz
DD-WRT Novice


Joined: 19 Aug 2020
Posts: 14

Posted: Mon Jul 05, 2021 19:12    Post subject: [SOLVED] net isolated virtual access point to usb storage
Hi all,

I have a USB storage which can be accessed without issues. The VAP has net isolation and has internet access but it won't connect to the USB storage via SSH.

Let's say I'm working with one router so the SSH looks like this:
root@192.168.1.1

And my PC is connected to VAP at:
192.168.50.123

I'm only interested in allowing traffic from this IP only, not the whole subnet.

Which iptables rules do I need in the firewall to allow this traffic?

Thank you.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10799
Location: Netherlands

Posted: Tue Jul 06, 2021 8:43
try:
Code:
iptables -I FORWARD -s 192.168.50.123 -d 192.168.1.1 -j ACCEPT


A rather crude rule as I did not specify interfaces :(

For some better examples see:
https://pastebin.com/r4u62P0B

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
Howz
DD-WRT Novice


Joined: 19 Aug 2020
Posts: 14

Posted: Tue Jul 06, 2021 18:08
egc,

This is what I have tried and nothing worked. I'm not sure which interface I should use. The ifconfig command shows ath0.1 with the IP I've given the PC. I've even tried using the MAC address that shows under Status >> LAN >> DHCP Clients. I've no idea how to use iptables properly.

iptables -I FORWARD -s 192.168.50.123 -d 192.168.1.1 -j ACCEPT
iptables -I FORWARD -o ath0.1 -s 192.168.50.123 -d 192.168.1.1 -j ACCEPT
iptables -I FORWARD -o eth2 -s 192.168.50.123 -d 192.168.1.1 -j ACCEPT
iptables -I FORWARD -i br0 -o ath0.1 -s 192.168.50.123 -d 192.168.1.1 -j ACCEPT
iptables -I FORWARD -p tcp --dport 22 -m mac --mac-source 'my_mac' -j ACCEPT

Any other ideas?

Note: I've only run these commands one at a time. I have not added any of these rules to the firewall script.
student13
DD-WRT User


Joined: 17 Nov 2016
Posts: 91

Posted: Tue Jul 06, 2021 18:40
Is your USB router attached storage SMB or FTP?

Why don't you try FTP and allow pass-through using a variation of the above rules?
Howz
DD-WRT Novice


Joined: 19 Aug 2020
Posts: 14

Posted: Wed Jul 07, 2021 3:03
Neither, I use SSH with a file manager like WinSCP or Midnight Commander.

Let me try to clear the confusion.

I have a USB enclosure connected to a Netgear R7800 router. Then enabled Core USB Support on Services >> USB.

No FTP, no Samba.

I can connect via SSH without any problems from the default vlan. I can also connect fine from the VAP but I would have to disable net isolation which I don't want to do. What is not allowing me to connect, I think, is the router's firewall. That's why I'm trying to get a rule added to iptables for this PC.

I haven't attempted FTP as it's not a setup I desire. I normally connect using SSH with root@192.168.1.1 and then entering the password for the router. I would assume if SSH doesn't work from an isolated VAP, neither would FTP.

Perhaps you could shed some light as to why FTP would be any different.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 13112
Location: Texas, USA

Posted: Wed Jul 07, 2021 3:48
You have only core USB support enabled and not USB storage?
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
At some point, people just get plain tired of this place.
Because they are tired of bottom-feeders and the same old hat.

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10799
Location: Netherlands

Posted: Wed Jul 07, 2021 7:45
As you are using the router itself try this rule:
iptables -I INPUT -s 192.168.50.123 -j ACCEPT

Howz
DD-WRT Novice


Joined: 19 Aug 2020
Posts: 14

Posted: Thu Jul 08, 2021 1:14
@kernel-panic69,

Yeap, USB storage is also enabled.

@egc,

The Input chain did the trick. I tested the previous rules one by one with some minor adjustments and they all work.

Thanks!
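
Added example, not part of any post in this thread: the FORWARD rules could not match because SSH to 192.168.1.1 terminates on the router itself and is filtered by INPUT, and the INPUT rule that worked accepts every protocol and port from that host. The sketch below picks the chain from the destination and builds a rule limited to TCP port 22 arriving on the VAP; the function names, `ROUTER_ADDRS` and `DRY_RUN` are assumptions, and `ath0.1` as the ingress interface is taken from the ifconfig output mentioned above.

```shell
#!/bin/sh
# Added example, not from the thread. Addresses, port and ath0.1 come from the
# posts; function names, ROUTER_ADDRS and DRY_RUN are assumptions.

ROUTER_ADDRS="192.168.1.1"   # addresses owned by the router itself
DRY_RUN="${DRY_RUN:-1}"      # 1 = print commands only, 0 = run iptables

# Packets addressed to the router are filtered by INPUT; packets routed
# through it to another host are filtered by FORWARD.
chain_for() {
    for addr in $ROUTER_ADDRS; do
        [ "$1" = "$addr" ] && { echo INPUT; return 0; }
    done
    echo FORWARD
}

# Build a rule spec limited to one source host, one ingress interface and
# one TCP port, instead of accepting everything from the host.
ssh_rule_spec() {   # args: src dst in_iface port
    echo "$(chain_for "$2") -i $3 -s $1 -d $2 -p tcp --dport $4 -j ACCEPT"
}

# Delete any existing copy before inserting, so rerunning the firewall
# script does not stack duplicate rules.
apply_rule() {      # args: rule spec as one string
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -I $1"
    else
        iptables -D $1 2>/dev/null || true
        iptables -I $1
    fi
}

apply_rule "$(ssh_rule_spec 192.168.50.123 192.168.1.1 ath0.1 22)"
```

With `DRY_RUN=0` the same call can go in the router's firewall script so the rule is restored after a reboot or firewall restart.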