Allow all traffic to a specific IP address

DD-WRT Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
mightyeric
DD-WRT Novice


Joined: 31 Jul 2021
Posts: 5

Posted: Sat Jul 31, 2021 17:14    Post subject: Allow all traffic to a specific IP address
Router Name: DD-WRT
Router Model: Linksys WRT1900ACS
Firmware Version: DD-WRT v3.0-r44715 std (11/03/20)
Kernel Version: Linux 4.9.241 #2174 SMP Tue Nov 3 02:44:43 +03 2020 armv7l

I'm trying to allow all traffic to/from a specific IP address (my network printer)

Main network (wired and wireless) is 192.168.1.x

Guest network (wireless) is 192.168.2.x

I've implemented these firewall rules:

iptables -I INPUT -s 192.168.1.50 -j ACCEPT
iptables -I OUTPUT -d 192.168.1.50 -j ACCEPT
iptables -I FORWARD -s 192.168.1.50 -j ACCEPT
iptables -I FORWARD -d 192.168.1.50 -j ACCEPT

and no other rules.

When I call iptables -L I get (truncated to only show the tops of the chains)

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.1.50 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc

and...

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.1.50
ACCEPT all -- 192.168.1.50 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP all -- anywhere 192.168.1.0/24 state NEW
upnp all -- anywhere anywhere

and...

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere 192.168.1.50
ACCEPT all -- anywhere anywhere


This all seems to be in order, but I cannot ping the printer (192.168.1.50) from my guest network (192.168.2.x)

I should note that I have AP isolation and NET isolation ENABLED for both wireless networks - but disabling these did not change the outcomes.

Any ideas?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sat Jul 31, 2021 17:59
Does both the client and the printer have the correct gateway address set?

Any rules in the NAT table?
mightyeric
DD-WRT Novice


Joined: 31 Jul 2021
Posts: 5

Posted: Sat Jul 31, 2021 18:38
Per Yngve Berg wrote:
Does both the client and the printer have the correct gateway address set?

Both have gateway set to 192.168.1.1

Per Yngve Berg wrote:
Any rules in the NAT table?

No NAT rules set at all
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sat Jul 31, 2021 19:42
mightyeric wrote:
Both have gateway set to 192.168.1.1


That is the error. All nodes at 192.168.2.x must have 192.168.2.1 as gateway (if that is the router's address on that interface).
mightyeric
DD-WRT Novice


Joined: 31 Jul 2021
Posts: 5

Posted: Sat Jul 31, 2021 20:56
OK, now I'm feeling foolish..

While the IP address of my guest network is 192.168.2.1
with subnet mask 255.255.255.0, I can't find a setting for gateway on any of the 3 wireless networks (ath0 5 GHz, ath1 2.4 GHz, or ath1.1 Guest Network).

So when I said the gateways were both 192.168.1.1, I was wrong.

On the main (wired) setup is the only place I can find a gateway setting, and the only setting that seems to allow internet traffic is 0.0.0.0

What am I missing?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

Posted: Sat Jul 31, 2021 21:05
It's set on the client machines, not the router.
mightyeric
DD-WRT Novice


Joined: 31 Jul 2021
Posts: 5

Posted: Sat Jul 31, 2021 21:41
By "client machine" you must mean my phone, right? Not the printer on the 192.168.1.1 network...
feliciano
DD-WRT Guru


Joined: 24 Oct 2008
Posts: 1079
Location: Latin America

Posted: Sun Aug 01, 2021 0:23
mightyeric wrote:
While the IP address of my guest network is 192.168.2.1
with subnet mask 255.255.255.0, I can't find a setting for gateway on any of the 3 wireless networks (ath0 5 GHz, ath1 2.4 GHz, or ath1.1 Guest Network).

So when I said the gateways were both 192.168.1.1, I was wrong.

On the main (wired) setup is the only place I can find a gateway setting, and the only setting that seems to allow internet traffic is 0.0.0.0

What am I missing?

If your phone and others are obtaining a dhcp lease, the dhcp server (the router) should provide the gateway address (which should be itself).

BTW: don't set network isolation on.

mightyeric
DD-WRT Novice


Joined: 31 Jul 2021
Posts: 5

Posted: Sun Aug 01, 2021 13:07
feliciano wrote:
BTW: don't set network isolation on.

Obviously this works, but effectively negates the firewall entirely. The firewall rules I've used are designed to specifically be the ONLY exception to the firewall.

Is this just a shortcoming of DDWRT?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Sun Aug 01, 2021 13:52
You are using an old build with known (small) safety issues (most probably not related to your problem).

See the forum guidelines:
To get the best out of DDWRT and the forum read the forum guidelines with helpful pointers:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087

For someone setting rules in the OUTPUT chain and giving your neighbour access to your printer (if this router is connected to the internet; luckily there seems to be an error in your setup, or the printer has its own local firewall allowing only its own subnet), it is a rather bold claim that the software is at fault (but impossible it is not).

For some light reading:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command
https://pastebin.com/r4u62P0B

It helps if we know more e.g.:
Post a picture of your VAP settings
Did you also create br1 and placed the VAP on that (normally not necessary)
Remove all your own rules, reboot and post output of:
iptables -vnL FORWARD

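The four rules in the first post accept traffic to and from 192.168.1.50 from any source and any direction, which is the "neighbour access" point egc raises, and the INPUT/OUTPUT rules only affect traffic to and from the router itself, so they do nothing for guest-to-printer forwarding. The script below is an added example for this thread (not code from the thread, from DD-WRT, or from any poster): it replaces the four rules with one FORWARD rule scoped to the guest subnet, and it reads the `iptables -vnL FORWARD --line-numbers` output egc asks for to confirm that the ACCEPT rule sits above the isolation DROP and that its packet counter is moving. It assumes the addresses from the first post (printer 192.168.1.50, guest subnet 192.168.2.0/24, main LAN 192.168.1.0/24); the function names, the IPT dry-run variable and the two sample chain dumps are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT. Assumed addresses are
# taken from the first post; override them in the environment if they differ.
PRINTER=${PRINTER:-192.168.1.50}
GUEST_NET=${GUEST_NET:-192.168.2.0/24}
LAN_NET=${LAN_NET:-192.168.1.0/24}
IPT=${IPT:-iptables}   # set IPT='echo iptables' to print the command instead of running it

# One rule is enough. Guest clients open NEW connections to the printer; the
# printer's replies already match DD-WRT's RELATED,ESTABLISHED rule, so no
# printer->guest rule and no INPUT/OUTPUT rules are needed (those chains only
# cover traffic to and from the router itself). Scoping the source to the guest
# subnet leaves the "DROP ... 192.168.1.0/24 state NEW" isolation rule in force
# for every other source. Position 1 puts it ahead of that DROP; iptables is
# first-match-wins, so a rule appended below the DROP would never be reached.
allow_guest_to_printer() {
    $IPT -I FORWARD 1 -s "$GUEST_NET" -d "$PRINTER" -m state --state NEW -j ACCEPT
}

# Helpers for the output of `iptables -vnL FORWARD --line-numbers`.
# Column layout: num pkts bytes target prot opt in out source destination [match ...]
first_accept_to_printer() {   # prints "<num> <pkts>" of the first ACCEPT rule whose destination is the printer
    printf '%s\n' "$1" | awk -v p="$PRINTER" \
        '$1 ~ /^[0-9]+$/ && $4 == "ACCEPT" && $10 == p { print $1, $2; exit }'
}
first_drop_to_lan() {         # prints "<num>" of the first DROP rule whose destination is the LAN subnet
    printf '%s\n' "$1" | awk -v n="$LAN_NET" \
        '$1 ~ /^[0-9]+$/ && $4 == "DROP" && $10 == n { print $1; exit }'
}

# Returns 0 and prints "ok accept=<n> drop=<m> pkts=<k>" when the ACCEPT rule
# precedes the isolation DROP, otherwise returns 1 with a diagnostic.
# If pkts stays at 0 after pinging the printer from a guest client, the packets
# never reach the FORWARD chain, so the iptables rule is not what blocks them
# (look at the client's route to 192.168.2.1 and at the isolation settings).
check_order() {
    acc=$(first_accept_to_printer "$1")
    drop=$(first_drop_to_lan "$1")
    [ -n "$acc" ] || { echo "no ACCEPT rule for $PRINTER in FORWARD"; return 1; }
    acc_num=${acc%% *}
    acc_pkts=${acc#* }
    if [ -z "$drop" ] || [ "$acc_num" -lt "$drop" ]; then
        echo "ok accept=$acc_num drop=${drop:-none} pkts=$acc_pkts"
        return 0
    fi
    echo "ACCEPT at $acc_num is below DROP at $drop: guest traffic hits the DROP first"
    return 1
}

# Constructed sample dumps in the `iptables -vnL FORWARD --line-numbers` format,
# modelled on the chain shown in the first post. The first has the scoped rule
# inserted at position 1; the second shows what appending it (-A) would give.
SAMPLE_DUMP='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       12   720 ACCEPT     all  --  *      *       192.168.2.0/24       192.168.1.50         state NEW
2     4021  312K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3       37  2220 DROP       all  --  *      *       0.0.0.0/0            192.168.1.0/24       state NEW
4        0     0 upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

MISORDERED_DUMP='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     4021  312K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       37  2220 DROP       all  --  *      *       0.0.0.0/0            192.168.1.0/24       state NEW
3        0     0 upnp       all  --  *      *       0.0.0.0/0            0.0.0.0/0
4        0     0 ACCEPT     all  --  *      *       192.168.2.0/24       192.168.1.50         state NEW'

# Stand-alone run: dry-run the rule, then check both sample dumps.
( IPT='echo iptables'; allow_guest_to_printer )   # prints the command only
check_order "$SAMPLE_DUMP"
check_order "$MISORDERED_DUMP" || true            # reports the bad ordering
```

On the router, run `allow_guest_to_printer` from the firewall script, then feed the live chain to the checker with `check_order "$(iptables -vnL FORWARD --line-numbers)"`, once before and once after a ping from a guest client, and compare the pkts value.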