The lack of information about the guest router makes it difficult to provide accurate advice. What's the make and model? Does it support DD-WRT? Are you using DD-WRT? Is the WAN NAT'd?
Typically, when dealing with a secondary router connected WAN to LAN with respect to the primary router, you prevent access to the upstream network from the secondary router using the latter's IP firewall, NOT the primary router's IP firewall. But again, knowing nothing about the guest router, I don't know if that's even possible. Not unless it supports third-party firmware like DD-WRT, FreshTomato, Merlin, etc., where you do have that capability.
FWIW, the following script is (among other things) intended specifically to prevent such access. But it assumes the use of DD-WRT.
The modem goes to the WAN port of a Netgear R7000 running ExpressVPN firmware, which is custom DD-WRT v3 with a 192.x subnet.
Then on one of the LAN ports I have connected another R7000 running Netgear firmware to create that guest 10.x subnet.
So the guest 10 net has to traverse through the ExpressVPN router to get out to the internet.
I was under the impression that, using two different subnets, the ExpressVPN DD-WRT iptables could allow the guest to pass through to the WAN but not talk to any 192.x addresses.
From your link this line is similar but different to what I did, so I'll try it this way:
iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT
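As an added illustration of the two points above (eibgrad's: the block belongs on the secondary router's own firewall; and the FORWARD rule quoted from the linked script), here is a small POSIX sh script that derives the upstream subnet ($WAN_NET) from the secondary router's WAN address and netmask and emits the isolation rule. It is not code from the thread or from the linked script. The `nvram get wan_ipaddr` / `wan_netmask` names are assumed DD-WRT conventions; `br0` is assumed to be the guest LAN bridge; off-router the script falls back to constructed sample values so it can be run anywhere.

```shell
#!/bin/sh
# Added example: derive the upstream (WAN-side) subnet of the secondary router and
# print the FORWARD rule that stops NEW connections from the guest LAN bridge into
# that subnet. Internet-bound traffic is untouched because it does not match -d.
# Assumed names: br0 = guest LAN bridge, `nvram get wan_ipaddr`/`wan_netmask` = the
# secondary router's WAN address and mask as DD-WRT exposes them.

# Dotted quad -> integer (POSIX sh arithmetic, 64-bit in dash/ash/bash).
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask -> prefix length by counting set bits.
mask2prefix() {
    m=$(ip2int "$1"); p=0
    while [ "$m" -ne 0 ]; do
        p=$(( p + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$p"
}

# Address + netmask -> network in CIDR form, e.g. 192.168.1.50/255.255.255.0 -> 192.168.1.0/24
cidr_from_ip_mask() {
    net=$(( $(ip2int "$1") & $(ip2int "$2") ))
    echo "$(int2ip "$net")/$(mask2prefix "$2")"
}

# Emit the isolation rule for guest bridge $1 and upstream subnet $2.
# -I puts it ahead of the firmware's own FORWARD accept rules; "--state NEW"
# means only connection attempts from the guest side are refused.
guest_isolation_rules() {
    echo "iptables -I FORWARD -i $1 -d $2 -m state --state NEW -j REJECT"
}

# On DD-WRT read the WAN address from nvram (assumed variable names); elsewhere use
# constructed sample values so the script still runs for inspection.
upstream_net() {
    if command -v nvram >/dev/null 2>&1; then
        cidr_from_ip_mask "$(nvram get wan_ipaddr)" "$(nvram get wan_netmask)"
    else
        cidr_from_ip_mask 192.168.1.50 255.255.255.0   # constructed sample
    fi
}

WAN_NET=$(upstream_net)
echo "# upstream subnet: $WAN_NET"
guest_isolation_rules br0 "$WAN_NET"
```

Run it on the secondary router to see the exact rule it would apply; pipe the output into `sh` only there, never on the primary router, since on the primary a `-d $WAN_NET` rule would point at the wrong network. After applying, `iptables -C FORWARD -i br0 -d "$WAN_NET" -m state --state NEW -j REJECT` returns 0 if the rule is present, which is a convenient check in a startup script.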
Joined: 18 Mar 2014 Posts: 12881 Location: Netherlands
Posted: Mon Sep 05, 2022 9:36 Post subject:
Bushmaster2000 wrote:
The modem goes to the WAN port of a Netgear R7000 running ExpressVPN firmware, which is custom DD-WRT v3 with a 192.x subnet.
Then on one of the LAN ports I have connected another R7000 running Netgear firmware to create that guest 10.x subnet.
So the guest 10 net has to traverse through the ExpressVPN router to get out to the internet.
I was under the impression that, using two different subnets, the ExpressVPN DD-WRT iptables could allow the guest to pass through to the WAN but not talk to any 192.x addresses.
From your link this line is similar but different to what I did, so I'll try it this way:
iptables -I FORWARD -i br0 -d $WAN_NET -m state --state NEW -j REJECT
@eibgrad already said it all.
The rule you are referring to should be set on the secondary router, so on your R7000 running stock firmware.
But I am not sure if that is possible, as we do not support stock firmware and neither do we support ExpressVPN.