Exempt printer from guest network rules

covid19
DD-WRT Novice


Joined: 21 Jan 2023
Posts: 2

Posted: Sat Jan 21, 2023 17:49    Post subject: Exempt printer from guest network rules
I've been living with this issue for a year, the "solution" being to go to the printer and plug it in via USB.
I've searched over and over but only found examples of very (relatively) complex setups.

My setup:
2 isolated, unbridged (GUI) VAPs, one is 5ghz, the other 2.4. I have 2 additional DHCP servers showing in Setup -> Networking. The 5ghz and 2.4ghz are on 192.168.2.1/24 and 192.168.3.1/24, respectively. (I couldn't get DNS working having both on the same subnet, would have liked to, but didn't work out, perhaps another separate iptables nightmare)

This may be a simple iptables thing; as a Linux user of 15 yrs with experience in many programming/scripting languages, iptables is a NIGHTMARE. I'm finally requesting help from anyone who can make heads or tails of it.
Can provide any additional details if necessary

Not sure if it matters, but this code is saved in my current Firewall rules, it appears to be forwarding DNS (port 53), but again, iptables ....grumble
Code:

iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -d 192.168.2.1 -p udp --dport 53 -j ACCEPT


Thanks in advance for any insight
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6856
Location: Romerike, Norway

Posted: Sat Jan 21, 2023 19:44
I cannot see anything for printers in iptables. HP Jetdirect is usually port 9000.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Sat Jan 21, 2023 21:20
As much as it may seem irrelevant, router model and DD-WRT version number information may be applicable here as well. For all we know, you zeroed in on the router database and are running 44715/44719.
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Sun Jan 22, 2023 7:36
If this is a router in default gateway mode e.g. its WAN port connected to the internet, then those rules you have do not make much sense.

If the VAP's you have made are for Guest access and you do not want those to be able to see your main network then Enable Net Isolation.

BTW it is fairly easy to make a bridge and assign both the VAP's (the 2.4 and 5 GHz) to that bridge.

If you want both VAP's to be able to see your printer then add for each VAP:
iptables -I FORWARD -i <VAP> -o br0 -d <ip-address-printer> -m state --state NEW -j ACCEPT

You can even further narrow it down if you know the port and protocol, e.g.:
iptables -I FORWARD -i <VAP> -o br0 -p tcp -d <ip-address-printer> --dport 9100 -m state --state NEW -j ACCEPT

Your VAP is usually something like wl0.1 or wlan0.1 (or if you have made a bridge, e.g. br1, then use that)

I have not tested it and it is very early, so there could be typos in it.

Attached are my personal notes; maybe you find those useful.

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
covid19
DD-WRT Novice


Joined: 21 Jan 2023
Posts: 2

Posted: Thu Jan 26, 2023 16:44
Thanks for the quick responses

kernel-panic69 wrote:
As much as it may seem irrelevant, router model and DD-WRT version number information may be applicable here as well. For all we know, you zeroed in on the router database and are running 44715/44719.


Sorry should have included, WRT3200ACM r51043 (12/19/22)

egc wrote:
If this is a router in default gateway mode e.g. its WAN port connected to the internet, then those rules you have do not make much sense.

If the VAP's you have made are for Guest access and you do not want those to be able to see your main network then Enable Net Isolation.

BTW it is fairly easy to make a bridge and assign both the VAP's (the 2.4 and 5 GHz) to that bridge.

If you want both VAP's to be able to see your printer then add for each VAP:
iptables -I FORWARD -i <VAP> -o br0 -d <ip-address-printer> -m state --state NEW -j ACCEPT

You can even further narrow it down if you know the port and protocol, e.g.:
iptables -I FORWARD -i <VAP> -o br0 -p tcp -d <ip-address-printer> --dport 9100 -m state --state NEW -j ACCEPT

Your VAP is usually something like wl0.1 or wlan0.1 (or if you have made a bridge, e.g. br1, then use that)

I have not tested it and it is very early, so there could be typos in it.

Attached are my personal notes; maybe you find those useful.


Yes, the WAN port is connected to the internet and it's in gateway mode. It must be there from when I was fighting with DNS not working on one of my guest networks a while back.

I ran the following commands:
Code:
iptables -I FORWARD -i wlan0.2 -o br0 -d 192.168.1.83 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wlan0.2 -o br0 -d 192.168.1.101 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wlan1.2 -o br0 -d 192.168.1.83 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wlan1.2 -o br0 -d 192.168.1.101 -m state --state NEW -j ACCEPT

My printer is the .101; .83 is a working, configured pi-hole (just to test). I was only able to ping the printer (192.168.1.101) via wlan1.2, but neither the web interface nor printer connectivity were available. The pi-hole test was a fail on both interfaces as well.
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Thu Jan 26, 2023 17:35
Of course, the rules work.
But looking at your other posts, I'm not sure what you're doing.

In the forum there are stickies on how to configure a Pi-Hole and create guest VAPs.
If you follow the instructions there are no problems with the DNS and you don't need any iptables rules.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

Posted: Thu Jan 26, 2023 20:17
The rules look OK.

But let's see if it works.
Show output (telnet, putty etc) of:
iptables -vnL FORWARD

To be sure: your printer is on the main LAN, e.g. br0?

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Fri Jan 27, 2023 9:02
Code:
root@DD-WRT:~# iptables -I FORWARD -i wlan0.1 -o br0 -d 192.168.1.110 -m state --state NEW -j ACCEPT

:~$ ifconfig
wlp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.3.101  netmask 255.255.255.0  broadcast 192.168.3.255


:~$ ping 192.168.1.110
PING 192.168.1.110 (192.168.1.110) 56(84) Bytes Daten.
64 Bytes von 192.168.1.110: icmp_seq=1 ttl=63 Zeit=3.88 ms
64 Bytes von 192.168.1.110: icmp_seq=2 ttl=63 Zeit=2.88 ms

root@DD-WRT:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 ACCEPT     all  --  wlan0.1 br0     0.0.0.0/0            192.168.1.110        state NEW


Code:
root@DD-WRT:~# iptables -D FORWARD -i wlan0.1 -o br0 -d 192.168.1.110 -m state --state NEW -j ACCEPT

:~$ ping 192.168.1.110
PING 192.168.1.110 (192.168.1.110) 56(84) Bytes Daten.
Von 192.168.3.1 icmp_seq=1 Zielport nicht erreichbar
Von 192.168.3.1 icmp_seq=2 Zielport nicht erreichbar


Code:
root@DD-WRT:~# iptables -I FORWARD -i wlan1.1 -o br0 -d 192.168.1.110 -m state --state NEW -j ACCEPT

:~$ wlp4s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.4.145  netmask 255.255.255.0  broadcast 192.168.4.255

:~$ ping 192.168.1.110
PING 192.168.1.110 (192.168.1.110) 56(84) Bytes Daten.
64 Bytes von 192.168.1.110: icmp_seq=1 ttl=63 Zeit=4.81 ms
64 Bytes von 192.168.1.110: icmp_seq=2 ttl=63 Zeit=4.28 ms

root@DD-WRT:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    1    84 ACCEPT     all  --  wlan1.1 br0     0.0.0.0/0            192.168.1.110        state NEW


Code:
root@DD-WRT:~# iptables -D FORWARD -i wlan1.1 -o br0 -d 192.168.1.110 -m state --state NEW -j ACCEPT

:~$ ping 192.168.1.110
PING 192.168.1.110 (192.168.1.110) 56(84) Bytes Daten.
Von 192.168.4.1 icmp_seq=1 Zielport nicht erreichbar
Von 192.168.4.1 icmp_seq=2 Zielport nicht erreichbar
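The script below is an added example and not code from the thread or from DD-WRT. It puts the per-VAP printer exception egc describes into one place, narrowed to TCP 9100 as in the second rule, and adds the kind of check ho1Aetoo's post shows: reading `iptables -vnL FORWARD` and looking at the packet counter of the expected rule, since a rule that is present but never counts a packet points at a wrong VAP name, a printer that is not on br0, or a wrong port. Assumed values are the thread's guest VAPs wlan0.2 and wlan1.2 and printer 192.168.1.101; the sample counter output is constructed. It also assumes the stock DD-WRT FORWARD chain already accepts RELATED,ESTABLISHED, so only NEW connections need an explicit ACCEPT.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT.
# Assumed values (from the thread where they exist, otherwise constructed):
#   guest VAPs wlan0.2 and wlan1.2, printer 192.168.1.101 on br0, raw print TCP 9100.
# Assumed: the FORWARD chain already accepts RELATED,ESTABLISHED (DD-WRT default),
# so reply traffic needs no extra rule.

PRINTER_IP="192.168.1.101"
PRINTER_PORT="9100"
GUEST_VAPS="wlan0.2 wlan1.2"

# Emit the rule for one VAP as text. -I puts it ahead of the DROP that Net
# Isolation or the user's own rules add; -p tcp --dport limits the exception
# to printing rather than opening the whole host.
printer_rule_for_vap() {
    printf 'iptables -I FORWARD -i %s -o br0 -p tcp -d %s --dport %s -m state --state NEW -j ACCEPT\n' \
        "$1" "$PRINTER_IP" "$PRINTER_PORT"
}

# Emit the rules for every guest VAP (what you would paste into the firewall script).
printer_rules() {
    for vap in $GUEST_VAPS; do
        printer_rule_for_vap "$vap"
    done
}

# Read `iptables -vnL FORWARD` output on stdin and print the packet counter of
# the ACCEPT rule for <vap> -> br0 -> <printer ip>, or "missing" if there is none.
# Column layout: pkts bytes target prot opt in out source destination ...
forward_rule_pkts() {
    awk -v in_if="$1" -v dst="$2" '
        $3 == "ACCEPT" && $6 == in_if && $7 == "br0" && $9 == dst { print $1; found = 1; exit }
        END { if (!found) print "missing" }'
}

# Constructed sample counter output in the format the router prints:
# wlan0.2 has matched 7 new connections, wlan1.2 none yet.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    7   588 ACCEPT     tcp  --  wlan0.2 br0     0.0.0.0/0            192.168.1.101        tcp dpt:9100 state NEW
    0     0 ACCEPT     tcp  --  wlan1.2 br0     0.0.0.0/0            192.168.1.101        tcp dpt:9100 state NEW
   12  1008 DROP       all  --  wlan0.2 br0     0.0.0.0/0            192.168.1.0/24       state NEW'

# "apply" installs the rules on the router, "check" reads the live counters,
# no argument prints the rules and evaluates the constructed sample.
case "${1:-}" in
    apply) printer_rules | sh ;;
    check) for vap in $GUEST_VAPS; do
               printf '%s: %s\n' "$vap" "$(iptables -vnL FORWARD | forward_rule_pkts "$vap" "$PRINTER_IP")"
           done ;;
    *)     printer_rules
           printf '%s\n' "$SAMPLE_FORWARD" | forward_rule_pkts wlan0.2 "$PRINTER_IP" ;;
esac
```

On the router, run it once with `apply` after a print attempt from each guest network, then with `check`: a counter that stays at 0 on one VAP while the other climbs is the same symptom the thread describes (ping works on wlan1.2 only), and the first thing to compare is the interface name in the rule against the VAP the client actually joined.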