Help with routing guest to printer

I have searched this forum and read related topics, but I'm unable to configure what I want.

I am using a GL-inet Flint, which runs OpenWrt 21.02-SNAPSHOT r16399+157-c67509efd7 / LuCI openwrt-22.03 branch git-21.284.67084-e4d24f0.

I am using the Flint solely as a WiFi access point, not a router. I have a guest network configured and WiFi isolation activated.

I want computers on the guest network to be able to use a printer on my main network. The next sentences are a guess: Clearly the Flint is routing my guest network onto my main network via the main network's default route because guest network clients do have internet access. I need a way so that traffic for the printer goes to the printer instead of the default route.

If someone can help, please tell me how to do this via the LuCI interface, as I am not that great with config files.

Thank you.

If you go in LuCI and then:

firewall->traffic rules

there you can create a firewall rule.

Let's say you got two firewall zones for guest and lan and you want guest accessible in lan, you can do this:

name: forward-guestprinter-to-lan

src zone: lan

dst zone: guest

dst ip: <your printer ip> (optional; if empty, all guests can be reached. In LuCI's DHCP settings you can give it a fixed ip)

dst port: <your printer port> (optional)

target: accept

If you use a VPN, and especially something with PBR routing, best is to make an ignore rule.

Thank you for the reply. I guess I wasn't clear enough - your answer is backwards of what I want. The printer is on the main LAN, and I want guests to be able to access it (but guests should have no other access to the main LAN besides the printer).

Also, I see there is already a firewall rule to drop traffic from the guest LAN to the main LAN. How do I override that just for the printer?


Ah! Gotcha.

Then it should be:

src: guests
dst: lan
dst ip: <printer ip>
dst port: ?? (If you know it you can lockdown access even more)
target: accept

Basically this translates to: anything from zone guests to zone lan with dest ip of x gets accepted as forward to zone.

Edit
I see you edited it.

You could do a few things here; my guess is to move the drop rule above or below the current rule. If that doesn't work, you can edit the drop rule and at dst ip put !192.168.1.5, where 192.168.1.5 is your printer.

The problem is the guest rule may be added from a GL script, so it might be better to use the priority by dragging it either before or after the drop rule.

I really appreciate your help.
So far I have been unable to get this to work.
I can ping the printer from the guest network, but curiously I could ping before I added the firewall rule.
From a Windows laptop on the guest network, I tried to install the printer. I'm able to get it to install, but a test page won't print. I tried disabling the Windows firewall.
I tried moving the new firewall rule both above and below the existing rule that blocks guest access to the LAN.
Yes, the block rule is added by gl-inet automatically, so I didn't want to edit it.
Any ideas?

OK, I suppose you have some kind of main router,
and you use this router to make your main LAN.

Furthermore, you attached the dumb AP Flint to this existing main LAN.

Maybe a block diagram would be helpful?

Exactly right - GL-Inet Flint is a wireless access point only, not my main router. The Flint is just labeled "Wireless AP" in the diagram.

Well, it is a problem:
you could not expect that in some "magic way" the guest will be separated from the main network,
because the main SSID and guest SSID use the same way to output packets, aka the gateway is common.

So, the best way is to create a separate VLAN for the guest SSID, a trunk port on the Flint facing upstream, and on your main router (DD-WRT) create the same VLAN, DHCP server and firewall rules.

This way, the main and guest networks will be really separated at L2 (VLAN) and could not interfere.

Main and guest network are already not interfering due to guest isolation firewall rule. No need for VLAN.

You may have missed the point. The previous posts should make it clear what I'm trying to do.

As you wish ... 🙂

Hmm just to make sure:

Does the Flint still use its own DHCP and firewall? If so, it's not a dumb AP but just an AP, like the OP mentioned.

In that case you need to forward to WAN from the Flint. I think that also counts if you add 2 or more NATs in the same subnet, which I think you do(?)

For both scenarios:

in Flint you create a traffic rule like:

src zone: guests
dest zone: wan
dest ip: printerip
target: accept

If I'm correct, you don't need to change anything on DD-WRT, AFAIK, because once A talks to B, then B is allowed to talk back on the same line; if not, you may need to port-forward in the Flint and in DD-WRT forward it to the Flint.

READ THE LAST PARAGRAPH FIRST IF YOU DON'T WANT ALL THE DETAILS.

Flint does not supply localnet DHCP or firewall. Localnet DHCP is handled by a completely different (not Flint and not DD-WRT) DHCP server. WAN firewall is handled by DD-WRT. Although, there is a firewall rule automatically installed by GL-Inet in the Flint that isolates the guest network. (The rule says source zone guest (no IP), destination zone LAN, IP my locallan address, DROP.)

Flint is (without me apparently configuring anything) supplying DHCP for the guest network only.

Since this is all working, and guest devices have internet access, I presume the Flint is somehow automatically handling guest->WAN forwarding and is also handling any NAT needed from the guest network. Flint is not handling NAT for the localnet, that's in DD-WRT.

The difference in the traffic rule you are proposing from what we tried yesterday is that the destination zone is WAN instead of LAN. I gave it a try. The result is the same as yesterday - I can ping the printer from the guest network, but not print.


Just as a test, I tried disabling the rule that blocks guest access to the localnet, and right away I was able to print. I then re-enabled that rule, and tried the forwarding rule just for the printer both above and below the blocking rule but was unable to print either way. I then tried adding !printerIP to the destination address for the rule that blocks guest from localnet, but still no printing.

So, it's clear that the rule that isolates the guest network from the localnet is what's blocking printing. But I'm unable to figure out why I can't override that rule for the printer IP alone.


So, as a last gasp, I tried disabling all the guest firewall rules in the Flint, editing them without making changes, saving all the rules. And MYSTERIOUSLY it started working fine! This was with switching the destination zone back to LAN from WAN.

Thank you for your help!

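The rule that finally worked, written as it would appear in /etc/config/firewall (an added example, not from the thread or from GL-iNet's own scripts). The zone names `guest` and `lan`, the printer address 192.168.1.5 (the example value used earlier in the thread) and the LAN subnet are assumptions; 9100/tcp (raw/JetDirect), 631/tcp (IPP) and 515/tcp (LPD) are the usual print ports, so keep only the one the printer actually uses. Because fw3 emits rules for the same zone pair in config-file order, the ACCEPT must sit above the GL-iNet DROP rule, which is the same ordering the LuCI drag-and-drop achieves.

```uci
# Added example: /etc/config/firewall fragment (not from the thread or GL-iNet's scripts).
# Assumed zone names: 'guest' for the guest SSID, 'lan' for the main network.
# Assumed printer address 192.168.1.5; assumed LAN subnet 192.168.1.0/24.

# This rule must come BEFORE the guest-isolation rule below: fw3 inserts rules
# for the same src/dest zone pair in file order, so an ACCEPT placed after the
# DROP is never reached.
config rule
	option name 'Allow-Guest-Printer'
	option src 'guest'
	option dest 'lan'
	option proto 'tcp'
	option dest_ip '192.168.1.5'
	# Typical print ports: 9100 raw/JetDirect, 631 IPP, 515 LPD.
	# Narrow this to the single port the printer uses; omit dest_port only
	# if the printer really needs every port reachable.
	option dest_port '9100 631'
	option target 'ACCEPT'

# The isolation rule GL-iNet installs, as the thread describes it. It stays
# below the printer rule, so all other guest -> main LAN traffic is still dropped.
# The alternative mentioned in the thread is to exempt the printer here instead
# with:  option dest_ip '!192.168.1.5'
config rule
	option name 'Block-Guest-To-LAN'
	option src 'guest'
	option dest 'lan'
	option dest_ip '192.168.1.0/24'
	option target 'DROP'
```

After editing the file, `/etc/init.d/firewall reload` applies it; `iptables -L zone_guest_forward -n -v --line-numbers` then shows the ACCEPT entry numbered before the DROP entry, which is the check to make when a rule "mysteriously" does or does not take effect.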

Note: sometimes WiFi isolation can cause issues too, but as you said it might be the guest zone firewall rule. The only solution is to either remove it or change the firewall zone of guest to a new one, and maybe recreate the guest interface under a different name. I know that GL-iNet sometimes also has internal scripts and logic which may conflict with the inbuilt firewall.

On my own setup my modem sends all the VLANs, including for WiFi, with their own firewall zones. Basically I segregate everything to one NAT, which is the modem, and on my own Flint I removed all firewall zones, disabled DHCP, and added VLANs as DHCP client from eth0, which I then select as the interface for my wireless networks. It's important that in the bridge device the checkbox "bring up empty bridge" is off, otherwise clients cannot connect, as I experienced.

This is certainly more complicated than I expected.

Thanks again for your help in getting this to work.



Deleted, my mistake.
