Is there any way that my Guest Switch/AP can go online, for example to install/update packages?
Could this work via static routes (Static IPv4 Routes)?
edit: nvm, I've set the gateway and DNS server for the LAN interface to the IP address of my main router (192.168.1.1) and it works now.
As I need more ports soon I bought a sealed Cisco SG300-10PP PoE+ switch for a decent price (~125 EUR).
Hopefully that was a good choice; I might need PoE any time soon, so I went for the PoE+ version...
Back again with another problem, and this time I'm not sure if it can be solved with my isolated ebtables setup.
I would like to grant some guest clients access to my printer, which is connected to my main LAN.
Guest Client: 192.168.55.245
Printer: 192.168.1.111
Would this work with my current setup? Maybe via static routes and/or firewall traffic rules? Any hints?
Haven't found anything useful yet (forum + Google), but (for me) I think it would be easier to connect my printer via USB to my WRT3200ACM and install the needed kmod module and LuCI app.
A bit of a waste because my printer does support WiFi and LAN, but I always struggle with firewall rules and I don't want to mess up my isolated guest setup...
It worked just fine, I didn't think it would be that easy!
So a firewall traffic rule from Source Guest MAC Address (Guest Client) >> Destination Zone LAN (Destination Address: printer IP, static IP via DHCP) made it work!!
I used the Epson iPrint app to verify... Ty.
I don't think there's a good way to only allow 1 client to use the printer. You either open it up to the guest network, or you don't. At the moment, you have it opened up with a minor hurdle (MAC address filtering). There's nothing wrong with that decision per se of course, but I just wanted to make sure that you are aware not to rely on MAC address filtering for security.
I'm glad it worked that way without touching/changing my isolated guest setup.
My question would be: how can an attacker spoof the MAC address without knowing the guest client MAC address which I put the firewall rule in for?
Guest clients can't see each other thanks to the isolation with ebtables, so an attacker would need to access LuCI or SSH over my private LAN to read out the associated guest clients and their MAC addresses.
Well, maybe I have a thinking error about this, but otherwise the guest isolation would not make any sense...?
MAC addresses can be viewed unencrypted when devices have WiFi turned on. No need to even be connected to the network to grab the MAC address of devices using WiFi. So they are really easy to spoof.
The client isolation is helpful, because clients are unable to reach each other, since those rules do not work with MAC addresses. I'm just saying you should not consider your printer inaccessible.
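To make the point above concrete, here is an added example (not part of the thread and not the poster's code) that parses the MAC header of an 802.11 data frame. Even on a WPA2 network, only the frame body is encrypted; the Frame Control field and all address fields are sent in the clear, so anyone within radio range can read them. The frame bytes, the station, AP and printer MAC addresses, and the "ciphertext" are all constructed for this example.

```python
"""Parse the cleartext MAC header of an 802.11 data frame.

Constructed example: a CCMP-protected (WPA2) data frame from a station to
its access point. The Protected Frame bit is set and the body is opaque,
yet the source, destination and BSSID addresses are fully readable.
"""
import struct

# Flag bits in the second byte of the Frame Control field (IEEE 802.11-2020, 9.2.4.1)
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes) -> dict:
    """Return the fields of the (unencrypted) MAC header of a data frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal 802.11 MAC header")
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3          # 0=management, 1=control, 2=data
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & FLAG_TO_DS)
    from_ds = bool(fc1 & FLAG_FROM_DS)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    header_len, addr4 = 24, None
    if to_ds and from_ds:             # 4-address (WDS) frames carry Addr4
        addr4, header_len = frame[24:30], 30
    # The meaning of the address slots depends on the To DS / From DS bits.
    if not to_ds and not from_ds:
        da, sa, bssid = addr1, addr2, addr3
    elif to_ds and not from_ds:       # station -> AP
        bssid, sa, da = addr1, addr2, addr3
    elif not to_ds and from_ds:       # AP -> station
        da, bssid, sa = addr1, addr2, addr3
    else:                             # WDS: Addr3=DA, Addr4=SA
        da, sa, bssid = addr3, addr4, None
    return {
        "type": ftype, "subtype": subtype,
        "to_ds": to_ds, "from_ds": from_ds,
        "protected": bool(fc1 & FLAG_PROTECTED),
        "source": fmt_mac(sa), "destination": fmt_mac(da),
        "bssid": fmt_mac(bssid) if bssid else None,
        "sequence": seq_ctrl >> 4, "fragment": seq_ctrl & 0xF,
        "header_len": header_len,
    }


def build_protected_data_frame(sa: bytes, bssid: bytes, da: bytes, seq: int = 17) -> bytes:
    """Construct a station->AP CCMP-protected data frame (payload is dummy bytes)."""
    fc0 = 0x08                                   # protocol 0, type 2 (data), subtype 0
    fc1 = FLAG_TO_DS | FLAG_PROTECTED
    header = struct.pack("<BBH", fc0, fc1, 0x002C) + bssid + sa + da
    header += struct.pack("<H", seq << 4)        # sequence number in the upper 12 bits
    ccmp_hdr = bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])  # PN + ExtIV
    ciphertext = bytes(range(0x10, 0x20))        # constructed stand-in for encrypted body
    return header + ccmp_hdr + ciphertext


# Constructed addresses (locally administered, not real devices).
STATION = bytes.fromhex("021122334455")   # guest client
BSSID = bytes.fromhex("02aabbccddee")     # access point
PRINTER = bytes.fromhex("029988776655")   # final destination on the wire

SAMPLE_FRAME = build_protected_data_frame(STATION, BSSID, PRINTER)


if __name__ == "__main__":
    info = parse_80211_header(SAMPLE_FRAME)
    for key, value in info.items():
        print(f"{key:12} {value}")
```

Running it shows `protected True` next to a readable `source`, `destination` and `bssid`. That is all a MAC-based allow rule checks, which is why the isolation rules, not the MAC filter, are what actually keeps guests apart.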
A moment ago I googled "how to spoof mac address over wifi" because I kinda had something like this in mind.
Thanks for the clarification.
I mean, it's just a printer, but I should deny access to its web GUI, because if my printer is getting hacked someone could maybe access my private LAN over it.
I'll try to read more about it!!
Add the printer to the guest network (in my case, this network is called "untrusted". I use it for any devices I do not trust: guest WiFi, smart TV (they usually run outdated & vulnerable software), a server (because it has services opened to the internet), printers, etc., etc.)
Create a forward rule from the LAN firewall zone to the untrusted firewall zone. This way, all devices on your LAN are able to reach devices in the untrusted zone: to print on the printer, to SSH into the server, etc. But devices in the untrusted zone won't be able to reach devices in the LAN zone, so you are safe from infected WiFi devices from guests, an infected printer, etc.
Use ebtables to prevent any forwards within the untrusted zone. This way, an infected device won't be able to reach other devices in the untrusted zone.
Simply leave out the MAC address based filtering, because it is not secure anyway. And it should greatly simplify your setup IMO.
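The four steps above, written out as an added example for OpenWrt (this is not the poster's configuration and not from the thread). It assumes the iptables-based fw3 firewall with the `ebtables` package installed, a `wan` zone that already exists, an interface and zone both named `untrusted`, and that the printer port and guest SSID sit in a bridge named `br-untrusted`; change those names to match your `/etc/config/network`. The script prints the uci batch and ebtables rule when run off the router, and applies them when `uci` is available.

```shell
#!/bin/sh
# Added example: untrusted zone reachable from lan only, with L2 isolation.
# Assumed names: zones/interfaces "lan", "wan", "untrusted"; bridge "br-untrusted".

# uci batch: the zone itself, lan -> untrusted and untrusted -> wan forwarding,
# plus the DHCP/DNS the guests need from the router. No src_mac rules anywhere.
firewall_batch() {
    cat <<'EOF'
set firewall.untrusted=zone
set firewall.untrusted.name='untrusted'
set firewall.untrusted.network='untrusted'
set firewall.untrusted.input='REJECT'
set firewall.untrusted.output='ACCEPT'
set firewall.untrusted.forward='REJECT'
set firewall.lan_to_untrusted=forwarding
set firewall.lan_to_untrusted.src='lan'
set firewall.lan_to_untrusted.dest='untrusted'
set firewall.untrusted_to_wan=forwarding
set firewall.untrusted_to_wan.src='untrusted'
set firewall.untrusted_to_wan.dest='wan'
set firewall.untrusted_dns=rule
set firewall.untrusted_dns.name='Allow-DNS-untrusted'
set firewall.untrusted_dns.src='untrusted'
set firewall.untrusted_dns.proto='tcp udp'
set firewall.untrusted_dns.dest_port='53'
set firewall.untrusted_dns.target='ACCEPT'
set firewall.untrusted_dhcp=rule
set firewall.untrusted_dhcp.name='Allow-DHCP-untrusted'
set firewall.untrusted_dhcp.src='untrusted'
set firewall.untrusted_dhcp.proto='udp'
set firewall.untrusted_dhcp.dest_port='67'
set firewall.untrusted_dhcp.target='ACCEPT'
commit firewall
EOF
}

# Frames switched between two ports of the same bridge never reach iptables,
# so the zone's forward='REJECT' alone does not isolate guests from the printer.
# Dropping everything ebtables sees arriving on br-untrusted in FORWARD closes
# that path; routed traffic coming from lan leaves through ebtables OUTPUT and
# is unaffected, so printing from the LAN keeps working.
ebtables_rules() {
    cat <<'EOF'
ebtables -A FORWARD --logical-in br-untrusted -j DROP
EOF
}

apply_on_router() {
    if ! command -v uci >/dev/null 2>&1; then
        echo "uci not found (not on OpenWrt): printing what would be applied" >&2
        firewall_batch
        ebtables_rules
        return 0
    fi
    firewall_batch | uci batch
    ebtables_rules | sh
    /etc/init.d/firewall restart
}

apply_on_router
```

The ebtables line is not persistent across reboots; on fw3-era releases it can be appended to `/etc/firewall.user`. Wireless clients on the same SSID additionally need `option isolate '1'` in the wifi-iface, since frames between two stations of one AP are relayed by the driver before the bridge sees them.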