[SOLVED] Enable "Isolate Clients" option on one interface but let two IPs able to communicate

I've set up my wireless network as a guest network on a different subnet which can only retrieve DNS and DHCP, and I also enabled the option "Isolate clients" in Advanced settings, but I can't print with my Epson printer (WorkForce R8590; I initially did all of this because I noticed this printer was doing something strange...) whilst this option is checked.

Now, how can I make my computer (192.168.55.198) communicate with the printer (192.168.55.106) with the option "Isolate clients" activated?

Ummm... you can't if your printer is wireless... that's actually the point of the setting you enabled.

  • Make printer wired; or
  • Place it on another network and wireless SSID

Alright, I thought it'd be possible by adding a firewall rule. I don't know that much about networking, so I was thinking about this:
What if I go to the wireless tab and add a network with the same SSID as the other one, set the channel to auto, but allow different MAC addresses on each, so that I put them on different networks where one has the Isolate option on and the other doesn't?

You can't have two APs with the same SSID on the same radio. You should set up another SSID only for the printer, put the printer in its own network then firewall it as needed.

I did what I wrote in my previous post and it seems to be working. I placed them on different subnets and firewall settings, same SSID, MAC and radio. They have different MAC ACL settings, though.

Nope, the Isolate button under the WiFi page is hardware-based, not firewall-based (at least on my Atheros ath9k-based chip).

It sounds like you rigged it, and got the subnets to route.

:+1:

lol, finally got something working on the first try... I have another question: I want the LAN ports to act the same way as the wireless guest network (devices are only able to obtain DNS and an IP via DHCP but cannot connect to the router's gateway) unless one uses a static IP. How would one do so?
I went to the Interfaces page and pressed Add; now I need to select which network to cover, and I have eth or eth0.1 (lan). Which one do I select?
Then I just need to disable the DHCP server for lan and add it to the new VLAN network on a different subnet, right?
Also, is there a way to make only certain MAC addresses access the LAN subnet where the gateway is located?

  • I would create INPUT ALLOW rules for the DNS and DHCP, then immediately under, a DROP or REJECT rule (or make the zone default to DROP or REJECT).

Ummm... I'm not sure what you're trying to further accomplish, since you can print now.

  • If you wish for LAN to be statically addressed, then yes, disable it on LAN.

To be honest... I'm not sure, as I'm confused about how you rigged the SSID and have no clue why you're creating an interface now. In my suggestion, this would already exist and be configured for the LAN and Guest networks/SSIDs, respectively.

  • Which network/vlan did you create? That's the one you should cover.

Perhaps you should post your /etc/config/network and /etc/config/wireless

I'm unable to assist further on the non-standard setup without seeing configs. Be sure to obscure your keys.

Yes, it's a bit messy.
I can print, so the wireless part is done.
Now when I plug an ethernet cable into the router it gets an IP from the DHCP server of the LAN1 subnet, which can't access the LAN subnet where the router gateway is.
What I want to do is limit the devices which can access the LAN subnet. I disabled DHCP for this interface so one has to manually use the correct IP to access it, but do you know if there is a way to add a MAC filter or IP filter so only my computer can access the router's gateway?

Yes.

  • You can use firewall rules by MAC or IP to prevent forwarding from LAN to another network (e.g. WAN). Obviously, forwarding is handled by the router.

  • To prevent "access" to the router itself you make INPUT BLOCK rules.

Alright, so to allow my computer to access the router I have to go into the firewall tab, select Reject in the Input field of the LAN interface, and then add two firewall rules to allow my computer's MAC to access the router's IP via ports 443, 80 and 22 over TCP, right?

Can you describe in more detail what you want overall? Something like "I want LAN1 and LAN2 with mostly X computers in LAN1 and Y computers and printers etc. in LAN2, and exactly a certain set of MAC addresses can access from LAN1 into LAN2, but no one can access from LAN2 back into LAN1, and LAN2 can't access the router itself, and a cherry on top." or whatever. Just give us more details on what you want.

I would like to have:
a computer and a printer in guest1 (192.168.55.1) with the option "isolate clients" unchecked
all other wireless clients in guest (192.168.54.1) with the option "isolate clients" checked
only my computer can access the LAN network, with a manual IP
all other LAN clients connect via DHCP to LAN1, which doesn't have access to the LAN subnet

Right now I have 3 problems:
I can't browse the internet from any network (Lan, or guest)
LAN 1 doesn't work
DHCP doesn't work

Am I correct in thinking you want 4 separate networks?

  1. Guest
  2. Guest1
  3. LAN
  4. LAN1

Can I suggest better naming for less confusion? Maybe

  1. Guest (isolated wifi only?)
  2. Printers (unisolated wifi only?)
  3. Special (static LAN)
  4. LAN (regular DHCP LAN)

Now, basic outline of steps:

  1. Create VLANs on your switch for Special and LAN (there's already one for LAN probably).

  2. Create 4 interfaces in LuCI with these names; set the physical settings to the VLANs for Special and LAN

  3. Create 4 firewall zones in LuCI with these names,
    and put each interface into its associated firewall zone

  4. set up forwarding rules between firewall zones, for example:
    allow forwarding from LAN to Printers and WAN
    allow forwarding from Special to LAN, Printers, and WAN
    allow forwarding from Guest to Printers and WAN
    allow forwarding from Printers to WAN only, or maybe nowhere
    allow input to router from Special (this is where you config your router I assume)

  5. Now create associated SSIDs for Guest and Printers, with isolated checked for Guest and unchecked for Printers

Hope that helps!
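As an added worked example, not taken from any reply in this thread, here is a /etc/config/firewall fragment that implements the outline above. It assumes step 2 has been done, i.e. /etc/config/network already defines interfaces named special, lan, guest and printers, that the stock wan zone (with masquerading) is kept unchanged, and that the MAC address and IP of the admin machine are placeholders to be replaced:

```uci
# /etc/config/firewall fragment for the Special/LAN/Guest/Printers design.
# Zone names here are assumptions; the stock wan zone is kept and not repeated.

config zone
	option name 'special'
	option network 'special'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'guest'
	option network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'printers'
	option network 'printers'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Only these src -> dest pairs are routed; everything else, including any
# path from Guest or Printers back into LAN or Special, hits forward=REJECT.
config forwarding
	option src 'special'
	option dest 'wan'
config forwarding
	option src 'special'
	option dest 'lan'
config forwarding
	option src 'special'
	option dest 'printers'
config forwarding
	option src 'lan'
	option dest 'wan'
config forwarding
	option src 'lan'
	option dest 'printers'
config forwarding
	option src 'guest'
	option dest 'wan'
config forwarding
	option src 'guest'
	option dest 'printers'
config forwarding
	option src 'printers'
	option dest 'wan'

# Router INPUT for the DHCP-served zones: DNS (tcp+udp 53) and DHCP (udp 67-68) only.
config rule
	option src 'lan'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
config rule
	option src 'lan'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
config rule
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
config rule
	option src 'guest'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'
config rule
	option src 'printers'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
config rule
	option src 'printers'
	option proto 'udp'
	option dest_port '67-68'
	option target 'ACCEPT'

# Router INPUT from Special: only the admin host (placeholder MAC/IP), only management ports.
config rule
	option name 'Admin-to-router'
	option src 'special'
	option src_mac '00:11:22:33:44:55'
	option src_ip '192.168.1.10'
	option proto 'tcp'
	option dest_port '22 80 443'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall restart` and check the generated chains with `iptables -nvL zone_guest_input` (fw3 names them zone_<zone>_input and zone_<zone>_forward). Two caveats worth keeping in mind. First, `option isolate '1'` on a wifi-iface only stops clients of that one SSID from talking to each other through the AP; anything that reaches the router is decided by the zone policies above, which is why Guest and Printers have forward REJECT and no forwarding into LAN or Special. Second, matching on src_mac is a convenience, not authentication: a MAC address is trivially cloned, and the match is only meaningful for hosts on the same L2 segment as the router. The real boundary is the separate SSID/WPA2 key and the switch VLAN assignment from step 1; the MAC rule just narrows which host on the already-trusted Special VLAN gets the management ports. If the admin host should also resolve DNS through the router, give Special a port 53 rule like the ones above.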

yes

my mind is messy, my bad

yes

yes

This should be the regular LAN (which is created by the default settings) but with no DHCP. I would like only my computer (MAC address) with a static IP to be able to access this interface and the router's gateway. The other interfaces can only get an IP via DHCP and DNS and surf the internet.

I did create a new VLAN with the name LAN 1 but it says this (the physical settings are also shown):
https://imgur.com/a/7MJBM7w

Done, the pictures in my previous post show that.
I have only one radio (TP-Link WR841N V11.1) and the SSID is the same, but the MAC ACL list and the subnet are different.

done

Done; I didn't change the interfaces' names because I don't know how to do that in the LuCI GUI. Maybe it's possible via SSH... would this mess with the firewall zones?

I still can't access the internet nor get IPs via DHCP...

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr 'routerssubnet'

config interface 'wan'
wan settings

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0t'

config interface 'guest'
	option proto 'static'
	option netmask '255.255.255.0'
	option delegate '0'
	option ipaddr 'isolatewifisubet'

config interface 'guest1'
	option proto 'static'
	option delegate '0'
	option ipaddr 'printers subnet'
	option netmask '255.255.255.0'

config interface 'lan1'
	option proto 'static'
	option ifname 'lan1'
	option ipaddr 'guestlansubnet'
	option netmask '255.255.255.0'
	option delegate '0'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option nonwildcard '1'
	option localservice '1'
	option noresolv '1'
	option allservers '0'
	option resolvfile '/etc/resolv-crypt.conf'
	list server 'dnscrypt'
	list server '/pool.ntp.org/xxxx'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config host
	option name 'nameofdevice'
	option mac 'macaddressofdevice'

config dhcp 'guest1'
	option interface 'guest1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'lan1'
	option start '100'
	option leasetime '12h'
	option limit '150'
	option interface 'lan1'

/etc/config/firewall

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'lan'
	option src_mac 'mycomputermac'
	option src_ip 'mycomputerip'
	option name 'DNSSpecial'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'guest'
	option name 'DNSGuest'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'guest1'
	option name 'DNSPrinters'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option dest_port '53'
	option family 'ipv4'
	option src 'lan1'
	option name 'DNSLan1'

config rule
	option proto 'udp'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'guest'
	option dest_port '67-68'
	option name 'DHCPGuest'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option family 'ipv4'
	option src 'guest1'
	option name 'DHCPPrinters'

config rule
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '67-68'
	option family 'ipv4'
	option src 'lan1'
	option name 'DHCPlan1'

config rule
	option target 'ACCEPT'
	option proto 'tcp'
	option dest_port '443'
	option family 'ipv4'
	option src 'lan'
	option src_mac 'mycomputermac'
	option src_ip 'mycomputerip'
	option dest_ip 'mycomputerip'
	option name 'ForwardSpecialToRouter'
	option dest 'lan'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option family 'ipv4'
	option src_mac 'mycomputermac'
	option src_ip 'mycomputerip'
	option name 'ForwardSpecialToWan'
	option dest 'wan'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'
	option family 'ipv4'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan'
	option family 'ipv4'

config include
	option path '/etc/firewall.user'

config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'
	option family 'ipv4'

config zone
	option name 'guest1'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest1'
	option input 'REJECT'
	option family 'ipv4'

config forwarding
	option dest 'wan'
	option src 'guest'

config forwarding
	option dest 'wan'
	option src 'guest1'

config forwarding
	option dest 'wan'
	option src 'lan'

config zone
	option name 'lan1'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'lan1'
	option family 'ipv4'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'lan1'

config rule
	option target 'ACCEPT'
	option src 'lan1'
	option name 'ForwardLan1ToWan'
	option family 'ipv4'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option src 'guest1'
	option name 'ForwardPrintersToWan'
	option family 'ipv4'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'ForwardGuestToWan'
	option family 'ipv4'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option proto 'tcp udp'
	option family 'ipv4'
	option src 'lan'
	option src_mac 'mycomputermac'
	option src_ip 'mycomputerip'
	option name 'AllowSpecialInputAnything'

@lleachii

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca953x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'
	option channel 'auto'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'printers'
	option macfilter 'allow'
	option encryption 'psk2+ccmp'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'ssid'
	option key 'pwd'
	list maclist 'macs'

config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option network 'guest'
	option macfilter 'allow'
	option isolate '1'
	option encryption 'psk2+ccmp'
	option key 'samepwd'
	option wpa_disable_eapol_key_retries '1'
	option ssid 'samessid'
	list maclist 'diffrentmacs'

Make the relevant guest network a bridge and add an SSID. Then permit traffic to the printer.

Aaah, I had some MAC addresses in both the guest and printers networks, and some hostnames in DHCP with spaces. Once I corrected that everything started working lol

Thanks @lleachii @dlakelan @mk24 for the help!!!
