We finally got rid of Time Warner Cable / Spectrum / whatever they want to call themselves this week’s overpriced Internet that includes five free outages between 1100 and 1500 each day. But the firmware on the new ISP’s router doesn’t have a facility to back up the config. And if we’re going to have static IPs for all of our speakers, printers, servers … we don’t want to have to re-enter all of that data if the router config gets reset. Same with configuring the WiFi networks. And, and and. So instead of using the snazzy new router, we are using our old router on .2, the new router on .1 … and everything actually connects to the old router, uses the DHCP server on the old router. And only uses the new router as its default gateway. Worked fine until we tried to turn on the guest network.
I found someone in Internet-land who has the exact same configuration and wants to permit guests to use the LAN printer. His post included some ebtables rules to allow guest network clients access to his printer IP. Swapped his printer IP for our router IP and … nada.
And then I realized that ebtables filters at the Ethernet layer. When a guest client talks to something outside our network, the router is not the packet's destination IP; the router is only the destination MAC address, and the IP header carries the remote host's address. So you cannot add an ebtables rule matching the router's IP address and expect traffic to flow.
The first thing you need to do is figure out the upstream router’s MAC address. From the Asus, you can query the arp table. If the command says “No match found in # entries”, ping the router and try again.
root@ASUS-RT-AC68R:/tmp/home/root# arp -a 10.5.5.1
? (10.5.5.1) at a3:5e:c4:17:a3:c0 [ether] on br0
The six pairs of hex numbers separated by colons – that’s the MAC address. You have to allow bidirectional communication from the guest network interface (wl0.2 for us) with the upstream router’s MAC address. You also have to allow broadcast traffic so guest devices are able to ARP for the router’s MAC address.
To have a persistent config, enable jffs and add the config lines to something like services-start:
root@ASUS-RT-AC68R:/tmp/home/root# cat /jffs/scripts/services-start
#!/bin/sh
logger "SERVICES-START: script start"
# Prevent Echo dots from sending multicast traffic to speaker network
ebtables -I FORWARD -o wl0.1 --protocol IPv4 --ip-source 10.0.0.36 --ip-destination 126.96.36.199 -j DROP
# Guest network - allow broadcast traffic so devices can ARP for router MAC
ebtables -I FORWARD -d Broadcast -j ACCEPT
# Guest network - allow communication to and from router MAC
# (-I inserts at the top of the chain, so these ACCEPTs are evaluated before the DROPs appended below)
ebtables -I FORWARD -s a3:5e:c4:17:a3:c0 -j ACCEPT
ebtables -I FORWARD -d a3:5e:c4:17:a3:c0 -j ACCEPT
# This should be automatically added for guest network, but it goes missing sometimes so I am adding it again
ebtables -A FORWARD -o wl0.2 -j DROP
ebtables -A FORWARD -i wl0.2 -j DROP
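The same idea, as an added example that is not the author's script: the router MAC is read from the arp table instead of being hard-coded, and the rules are scoped to the guest interface so they only affect that bridge port. The guest interface name (wl0.2) and upstream address (10.5.5.1) are assumptions taken from this post; the sample arp line is constructed.

```shell
#!/bin/sh
# Added example, not the blog's services-start. Assumes the Asus bridge layout
# described in the post: guest clients on wl0.2, upstream router at 10.5.5.1.
GUEST_IF="wl0.2"
UPSTREAM_IP="10.5.5.1"

# Pull the MAC out of one line of `arp -a` output, e.g.
#   "? (10.5.5.1) at a3:5e:c4:17:a3:c0 [ether] on br0"
# Prints nothing if the line has no MAC (arp's "No match found" case).
mac_from_arp_line() {
    printf '%s\n' "$1" | sed -n 's/.* at \([0-9a-fA-F:]\{17\}\) .*/\1/p' | tr 'A-F' 'a-f'
}

# Ping first so the arp cache is populated, then resolve the upstream MAC.
upstream_mac() {
    ping -c 1 -W 1 "$1" >/dev/null 2>&1
    mac_from_arp_line "$(arp -a "$1" 2>/dev/null)"
}

# Emit the ebtables rules for a guest port that may only exchange frames with
# the upstream router MAC (plus broadcast, so guests can ARP for it).
# Appending in this order keeps the ACCEPTs ahead of the interface-wide DROPs.
guest_rules() {
    gif=$1; mac=$2
    cat <<EOF
ebtables -A FORWARD -i $gif -d Broadcast -j ACCEPT
ebtables -A FORWARD -i $gif -d $mac -j ACCEPT
ebtables -A FORWARD -o $gif -s $mac -j ACCEPT
ebtables -A FORWARD -i $gif -j DROP
ebtables -A FORWARD -o $gif -j DROP
EOF
}

# Only touch ebtables when explicitly asked: `./guest-rules.sh install`.
if [ "${1:-}" = "install" ]; then
    mac=$(upstream_mac "$UPSTREAM_IP")
    if [ -z "$mac" ]; then
        logger "guest-rules: could not resolve MAC for $UPSTREAM_IP, leaving FORWARD unchanged"
        exit 1
    fi
    guest_rules "$GUEST_IF" "$mac" | sh
    logger "guest-rules: installed guest isolation rules for $GUEST_IF via $mac"
fi
```

Run without arguments the script only defines the functions; `install` resolves the MAC and applies the rules, and refuses to install anything if the arp lookup comes back empty.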
Use -L to view your ebtables rules:
root@ASUS-RT-AC68R:/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 16, policy: ACCEPT
-d a3:5e:c4:17:a3:c0 -j ACCEPT
-s a3:5e:c4:17:a3:c0 -j ACCEPT
-d Broadcast -j ACCEPT
-p IPv4 -o wl0.1 --ip-src 10.0.0.36 --ip-dst 188.8.131.52 -j DROP
-o wl0.2 -j DROP
-i wl0.2 -j DROP
Voila, guests who can access the Internet & DNS on the .1 router, but cannot access anything on the internal network. Of course you can add some specific IPs as allowed destinations too – like the printers in the example that started me down this path.