
Bypass firewall for an internal Tomato router

Discussion in 'Tomato Firmware' started by VVarwick, Jan 28, 2009.

  1. VVarwick

    VVarwick Addicted to LI Member

    I'm trying to set up an internal wireless AP with WDS for my office. This AP is not the final gateway to the internet. I need the laptops that will connect to the wireless AP to be on a separate subnet and use a different DHCP server than my main corporate LAN. I need to be able to fully communicate with the LAN side of the Tomato router from the WAN side. I can get the WAN to LAN communication working with DD-WRT by disabling the SPI Firewall, but I cannot get WDS to be reliable with DD-WRT. I can get very reliable WDS with Tomato, but cannot get the WAN to LAN communication working. I know iptables is in the kernel of Tomato, so it cannot be fully disabled without a recompile. Could someone tell me what I need to do to bypass iptables or how to poke an “ANY” hole through iptables so that full communication can happen between the WAN subnet and the LAN subnet on the Tomato router?

    My corporate LAN is The WAN IP for the Tomato The LAN side of the Tomato router is and the LAN IP of the Tomato router is

    I know I can disable the WAN port altogether on the Tomato router and toss in a different router between the Tomato wireless network and my corporate LAN, but that is adding another piece of hardware to the equation that I really don’t need.

    Thanks for any assistance!

  2. VVarwick

    VVarwick Addicted to LI Member

    OK, I think after A LOT of trial and error I have this one licked. In case anyone else needs to, in effect, disable the firewall in Tomato, this is what I did. I added the following to the Firewall script section in the GUI and it looks like it is working!

    # Remove any existing rules from all chains
    iptables -F
    iptables -F -t nat
    iptables -F -t mangle
    # Remove any pre-existing user-defined chains
    iptables -X
    iptables -X -t nat
    iptables -X -t mangle
    # Zero counts
    iptables -Z
    # Set the default policy to Accept everything
    iptables -P INPUT   ACCEPT
    iptables -P OUTPUT  ACCEPT
    iptables -P FORWARD ACCEPT

    I'm not sure if everything above is needed, but with it, I'm able to access either side of the router from the other side, which is what I was needing.
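An added example, not VVarwick's script or Tomato's own code, of the narrower "hole" the first post asked about: instead of flushing every chain and setting ACCEPT policies, it inserts only the rules needed for the WAN-side and LAN-side subnets to reach each other, leaving the stock firewall in place for anything else. The two subnets are placeholders (the thread does not give them) and the `IPT` variable is an assumption that lets the rules be previewed with `IPT=echo`.

```shell
#!/bin/sh
# Alternative to a full flush for a Tomato "Firewall" script: allow only the
# corporate LAN (on the WAN side) and the wireless LAN (behind Tomato) to talk.
# Subnets are placeholders; the thread does not give the real ones.
IPT="${IPT:-iptables}"                 # set IPT=echo to preview the rules
WAN_NET="${WAN_NET:-192.0.2.0/24}"     # placeholder: corporate LAN on the WAN side
LAN_NET="${LAN_NET:-198.51.100.0/24}"  # placeholder: wireless LAN behind Tomato

# Insert (-I ... 1) at the top of each chain so these rules are evaluated
# before Tomato's own DROP/REJECT rules, whatever chains the firmware uses.
allow_internal_passthrough() {
    # Forwarded traffic between the two subnets, in both directions.
    $IPT -I FORWARD 1 -s "$WAN_NET" -d "$LAN_NET" -j ACCEPT
    $IPT -I FORWARD 1 -s "$LAN_NET" -d "$WAN_NET" -j ACCEPT
    # Let WAN-side hosts reach the router itself (GUI, ssh, ...).
    $IPT -I INPUT 1 -s "$WAN_NET" -j ACCEPT
    # Do not NAT LAN->WAN traffic for this pair: a terminating ACCEPT in the
    # nat POSTROUTING chain skips the later MASQUERADE rule, so WAN-side hosts
    # see real LAN addresses and the corporate router can route back to them.
    $IPT -t nat -I POSTROUTING 1 -s "$LAN_NET" -d "$WAN_NET" -j ACCEPT
    # Traffic from any other source still meets the stock firewall, unlike a
    # full flush with ACCEPT policies, which exposes the router and LAN to all.
}

# Dry run: count the ACCEPT rules the function would issue (4 expected).
count_rules() {
    ( IPT=echo; allow_internal_passthrough ) | grep -c -- '-j ACCEPT'
}

# Apply for real only when invoked as: sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
    allow_internal_passthrough
fi
```

When pasted into the Firewall script box in Tomato's GUI, drop the `if` block and call `allow_internal_passthrough` directly; the corporate router also needs a static route for the LAN subnet via Tomato's WAN IP for return traffic to arrive.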
