
IPTables, Routing and Firewall

Discussion in 'Tomato Firmware' started by Zaka, Feb 13, 2009.

  1. Zaka

    Zaka LI Guru Member

    I have installed a wireless AP(WDS) for a camp. The subnet of the WDS is 192.168.3.0/24. The camp also has an office (with some wireless) which is in the 192.168.2.0/24 subnet.

    192.168.2.1 is configured as a Gateway with RIP enabled on the LAN
    192.168.3.1 is configured as a Router with RIP enabled on the WAN and a static WAN IP of 192.168.2.2

    Please see attached jpg.

    I would like to keep the office private from the camp so I added the command:

    Code:
    iptables -I FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -j DROP
    
    to the Firewall Scripts on the Camp_A router/AP 192.168.3.1, as per http://www.linksysinfo.org/forums/showthread.php?t=58805

    This works. :thumbup: It is possible to connect to the WDS/AP 192.168.3.0/24 and surf the web. But you cannot ping or see the 192.168.2.0/24 subnet.

    Since I can remotely connect to the camp office network I would like to be able to manage the WDS/AP's remotely from the 192.168.2.10 machine.

    So I added:

    Code:
    # -I prepends each rule, so the three ACCEPT exceptions inserted after the DROP end up above it in the FORWARD chain
    iptables -I FORWARD -s 192.168.3.0/24 -d 192.168.2.0/24 -j DROP
    iptables -I FORWARD -s 192.168.3.1 -d 192.168.2.10 -j ACCEPT
    iptables -I FORWARD -s 192.168.3.2 -d 192.168.2.10 -j ACCEPT
    iptables -I FORWARD -s 192.168.3.3 -d 192.168.2.10 -j ACCEPT
    
    I also set CAMP_A (192.168.3.1) Administration >> Admin Access to:
    Remote Access: HTTP
    Port: 80
    Remote Web/SSH Admin Restriction
    Allowed IP Address: 192.168.2.10

    The problem is:
    I can ping 192.168.3.1, 3.2, 3.3 from 192.168.2.10.
    I can get to Camp_B (3.2) and Camp_C (3.3) using HTTP from 192.168.2.10.
    I cannot get to Camp_A 192.168.3.1 using HTTP from 192.168.2.10.
    Nor can I get to 192.168.2.2 using HTTP from 192.168.2.10.

    :confused: What am I doing wrong?? Is this a firewall issue??

    Regards,
    John
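
    The rule set above relies on two netfilter behaviours worth checking rather than assuming: `-I` prepends, so rules run later land earlier in the chain and first match wins, and only traffic that the router passes between interfaces traverses FORWARD at all, while packets addressed to one of the router's own IPs (192.168.3.1 or its WAN address 192.168.2.2) go through INPUT instead. The following is an added example, not code from the thread or from Tomato: a small Python model of chain construction and first-match evaluation that replays the four posted commands, contrasts them with the same commands issued with `-A`, and shows which chain a given destination would reach. The packet addresses fed to it are constructed test input.

```python
"""Added example (not from the original thread): a minimal model of how an
iptables chain is built and evaluated, used to check the FORWARD rules posted
above. Semantics modelled: -I prepends, -A appends, first matching rule wins,
and the chain policy applies when nothing matches. Packets addressed to one of
the box's own IPs reach INPUT rather than FORWARD."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    target: str  # "ACCEPT" or "DROP"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ipaddress.IPv4Address(src_ip) in self.src
                and ipaddress.IPv4Address(dst_ip) in self.dst)


@dataclass
class Chain:
    """One chain (e.g. FORWARD) with its default policy and ordered rules."""
    policy: str = "ACCEPT"
    rules: list = field(default_factory=list)

    def insert(self, src: str, dst: str, target: str) -> None:
        # iptables -I CHAIN -s src -d dst -j target : becomes rule number 1
        self.rules.insert(0, Rule(ipaddress.IPv4Network(src),
                                  ipaddress.IPv4Network(dst), target))

    def append(self, src: str, dst: str, target: str) -> None:
        # iptables -A CHAIN -s src -d dst -j target : goes to the end
        self.rules.append(Rule(ipaddress.IPv4Network(src),
                               ipaddress.IPv4Network(dst), target))

    def verdict(self, src_ip: str, dst_ip: str) -> str:
        # first matching rule decides; otherwise the chain policy applies
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip):
                return rule.target
        return self.policy

    def order(self) -> list:
        return [rule.target for rule in self.rules]


# The four commands from the post, in the order they were run.
POSTED = [
    ("192.168.3.0/24", "192.168.2.0/24", "DROP"),
    ("192.168.3.1/32", "192.168.2.10/32", "ACCEPT"),
    ("192.168.3.2/32", "192.168.2.10/32", "ACCEPT"),
    ("192.168.3.3/32", "192.168.2.10/32", "ACCEPT"),
]


def build_forward_as_posted() -> Chain:
    """Replay the posted commands with -I: ACCEPT exceptions land above DROP."""
    fwd = Chain(policy="ACCEPT")
    for src, dst, target in POSTED:
        fwd.insert(src, dst, target)
    return fwd


def build_forward_with_append() -> Chain:
    """Same commands with -A: the DROP stays first and shadows the exceptions."""
    fwd = Chain(policy="ACCEPT")
    for src, dst, target in POSTED:
        fwd.append(src, dst, target)
    return fwd


# Addresses owned by the Camp_A router itself (LAN and WAN side, from the post).
ROUTER_LOCAL_IPS = {"192.168.3.1", "192.168.2.2"}


def chain_for(dst_ip: str, local_ips=frozenset(ROUTER_LOCAL_IPS)) -> str:
    """Which filter chain a packet arriving at the router is evaluated in."""
    return "INPUT" if dst_ip in local_ips else "FORWARD"


if __name__ == "__main__":
    fwd = build_forward_as_posted()
    print("rule order:", fwd.order())
    for src, dst in [("192.168.3.1", "192.168.2.10"), ("192.168.3.50", "192.168.2.10"),
                     ("192.168.3.50", "8.8.8.8"), ("192.168.2.10", "192.168.3.2")]:
        print(f"{src} -> {dst}: {chain_for(dst)} {fwd.verdict(src, dst)}")
```

    Running it shows that a camp host (192.168.3.50, constructed) is dropped on the way to the office subnet while the three APs reach 192.168.2.10, that nothing in the chain blocks the office-to-camp direction, and that with `-A` instead of `-I` the same four lines would drop the AP traffic too. It also shows that an HTTP request from 192.168.2.10 to 192.168.3.1 never consults these FORWARD rules, because that destination is the router itself.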
     


  2. Zaka

    Zaka LI Guru Member

    I resolved the issue. I still do not know the root cause, but here is what I did.

    1):
    Change remote access port to 8080
    Change Remote Web/SSH Admin Restriction
    Allowed IP Address: to blank
    Change to Gateway mode.

    2):
    Login to 192.168.2.2:8080

    3):
    Change to Router Mode

    I can now login to 192.168.3.1 from the WAN side with no problem.
     
