
Question about guest network (vlan) setup.

Discussion in 'Tomato Firmware' started by lolento, Mar 25, 2014.

  1. lolento

    lolento Reformed Router Member

    Hello,

    I am currently using Shibby's latest Tomato firmware on my E3000.

    I have a guest network setup on the router and it works correctly for the most part - it has access to internet and cannot access my private network.

    However, I find that users on my guest network cannot access some content served from my private network to the www.

    For example, I am running a Plex server and a Slingbox and I can access them from my phone on cellular internet.

    However, when I am on my guest network, I can only access the Slingbox but not my Plex server.

    It is also interesting to note that I did not do port forwarding for my Slingbox, but the Plex server uses port 32400 (default).

    Need some help here....
     
  2. lolento

    lolento Reformed Router Member

    Noob needs some help here...
     
  3. darkknight93

    darkknight93 Networkin' Nut Member

    The feature that allows guest LAN access to your Slingbox using your public IP address is called NAT loopback.

    It will interfere with existing firewall rules!

    How did you set up the guest Lan?
     
  4. lolento

    lolento Reformed Router Member

    Thanks, I basically followed the generic tutorials to set up the guest LAN.
    - set up a br1 bridge under basic->network
    - added a virtual wireless interface under advanced->virtual wireless

    How would I go about getting Plex to work on the guest LAN as well?
     
  5. blah123

    blah123 Reformed Router Member

    You probably need some custom iptables rules to enable that. I don't think NAT loopback is enabled for other LANs by default.
     
  6. lolento

    lolento Reformed Router Member

    Thanks, can you show me or guide me on how to do this?
     
  7. blah123

    blah123 Reformed Router Member

    Actually my Toastman 1.28.7503.7 seems to have done it right. If you telnet or ssh to your router and run the command "iptables -t nat -L -nv", you should see something like this:

    Chain POSTROUTING (policy ACCEPT 2775 packets, 305K bytes)
     pkts bytes target     prot opt in  out   source          destination
     348K   22M MASQUERADE all  --  *   vlan2 0.0.0.0/0       0.0.0.0/0
    10274 3032K SNAT       all  --  *   br0   192.168.1.0/24  192.168.1.0/24  to:192.168.1.1
        4   762 SNAT       all  --  *   br1   192.168.2.0/24  192.168.2.0/24  to:192.168.2.1

    The two SNAT rules are doing the NAT loopback.
     
  8. lolento

    lolento Reformed Router Member

    Mine says something like this; can you let me know what I need to do? (Changed my IP to ???)

    Chain PREROUTING (policy ACCEPT 157 packets, 8391 bytes)
     pkts bytes target        prot opt in     out  source     destination
     927K   49M WANPREROUTING all  --  *      *    0.0.0.0/0  ???.??.??.??
        0     0 DROP          all  --  vlan2  *    0.0.0.0/0  192.168.2.0/24
        0     0 DROP          all  --  vlan2  *    0.0.0.0/0  10.10.1.0/24
     738K   38M upnp          all  --  *      *    0.0.0.0/0  ??.??.??.??
     
  9. blah123

    blah123 Reformed Router Member

    So there wasn't a POSTROUTING chain after that?
     
  10. lolento

    lolento Reformed Router Member

    Sorry, it looks like this. Let me know what I need to do. Thanks!

    Chain POSTROUTING (policy ACCEPT 9 packets, 591 bytes)
     pkts bytes target     prot opt in  out   source          destination
     596K   43M MASQUERADE all  --  *   vlan2 0.0.0.0/0       0.0.0.0/0
    14751 4883K SNAT       all  --  *   br0   192.168.2.0/24  192.168.2.0/24  to:192.168.2.1
        2   376 SNAT       all  --  *   br1   10.10.1.0/24    10.10.1.0/24    to:10.10.1.1
     
  11. blah123

    blah123 Reformed Router Member

    I think you would need to add a rule that covers * br0 10.10.1.0/24 192.168.2.0/24 to:192.168.2.1.

    iptables -t nat -A POSTROUTING -o br0 -s 10.10.1.0/24 -d 192.168.2.0/24 -j SNAT --to 192.168.2.1
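    As an added example (not from the thread), the following Python script parses the POSTROUTING listing lolento posted above, checks which hairpin SNAT rule is present for each bridge, and emits the iptables command for every missing bridge-to-bridge pair; it generalises blah123's suggestion to both directions (guest to LAN and LAN to guest). The bridge-to-subnet mapping and the sample listing are taken from the thread.

    ```python
    from typing import Dict, List, Tuple

    # Bridges on lolento's router, as given in the thread: bridge -> (subnet, gateway IP)
    BRIDGES: Dict[str, Tuple[str, str]] = {
        "br0": ("192.168.2.0/24", "192.168.2.1"),  # private LAN
        "br1": ("10.10.1.0/24", "10.10.1.1"),      # guest LAN
    }

    # POSTROUTING chain exactly as lolento posted it (column spacing collapsed by the forum)
    POSTROUTING = """\
    Chain POSTROUTING (policy ACCEPT 9 packets, 591 bytes)
    pkts bytes target prot opt in out source destination
    596K 43M MASQUERADE all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    14751 4883K SNAT all -- * br0 192.168.2.0/24 192.168.2.0/24 to:192.168.2.1
    2 376 SNAT all -- * br1 10.10.1.0/24 10.10.1.0/24 to:10.10.1.1
    """

    SnatRule = Tuple[str, str, str, str]  # (out interface, source, destination, SNAT address)

    def parse_snat_rules(listing: str) -> List[SnatRule]:
        """Pull the SNAT rules out of an `iptables -t nat -L -nv` chain listing."""
        rules: List[SnatRule] = []
        for line in listing.splitlines():
            f = line.split()
            # column order: pkts bytes target prot opt in out source destination [extra...]
            if len(f) >= 10 and f[2] == "SNAT":
                to = next((x[3:] for x in f[9:] if x.startswith("to:")), "")
                rules.append((f[6], f[7], f[8], to))
        return rules

    def missing_hairpin_rules(rules: List[SnatRule], bridges: Dict[str, Tuple[str, str]]) -> List[SnatRule]:
        """Return every (client subnet -> server subnet) pair with no matching SNAT rule.
        Loopback from a client on bridge A to a server on bridge B needs SNAT on B's
        interface for traffic from A's subnet to B's subnet, rewritten to B's gateway,
        so the server's replies come back through the router instead of going direct."""
        have = {(out, src, dst) for out, src, dst, _ in rules}
        missing: List[SnatRule] = []
        for src_net, _ in bridges.values():
            for out_if, (dst_net, gw) in bridges.items():
                if (out_if, src_net, dst_net) not in have:
                    missing.append((out_if, src_net, dst_net, gw))
        return missing

    def snat_command(out_if: str, src_net: str, dst_net: str, gw: str) -> str:
        """Render one missing pair as the iptables command blah123 gave."""
        return (f"iptables -t nat -A POSTROUTING -o {out_if} -s {src_net} "
                f"-d {dst_net} -j SNAT --to {gw}")

    if __name__ == "__main__":
        for rule in missing_hairpin_rules(parse_snat_rules(POSTROUTING), BRIDGES):
            print(snat_command(*rule))
    ```

    The SNAT rule only fixes the return path; the port-forward DNAT must also match traffic arriving on br1, and the FORWARD chain must accept br1 to the Plex host on port 32400, which is what i1135t's rule in post 15 addresses.
    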
     
  12. lolento

    lolento Reformed Router Member

    Tried that, it didn't work. Still unable to connect to my Plex server via the guest wireless.
     
  13. i1135t

    i1135t Network Guru Member

    Before you start messing around with iptables, check that "Advance --> Firewall --> NAT Loopback" is set to ALL. A few other questions: can your local LAN access the Plex server from the WAN side? If not, it's probably an issue with either the NAT loopback setting above or the application configuration itself. Also, do you have ports open from the local LAN to the guest VLAN for the Plex server? If not, you may be able to set your LAN ACCESS setting to allow local LAN to guest LAN.
     
  14. lolento

    lolento Reformed Router Member

    thanks for the feedback!

    Something weird is happening (I guess).

    -Advance->Firewall->NAT Loopback is set to All (I never changed this)
    -From my local LAN I cannot access the Plex server from the WAN side, but from local wifi I can
    -I don't have ports open from local LAN to guest VLAN for the Plex server (I don't know how to do this)
    -I prefer for the guest LAN to access the Plex server via WAN if possible...
     
  15. i1135t

    i1135t Network Guru Member

    If you cannot get your local LAN to access Plex from WAN, then troubleshoot that first before you try to get it to work for the guest VLAN. My suggestion is to just open the ports to your Plex server on your local LAN for the guest network. Less hassle. Unfortunately I'm not the best with iptables, but you could try this:

    iptables -I FORWARD -p tcp -i brx -s plexserverIP --sport plexport -d guestlanCIDR -j ACCEPT
    brx=local LAN interface
    plexserverIP=Plex server IP address
    plexport=source Plex port you want to open to the guest LAN
    guestlanCIDR=classless inter-domain routing notation for the guest LAN (i.e. 192.168.0.1/24)
     
  16. lolento

    lolento Reformed Router Member

    Thanks... tried your suggestion and it is not working... I still cannot figure out why on my local LAN I can reach my Plex server via WAN on my phone (wifi) but not via my desktop (ethernet).

    But it never worked from the guest wifi at all...
     
  17. blah123

    blah123 Reformed Router Member

    Did you disable the cellular side of the phone to be sure it doesn't just failover to it if the wifi doesn't work?
     
  18. lolento

    lolento Reformed Router Member

    The failover is not the issue because my Nexus 7 wifi can reach the Plex server from local wifi via WAN as well.
     
  19. i1135t

    i1135t Network Guru Member

    Ok, sounds confusing. Forget about the WAN; just try connecting through the local subnet only, using private IP ranges. Does it connect fine?

    The issue with your desktop could be a local firewall on the computer? Hard to troubleshoot without knowing your exact network setup.
     