1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Using tomato to firewall another LAN

Discussion in 'Tomato Firmware' started by sera123k, Aug 7, 2009.

  1. sera123k

    sera123k Addicted to LI Member

    Hi all, just started working with tomato (v1.25.1720) and was wondering if anyone would be able to help me out with this situation.

    A little background, currently stationed in iraq and a few of us went in on a sat dish. It was a really simple network at first but now 2 people were moved to a place over 100m away so I cannot run cat5 to them. sad panda. However, one of my coworkers has a network already set up around our living area that daisy chain a bunch of routers to where i could run a cable to and these two people could easily get on.

    My question is this: Can I setup the firewall on (have 2 WRT54GL routers) the router that does not connect to the sat modem to use this other network as a "wan" and allow only the MACs or IPs for my other users through for 80/443/whatever?

    I know it could be done with other firewall software but I am unfamiliar with this firewall implementation. If anyone could help me out that would really make my day!

  2. baldrickturnip

    baldrickturnip LI Guru Member

    point the WAN at the other network and run the firmware with a VPN server

    supply your users with the VPN client software and certs and have them conenct to the server

    make the VPN connection the default route for the internet.

    I think it should work fine and be very secure , but you might want to see if you can get SgtPepper to comment on it as he was the one to implement the VPN gui in tomato
  3. sera123k

    sera123k Addicted to LI Member

    unfortunately some of the client devices won't be able to use a VPN tunnel (an xbox for example). I was poking around with iptables but I am not exactly sure of what i am doing yet.

    What i was hoping to get setup was really just a dual use AP/firewall that could route the traffic between the two networks and restrict access via ip without NAT.

    I have the basic concept down but I am unsure what exactly I am doing with the different chains etc. I attached a pic of the physical layout if that helps depict what i am about to describe :)

    My friends will be - .230 and the interface from my WRT will be .225. Its management interface (i am assuming the LAN side of the firewall?) will be

    What I would want to do is write a rule that allows those IPs access to anything in my network without restriction followed by a deny all rule. So from what I have read it should look something like iptables -A FORWARD -s -i vlan1 -d 0/0 -o bo0 -p TCP -j ACCEPT, is this correct or do i have this backwards?

    Any help is greatly appreciated!

    Attached Files:

  4. baldrickturnip

    baldrickturnip LI Guru Member

    could you just use another 54GL at their end and set it as client , force all traffic through it , then the tunnel would be transparent to their devices - would also have wifi access.

Share This Page