isolate hotspot from office lan
Posted: Tue Jul 23, 2013 10:04 pm
by rilliam
I would like to isolate my hotspot network from the office lan. My lan is plugged into ether5. I have a wireless access point plugged into ether3-hotspot.
I have put these rules in but they have no effect:
add action=drop chain=forward comment="Hotspot custom - isolate public/internal LAN" disabled=no in-interface=ether5 out-interface=ether3-hotspot
add action=drop chain=forward disabled=no in-interface=ether3-hotspot out-interface=ether5
Thanks!
Re: isolate hotspot from office lan
Posted: Tue Jul 23, 2013 10:35 pm
by tws101
You're doing it by interface... Based on this I am guessing that this is not working because the data is going through the switch chip and not the router.
Is Eth 3 on the same switch with the rest of the network?
If it is that is your problem. You must isolate it.
Re: isolate hotspot from office lan
Posted: Wed Jul 24, 2013 3:13 am
by rilliam
No, it's not on the same switch; I have a wireless access point plugged into ether3-hotspot.
I ran the hotspot setup and specified ether3 as the interface to use.
The hotspot works the way I want but I can't let hotspot people into my office lan.
Thanks,
Re: isolate hotspot from office lan
Posted: Wed Jul 24, 2013 5:28 pm
by tws101
Assuming they are independent master ports and are not assigned to the same bridge. What you did looks good. Regardless this is what I am doing and I know it works.
Network Setup
10.0.0.0/22 Office (Protected Secure Network)
10.255.1.0/29 Printer (Office and other networks need access)
10.1-5.X.X/22 (Multiple other networks that can print but can't reach the office network)
Here are my exported rules to do this. The filter rule drops local packets not from the office going to the office. The first mangle rule exempts the print network from being considered local to local. The second mangle rule tags everything else in 10.0.0.0/8 as local to local so the filter rule triggers correctly.
Filter
add action=drop chain=forward comment="Drop incoming to Office" dst-address=10.0.0.0/22 packet-mark="Local to Local" src-address=!10.0.0.0/22
Mangle
add chain=forward comment="Local to Local Printers" dst-address=10.0.0.0/8 out-interface="Ether5-Out to Switch" src-address=10.255.1.0/29
add action=mark-packet chain=forward comment="Local to Local Mark" dst-address=10.0.0.0/8 new-packet-mark="Local to Local" out-interface="Ether5-Out to Switch" passthrough=no src-address
I know this is way more complicated but it is working, no issues. If you are sure your issue is not a bridge or switch.... Try blocking the traffic by IP as I have done and it should work.
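The following is an added example, not code from either poster or from RouterOS: a small Python model of how the forward chain evaluates the two approaches in this thread (rilliam's interface-based drop rules and tws101's mangle-then-filter rules), run against a few constructed flows. It assumes interface names ether3-hotspot, ether5, ether4 (printer side) and ether1 (WAN), and it assumes the truncated src-address on tws101's mark rule is 10.0.0.0/8, which is what the post's description says it tags. All addresses below are constructed sample values.

```python
"""Toy model of RouterOS forward-chain rule evaluation for the isolation
rules discussed in this thread. Added example, not RouterOS code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    mark: Optional[str] = None  # packet-mark assigned by mangle, if any


@dataclass
class Rule:
    comment: str
    action: str                        # "accept", "drop" or "mark-packet"
    src: Optional[str] = None          # CIDR; a leading "!" negates the match
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    packet_mark: Optional[str] = None  # required existing mark
    new_packet_mark: Optional[str] = None
    passthrough: bool = True


def _addr_matches(spec: Optional[str], addr: str) -> bool:
    """CIDR match with RouterOS-style '!' negation; no spec matches everything."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != negate


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and rule.in_if in (None, pkt.in_if)
            and rule.out_if in (None, pkt.out_if)
            and rule.packet_mark in (None, pkt.mark))


def run_mangle(rules: List[Rule], pkt: Packet) -> Packet:
    """Mangle: mark-packet sets the mark; passthrough=no or accept stops the chain."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "mark-packet":
            pkt.mark = rule.new_packet_mark
            if not rule.passthrough:
                break
        elif rule.action == "accept":
            break
    return pkt


def run_filter(rules: List[Rule], pkt: Packet) -> str:
    """Filter: first matching rule decides; no match means the default accept."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "accept"


# tws101's rules. Assumption: the mark rule's truncated src-address is 10.0.0.0/8.
MANGLE = [
    Rule("Local to Local Printers", "accept", src="10.255.1.0/29",
         dst="10.0.0.0/8", out_if="ether5"),
    Rule("Local to Local Mark", "mark-packet", src="10.0.0.0/8",
         dst="10.0.0.0/8", out_if="ether5",
         new_packet_mark="Local to Local", passthrough=False),
]
FILTER_BY_IP = [
    Rule("Drop incoming to Office", "drop", src="!10.0.0.0/22",
         dst="10.0.0.0/22", packet_mark="Local to Local"),
]

# rilliam's interface-based rules (interface names from the thread).
FILTER_BY_INTERFACE = [
    Rule("isolate public/internal LAN", "drop", in_if="ether5", out_if="ether3-hotspot"),
    Rule("isolate public/internal LAN", "drop", in_if="ether3-hotspot", out_if="ether5"),
]


def verdict_by_ip(src: str, dst: str, in_if: str, out_if: str) -> str:
    pkt = run_mangle(MANGLE, Packet(src, dst, in_if, out_if))
    return run_filter(FILTER_BY_IP, pkt)


def verdict_by_interface(src: str, dst: str, in_if: str, out_if: str) -> str:
    return run_filter(FILTER_BY_INTERFACE, Packet(src, dst, in_if, out_if))


if __name__ == "__main__":
    # Constructed sample flows: (description, src, dst, in-interface, out-interface)
    flows = [
        ("hotspot guest -> office PC", "10.1.0.10", "10.0.1.5", "ether3-hotspot", "ether5"),
        ("printer -> office PC", "10.255.1.2", "10.0.1.5", "ether4", "ether5"),
        ("office -> office", "10.0.1.5", "10.0.2.7", "ether5", "ether5"),
        ("hotspot guest -> internet", "10.1.0.10", "8.8.8.8", "ether3-hotspot", "ether1"),
    ]
    for name, *args in flows:
        print(f"{name:28} by-ip={verdict_by_ip(*args):6} by-interface={verdict_by_interface(*args)}")
```

The model only covers traffic that actually reaches the router's forward chain, which is the point tws101 raises: if ether3 and ether5 are on the same switch group or bridge, guest-to-office frames are switched in hardware and neither rule set ever sees them. The printer exemption works because a matching accept in mangle ends mangle processing before the mark rule, so the packet arrives at the filter unmarked and the drop rule, which requires the mark, does not fire.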