* [Cerowrt-devel] zones for other subnets
@ 2012-11-21 2:03 Michael Richardson
2012-11-21 7:24 ` Dave Taht
0 siblings, 1 reply; 3+ messages in thread
From: Michael Richardson @ 2012-11-21 2:03 UTC (permalink / raw)
To: cerowrt-devel
I have a routed wifi in my Den.
It's not directly connected to my cerowrt.
It's routed on a wired network that the cerowrt.
Is there a way in the UI for me to write a firewall rule to let
packets in/out of it? If I could create a zone based upon just
the subnet, it would work, but it seems that I can only define
covered networks by defining an interface on that network.
Basically, I need to put:
iptables -I FORWARD -s 209.87.252.192/28 -d 0.0.0.0/0 -j ACCEPT
iptables -I FORWARD -d 209.87.252.192/28 -s 0.0.0.0/0 -j ACCEPT
and I've even put this into "Custom Rules", but it doesn't seem to take.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Cerowrt-devel] zones for other subnets
2012-11-21 2:03 [Cerowrt-devel] zones for other subnets Michael Richardson
@ 2012-11-21 7:24 ` Dave Taht
2012-11-21 14:17 ` Michael Richardson
0 siblings, 1 reply; 3+ messages in thread
From: Dave Taht @ 2012-11-21 7:24 UTC (permalink / raw)
To: Michael Richardson; +Cc: cerowrt-devel
It's not quite clear what you want from the description. in the case
of two cerowrt routers on different subnets connected over ethernet or
the babel ssid, they just route automatically, no firewall rules
required, so long as they are on different IP subnets
If the other router is not running babel, then you need to inject a
static route on both sides, to get between points A and B.
So that would be something like
ip route add 209.87.252.192/28 via the_den_routers_ip
and vice versa on the den router. There is also a gui option for this.
From a firewalling perspective, dealing with guest interfaces in
particular is trickier.
On Wed, Nov 21, 2012 at 3:03 AM, Michael Richardson <mcr@sandelman.ca> wrote:
>
> I have a routed wifi in my Den.
> It's not directly connected to my cerowrt.
> It's routed on a wired network that the cerowrt.
>
> Is there a way in the UI for me to write a firewall rule to let
> packets in/out of it? If I could create a zone based upon just
> the subnet, it would work, but it seems that I can only define
> covered networks by defining an interface on that network.
>
> Basically, I need to put:
>
> iptables -I FORWARD -s 209.87.252.192/28 -d 0.0.0.0/0 -j ACCEPT
> iptables -I FORWARD -d 209.87.252.192/28 -s 0.0.0.0/0 -j ACCEPT
>
> and I've even put this into "Custom Rules", but it doesn't seem to take.
>
> --
> ] He who is tired of Weird Al is tired of life! | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
> then sign the petition.
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Cerowrt-devel] zones for other subnets
2012-11-21 7:24 ` Dave Taht
@ 2012-11-21 14:17 ` Michael Richardson
0 siblings, 0 replies; 3+ messages in thread
From: Michael Richardson @ 2012-11-21 14:17 UTC (permalink / raw)
To: Dave Taht; +Cc: cerowrt-devel
>>>>> "Dave" == Dave Taht <dave.taht@gmail.com> writes:
Dave> It's not quite clear what you want from the description. in
Dave> the case of two cerowrt routers on different subnets connected
Dave> over ethernet or the babel ssid, they just route
Dave> automatically, no firewall rules required, so long as they are
Dave> on different IP subnets
It's not the static IP routes that matter.
It's the firewall rules that matter.
Dave> From a firewalling perspective, dealing with guest interfaces
Dave> in particular is trickier.
... yes.
Other router is a classic wrt54gl (8M flash, I think), so it does not
speak babel at this time, as it runs at least one release behind.
I will write FAQ about doing multiple networks via VLAN tags.
Secret: ignore all of the stuff about the switch itself.
--
] He who is tired of Weird Al is tired of life! | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE>
then sign the petition.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2012-11-21 14:18 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-11-21 2:03 [Cerowrt-devel] zones for other subnets Michael Richardson
2012-11-21 7:24 ` Dave Taht
2012-11-21 14:17 ` Michael Richardson
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox