From: Dave Taht
To: Michael Richardson
Cc: cerowrt-devel
Subject: Re: [Cerowrt-devel] zones for other subnets
Date: Wed, 21 Nov 2012 08:24:52 +0100
In-Reply-To: <19144.1353463409@obiwan.sandelman.ca>
References: <19144.1353463409@obiwan.sandelman.ca>
List-Id: Development issues regarding the cerowrt test router project

It's not quite clear what you want from the description.
In the case of two cerowrt routers on different subnets connected over ethernet or the babel ssid, they just route automatically, no firewall rules required, so long as they are on different IP subnets.

If the other router is not running babel, then you need to inject a static route on both sides, to get between points A and B.

So that would be something like

ip route add 209.87.252.192/28 via the_den_routers_ip

and vice versa on the den router. There is also a gui option for this.

From a firewalling perspective, dealing with guest interfaces in particular is trickier.

On Wed, Nov 21, 2012 at 3:03 AM, Michael Richardson wrote:
>
> I have a routed wifi in my Den.
> It's not directly connected to my cerowrt.
> It's routed on a wired network that the cerowrt.
>
> Is there a way in the UI for me to write a firewall rule to let
> packets in/out of it? If I could create a zone based upon just
> the subnet, it would work, but it seems that I can only define
> covered networks by defining an interface on that network.
>
> Basically, I need to put:
>
> iptables -I FORWARD -s 209.87.252.192/28 -d 0.0.0.0/0 -j ACCEPT
> iptables -I FORWARD -d 209.87.252.192/28 -s 0.0.0.0/0 -j ACCEPT
>
> and I've even put this into "Custom Rules", but it doesn't seem to take.
>
> --
> ] He who is tired of Weird Al is tired of life! | firewalls [
> ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
> ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
> Kyoto Plus: watch the video
> then sign the petition.

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
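
The following is an added example, not part of the original message or of cerowrt: a small longest-prefix-match model of the two routers that shows why the static route is needed on both sides before any FORWARD rule can matter. Only the Den subnet comes from the thread; the cerowrt LAN, the wired segment and the next-hop addresses are constructed assumptions, and firewall rules are not modelled.

```python
import ipaddress

DEN_NET = "209.87.252.192/28"   # Den subnet quoted in the thread
CERO_LAN = "172.30.42.0/24"     # assumed cerowrt LAN (constructed)
WIRED = "192.168.1.0/24"        # assumed shared wired segment (constructed)
OWNER = {"192.168.1.2": "cerowrt", "192.168.1.3": "den"}  # constructed next hops

def build(static_on_cero, static_on_den):
    """Return per-router tables of (prefix, next_hop); None = directly connected."""
    cero = [(CERO_LAN, None), (WIRED, None)]
    den = [(DEN_NET, None), (WIRED, None)]
    if static_on_cero:
        cero.append((DEN_NET, "192.168.1.3"))
    if static_on_den:
        den.append((CERO_LAN, "192.168.1.2"))
    return {"cerowrt": cero, "den": den}

def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None when unrouted."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), hop) for p, hop in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def trace(routers, start, dst, max_hops=8):
    """Follow next hops from `start`; return the router path, or None if dropped."""
    path, node = [start], start
    for _ in range(max_hops):
        hit = lookup(routers[node], dst)
        if hit is None:
            return None              # no matching route on this router
        if hit[1] is None:
            return path              # destination is on a connected network
        node = OWNER[hit[1]]
        path.append(node)
    return None                      # hop limit reached: routing loop

def two_way(routers, a_ip="172.30.42.10", b_ip="209.87.252.200"):
    """True only if both directions have a complete path."""
    return (trace(routers, "cerowrt", b_ip) is not None
            and trace(routers, "den", a_ip) is not None)

if __name__ == "__main__":
    for cero, den in [(False, False), (True, False), (True, True)]:
        print(cero, den, two_way(build(cero, den)))
```

With a route on only one router the forward path completes but replies are dropped at the other end, which from the outside looks the same as a firewall rule that "doesn't seem to take".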