There are fundamentally two ways.
1. You can write an iptables rule that simply blocks traffic from 10.1.0.0/24 to destination 192.168.1.0/24. This works primarily because the clients should not ever need to connect to an endpoint in the 192.168.1.x network. Yes, the packets will go through there, but a packet is not destined for it unless they have tried to connect to an IP in that space.
2. Create a third VLAN and have the WAN of Grase in that third VLAN. This effectively creates a DMZ just for Grase. Just remember, though, that creating that VLAN alone is not enough: you then use the firewall on your router to restrict access from the new third VLAN (Grase DMZ) to the original WAN (office) network. The main benefit of this method is that it keeps all your customised firewall / access rules in your main firewall/router rather than some in the firewall and some in Grase. You probably also have a nicer interface for managing the rules on your main router.
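
Option 1 written out as a concrete rule. This is an added example, not part of the original post. The subnets are the ones given above; the use of the `FORWARD` chain, the `DROP` target and the function names are assumptions for illustration. It defaults to a dry run that only prints the command, and when applied for real it checks for an existing copy first so repeated runs do not stack duplicate rules.

```shell
#!/bin/sh
# Added example: block hotspot clients from reaching the office network.
CLIENT_NET="10.1.0.0/24"     # hotspot client subnet (from the post)
OFFICE_NET="192.168.1.0/24"  # office / WAN-side subnet (from the post)
CHAIN="FORWARD"              # assumption: client traffic is routed through this box

# Rule specification shared by the check (-C) and insert (-I) commands.
rule_spec() {
    printf '%s -s %s -d %s -j DROP' "$CHAIN" "$CLIENT_NET" "$OFFICE_NET"
}

# Insert the rule at the top of the chain so it is evaluated before any
# broader ACCEPT rule. DRY_RUN=1 (the default) only prints the command.
apply_block() {
    spec=$(rule_spec)
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables -I $spec"
        return 0
    fi
    # $spec is left unquoted on purpose so it splits into separate arguments.
    # iptables -C exits 0 when an identical rule is already present.
    if iptables -C $spec >/dev/null 2>&1; then
        echo "rule already present"
    else
        iptables -I $spec
    fi
}

# Show packet/byte counters for the chain; a rising count on the DROP
# line means clients are attempting to reach the office subnet.
show_hits() {
    iptables -L "$CHAIN" -v -n --line-numbers
}

apply_block
```

Run it with `DRY_RUN=0` as root to apply the rule. It is not persisted across reboots or firewall reloads unless you save it with whatever mechanism your system uses.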