2017-02-06 - Re: [GRASE-Hotspot] how to block access lan->wan (allow only 192.168.1.1 rest network blocked)

Header Data

From: Dave Wilson <da***e@argyle.com.au>
Message Hash: e4ea285026831494cd7864ecf05a796b81e57e125008ea759e263fe3bf8e9f33
Message ID: <A7336396-9B81-4779-AF5F-BDAEDA6D51E7@argyle.com.au>
Reply To: <4d0feda8-ba33-4023-a012-cc8afe661e78@grasehotspot.org>
UTC Datetime: 2017-02-06 14:00:16 UTC
Raw Date: Tue, 07 Feb 2017 08:00:16 +1100

Raw message 

There are fundamentally two ways.

1. You can write an iptables rule that simply blocks traffic from 10.1.0.0/24. To destination 192.168.1.0/24. This works primarily because the the clients should not ever need to connect to an endpoint in the 192.168.1.x network. 
Yes the packets will go through there, but the packet is not destined for it unless they have tried to connect to an ip in that space.

2. Create a third v-LAN and have the wan of grase in that third v-LAN. This effectively creates a DMZ just for grase. Just remember though that creating that v-LAN alone is not enough, you then use the firewall on your router to restrict access from the new third v-LAN (Grase DMZ) to the original wan (office) network. The main benefit of this method is that it keeps all your customised firewall / access rules in your main firewall/router rather than some in the firewall and some in grase. You probably also have a nicer interface for managing the rules on your main router. 



Regards David Wilson

> On 7 Feb 2017, at 2:29 am, bartosz <ba***z@miklaszewski.com> wrote:
> 
> 
> 
> Hi guys,
> 
> just notice something today...
> I use VLANs to separate hotspot part of the network from office network, and it works fine however... when you login to grase suddenly network 10.1.0.0/24 has access to entire network 192.168.1.0/24 over grase hotspot
> 
> as in picture attached
> 
> router-gw (192.168.1.1) <---Network 192.168.1.0/24-SwitchVLAN1--->Grase Hotspot WAN(192.168.1.111)========Grase Hotspot LAN(10.1.0.0/24-SwitchVLAN20)
> 
> so how to block 10.1.0.0 from accesing any devices in 192.168.1.1
> 
> I guess iptables could do the job, but i am not good with that can someone help me with this ?
> 
> Many thanks
> 
> Bartosz
> -- 
> This mailing list is for the Grase Hotspot Project http://grasehotspot.org
> --- 
> You received this message because you are subscribed to the Google Groups "Grase Hotspot" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to gr***e@grasehotspot.org.
> To post to this group, send email to gr***t@grasehotspot.org.
> Visit this group at https://groups.google.com/a/grasehotspot.org/group/grase-hotspot/.
> To view this discussion on the web visit https://groups.google.com/a/grasehotspot.org/d/msgid/grase-hotspot/4d0feda8-ba33-4023-a012-cc8afe661e78%40grasehotspot.org.

Thread