Isolated guest network setup for Padavan firmware
# DHCP Setting
# LAN > DHCP Server > Custom Configuration File "dnsmasq.conf"
# Listen on the guest bridge (created by the "Run After Router Started" script)
# and answer on its address. NOTE(review): this file is appended to the
# firmware-generated config, so br0 is presumably still served by the
# firmware's own interface= line - confirm.
interface=br-guest
listen-address=192.168.3.1
# Guest pool .100-.200 with 1h leases; every lease from this range is tagged
# "guest" so the dhcp-option lines below apply only to guest clients.
dhcp-range=set:guest,192.168.3.100,192.168.3.200,255.255.255.0,1h
# Router address (option 3 - default gateway for guests)
dhcp-option=tag:guest,3,192.168.3.1
# DNS V4 (option 6) - guests are sent straight to public resolvers rather than
# to the router's dnsmasq, so no DNS port on the router is exposed to br-guest
# (the firewall scripts only open DHCP, UDP 67/68, on that bridge).
dhcp-option=tag:guest,6,8.8.8.8,8.8.4.4
# Domain (option 15)
dhcp-option=tag:guest,15,guest.lan
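# Detach guest wifi interface to isolated network
# Customization > Scripts > Run After Router Started
# ra1 (guest wifi) is moved out of the LAN bridge br0 into its own bridge so
# guest clients never share a layer-2 segment with LAN hosts.
# Each step is guarded on sysfs so a second run (or a repeated "router started"
# event) does not fail on a bridge/port that already exists.
[ -d /sys/class/net/br-guest ] || brctl addbr br-guest
[ -d /sys/class/net/br0/brif/ra1 ] && brctl delif br0 ra1
[ -d /sys/class/net/br-guest/brif/ra1 ] || brctl addif br-guest ra1
ifconfig br-guest up
# Netmask given explicitly to match the /24 handed out by dnsmasq
# (dhcp-range ... 255.255.255.0) instead of relying on the classful default.
ifconfig br-guest 192.168.3.1 netmask 255.255.255.0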
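# Allow guest network access internet
# Customization > Scripts > Run After WAN Up/Down Events
# The firmware passes $1 = "up"/"down", $2 = WAN interface, $3 = WAN address
# (inferred from how they are used here - confirm against the firmware docs).
# Both values are quoted: an empty or unexpected value then fails inside
# iptables instead of silently shifting the following arguments.
wan_if=$2
wan_ip=$3
if [ "$1" = "up" ]; then
  # Source-NAT the guest subnet behind the WAN address
  iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o "$wan_if" -j SNAT --to-source "$wan_ip"
else
  # Remove the exact rule added on "up" so the nat table does not accumulate copies
  iptables -t nat -D POSTROUTING -s 192.168.3.0/24 -o "$wan_if" -j SNAT --to-source "$wan_ip"
fi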
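# Allow guest network request IP address & common rule for guest network
# Customization > Scripts > Run After Firewall Rules Restarted
# WAN interface guests may reach; only the PPPoE device is covered here, a
# DHCP/static WAN would need its own interface name.
wan_if=ppp0
# Guest -> internet and guest <-> guest forwarding. Nothing here permits
# br-guest -> br0, so LAN isolation rests on the rest of the FORWARD chain
# (not visible here). NOTE(review): these are appended with -A; if the
# firmware's generated FORWARD chain already ends in an explicit DROP/REJECT
# they never match - check `iptables -L FORWARD` after a restart and use -I if so.
iptables -A FORWARD -i br-guest -o "$wan_if" -j ACCEPT
iptables -A FORWARD -i br-guest -o br-guest -j ACCEPT
# DHCP only: guests get DNS from the public resolvers set in dnsmasq.conf, so
# no other router service is opened to the guest bridge.
iptables -A INPUT -i br-guest -p udp --dport 67:68 --sport 67:68 -j ACCEPT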
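#!/bin/sh
### Custom user script
### Called after internal iptables reconfig (firewall update)
#wing resume

#######################################
# Print the --to-source address of the first rule on stdin
# (output of `iptables -t nat -S`) that contains the given text.
# The address is taken from the field after "--to-source" rather than a
# fixed column, so extra matches in the rule (e.g. -m comment) do not shift it.
# Arguments: $1 - fixed string the rule line must contain
# Outputs:   the address on stdout; nothing when no rule matches
#######################################
snat_source_for() {
  grep -F -- "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "--to-source") { print $(i + 1); exit } }'
}

# MAC ACL
## Create the custom chain named 'maclist'
## -X fails while FORWARD still references the chain from a previous run; that
## is tolerated because -F has already emptied it and the rules are re-added
## below. NOTE(review): the FORWARD jumps added further down would then be
## duplicated unless the firmware flushes FORWARD on every reconfig - confirm.
iptables -F maclist || true
iptables -X maclist || true
iptables -N maclist
## Whitelist, anti lockout
iptables -I FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j ACCEPT # hp-400-g6
## Source-IP-only bypass: any client that configures 192.168.2.15 on itself
## gets the same exemption. Combine with -m mac --mac-source if that matters.
iptables -I FORWARD -s 192.168.2.15 -j ACCEPT
## Add rules to accept traffic from the whitelisted MAC addresses
iptables -A maclist -m mac --mac-source xx:xx:xx:xx:xx:xx -j RETURN # TV
## Allow traffic from other devices during permitted hours (02:00 to 23:00,
## router local time via --kerneltz). NOTE(review): an earlier comment said
## 05:00; the rule is what applies - change --timestart if 05:00 was intended.
iptables -A maclist -m time --timestart 02:00 --timestop 23:00 --kerneltz -j RETURN
## Drop any other traffic not matched by the above rules
iptables -A maclist -j DROP
## Update br0 rule: send LAN forwarding through maclist before the blanket ACCEPT
iptables -D FORWARD -i br0 -j ACCEPT || true
iptables -A FORWARD -i br0 -j maclist
iptables -A FORWARD -i br0 -j ACCEPT || true
# Allow guest network request IP address & common rule for guest network
## Customization > Scripts > Run After Firewall Rules Restarted
iptables -A INPUT -i br-guest -p udp --dport 67:68 --sport 67:68 -j ACCEPT
## Hairpin NAT inside the guest subnet
iptables -tnat -A POSTROUTING -s 192.168.3.0/24 -d 192.168.3.0/24 -o br-guest -j SNAT --to-source 192.168.3.1
## Reuse the WAN address from the firmware's own LAN SNAT rule. Skip (and say
## so) when it is not there, instead of running iptables with an empty
## --to-source that would swallow the next argument.
ip_wan=$(iptables -t nat -S | snat_source_for '192.168.2.0/24 -o ppp0')
if [ -n "$ip_wan" ]; then
  iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j SNAT --to-source "$ip_wan"
else
  printf '%s\n' 'guest SNAT skipped: no LAN SNAT rule for ppp0 found' >&2
fi
##
iptables -A FORWARD -i br-guest -o br-guest -j ACCEPT
iptables -A FORWARD -i br-guest -j maclist
iptables -A FORWARD -i br-guest -o ppp0 -j ACCEPT
#iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.2.15 -p tcp --dport 53 -j ACCEPT
#iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.2.15 -p udp --dport 53 -j ACCEPT
#iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.2.16 -p tcp --dport 53 -j ACCEPT
#iptables -A FORWARD -s 192.168.3.0/24 -d 192.168.2.16 -p udp --dport 53 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -o ppp0 -j SNAT --to-source $ip_wan
#iptables -t nat -A POSTROUTING -s 192.168.10.0/24 -d 192.168.10.0/24 -o br0 -j SNAT --to-source 192.168.2.15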
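# Allow guest network request IP address & common rule for guest network
# Customization > Scripts > Run After Firewall Rules Restarted
iptables -A FORWARD -i br-guest -o ppp0 -j ACCEPT
iptables -A FORWARD -i br-guest -o br-guest -j ACCEPT
iptables -A INPUT -i br-guest -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Hairpin NAT for guest-to-guest traffic via the router address. SNAT and
# POSTROUTING live in the nat table; without -t nat this line is rejected.
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -d 192.168.3.0/24 -o br-guest -j SNAT --to-source 192.168.3.1
# Borrow the WAN address from the firmware's LAN SNAT rule. The field after
# --to-source is picked instead of a fixed column so extra matches in the rule
# do not shift it, and the value is quoted and checked so an empty result
# cannot swallow the next argument.
ip_wan=$(iptables -t nat -S | grep -F -- '192.168.2.0/24 -o ppp0' | awk '{ for (i = 1; i < NF; i++) if ($i == "--to-source") { print $(i + 1); exit } }')
if [ -n "$ip_wan" ]; then
  iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j SNAT --to-source "$ip_wan"
else
  printf '%s\n' 'guest SNAT skipped: no LAN SNAT rule for ppp0 found' >&2
fi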
Update for WAN PPPoE
ra1 — wifi guest network interface
br-guest — isolated bridge for the guest network