
Prevent guest on wifi to emby server



t123thomas
Posted (edited)

Hi, if anyone can assist: my emby server is on subnet 192.168.1.1/24.

In my DDWRT router I have separated the guests onto a different bridge, br1, subnet (192.168.2.1/24).

I have tested every possible connection to determine that guest access is limited to 192.168.2.1; it works except for the emby server, which is on 192.168.1.105:8096.

Any thoughts on how to prevent guests from accessing emby on subnet 192.168.1.1/24 port 8096?

Edited by t123thomas
GrimReaper
Posted

Have you tried forcing only 192.168.1.1/24 subnet as local and then Blacklist filtering subnet 192.168.2.1/24 as remote? 

  • Agree 1
Happy2Play
Posted

Was just typing that.

Or Firewall changing local scope.

  • Like 1
Darkseidd
Posted

simple firewall rule could achieve this

rbjtech
Posted (edited)

Err... the entire point of a 'Guest' network is for them to NOT have access to any other local LAN network.

You appear to be doing this the wrong way around.

You should block everything (by default, no need for a firewall - the two networks should not be 'bridged') - and then use the 'firewall' as a 'router' to cross the networks.

ie if you just enable a f/w rule from 192.168.2.0/24 (ie all the Guest Network) to 192.168.1.x (emby server IP) on port 8096 - then they can connect to emby (and ONLY emby - nothing else).

If you did want to just bridge the networks (for some reason, maybe you just want it for a separate AP?) - then a simple f/w rule to drop traffic from the Guest source network (192.168.2.0/24) to the emby IP destination is also a way to achieve this - as said above. Make sure this appears before any other rules.

Edited by rbjtech
t123thomas
Posted
7 hours ago, rbjtech said:

Err... the entire point of a 'Guest' network is for them to NOT have access to any other local LAN network.

You appear to be doing this the wrong way around.

You should block everything (by default, no need for a firewall - the two networks should not be 'bridged') - and then use the 'firewall' as a 'router' to cross the networks.

ie if you just enable a f/w rule from 192.168.2.0/24 (ie all the Guest Network) to 192.168.1.x (emby server IP) on port 8096 - then they can connect to emby (and ONLY emby - nothing else).

If you did want to just bridge the networks (for some reason, maybe you just want it for a separate AP?) - then a simple f/w rule to drop traffic from the Guest source network (192.168.2.0/24) to the emby IP destination is also a way to achieve this - as said above. Make sure this appears before any other rules.

Thanks for your thoughts. I am no expert in iptables firewall chains; I have searched various sites on this subject to see if I could get a script, but no luck.

My router firmware is ddwrt. I would appreciate it if someone could write the iptables rules that prevent the guest 192.168.2.1/24 from reaching 192.168.1.1/24 while the guest can still access the internet.

Thanks

Happy2Play
Posted

Does your guest network have a "Wireless Isolation" option? Could have many other isolation names though.

t123thomas
Posted
1 hour ago, Happy2Play said:

Does your guest network have a "Wireless Isolation" option? Could have many other isolation names though.

Yes 

t123thomas
Posted (edited)
2 hours ago, t123thomas said:

Yes 

Here are my iptables rules. What seems to be the issue is the forward rule: when I removed it, local guests were not able to access emby.

However, I think the port forward rules are needed for external clients to access the emby server.

Any idea on how to rewrite the rules? Otherwise I will use the emby blacklist rules.

# -I inserts at the top of FORWARD, so the chain ends up in reverse order of these commands
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -j DROP

# port forward for emby
ext_port=8096
int_port=8096
int_ip=192.168.1.104
iptables -t nat -I PREROUTING -p tcp -d $(nvram get oet1_ipaddr) --dport $ext_port -j DNAT --to $int_ip:$int_port
# no -i match: accepts tcp to $int_ip:$int_port from any interface
iptables -I FORWARD -p tcp -d $int_ip --dport $int_port -j ACCEPT

Edited by t123thomas
rbjtech
Posted
8 hours ago, t123thomas said:

Here are my iptables rules. What seems to be the issue is the forward rule: when I removed it, local guests were not able to access emby.

However, I think the port forward rules are needed for external clients to access the emby server.

Any idea on how to rewrite the rules? Otherwise I will use the emby blacklist rules.

iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -j DROP

ext_port=8096
int_port=8096
int_ip=192.168.1.104
iptables -t nat -I PREROUTING -p tcp -d $(nvram get oet1_ipaddr) --dport $ext_port -j DNAT --to $int_ip:$int_port
iptables -I FORWARD -p tcp -d $int_ip --dport $int_port -j ACCEPT

You may need to ask on the ddwrt forums - this is a networking/ddwrt issue rather than an Emby issue.

Happy2Play
Posted

Doesn't Guest network Wireless Isolation accomplish this?

t123thomas
Posted (edited)

I have resolved the issue through the emby blacklist. I prefer this approach; it's easy to isolate a specific IP and/or subnet.

The iptables rules work fine; the issue is because I opened the internal and external port forward, which allows guests into emby. Once I removed the port forward, guests are completely isolated.

Edited by t123thomas
  • Thanks 1
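
Why the port-forward ACCEPT let guests through, as an added example that is not part of any post in this thread: a small shell model of first-match evaluation (it never calls iptables) that replays the posted `-I FORWARD` rules in order, then adds the guest-to-emby drop suggested earlier in the thread. The rule format, the `wan` interface label and the 192.168.1.50:445 host are constructed for the model, and `br1` stands in for the guest source network.

```shell
#!/bin/sh
# Added example: first-match model of the FORWARD chain; it never calls iptables.
# Rule fields (model format): in_if out_if dst_ip dport state target, "*" = any.
EMBY=192.168.1.104             # int_ip from the post
CHAIN=""                       # one rule per line, top of chain first

ipt_insert() {                 # like `iptables -I FORWARD`: new rule goes on TOP
    CHAIN="$1
$CHAIN"
}

field_ok() { [ "$1" = "*" ] || [ "$1" = "$2" ]; }

verdict() {                    # verdict <in_if> <out_if> <dst_ip> <dport> <state>
    result="POLICY"            # no rule matched: the chain policy would decide
    while read -r r_in r_out r_dst r_dport r_state r_target; do
        [ -n "$r_target" ] || continue
        if field_ok "$r_in" "$1" && field_ok "$r_out" "$2" &&
           field_ok "$r_dst" "$3" && field_ok "$r_dport" "$4" &&
           field_ok "$r_state" "$5"; then
            result="$r_target"
            break
        fi
    done <<EOF
$CHAIN
EOF
    echo "$result"
}

load_posted_rules() {          # the posted rules, inserted in the posted order
    CHAIN=""
    ipt_insert "br0 br1 * * * ACCEPT"
    ipt_insert "br1 br0 * * EST ACCEPT"
    ipt_insert "br1 br0 * * * DROP"
    ipt_insert "* * $EMBY 8096 * ACCEPT"   # port-forward ACCEPT lands above the DROP
}

add_guest_drop() {             # guest-to-emby drop, inserted last so it is matched first
    ipt_insert "br1 * $EMBY 8096 * DROP"
}

load_posted_rules
echo "guest -> emby, posted rules:  $(verdict br1 br0 $EMBY 8096 NEW)"
echo "guest -> other LAN host:      $(verdict br1 br0 192.168.1.50 445 NEW)"
add_guest_drop
echo "guest -> emby, with drop:     $(verdict br1 br0 $EMBY 8096 NEW)"
echo "WAN   -> emby, with drop:     $(verdict wan br0 $EMBY 8096 NEW)"
```

On a real router, `iptables -L FORWARD -n -v --line-numbers` shows the resulting rule order and per-rule packet counters, which is the quickest way to confirm which rule guest traffic actually hits.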
