View the full version : 500g, NAT from LAN ports to WLAN ports

15-01-2007, 12:25

I would like to accomplish something like the following setup:


500g: <-> NAT <-> (WLAN)

DSL-Router: (WLAN)

This setup should separate 2 network segments (192.168.100.X and 192.168.1.X)

Segment 192.168.100.X should only be able to connect to the internet, but should not be able to receive/send any internal traffic (i.e. SMB shares) from/to segment 192.168.1.X

TIA for any suggestions


16-01-2007, 21:35
Except for the upstream connection, the one that usually connects to an ISP through a modem, I doubt that the Asus will support more than one value at a time in the first three IP address bytes. By that I mean that if, for example, you choose to set your downstream subnet to 192.168.100.x then all your downstream addresses must have the same first three bytes; they can vary only in the last byte.

But I should think that you could form your downstream hosts into two groups by using static addressing (so no one can move from one group to the other) and using routing table commands to control where the two groups can connect. The Linux Documentation Project has good tutorials on routing.

Good luck!

EDIT 25 Jan 2007: I now realize that the above part of this post is misleading and I apologize for that. I remembered that I had had this problem a year or so ago but I did not correctly remember how I had solved it.

The routing table alone won't do the job because it specifies "to" addresses only, not "from" addresses. iptables may be able to handle this but I can't tell you how because I don't understand the relationships among the INPUT, OUTPUT, FORWARDING, NAT & Mangle chains. Maybe if I could find a block diagram . . .

The way I solved the problem was simply to connect another router downstream of the Asus. The hosts that I want restricted connect to the Asus and those I want unrestricted connect to the downstream router. The downstream router by default blocks incoming port 139 traffic (which blocks Windows sharing) unless a downstream host has requested it. I think it wise to block outgoing port 139 traffic also, to protect the unrestricted subnet from a compromised host.

Where the routing table is involved in this is that, if you want to use the Asus' downstream http interface to administer the Asus, you may need to add to the downstream router's routing table an entry which lets you send port 80 packets directly to the Asus. 1 eth0
(destination, mask, gateway, metric, interface) is an example of what you need.

There is one other potential problem in this setup: some routers cannot be used to define a subnet (as this downstream router does) because their firmware requires them to connect upstream to a modem, not a router. The only way I can suggest to deal with this problem is to try it and see; asking the vendor or even the manufacturer is not likely to help because of the difficulty of finding someone who even understands the question.
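The reply above says that iptables can probably do the source-based filtering that the routing table cannot, but stops short of showing how. The script below is an added example, not part of the original thread or of any Asus firmware; it assumes a Linux-based router whose firmware ships iptables (the WL-500g does), that the upstream side is eth1 and the downstream isolated side is br0, and that the DSL router hands out 192.168.1.x. It goes slightly beyond the post by also blocking SMB over TCP 445 and the NetBIOS name/datagram ports 137-138, not just port 139. By default it only prints the rules (dry run); set APPLY=1 to really install them.

```shell
#!/bin/sh
# Added example: isolate a downstream segment (192.168.100.0/24) from the
# upstream LAN (192.168.1.0/24) while still NATing it to the internet.
# Interface names and subnets below are assumptions for the example.

WAN="${WAN:-eth1}"                            # assumed: towards the DSL router
LAN="${LAN:-br0}"                             # assumed: the isolated segment
ISOLATED_NET="${ISOLATED_NET:-192.168.100.0/24}"
UPSTREAM_NET="${UPSTREAM_NET:-192.168.1.0/24}"

# Wrapper: with APPLY=1 the rule is installed, otherwise it is printed so the
# ruleset can be reviewed (or tested) without root or a netfilter kernel.
ipt() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

build_ruleset() {
    # Start from a clean FORWARD chain and NAT table; forward nothing by default.
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    ipt -P FORWARD DROP

    # Replies to connections the isolated hosts opened themselves may come back.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Windows file sharing is dropped in every direction: NetBIOS session (139),
    # SMB over TCP (445), NetBIOS name and datagram services (137, 138).
    ipt -A FORWARD -p tcp -m multiport --dports 139,445 -j DROP
    ipt -A FORWARD -p udp -m multiport --dports 137,138 -j DROP

    # This is the part a routing table cannot express: match on the *source*.
    # Nothing from the isolated segment may reach the upstream LAN ...
    ipt -A FORWARD -i "$LAN" -s "$ISOLATED_NET" -d "$UPSTREAM_NET" -j DROP
    # ... and nothing from the upstream LAN may initiate towards the isolated one.
    ipt -A FORWARD -i "$WAN" -s "$UPSTREAM_NET" -d "$ISOLATED_NET" -j DROP

    # Whatever is left (public destinations) is forwarded out the WAN side
    # and masqueraded, so the DSL router only ever sees the router's 192.168.1.x.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$ISOLATED_NET" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$ISOLATED_NET" -j MASQUERADE
}

build_ruleset
```

Two caveats when using this. Rule order matters: the DROP for traffic towards 192.168.1.0/24 must come before the ACCEPT towards the WAN interface, because the upstream LAN sits behind that same interface. And because every packet to 192.168.1.x is dropped, the isolated hosts cannot use the DSL router (192.168.1.1) as their DNS server; let the Asus answer DNS for them or point them at a public resolver, otherwise "internet only" becomes "nothing at all".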