I’m not really sure what I might be doing wrong here, but I have 2 networks, 192.168.11.x and 192.168.16.x. I have finally gotten the .11.x network to see the other, but not in reverse. Both networks have access to the internet and I’m drawing a blank as to why the .16.x network cannot see the other.
So you have everything except WAN bridged together. At the same time, you have IP addresses on individual interfaces instead of on the bridge where they should be. And you even have a VLAN bridged together with its parent interface. That does not look right to me at all.
That aside, I don’t see anything in the firewall that would prevent those two networks from seeing each other, unless their addresses are on one of the lists (ads_list, dshield_list, openbl_list), but if what you posted is your whole config, those are empty (so your forward chain currently does not block anything at all). As long as the hosts on those networks have 192.168.16.1 and 192.168.11.1 (or 192.168.11.2) as their default gateways, it should work.
I would start by removing vlan1 from bridge1, that might be enough.
Well, you’re right, something did break while I was gone for the night. I came back and I could not get anything from my workstation. Something I did screwed up everything that was connected to wlan1. Luck was with me though, because I did make a backup before I started breaking things, just in case.
Here’s a diagram that might help a little. What I’m trying to do is add a 192.168.16.x (ConSpec) subnet to the system that is separate from the rest, and hopefully only accessible by a few machines on the 192.168.11.x network. That network runs a system that tracks equipment and personnel underground, but I need to display some of that information on a few machines on the other subnet.
I’m not a real network guy, just someone who has enough knowledge to get himself in trouble. Any help in cleaning this up would help me out.
I hope this hasn’t confused anyone like it’s done to me.
Ok, so important parts here are main RB433 and RB433GL on the left. Now we need a little more info about RB433GL and beyond, how exactly is everything connected, including WRT54G.
Is it RB433GL’s wireless client interface (connected to Outside) bridged with AP Underground, with WRT54G connected as wireless client to that, and ConSPEC, Staging and Underground Manager connected to WRT54G using ethernet? Or is it something different?
Does ConSPEC need to be separated also from Staging and Underground Manager?
How well do you need ConSPEC separated?
You could do it the quick’n’easy way by simply dropping vlan1 and adding 192.168.16.1/24 directly to bridge1 on RB433. Then you could add a few firewall rules, allow which 192.168.11.x addresses can access 192.168.16.x and reject the rest. That would work well against, let’s say, accidental access. But it’s not good enough if someone wants to purposely tamper with it. Proper isolation may be a little harder to do if WRT54G is in the way, as I think it is (I believe that DD-WRT does have the ability to be configured properly for it, but I don’t have experience with it).
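The quick’n’easy variant above, written out as RouterOS CLI for the RB433. This is an added example and not configuration posted in the thread; the interface names bridge1 and vlan1 come from the thread, but the address list name and every host address are constructed placeholders.

```routeros
# Added example, not from the thread. Assumes RB433 interface names from the
# thread (bridge1, vlan1); every host address below is constructed.

# 1. Take vlan1 out of bridge1 and give bridge1 the ConSpec subnet address.
/interface bridge port remove [find interface=vlan1]
/ip address add address=192.168.16.1/24 interface=bridge1 comment="ConSpec subnet"

# 2. Name the .11.x hosts that may reach ConSpec (addresses are constructed).
/ip firewall address-list
add list=conspec_allowed address=192.168.11.20 comment="Safety"
add list=conspec_allowed address=192.168.11.21 comment="Staging"
add list=conspec_allowed address=192.168.11.22 comment="Underground Manager"

# 3. Forward-chain rules: replies to sessions ConSpec opened itself pass,
#    listed hosts may open connections to 192.168.16.0/24, everyone else
#    on the LAN is dropped. Return traffic (dst .11.x) is untouched.
/ip firewall filter
add chain=forward dst-address=192.168.16.0/24 connection-state=established,related action=accept comment="replies to ConSpec-initiated sessions"
add chain=forward dst-address=192.168.16.0/24 src-address-list=conspec_allowed action=accept comment="approved hosts -> ConSpec"
add chain=forward dst-address=192.168.16.0/24 action=drop comment="everyone else -> ConSpec"
```

This only filters routed traffic. Because both subnets still share bridge1 at layer 2, a host that configures a 192.168.16.x address on itself talks to ConSpec without ever crossing the router, which is exactly the "accidental versus purposeful" limit the reply describes. Check that rules are being hit with `/ip firewall filter print stats` before relying on them.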
That is exactly right regarding the WRT54G. It’s connected via wireless to the Underground AP, think of something like a CPE. All systems mentioned are connected to the WRT54G via ethernet cables.
I would prefer not to allow anything, save for a few machines, to access ConSpec if I can help it. (Safety, Underground Manager, and Staging systems need to be able to connect to the ConSpec system.)
Edit: I might be able to remove the WRT54G in favor of a SXT that was bought for another purpose but was scrapped. Would that work any better for what I’m trying to do?
The most secure way would be to isolate the ethernet port on the WRT used for ConSpec and do filtering there (on the WRT). But I’m not sure if you can split one port from its HW switch. Plus, if you would like to make it efficient and avoid unnecessary packet trips over wireless, it would require static routes set on all hosts allowed to access ConSPEC.
Another option is to do filtering on RB433GL. All hosts behind it (Staging and Underground Manager) are allowed to access ConSpec anyway, so you would only have to protect it from the rest of the LAN. It could be partially done by bridge filters, but if you want ConSpec on a separate IP subnet, it would still have to involve routing and static routes. It is possible, but it starts to feel unnecessarily complicated.
Which brings me to the last idea. Do you really need ConSpec on a separate IP subnet? What if it was still part of the .11 subnet, but protected from unauthorized access from the rest of the LAN? That could be done using just bridge filters on RB433GL:
It can also use MAC filtering instead of IP. Staging and Underground Manager are on the same side of the bridge, so their access to ConSpec is not limited.
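An added example of the bridge-filter approach on RB433GL (the rules the reply refers to are not reproduced in the thread, so this is not that poster's configuration). It assumes the RB433GL bridge port facing the rest of the LAN, its wireless client link, is named wlan1; that name, the ConSpec server address, the Safety workstation address and both MAC addresses are constructed. Staging and Underground Manager sit on the WRT54G side of the bridge and never enter through wlan1, so the rules do not touch them, which matches what the reply says.

```routeros
# Added example, not from the thread. Runs on RB433GL. Assumes the bridge
# port toward the rest of the LAN is wlan1 (assumed name); all addresses
# and MACs below are constructed placeholders.

/interface bridge filter
# IP variant: frames entering from the LAN side and addressed to the ConSpec
# server are accepted only from the Safety workstation and dropped otherwise.
# mac-protocol=ip is required for the src-address/dst-address matchers.
add chain=forward in-interface=wlan1 mac-protocol=ip src-address=192.168.11.20/32 dst-address=192.168.11.50/32 action=accept comment="Safety -> ConSpec"
add chain=forward in-interface=wlan1 mac-protocol=ip dst-address=192.168.11.50/32 action=drop comment="rest of LAN -> ConSpec"

# MAC variant of the same pair, keyed to the Safety NIC and the ConSpec NIC
# instead of their IP addresses. Left disabled here; enable one variant only.
add chain=forward in-interface=wlan1 src-mac-address=00:11:22:33:44:55 dst-mac-address=00:AA:BB:CC:DD:EE action=accept disabled=yes comment="Safety MAC -> ConSpec MAC"
add chain=forward in-interface=wlan1 dst-mac-address=00:AA:BB:CC:DD:EE action=drop disabled=yes comment="rest of LAN -> ConSpec MAC"
```

Replies from ConSpec leave through wlan1 rather than entering it, so they are not matched and need no extra rule. Watch the packet counters with `/interface bridge filter print stats` from an allowed and a non-allowed host to confirm the accept and drop rules are each being hit.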
Thank you so much for the info sir! That last idea is exactly what I needed.
The problem that I had was that ConSpec is actually a group of systems comprised of a server and networked RFID readers taking up a lot of space on the network. (or they will before we are done with them). That was the reason that I wanted them on a separate subnet, but given what you suggested and me looking at the hardware I think I can make it all work. I didn’t know that the server hosting the data had a separate NIC, so I can add it to the .11.x subnet and filter it as you suggested.
Didn’t know you could do that!! (stated in Dave Chappelle’s voice)
Again thank you soooo much for the insight. I’d upvote you more than +3 if the system would allow me to.