A little iptables help for Guest Access

Hey folks,

I've set up a wifi guest network on an E2500 router running TomatoUSB, that I only want to provide internet access for.

Did this by creating a separate bridge (br1), then putting it in its own VLAN, created a virtual wifi interface, then set some firewall rules to isolate that network from the primary wifi network.

However, this router isn't directly connected to a modem on the WAN; it connects to another router on my local LAN (192.168.0.1) first. I've gotten ambitious and want to isolate the local LAN the other router is part of as well, by keeping guests from seeing any of the devices there (except the router and the DNS server), but it's not working and I can't figure out why...

Here are the details:

br0 (full access wifi, 192.168.22.0)
br1 (guest access wifi, 192.168.23.0)
eth0 (E2500 WAN ip is 192.168.0.245, using 192.168.0.1 as gateway to router on local lan that is connected to modem)

I also use my own custom local dns server which is at 192.168.0.121

(ok, so here's the bit I wrote that isolates the two bridges from seeing each other which works fine)

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -o eth0 -j ACCEPT

(now here's the bit that I hoped would keep the guests out of the 192.168.0.0 subnet, except for the gateway and DNS ips, but it doesn't work)

iptables -A FORWARD -s 192.168.0.0/24 -o br1 -j DROP
iptables -A FORWARD -i br1 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -s 192.168.0.1 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.121 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.121 -j ACCEPT

I can still ping and access 192.168.0.0 devices from the guest network.

I thought maybe the ordering was the issue, so I tried this as well:

iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o br0 -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -s 192.168.0.1 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.1 -j ACCEPT
iptables -A FORWARD -s 192.168.0.121 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -s 192.168.0.121 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -o br1 -j DROP
iptables -A FORWARD -i br1 -s 192.168.0.0/24 -j DROP
iptables -A FORWARD -i eth0 -o br1 -j ACCEPT
iptables -A FORWARD -i br1 -o eth0 -j ACCEPT

Still no dice...

Any ideas?
Thanks
Mike

---------- Post updated at 11:00 AM ---------- Previous update was at 09:35 AM ----------

Never mind! I figured it out. Also, the way it was written, communication was still happening between the bridges. Replaced all the code with this and now it's correctly blocking all traffic both between the bridges and to the local downstream LAN.

iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.22.1
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.22.2-192.168.22.254 -j REJECT
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.0.2-192.168.22.254 -j REJECT
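The two failed attempts above are a good illustration of first-match evaluation in the FORWARD chain, and of which address a rule should constrain. The following is an added example, not part of Mike's post or of TomatoUSB: a small Python model of the chain that replays the second attempt against a constructed guest-to-LAN packet, then applies the observation that a packet entering on br1 carries a guest (192.168.23.x) source address, so a 192.168.0.x constraint on an `-i br1` rule only ever matches as a destination (`-d`), never as a source (`-s`). Interface and address values are taken from the post; the packets are constructed.

```python
import ipaddress

# Minimal model of iptables FORWARD chain evaluation: rules are checked in
# order, the first match decides, and the chain policy applies otherwise.
# Rule keys mirror the iptables flags used in the post: i, o, s, d, j.
def rule_matches(rule, pkt):
    if "i" in rule and rule["i"] != pkt["in"]:
        return False
    if "o" in rule and rule["o"] != pkt["out"]:
        return False
    if "s" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["s"]):
        return False
    if "d" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["d"]):
        return False
    return True

def forward_verdict(rules, pkt, policy="DROP"):
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["j"]
    return policy

# The second attempt from the post, transcribed rule by rule.
ATTEMPT2 = [
    {"i": "eth0", "o": "br0", "j": "ACCEPT"},
    {"i": "br0", "o": "eth0", "j": "ACCEPT"},
    {"s": "192.168.0.1", "o": "br1", "j": "ACCEPT"},
    {"i": "br1", "s": "192.168.0.1", "j": "ACCEPT"},
    {"s": "192.168.0.121", "o": "br1", "j": "ACCEPT"},
    {"i": "br1", "s": "192.168.0.121", "j": "ACCEPT"},
    {"s": "192.168.0.0/24", "o": "br1", "j": "DROP"},
    {"i": "br1", "s": "192.168.0.0/24", "j": "DROP"},
    {"i": "eth0", "o": "br1", "j": "ACCEPT"},
    {"i": "br1", "o": "eth0", "j": "ACCEPT"},
]

def fix_direction(rules):
    """Packets entering on br1 have guest source addresses, so a 192.168.0.x
    constraint on an -i br1 rule belongs on the destination (-d)."""
    fixed = []
    for r in rules:
        r = dict(r)
        if r.get("i") == "br1" and "s" in r:
            r["d"] = r.pop("s")
        fixed.append(r)
    return fixed

# Constructed packets: guest client probing a LAN host, and reaching the DNS server.
GUEST_TO_LAN_HOST = {"in": "br1", "out": "eth0", "src": "192.168.23.50", "dst": "192.168.0.77"}
GUEST_TO_DNS = {"in": "br1", "out": "eth0", "src": "192.168.23.50", "dst": "192.168.0.121"}
```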