Firewall rules

[manierofx]

Hello guys,
I have a problem with the firewall rules I shoud put into my routers to make them communicate each other.

This is the situation:
(click for a bigger image)

I have 3 problems to solve:
1) the guests wifi from gargoyle blocks the traffic to the LAN/wifi clients connected to the same router, but those clients can see the clients on the WAN side (eg: gargoyle guests wifi cannot see 192.168.2.0/24 but can see all 192.168.1.0/24 which is not good at all;
2) the password wifi on gargoyle router can see the wan side, but I cannot see from the wan side to the lan gargoyle (eg: 192.168.2.0/24 can see 192.168.1.0/24 but not viceversa);
3) 192.168.1.0/24 192.168.2.0/24 and 192.168.3.0/24 should see each other.

How to manage all of these rules?

Thank you very much!

[manierofx]

Nothing?

[ispyisail]

I depends on what you are trying to achieve and why.

I would just have one subnet instead of three. management is so much easier.

I suspect you want a fancy setup but your doing it on the cheap?

unifi will do exactly what you want perfect but you have to spends the bucks.

Gargoyle lacks GUI VLANs and a few other things

[manierofx]

I depends on what you are trying to achieve and why.

to be able to use a guest wifi network and a wpa2 protected wifi in every router and be able to connect to any client in the lan/wifi.

I would just have one subnet instead of three. management is so much easier

I would love that too, but unfortunately with one subnet the guest wifi into gargoyle doesn't work because the clients cannot reach the dhcp (lan isolation)

I suspect you want a fancy setup but your doing it on the cheap?

I don't think so

unifi will do exactly what you want perfect but you have to spends the bucks

The problem is not the money, it MUST be easy: no extra hardware, no extra software.

Probably you didn't get the point, I am not goint to add any more complexity to my lan.

Gargoyle lacks GUI VLANs and a few other things

which can be solved with some firewall rules: the reason I opened the topic.

[ispyisail]

Yep, many more things are possible via command line

Once you get into command line your starting to get outside Gargoyle support.

OpenWRT / LEDE is more suited to power users.

I have a network similar to the one you describe and I use unifi equipment.

Unifi auto configures

[ispyisail]

having a closer look

1) the guests wifi from gargoyle blocks the traffic to the LAN/wifi clients connected to the same router, but those clients can see the clients on the WAN side (eg: gargoyle guests wifi cannot see 192.168.2.0/24 but can see all 192.168.1.0/24 which is not good at all;

can see all 192.168.1.0/24

This is expected, VLAN is a solution but you need VLAN compatible equipment (not usually found in consumer equipment)

Another method isolation is get another router

[ispyisail]

2) the password wifi on gargoyle router can see the wan side, but I cannot see from the wan side to the lan gargoyle (eg: 192.168.2.0/24 can see 192.168.1.0/24 but not viceversa);

This is expected

possible solutions

- Vlan
- Single Subnet
- OpenVPN connection
- Unifi equipment

This is what VLANS are designed for. But they are not simple to set up unless you use unifi equipment. (they have done the hard work for you)

[manierofx]

I would love to use one subnet only, but then the guests wifi on gargoyle routers doesn't work because clients cannot reach the dhcp router. I didn't find a solution for it yet, the only way was to use other subnets

[ispyisail]

3) 192.168.1.0/24 192.168.2.0/24 and 192.168.3.0/24 should see each other.

no

I have wished the same things many times

I use and OpenVPN solution to create one network. You can't subnet browse but IP address work.

e.g. say I want to remote desktop into another subnet I will use "192.168.3.12" instead of "PC office"

[ispyisail]

There are many solutions but I not aware of a firewall rule solution?

If you find one i'd be interested in it.