I have two subnets at home, 192.168.1.x and 192.168.9.x. The 9.x is the “guest” network, but within the security settings I have AP Isolation disabled.
I just upgraded from 4.7.7 to 4.8.2. After doing this, my network is acting like the subnets are isolated and I can no longer ping across the subnets. Unfortunately, I did not get a backup of my settings before upgrading the firmware and I worry if I downgraded, I’d break even more aspects of my network.
I am an amateur when it comes to networking and my head hurts after using ChatGPT for the last few hours trying to help resolve this.
So does 192.168.1.0/24 (LAN) require one-way or two-way access to 192.168.9.0/24? As it's the guest subnet, I assume one-way, so guest client devices don't have access to your LAN proper.
If you jump into LuCI (GL GUI -> System -> Advanced Settings) & go to its Network -> Firewall, you should see a 'zone' where you can define the flow. 'Allow forward from source zones: LAN' should do the trick for one-way traffic from LAN. You'll probably need Masquerading & MSS Clamping too due to the different subnets. DROP, ACCEPT, DROP is more secure than REJECT, ACCEPT, REJECT, but the latter is faster to notify downstream clients they can't connect.
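As an added example (not code from the thread or from GL.iNet), here is the same one-way LAN -> guest setup expressed as `uci` commands, which is what the LuCI firewall page writes into /etc/config/firewall. The zone names `lan` and `guest` are assumptions; confirm yours with `uci show firewall | grep "\.name="` before running it. "One-way" works because the OpenWrt firewall is stateful: a `forwarding` entry from lan to guest lets LAN hosts open connections into the guest subnet and conntrack lets the replies back, while no guest -> lan entry exists, so guest clients cannot start anything toward 192.168.1.0/24. The example does not turn on masquerading or MSS clamping on the guest zone: the router routes between its two directly attached subnets without NAT, and those two options only matter on the wan zone.

```sh
#!/bin/sh
# Added example, not code from the thread: one-way LAN -> guest forwarding on
# an OpenWrt-based GL.iNet router, written as uci commands.
# Assumptions: firewall zones named 'lan' and 'guest' already exist.
# Usage: sh guest-forward.sh apply     # writes, commits and reloads the firewall

UCI="${UCI:-uci}"   # overridable so the functions can be exercised off the router

# Print the uci section id of the zone named $1 (e.g. '@zone[2]' or 'guest').
zone_section() {
    "$UCI" show firewall | sed -n "s/^firewall\.\([^.]*\)\.name='$1'\$/\1/p"
}

# Set a zone's default policies. $2 is REJECT (clients learn at once that they
# are blocked) or DROP (quieter, slower for the client to give up). Forwarding
# out of the zone then happens only through explicit 'forwarding' entries.
set_zone_policy() {
    sec="$(zone_section "$1")"
    [ -n "$sec" ] || { echo "no firewall zone named $1" >&2; return 1; }
    "$UCI" set "firewall.$sec.input=$2"
    "$UCI" set "firewall.$sec.forward=$2"
    "$UCI" set "firewall.$sec.output=ACCEPT"
}

# Add one forwarding section src -> dest. Replies to connections started from
# src return through conntrack; nothing is opened in the other direction.
add_forwarding() {
    src="$1"; dest="$2"
    "$UCI" add firewall forwarding >/dev/null
    "$UCI" set "firewall.@forwarding[-1].src=$src"
    "$UCI" set "firewall.@forwarding[-1].dest=$dest"
}

# List every src/dest pair (forwardings and rules) so you can confirm there is
# no guest -> lan entry left over from an older configuration.
show_forwardings() {
    "$UCI" show firewall | grep -E '^firewall\.[^.]+\.(src|dest)='
}

apply_one_way_lan_to_guest() {
    set_zone_policy guest REJECT || return 1
    add_forwarding lan guest             # lan may start connections into guest
    "$UCI" commit firewall
    if [ "$UCI" = uci ]; then /etc/init.d/firewall reload; fi
    show_forwardings
}

if [ "${1:-}" = "apply" ]; then
    apply_one_way_lan_to_guest
fi
```

After applying, a ping or SSH from a 192.168.1.x host into 192.168.9.x should work and the reverse should be refused by the router; if the forward direction still fails, check the host firewall on the target device, since many clients drop ICMP from other subnets.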
Yeah, you've got a mess to contend with; the v4.8.x series introduced new VPN routing features, and a part of that underlying ability is related to the DHCP daemon dnsmasq. Any previous configurations aren't backwards compatible. You're going to have to rebuild your setup from scratch.
Here's a script to help you quickly save 'snapshot' backups while you get it all sorted:
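The poster's script is not reproduced on this page. As an added example, and not the script shared in the thread, here is a small snapshot script built on `sysupgrade -b`, the standard OpenWrt way to archive /etc/config together with the other files the firmware marks for preservation. The directory, retention count and label handling are assumptions of the example. Keep in mind that /tmp is RAM and vanishes on reboot, that a firmware flash without "keep settings" wipes /root as well, so copy the archives off the router before flashing, and that the tarball contains Wi-Fi passphrases, VPN keys and the Dropbear host keys, so treat it as secret.

```sh
#!/bin/sh
# Added example, not the script posted in the thread: timestamped configuration
# snapshots on an OpenWrt-based GL.iNet router.
# `sysupgrade -b FILE` archives /etc/config plus the files listed in
# /etc/sysupgrade.conf and /lib/upgrade/keep.d.
# Assumptions: SNAP_DIR is writable and survives a reboot (/tmp does not);
# KEEP is the number of archives to retain.
# Usage:  sh snapshot.sh save [label]     e.g.  sh snapshot.sh save pre-4.8.2
#         sh snapshot.sh list

SNAP_DIR="${SNAP_DIR:-/root/snapshots}"
KEEP="${KEEP:-10}"
SYSUPGRADE="${SYSUPGRADE:-sysupgrade}"   # overridable for testing off the router

# Sortable file name, e.g. 20240501-101500-pre-4_8_2.tar.gz; any character
# outside [A-Za-z0-9_-] in the label becomes '_'.
snapshot_name() {
    label="$(printf '%s' "${1:-snapshot}" | tr -c 'A-Za-z0-9_-' '_')"
    printf '%s-%s.tar.gz' "$(date +%Y%m%d-%H%M%S)" "$label"
}

# Keep only the newest $2 archives in $1. Names start with the timestamp, so
# plain sorted order is oldest first.
prune_snapshots() {
    dir="$1"; keep="$2"
    total=$(ls "$dir"/*.tar.gz 2>/dev/null | wc -l)
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    ls "$dir"/*.tar.gz | head -n "$excess" | while read -r f; do
        rm -f "$f"
    done
}

# Take a snapshot, check that the archive really holds etc/config, prune old
# ones, and print the new archive's path.
save_snapshot() {
    mkdir -p "$SNAP_DIR"
    file="$SNAP_DIR/$(snapshot_name "$1")"
    "$SYSUPGRADE" -b "$file" || return 1
    if ! tar tzf "$file" | grep -q '^etc/config/'; then
        echo "$file does not contain etc/config; discarding it" >&2
        rm -f "$file"
        return 1
    fi
    prune_snapshots "$SNAP_DIR" "$KEEP"
    echo "$file"
}

case "${1:-}" in
    save) save_snapshot "${2:-}" ;;
    list) ls -l "$SNAP_DIR"/*.tar.gz 2>/dev/null ;;
esac
```

Run `sh snapshot.sh save before-firewall-change` before each experiment, and restore a known-good state with `sysupgrade -r /root/snapshots/<file>` followed by a reboot. Pull the archives off the router with scp or sftp.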
Thanks. I will give that a shot. The backup script is quite useful too.
I’m pretty sure my previous setup didn’t really make sense. So I might have to just re-think what it is I exactly want and why I even have two different subnets.
Your OP makes sense. If you want to have LAN -> Guest traffic, you'd need to set the firewall zones/rules accordingly. Usually Guest is completely isolated to just have WAN/Internet access.
One-way/incoming traffic from LAN to a VLAN is very common, to manage an IoT VLAN, for example.
A correction: you'll need openssh-sftp-server (not openssh-server) to pull down the tarballs via SFTP.