Bridge between LANs (only wired)

Hi all.

I want a public LAN and a private one. It is a security/privacy measure. I don’t want, for example, that the surveillance cameras might be hacked.
So this is the sketch of what I want to achieve:
[sketch: Pub priv networks]

I think it is possible to plug the eth0 WAN port into one network (say 192.168.x) and plug the eth1 LAN port into the other network (192.168.2.x).
My GL.Inet GL-MTN300-V2 will do the DHCP server for 192.168.2.x and it will be the gateway for that LAN.
Can it do some port filtering? In the beginning I imagined using an old Raspberry, but then I figured out that this device has been made just for this kind of job.

From what I read in the past threads it should be possible (besides that they are focused on wifi->wired, while I don’t want wifi at all), but how?

Thanks for any help

The device can do that, but configuring it to do that will be fun! You have to re-do the firewall rules and possibly disable NAT/Masquerade.

Can you create static routes on your modem? In case you can, you can disable NAT/Masquerade. Otherwise you will be doing port-forwarding on the GL-inet for the devices in 192.168.2.x.

Thanks for the prompt reply.

Can you create static routes on your modem

No, I just checked; the modem can only create static reserved IPs based on the MAC address, but nothing about routes.

So I connect the WAN cable port to the 192.168.1.x switch and the LAN cable port to the 192.168.8.x switch (from now on it is useless to call the private network 192.168.2.x, just leave it as it is).

  1. Then I have to configure the modem to do a virtual server for port 80 to the GL’s IP in the network 192.168.1.x and then set the GL to port-forward port 80 to what? Several machines use port 80, but I can do port-forwarding to just one.
  2. Postgres replies on port 5432 on a different machine, but there is only one postgres server, so it is not a problem with port-forwarding.
  3. How to deal with port 22? It has to port-forward only from my local static IP.

You have to re-do the firewall rules

How to do that? I guess that this answer will answer questions 1-3, too.

Am I on the right track?

I couldn’t give you the correct answer before I knew if NAT would be enabled or not.

Given it is enabled you will need to do the port-forwarding section: Firewall - GL.iNet Docs

You can only route 1 external port once. So if you have devices 192.168.2.2 and 192.168.2.3 both needing port 80, you can only have 1 of them on external port 80.
The port forwarding for this could be:

Rule #1:
Internal IP: 192.168.2.2
External Ports: 80
Internal Ports: 80

Rule #2:
Internal IP: 192.168.2.3
External Ports: 81
Internal Ports: 80

This way 192.168.2.2:80 is reachable on 192.168.1.X:80 and 192.168.2.3:80 is reachable on 192.168.1.X:81 (X being the IP given to the GL Inet). Same would apply to port 22. You gotta pick another port and remap it to 22.

The restricting of access can only be done under the “advanced GUI”: More Settings - GL.iNet Docs

In the advanced GUI under Network → Firewall → Tab “Traffic rules” you can set up rules which block all traffic except traffic coming from the allowed IPs. Be careful with the firewall rules, you can block more than you might want! The order of the rules is important! Allow then block, not block and never reach allow.
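The two port forwards above plus a source-restricted SSH forward, written as an /etc/config/firewall fragment (OpenWrt UCI, which is what the GL.iNet advanced GUI edits). This is an added example, not from the thread or from GL.iNet’s docs; it assumes the default zone names wan and lan, uses 192.168.1.50 as a constructed placeholder for the poster’s admin PC, and picks 2222 as the remapped external SSH port.

```uci
# /etc/config/firewall fragment (added example, not from the thread)
# Zone names 'wan' (eth0, 192.168.1.x side) and 'lan' (eth1, 192.168.2.x side)
# are the GL.iNet/OpenWrt defaults. 192.168.1.50 is a constructed placeholder
# for the poster's "local static IP"; 2222 is an assumed external SSH port.

# Rule #1 from the reply: 192.168.1.X:80 -> 192.168.2.2:80
config redirect
	option name 'web-host-a'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '192.168.2.2'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

# Rule #2: second web host, same internal port, different external port
config redirect
	option name 'web-host-b'
	option src 'wan'
	option src_dport '81'
	option dest 'lan'
	option dest_ip '192.168.2.3'
	option dest_port '80'
	option proto 'tcp'
	option target 'DNAT'

# SSH remapped to an unused external port AND restricted to one source.
# src_ip on a redirect makes the DNAT match only for that client; packets
# from anyone else never match this rule and fall through to the wan zone's
# default input policy (REJECT). That is the "allow, then block" order:
# the narrow allow comes first, the blanket block is what remains.
config redirect
	option name 'ssh-admin-only'
	option src 'wan'
	option src_ip '192.168.1.50'
	option src_dport '2222'
	option dest 'lan'
	option dest_ip '192.168.2.3'
	option dest_port '22'
	option proto 'tcp'
	option target 'DNAT'
```

After editing, `/etc/init.d/firewall reload` applies it; from the admin PC, a connection to 192.168.1.X:2222 should reach the box’s SSH, and from any other wan-side host the same port should be refused.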

It looks too easy to be real :slight_smile:

On Monday the electricians will come; until then I can’t do anything.

I’ll write again in a few days; in the meanwhile: thanks

Saying it is a weird behaviour is saying little. Today I placed my unit in the data cabinet, wiring the WAN port to the public switch (which in turn is also connected to the modem). My ISP’s router shows that it is on the address 192.168.1.89. The LAN port is wired to the switch for the private network, which, for now, is totally empty.
Then I point the browser to 192.168.1.89 expecting to see the familiar green landing page, but to my big surprise, Firefox doesn’t find the site. Doing ssh admin@192.168.1.89, with very low expectations actually, doesn’t work either.
The device has just one LED on, and it is red.
Last week I tried to connect it in my local network and it worked as expected.

Then I point the browser to 192.168.1.89 expecting to see the familiar green landing page, but to my big surprise, Firefox doesn’t find the site

Never mind: I did it!

I went to the basement with the laptop, wired it to the private switch so the laptop got an IP on the same network as the GL router, and finally pointed the laptop’s browser to 192.168.8.1, logged in to the GL’s web console and enabled port 80 (web).

At the end my regular PC can access 192.168.1.89. Good :sunglasses:

I did the port forwarding

From the web console I selected ADVANCED ADMIN PANEL; I logged in with the admin credentials, then I selected Networks->Firewall, and finally I pressed Port Forwards and set the router like in the picture.

(As in the post https://forum.gl-inet.com/t/gl-mt300n-v2-port-forwarding-and-ssh/3842/3 .)

Now I still miss the packet blocking: how do I set the firewall rules? Thanks