andlid
Apr 16, 2021, Aspirant
Orbi IPTABLES and TUN interface
uname -a: Linux RBR50 3.14.77 #1 SMP PREEMPT Fri Jan 8 20:10:05 CST 2021 armv7l GNU/Linux. Aid needed. Background: I want to enable VPN server and only allow a handful of ports to be allowe...
CrimpOn
Apr 16, 2021, Guru - Experienced User
Could you please describe the intended result in more general terms? Such as:
When a remote device joins my Orbi LAN through OpenVPN, I want this device to be able to (a) only do certain things, or (b) not be able to do certain things, (1) on the local LAN or (2) when it accesses the internet.
And, this restriction applies only to devices on the VPN and not "regular devices"?
- andlid, Apr 16, 2021, Aspirant
Sure:
When this device joins my network through VPN and gets the IP 192.168.2.x, I want it only to be able to access the following IP: 192.168.1.150 with tcp/udp port 25000.
Cheers
- CrimpOn, Apr 16, 2021, Guru - Experienced User
andlid wrote: When this device joins my network through VPN and gets the IP 192.168.2.x, I want it only to be able to access the following IP: 192.168.1.150 with tcp/udp port 25000.
That would be any (every) device that joins the network through VPN. It seems to me that this sort of defeats the general purpose of having a VPN. I am guessing that the remote device can be 'anywhere' and thus have a different IP address every time it connects.
Does 192.168.1.150 have no firewall or password capability?
This sounds like what port forwarding is intended to accomplish, i.e. a connection attempt to port 25000 goes only to one IP on the LAN, and that IP can decide to accept or decline the connection, and then can require whatever authentication it wants before granting access.
Another consideration is that anything done to iptables will disappear if the Orbi reboots.
Frankly, I am impressed that you know so much about iptables. I made a couple of attempts to figure out how Orbi was implementing things and got SO confused that I gave up.
- andlid, Apr 16, 2021, Aspirant
Hmm, ok, not what I wanted to see I guess :)
Since the VPN feature doesn't allow for username and password or further settings, I'd like to be able to control the whole subnet, say, and only allow it access to a certain IP / port. This is since the ORBI has a flat network structure; otherwise I would be able to host the service on, say, a DMZ and only have the port exposed to that. But with the move in IoT and 20+ devices per household it would be good practice to at least try and restrict this somehow.
Cheers
A.
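The restriction andlid describes (everything arriving over the VPN tunnel may reach only 192.168.1.150 on tcp/udp 25000) can be expressed as a small iptables rule set. This is an added example, not code from the thread or from NETGEAR firmware; it assumes the tunnel interface is named tun0, that the firmware's iptables has the `state` match, and uses a hypothetical chain name VPN_RESTRICT. As CrimpOn notes, these rules live only in memory, so the script has to be re-run after every reboot.

```shell
#!/bin/sh
# Added example (not from the thread): confine traffic arriving on the OpenVPN
# tunnel to one LAN host/port. Values from the thread: VPN subnet 192.168.2.0/24,
# target 192.168.1.150, port 25000 tcp+udp.
# Assumptions: tunnel interface tun0; iptables built with the "state" match.
# Override any value via the environment, e.g. VPN_IF=tun1.
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-192.168.2.0/24}"
ALLOW_HOST="${ALLOW_HOST:-192.168.1.150}"
ALLOW_PORT="${ALLOW_PORT:-25000}"
CHAIN="VPN_RESTRICT"   # hypothetical chain name

# Print the rule set (dry run). Order matters: accept replies to existing
# connections, accept the one permitted service, log, then drop the rest.
# Hooking both FORWARD and INPUT covers traffic to the LAN and to the router itself.
vpn_rules() {
  cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -p tcp -d $ALLOW_HOST --dport $ALLOW_PORT -j ACCEPT
iptables -A $CHAIN -p udp -d $ALLOW_HOST --dport $ALLOW_PORT -j ACCEPT
iptables -A $CHAIN -m limit --limit 5/min -j LOG --log-prefix VPN-DROP:
iptables -A $CHAIN -j DROP
iptables -I FORWARD 1 -i $VPN_IF -s $VPN_NET -j $CHAIN
iptables -I INPUT 1 -i $VPN_IF -s $VPN_NET -j $CHAIN
EOF
}

# Apply the rules on the router (needs root). They are not persistent across
# a reboot, so run this again from whatever startup hook the firmware offers.
apply_vpn_rules() {
  vpn_rules | while IFS= read -r rule; do eval "$rule"; done
}

# Default is a dry run that only prints the rules; APPLY=1 installs them.
if [ "${APPLY:-0}" = 1 ]; then apply_vpn_rules; else vpn_rules; fi
```

If VPN clients rely on the Orbi for DNS, add a matching ACCEPT for udp/tcp 53 to the router's tunnel address before the DROP; the LOG line lets you see exactly which blocked attempts occur in `dmesg`.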