Wi-Fi Guest Network : no internet access


Haven't analyzed the traffic with Wireshark, but a basic traceroute shows that ICMP packet routing stops between the guest network gateway (172.16.1.1) and the internet gateway (192.168.1.1).
The gateway for the guest LAN should be the same as the gateway for the main LAN (i.e. presumably your RT router at (?) 10.1.1.1).
 
You have enabled NAT on the Guest network, haven't you?


It's not possible to route packets across the Internet with source/destination IP that is in a reserved range.

The default gateway on a subnet should be the router's IP on that subnet: the router holds the info for where then to send packets. So for the Guest network the default gateway should be the router's IP on the Guest subnet (172.16.1.1). The router should have a default route of 192.168.1.1 (the router's next hop out to the Internet).

With VPN Plus the VPN services will be on gateway a.b.c.1 of whatever the assigned service's client subnet is (same for VPN Server on DSM).
 
You have enabled NAT on the Guest network, haven't you?
I think we covered this way back in post #19 :) (tho on looking back no definitive answer so def worth checking...)

@fredbert do you know if it's possible to view the NAT rules on a Syno router via a CLI command, e.g. iptables -t nat -L...etc?
 
So after much searching through and not seeing any difference in the output of iptables -t nat -L -n it dawned on me that probably the rules are unchanged and a grouping is changing. All this is quite new to me but I did some searches and thought to try if ipset was being used in SRM. It is! The various 'match-set NAME' rules have NAME in ipset.

So I tested and captured ipset list output to a text file and then compared them. First with my Guest network using NAT and then without. The change was to POLICY_DISABLE_NAT_LAN and it added gbr0, the Guest network's interface name, to the list for not NATing.
Code:
Name: POLICY_DISABLE_NAT_LAN
Type: hash:net,iface
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 512
References: 1
Members:
0.0.0.0/0,gbr0

I haven't chased back this into iptables.
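
The capture-and-compare step described in the post above, as an added example (not part of the original thread and not Synology tooling): a Python parser that diffs two saved `ipset list` captures set by set. The captures are constructed; only the set name, type and the `0.0.0.0/0,gbr0` member come from the post, and `EXAMPLE_OTHER_SET` is a hypothetical set that does not change.

```python
"""Diff two saved `ipset list` captures and report membership changes per set."""

# Constructed captures. The set name, type and the 0.0.0.0/0,gbr0 member are
# from the post; EXAMPLE_OTHER_SET is a hypothetical set that does not change.
HEADER = ("Name: POLICY_DISABLE_NAT_LAN\nType: hash:net,iface\nRevision: 6\n"
          "Header: family inet hashsize 1024 maxelem 65536\nReferences: 1\nMembers:\n")
OTHER = "\nName: EXAMPLE_OTHER_SET\nType: hash:ip\nMembers:\n192.0.2.10\n"
NAT_ON = HEADER + OTHER                        # guest network NATed
NAT_OFF = HEADER + "0.0.0.0/0,gbr0\n" + OTHER  # guest network not NATed


def parse_ipset_list(text):
    """Return {set_name: set(members)} from `ipset list` plain-text output."""
    sets, members = {}, None
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a set's member list
            in_members = False
        elif line.startswith("Name:"):    # a new set begins
            members = sets.setdefault(line.split(":", 1)[1].strip(), set())
            in_members = False
        elif members is None:
            continue                      # ignore anything before the first set
        elif line == "Members:":
            in_members = True
        elif in_members:
            members.add(line)
    return sets


def diff_ipsets(before, after):
    """Return {set_name: {"added": [...], "removed": [...]}} for changed sets only."""
    changes = {}
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old != new:
            changes[name] = {"added": sorted(new - old), "removed": sorted(old - new)}
    return changes


if __name__ == "__main__":
    for name, delta in diff_ipsets(parse_ipset_list(NAT_ON),
                                   parse_ipset_list(NAT_OFF)).items():
        print(name, delta)
```

On the router, the two inputs would be the text files saved from `ipset list` before and after toggling NAT on the Guest network.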
 
Excellent sleuthing ref the use of ipset!

As ipset is generally used to BLOCK things, I'd still expect to see something positive to do with NAT in iptables: does iptables -t nat -L -n -v | grep -i 'MASQUERADE' return anything? This is the form I'd expect to see a NAT rule - most likely in the POSTROUTING chain.

If not, seems that Syno might be doing some special voodoo to implement their NAT...
 
There are three MASQUERADE rules* but I cannot see how they relate to the don't NAT name, or anything else for that matter, in ipset.

Anyway, I think we are digressing :)

*In chains: NAT_LOOPBACK_POSTROUTING; NTP_WORKAROUND_POSTROUTING; SNAT_POSTROUTING. All called within POSTROUTING chain.
 
