This can be done. I did a quick test on my own network using a wireless printer. I could ping from the guest network to only the printer and no other devices of the main LAN. You will have to add some ebtables rules to allow the the printer and only the printer to access from the guest network. Here are the commands that I used. These can be added to the firewall rules in jffs partition to make it so that it saves through reboot.
Code:
ebtables -I FORWARD -i (interface that printer connects to) -s (MAC address of printer) -o (virtual interface of guest wireless network) -j ACCEPT
ebtables -I FORWARD -p arp -i (virtual interface of guest wireless network) -o (interface that the printer is connected to) -j ACCEPT
For instance my ebtables filter tables are as follows:
Code:
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-s 2c:76:8a:76:a7:f9 -i eth1 -o wl0.1 -j ACCEPT
-p ARP -i wl0.1 -o eth1 -j ACCEPT
-i wl0.1 -o ! eth0 -j DROP
-i ! eth0 -o wl0.1 -j DROP
The setting for arp allows arp requests from the guest network to the other devices so that it can dynamically assign a mac address to an IP address. The other additional command only allows traffic from the printer on the main lan to the guest SSID. The last 2 limit traffic from the guest network to the internet and vice versa. If anyone else has a better way please let me know. ebtables seems pretty straight forward, but I don't use them a lot so there probably is a better way of doing this. I will look at the second question later. I think the only way is to set static IP's or know that mac address of the devices that connect to the main SSID in order to limit who they can talk to. Let me know if this works for you.
Guest Printer
Linear Mode
