WAN (internet) access from specific node(s) only

AH6LE
WAN (internet) access from specific node(s) only
Scenario - running private Allstar Nodes on the Mesh that generally aren't accessible by the outside world. However, there are times it would be advantageous to allow someone not on your local Mesh access to one or more of those nodes. Also (and for other reasons such as updating a computer on the Mesh) it might be useful to allow internet access to a specific node otherwise. Of course, right now the only option is to open the WAN Mesh wide.

Has any thought been given to this or am I shooting for the moon?
 
KF7BWS
WAN (internet) access from specific node(s) only
This scenario has been anticipated by AREDN. 
The MikroTik hAP Lite is your answer. There are Ethernet ports for your devices and an internet link. Every device plugged into it has internet access without giving internet access to the Mesh network. This is how I have mine set up in my shack. I use it for the workstations in my shack so that they have access to the Internet and the Mesh network without the mesh network having access to my internet access point. Port five also has 24 volt feed-through for a PoE device.
AH6LE
I get that (I'm running a hAP at my QTH now with Internet access on Port 1).

I'm talking about a node that is deployed remotely (for example on a mountain top) and the only wireless connection is to the Mesh. It would be nice to be able to tell my hAP to forward the WAN VLAN to that remote node ONLY without the entire Mesh having access.

My local Mesh Network is a stickler about keeping Parts 15 and 97 apart.

KF7BWS
On the hAP Lite, under "Setup" and "Port Forwarding and DHCP Services", this can be done. Open a port from the internet to the Allstar Nodes on the Mesh.

I have a Raspberry Pi web server on the hAP Lite for the mesh network that needs WordPress updates. I opened port 21 on the hAP and now my Pi on the mesh can get updates from the Internet. If you open the appropriate port on the inbound traffic from the Internet to the remote Allstar node, then traffic from the Internet can access the Allstar node without allowing general access to the internet from the Mesh.

K5DLQ
Use a proxy server like Privoxy to control access to the "WAN" from other devices/software apps.
iz5fsa
privoxy
AREDN is an OpenWrt "special flavour"... take a look at https://openwrt.org/docs/guide-user/services/proxy/privoxy.

I hope this can help.

--
73 de Leo IZ5FSA
AH6LE
Thanks
Thanks
Unfortunately, http://www.privoxy.org/ isn't reachable, but it does give me some ideas.
 
K5DLQ
Squid, TinyProxy, and HAProxy are others.
 
N2JWC
On the Node or on an RPi
Does this mean you can install accessory software from OpenWRT or are you suggesting this would have been on a Raspberry Pi?

N2JWC
AH6LE
In my hAP anyway..... I can only forward to IPs that are part of its DHCP pool. I don't see how to forward to a remote IP on the mesh.

AH6LE
It was suggested to me that since I need to pass UDP packets, it looks like I'll need to use iptables to do so, as the usual proxies don't support that.
kp4djt
Looks like what we need
I am wanting to test a remote DMR repeater which would be linked to the internet over the AREDN network. The repeater will be 3 nodes distant (hAP is WAN entry point, <> LHG 5 <> LDF 5 <> admin'd switch <> DMR repeater).
I can of course get the repeater to talk to the network from the hAP, but once I get out on the mesh I cannot get there. I have been trying to sort this out, still learning about AREDN. The future is to have AREDN nodes co-located with our DMR repeaters, and at some point the public network becomes needed only for out-of-state linking. Of course that is still far off, but we need to get started on testing the bits and pieces and start getting the parts that can link over AREDN to do so.
