How to access lan ressources from guest network

Hi there,

My network-data:
Turris omnia:

  • internal IP:
  • public access via:
  • internal IP:
  • webservice running on port: 40000

What I’d like to achive:
I’d like to grant friends connected to my guest-network so they are able to access my public domain without being routed over the internet.
My actual rules are as followed (just like the common turris guest-setup)

config zone 'gast'
	option name 'gast'
	option forward 'REJECT'
	option output 'ACCEPT'
	option input 'REJECT'
	list network 'gast'

config forwarding
	option name 'Allow Gast forwarding'
	option src 'gast'
	option dest 'wan'

config rule
	option name 'Allow Gast DHCP request'
	option src 'gast'
	option proto 'udp'
	option src_port '67-68'
	option dest_port '67-68'
	option target 'ACCEPT'

config rule
	option name 'Allow Gast DNS Queries'
	option src 'gast'
	option proto 'tcpudp'
	option dest_port '53'
	option target 'ACCEPT'

Any suggestions are appreciated!


Goal 1)
I’d like to enter into my browser and my Turris omnia should directly route this traffic to without accessing the internet.
In order to achive that I used to enter the following line to /etc/hosts

but that won’t work on Turris Omnia.

Hi, the solution should be using /etc/kresd/hints as hosts file.

putting “” in it should do the trick. Don’t forget to reboot the router - or -> Somebody please suggest what to restart after hints are edited instead of full reboot.

I forgot this:

  • in /usr/bin/ create
  • chmod +x /usr/sbin/

this is the content of the file:


HACK=`mktemp -t kres_hack.XXXXXX`
echo "modules.load('hints > iterate')" > $HACK
echo "hints.config('/etc/kresd/hints')" >> $HACK

socat $HACK UNIX-CONNECT:/tmp/kresd/tty/$(pidof kresd)

rm $HACK
  • in /etc/rc.local add “/usr/sbin/” before “exit 0”

I found out, that my config is broken, so I will let you know if I find out I forgot some other config. But this should propably do the trick.

Thank you - for me it works fine.
So as Goal 1) ist reached - do you have suggestions how to reach Goal 2), too?

2, if the friend uses your DNS resolver, it will just work. If not, you will need to use destination NAT (or source NAT? not sure now). Basically, you would translate the real public IP to the local one and back, so the server would think it goes from inside and the client will think it comes from outside.

Unfortunatelly the problem is: turris omnia seems to get rid of your hack after some time - i have to rerun /usr/sbin/
Any suggestions on that? Could I not enter this hack somehow permanently into a file? Running a cron-job seems somewhat wrong…

  1. I’d assume to not be working out of the box - there’s no forwarding between lan- and guest-interfaces. And I somehow until now could not find out how to give a member of guest-network access to one single lan IP:port. :frowning:

It’s because of a change in latest update.

edit (create) /etc/kresd/hints as hosts file (IP DOMAIN). Do not forget empty line in the end!
in file /etc/config/resolver
into block: config resolver 'kresd’
add: list hostname_config '/etc/kresd/hints’
restart resolver: /etc/init.d/resolver restart

Working again, thank you!

My last goal would be that members of the guest-network can access one single ressource on lan-network: =
Any suggestions on that?

That would be most likely in the firewall – I think that’s where guests are blocked from LAN (only IPs on that level, not names). Unfortunately I don’t dare to guess more.

I need some sort of access rule that allows a guest user to access solely the one named server-port.
All other communication between guest and lan shall furthermore be dropped.

Bump. Does anybody know how to do this?

Does noone have the need to grant a guest access to a local server?

This should somehow just be a forward option for one single IP from one zone/VLAN to another.

Edit: maybe found the solution at Will try it soon and afterwards post results here.

Here is my result:
To access a server from a seperate firewall zone (e.g. guest_turris), you need the following configuration, assuming
Guest-if:, name "guest_turris"

config rule
	option name 'guest-access to webserver'
	option src 'guest_turris'
	option proto 'tcp'
	option dest 'lan'
	option dest_ip ''
	option dest_port '40000'
	option target 'ACCEPT'

With that rule it works without any problems :slight_smile:

Putting both things

It works for me also (specific wifi client - src_ip) to to the specific port on router, but for some reason I struggling allow single IP from Wifi access all lan resources, and all others not allowing to access lan :frowning:

It just work for all clients, or none.

P.S.: I dont need LAN resolving particulary, I would be happy just for client-specific acess (based on IP) from wifi to lan (I kind dont wanna have even non-guest wifi opened to LAN, but for a few machines its really convienient to access NAS, digital camera upload photos through wifi etc.)

Something like

config rule
	option name 'guest-access to webserver'
	option src_ip / src_mac 'IP' / 'MAC'
	option src 'wifi-zone-name'
	option proto 'tcp' / 'tcpudp'
	option dest 'lan'
	option target 'ACCEPT'

does not work?

In case

config zone
option name ‘wifi’
option network ‘wifi’
option forward ‘REJECT’
option output ‘ACCEPT’
option input ‘ACCEPT’

It works for all clients, no-IP client specific :frowning: