Disable Internet for Guest Network

canufrank

Occasional Visitor
Yes, that's right :)

I'd like to be able to give certain clients access to the intranet, but not the internet. I figured the easiest way to do so would be using a guest SSID. I was wondering what the next steps were. I'm assuming I drop packets coming from a particular interface, but wonder if there's a better method or starting point.

Running Asuswrt-Merlin 378.55 on RT-AC68U
 
This piece of script will show you how.

/jffs/scripts/firewall-start
Code:
#!/bin/sh

/usr/sbin/iptables -I FORWARD -i wl0.1 -j DROP # Disable Internet for 2.4GHz Wi-Fi Guest SSID#1
/usr/sbin/iptables -I FORWARD -i wl0.2 -j DROP # Disable Internet for 2.4GHz Wi-Fi Guest SSID#2
/usr/sbin/iptables -I FORWARD -i wl0.3 -j DROP # Disable Internet for 2.4GHz Wi-Fi Guest SSID#3
/usr/sbin/iptables -I FORWARD -i wl1.1 -j DROP # Disable Internet for 5.0GHz Wi-Fi Guest SSID#1
/usr/sbin/iptables -I FORWARD -i wl1.2 -j DROP # Disable Internet for 5.0GHz Wi-Fi Guest SSID#2
/usr/sbin/iptables -I FORWARD -i wl1.3 -j DROP # Disable Internet for 5.0GHz Wi-Fi Guest SSID#3
 
Thanks boss. I created the script, restarted the firewall, enabled the interface and can see the rule at the top of its chain.
Code:
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  wl0.1  any     anywhere             anywhere
15079   11M ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
However, devices connected on the guest SSID (only one of them is enabled) can still browse the internet. (I tried moving the rule to the end of the chain, but it obviously made no difference.) Any ideas?
 
Devices can still browse the internet...
You're right, my example script does not work because the router sees the guest wi-fi client traffic as coming from the bridge interface "br0", not the actual guest wi-fi interface. I had to turn on logging to see what was going on.

Log iptables & ebtables hits to /tmp/syslog.log
Code:
/usr/sbin/iptables -I FORWARD -j LOG --log-level 7
/usr/sbin/iptables -t nat -I PREROUTING -j LOG --log-level 7
/usr/sbin/iptables -t mangle -I PREROUTING -j LOG --log-level 7
/usr/sbin/ebtables -I FORWARD -j CONTINUE --log --log-level 7
/usr/sbin/ebtables -t nat -I PREROUTING -j CONTINUE --log --log-level 7
/usr/sbin/ebtables -t broute -I BROUTING -j CONTINUE --log --log-level 7

Sorry, it is beyond my skills.
 
Parental Controls?
Apparently, with Parental Control you must specify the MAC address of the computer to block. Whereas, the OP requires that an entire interface (a Wi-Fi Guest Network) be blocked from accessing the Internet, while still being able to see computers on the LAN.
 
I'm not sure: he says he wants to deny certain clients access to the Internet. I figured he might be able to use parental controls to do that - as you say by specifying the MAC address of the clients he wants to deny. (The guest network bit was his proposal as a method of denying Internet access to those clients.)

On reflection, his choice of topic title is the problem. "Disable Internet access for certain clients" would have been more accurate (i.e. not misleading!)
 
Parental Controls should be sufficient. Or, just use iptables rules to accomplish this.

Block by IP address

Code:
/usr/sbin/iptables -I FORWARD -s 192.168.1.137 -j DROP

OR, block by MAC address
Code:
/usr/sbin/iptables -I FORWARD -m mac --mac-source 00:0F:EA:c2:5f:37 -j DROP

However, I like the idea of having a Guest Network that blocks all Internet access. It's much safer. Then you don't have to worry.
 
Perhaps he has another router (e.g. ISP supplied) that he could sit behind his RT-AC68U, and put the clients he wants to block Internet access for behind that, while still giving them intranet access? Would that be a relatively easy option?
 
As you suspected ASAT, I wanted to utilize the guest network so that I don't have to manage clients individually.

I suspect that we're on the right track though. If guest SSIDs can have 'Access Internet' set individually, one would assume they have individual tables/chains/rules where the forwarded packet can be similarly dropped. (Albeit, my knowledge regarding routing is very limited. In fact, running iptables-save before and after toggling that setting results in an identical rule set.)
 
... so that I don't have to manage clients individually.
The following method apparently worked for me. However, I had to modify the Asuswrt-Merlin firmware.

/jffs/scripts/firewall-start
Code:
#!/bin/sh
# selectively disable Internet for each Guest Network interface
/usr/sbin/iptables -I FORWARD -m physdev --physdev-in wl0.1 -o eth0 -j DROP
/usr/sbin/iptables -I FORWARD -m physdev --physdev-in wl0.2 -o eth0 -j DROP
/usr/sbin/iptables -I FORWARD -m physdev --physdev-in wl0.3 -o eth0 -j DROP
/usr/sbin/iptables -I FORWARD -m physdev --physdev-in wl1.1 -o eth0 -j DROP
/usr/sbin/iptables -I FORWARD -m physdev --physdev-in wl1.2 -o eth0 -j DROP
/usr/sbin/iptables -I FORWARD -m physdev --physdev-in wl1.3 -o eth0 -j DROP


All Internet traffic is indeed blocked when connected to the Wi-Fi 5GHz Guest Network#2 interface. EXAMPLE: ping yahoo.com

dmesg
Code:
IN=br0 OUT=eth0 PHYSIN=wl1.2 SRC=192.168.1.137 DST=98.138.253.109 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6345 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=33
IN=br0 OUT=eth0 PHYSIN=wl1.2 SRC=192.168.1.137 DST=98.138.253.109 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6355 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=34
IN=br0 OUT=eth0 PHYSIN=wl1.2 SRC=192.168.1.137 DST=98.138.253.109 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6383 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=35
IN=br0 OUT=eth0 PHYSIN=wl1.2 SRC=192.168.1.137 DST=98.138.253.109 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6396 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=36



HOWTO: Modify the Asuswrt-Merlin firmware (for ARM routers).

cd ~/asuswrt-merlin
patch -p2 -i ../asuswrt-merlin-380.57-arm-bridgenf.patch
cd ~/asuswrt-merlin/release/src-rt-6.x.4708
make clean
rm .config
make rt-ac68u


~/asuswrt-merlin-380.57-arm-bridgenf.patch
Code:
diff -u -r -B -X ./excludes.txt ./asuswrt-merlin-380.57-original/release/src/router/rc/wan.c ./asuswrt-merlin-380.57/release/src/router/rc/wan.c
--- ./asuswrt-merlin-380.57-original/release/src/router/rc/wan.c    2015-12-24 16:18:19.000000000 -0500
+++ ./asuswrt-merlin-380.57/release/src/router/rc/wan.c    2016-01-13 18:19:02.080739575 -0500
@@ -3094,8 +3094,16 @@
#endif
#if LINUX_KERNEL_VERSION >= KERNEL_VERSION(2,6,36)
-    f_write_string("/proc/sys/net/bridge/bridge-nf-call-iptables", "0", 0, 0);
-    f_write_string("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "0", 0, 0);
+    #ifdef RTCONFIG_BCMARM
+        // for ARM platform, we have enabled BRIDGE_NETFILTER and the default behaviour
+        // is to pass bridged IPv4 & IPv6 traffic to iptables' chains
+        f_write_string("/proc/sys/net/bridge/bridge-nf-call-iptables", "1", 0, 0);
+        f_write_string("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1", 0, 0);
+    #else
+        // for MIPS platform, the BRIDGE_NETFILTER feature is not yet enabled
+        f_write_string("/proc/sys/net/bridge/bridge-nf-call-iptables", "0", 0, 0);
+        f_write_string("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "0", 0, 0);
+    #endif
#endif
     /* Report stats */
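Review bot: the new `#ifdef RTCONFIG_BCMARM` branch turns bridge-nf-call-iptables and bridge-nf-call-ip6tables on for every bridged frame, not only for the guest SSIDs this is meant to serve, and the hunk says nothing about the cost; the firmware's own commented-out block in init-broadcom.c (quoted later in this thread) warns that bridge netfilter "slows down and breaks EMF/IGS IGMP IPTV Snooping". Consider gating the two `f_write_string(..., "1", 0, 0)` calls behind an nvram switch (a hypothetical `bridgenf_enable`, say) so the shipped default stays "0", and confirm that LAN-to-LAN bridged frames, which with this setting also traverse the FORWARD chain (policy DROP in the listing earlier in the thread), are still accepted.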
diff -u -r -B -X ./excludes.txt ./asuswrt-merlin-380.57-original/release/src-rt-6.x.4708/linux/linux-2.6.36/config_base.6a ./asuswrt-merlin-380.57/release/src-rt-6.x.4708/linux/linux-2.6.36/config_base.6a
--- ./asuswrt-merlin-380.57-original/release/src-rt-6.x.4708/linux/linux-2.6.36/config_base.6a    2015-12-24 16:18:19.000000000 -0500
+++ ./asuswrt-merlin-380.57/release/src-rt-6.x.4708/linux/linux-2.6.36/config_base.6a    2016-01-13 18:16:28.112733329 -0500
@@ -476,7 +476,7 @@
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
-# CONFIG_BRIDGE_NETFILTER is not set
+CONFIG_BRIDGE_NETFILTER=y
#
# Core Netfilter Configuration
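Review bot: `CONFIG_BRIDGE_NETFILTER=y` provides the bridge-to-iptables hook, but the firewall-start rules above also rely on the physdev match (`-m physdev`, kernel option CONFIG_NETFILTER_XT_MATCH_PHYSDEV), and this hunk does not show whether that option is already set in config_base.6a; either add it to the patch or state in the description that it is already enabled. Since the HOWTO removes .config before building, it would also help to say that config_base.6a is the file the build regenerates .config from, so readers know the change is not discarded.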



WEBSITE REFERENCES:
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=753907&sid=84550b578a3a6323bbe24bde43fadcba

http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html
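As an added check, not code from the thread: a small POSIX shell/awk script that reads iptables LOG lines in the dmesg format shown above (the PHYSIN field appears only once bridge netfilter is active) and lists guest-SSID traffic that was forwarded out the WAN interface. The log lines below are constructed; the WAN name eth0 follows the post's own output.

```shell
#!/bin/sh
# Added example, not code from the thread: find guest-SSID (wlX.Y) frames that
# the router forwarded out the WAN interface, using the iptables LOG format from
# the dmesg output above. Any output line means the guest Internet block leaks.

# Constructed sample log lines (not captured from a real router):
#  - two ICMP frames from guest wl1.2 left via eth0 (a leak)
#  - one frame from wl1.2 stayed on the bridge (LAN-only, fine)
#  - one frame came from the wired port eth1, not a guest SSID
SAMPLE_LOG='IN=br0 OUT=eth0 PHYSIN=wl1.2 SRC=192.168.1.137 DST=198.51.100.10 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=33
IN=br0 OUT=br0 PHYSIN=wl1.2 PHYSOUT=eth1 SRC=192.168.1.137 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=50000 DPT=445
IN=br0 OUT=eth0 PHYSIN=eth1 SRC=192.168.1.50 DST=198.51.100.10 LEN=60 PROTO=TCP SPT=51000 DPT=443
IN=br0 OUT=eth0 PHYSIN=wl1.2 SRC=192.168.1.137 DST=198.51.100.10 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=34'

# guest_leaks LOGTEXT WANIF
# Prints "PHYSIN SRC DST COUNT" for every distinct guest flow that exited via
# WANIF; prints nothing when no guest traffic reached the Internet.
guest_leaks() {
  printf '%s\n' "$1" | awk -v wan="$2" '
    {
      split("", f)                        # reset the KEY=VALUE map per line
      for (i = 1; i <= NF; i++)
        if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
      if (f["OUT"] == wan && f["PHYSIN"] ~ /^wl[0-9]+\.[0-9]+$/)
        seen[f["PHYSIN"] " " f["SRC"] " " f["DST"]]++
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# On the router, run the same check against the live kernel log:
#   guest_leaks "$(dmesg | grep PHYSIN=)" eth0
guest_leaks "$SAMPLE_LOG" eth0
```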
 
Thank you very much for your continued help ASAT.

Unfortunately, I'm not in a position to rebuild the kernel right now. Are those 2 settings changes innocuous enough that Merlin would consider a pull?
 
Are those 2 settings changes innocuous enough that Merlin would consider a pull?
My RT-AC68U and RT-AC56U are currently running this modified Asuswrt-Merlin 380.57 firmware now. If it stops working I'll post here again. However, I think it's good.
 
Can you request a pull, or is there some official procedure in place to make change requests?
 
Can you request a pull, or is there some official procedure in place to make change requests?
I could do it. However, now I see this commented-out code and warning.

asuswrt-merlin/release/src/router/rc/sysdeps/init-broadcom.c, line 1529:
Code:
/* Requires bridge netfilter, but slows down and breaks EMF/IGS IGMP IPTV Snooping
    if (nvram_get_int("sw_mode") == SW_MODE_ROUTER && nvram_get_int("qos_enable") == 1) {
        // enable netfilter bridge only when phydev is used
        f_write_string("/proc/sys/net/bridge/bridge-nf-call-iptables", "1", 0, 0);
        f_write_string("/proc/sys/net/bridge/bridge-nf-call-ip6tables", "1", 0, 0);
        f_write_string("/proc/sys/net/bridge/bridge-nf-filter-vlan-tagged", "1", 0, 0);
    }
*/


For myself, I'm going to continue using this "bridge netfilter" feature.
 
Thinking about it, a simpler approach might be to follow the thinking of network pros (which I'm not). Remove wl0.1 from br0. Apply the same iptables rules as in #2.

If that doesn't work, then create a new bridge interface named br1. Add wl0.1 to br1. Apply the same iptables rules as in #2 but replace wl0.1 with br1.

However, with any such tinkering in Merlin firmware with custom config, you'll need to watch out. After LAN/WAN/Wireless-related operations through the GUI, your custom tinkering might be lost/destroyed. Hence, I wouldn't advocate such tinkering unless people are very sure of what they're doing.

While I admire ASAT's tinkering with the kernel as usual, the above proposal might not be needed, especially after reading the notes by Broadcom in #15.

:)
 
The following post will show you how. However, I have not tried it yet.
http://www.snbforums.com/threads/ac68u-guest-network-problem.26176/#post-217539

Without creating br1, using wl0.1 in place of br1 in dnsmasq will also work. Creating br1 seems neater in network pros' speak (which I'm not).

The idea is to have one subnet for br0. A second subnet for wl0.1 (or br1). Both subnets become the intranet. Subnet br0 can access both intranet and internet. Subnet wl0.1 (or br1) just intranet.
 
Here's another way to do it. Thanks to Merlin for cluing me in on the fact that ASUS chose ebtables for AP host isolation, instead of using iptables' bridged netfilter with the xt_physdev matching module.

/jffs/scripts/firewall-start
Code:
NETADDR=$(/usr/sbin/ip route | /bin/grep br0 | /usr/bin/cut -d' ' -f1)
/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i wl0.1 ! --ip-dst ${NETADDR} -j DROP  # Disable Internet for 2.4GHz Wi-Fi Guest SSID#1
/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i wl0.2 ! --ip-dst ${NETADDR} -j DROP  # Disable Internet for 2.4GHz Wi-Fi Guest SSID#2
/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i wl0.3 ! --ip-dst ${NETADDR} -j DROP  # Disable Internet for 2.4GHz Wi-Fi Guest SSID#3
/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i wl1.1 ! --ip-dst ${NETADDR} -j DROP  # Disable Internet for 5.0GHz Wi-Fi Guest SSID#1
/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i wl1.2 ! --ip-dst ${NETADDR} -j DROP  # Disable Internet for 5.0GHz Wi-Fi Guest SSID#2
/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i wl1.3 ! --ip-dst ${NETADDR} -j DROP  # Disable Internet for 5.0GHz Wi-Fi Guest SSID#3
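An added example, not code from the thread: the same BROUTING rules generated from a parsed copy of `ip route` output rather than `grep br0 | cut -d' ' -f1`, which returns more than one line as soon as any other route (a static route, for instance) also mentions br0, and would then hand a multi-line NETADDR to ebtables. The route table below is constructed; the interface names and rule form are the post's own.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the per-guest-SSID BROUTING
# rules from the post above, deriving the LAN prefix by matching `ip route`
# fields so that a second route mentioning br0 cannot corrupt NETADDR.

# Constructed `ip route` output; the third line is the case `grep br0` trips on.
SAMPLE_ROUTES='default via 203.0.113.1 dev eth0
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.1
10.9.0.0/24 via 192.168.1.250 dev br0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.7'

# lan_subnet ROUTETEXT: print the directly connected prefix of br0; fail unless
# exactly one such route exists, so a bad parse never reaches ebtables.
lan_subnet() {
  printf '%s\n' "$1" | awk '
    $2 == "dev" && $3 == "br0" && /proto kernel/ && /scope link/ { print $1; n++ }
    END { exit n != 1 }'
}

# guest_rules PREFIX IFACE...: one rule per guest interface, in the same form as
# the thread's script (IPv4 frames from the guest port not addressed to the LAN
# prefix), printed rather than executed so they can be reviewed first.
guest_rules() {
  prefix=$1; shift
  for ifc in "$@"; do
    printf '/usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i %s ! --ip-dst %s -j DROP\n' \
      "$ifc" "$prefix"
  done
}

# Dry run on the constructed routes. On the router, pass "$(/usr/sbin/ip route)"
# instead and pipe the output to sh from /jffs/scripts/firewall-start.
if lan=$(lan_subnet "$SAMPLE_ROUTES"); then
  guest_rules "$lan" wl0.1 wl0.2 wl0.3 wl1.1 wl1.2 wl1.3
else
  echo "could not determine a unique br0 LAN prefix, no rules generated" >&2
fi
```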
 
