ASUS RT-AX88U Pro

acmsm

New Around Here
Hi All,

I have bought an ASUS RT-AX88U Pro to place it in front of my ISP Router. One of the goals I had was to better organise my home network by creating VLANs to compartmentalize my devices. So I have a main subnet (the router subnet) for the main devices, a VLAN for the generic IoT, a VLAN for home devices, and a VLAN for IoT that cannot have internet access (IP cams for example).

I know now (my bad) that the ASUS RT-AX88U Pro is unable to block internet for VLANs that are not on the router subnet. Such a basic functionality not present in a €250 router, but that is on me, as I didn't do my reading correctly.

While I wait for a firmware upgrade that actually provides this (if ever), I was wondering if Merlin firmware with specific addons will accomplish my goals: provide the current Asus firmware functionality, but add, among other stuff, the ability to create a VLAN/subnet/guest network and control internet access for all or just a few specific devices on the VLAN.

Thank you,
Antonio
 
Currently Merlin's firmware does not support VLANs. No commitment from him that it will ever be supported. On Merlin's firmware custom scripts are supported, so depending on what others have done and how good you are at modifying or writing scripts, you might be able to accomplish what you want.
 

Are there any addons I can look at, such as Skynet or YazFi?

Thank you for the reply
 
While I wait for a firmware upgrade that actually provides this (if ever), I was wondering if Merlin firmware with specific addons will accomplish my goals: provide the current Asus firmware functionality, but add, among other stuff, the ability to create a VLAN/subnet/guest network and control internet access for all or just a few specific devices on the VLAN.
Possibly, if using Asus-Merlin firmware:

For Guest Network WiFi devices, when using Asus-Merlin 388.x firmware, there is the YazFi add-on script, which extends the capabilities of the Guest Network WiFi, including using YazFi's custom firewall rules scripting to block access to the internet.
https://github.com/jackyaz/YazFi?tab=readme-ov-file#custom-firewall-rules
 
While I wait for a firmware upgrade that actually provides this (if ever),

Consider using Administration > Feedback and send a feature suggestion like this.

Firmware Version: 3.0.0.6.102_33340 for RT-AX88U. Please add "Block Internet Access" for VLAN devices.
  • Network Services Filter DOES NOT accept VLAN IPs
  • Parental Controls DOES NOT work to block internet access for VLAN devices.
Please fix this deficiency.
 
Thank you all for your suggestions, I will investigate further and/or wait for a firmware (Asus or Merlin) that has the functionality.

@CaptainSTX , @bennor , @PunchCardBoss to finish this subject, is there any ASUS router, equivalent or better than the above, with AiMesh if possible, that provides this functionality (and working :) ) that you can suggest?

Thank you once again.
 
@acmsm, the stock Asus 3006.102_x firmware Guest Network Pro feature is unfortunately a bit limited in what features it has. Being able to both block Guest Network Pro client access to the main LAN and at the same time block access to the internet doesn't appear to be possible. It is an either-or situation: either allow main LAN access, where you can then possibly block Internet access, or not allow main LAN access and not have a possibility of blocking Internet access. If using the stock firmware, file a Feedback report to Asus using the GUI feedback form.

While one can try using iptables scripting on stock Asus firmware to block a Guest Network Pro client (or an entire IP subnet) from accessing the Internet, the scripting to do so likely doesn't survive a router reboot or firewall reset/restart. See the following link and the posts that follow it in that discussion, which cover creating some iptables scripting examples to control Guest Network Pro clients:
https://www.snbforums.com/threads/g...nt-access-iot-vlan-devices.93634/#post-942310
One can probably work up some kind of iptables script entry that drops Guest Network Pro client traffic. Wild guess, but maybe something like the following, with eth0 being the WAN port and br52 being the Guest Network Pro SDN, but I don't have time to test it at the moment so experiment at your own risk:
iptables -I FORWARD -i br52 -o eth0 -j DROP
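As an added example (not code from the thread, Asus or Asus-Merlin), the rule above worked up into a script that survives firewall restarts and also covers two other points raised in this thread: a few chosen devices can be exempted from the block, and NTP can be let through so cameras keep accurate time. It assumes br52 is the SDN bridge and eth0 the WAN port, as guessed above, the chain name VLAN_NOINET is made up, and /jffs/scripts/firewall-start is the Asus-Merlin hook it is meant to live in.

```shell
#!/bin/sh
# Added example (not from the thread, Asus or Asus-Merlin): drop Internet-bound
# traffic forwarded from a Guest Network Pro / VLAN bridge, with per-device
# and NTP exemptions. Assumed: br52 is the SDN bridge, eth0 the WAN port (as
# guessed above), and /jffs/scripts/firewall-start as the place to run it.
# FORWARD only sees routed traffic, so clients can still reach the router's
# own DNS/NTP (INPUT chain); main-LAN access is governed by the GUI setting.

VLAN_IF="${VLAN_IF:-br52}"
WAN_IF="${WAN_IF:-eth0}"
ALLOW_IPS="${ALLOW_IPS:-}"   # space-separated client IPs that may still go out
ALLOW_NTP="${ALLOW_NTP:-1}"  # 1 = let UDP/123 through so devices keep time
CHAIN="VLAN_NOINET"          # our own chain, easy to list/flush with -L/-F
IPT="${IPT:-iptables}"       # point at a wrapper or function for a dry run

# Print the rule set, one iptables argument list per line, so it can be
# reviewed before the live firewall is touched.
build_rules() {
    printf '%s\n' "-N $CHAIN" "-F $CHAIN"
    for ip in $ALLOW_IPS; do
        printf '%s\n' "-A $CHAIN -s $ip -j RETURN"   # exempted device
    done
    if [ "$ALLOW_NTP" = "1" ]; then
        printf '%s\n' "-A $CHAIN -p udp --dport 123 -j RETURN"
    fi
    printf '%s\n' "-A $CHAIN -j DROP" \
        "-I FORWARD -i $VLAN_IF -o $WAN_IF -j $CHAIN"
}

# Apply idempotently: firewall-start runs on every firewall restart, so
# first remove any jump left behind by a previous run (-C needs iptables 1.4.11+).
apply_rules() {
    while $IPT -C FORWARD -i "$VLAN_IF" -o "$WAN_IF" -j "$CHAIN" 2>/dev/null; do
        $IPT -D FORWARD -i "$VLAN_IF" -o "$WAN_IF" -j "$CHAIN"
    done
    while read -r rule; do
        [ -n "$rule" ] || continue
        # -N fails if the chain already exists; the -F right after empties it.
        # shellcheck disable=SC2086
        $IPT $rule 2>/dev/null || [ "${rule%% *}" = "-N" ] || return 1
    done <<EOF
$(build_rules)
EOF
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it with `apply` from firewall-start, or with `IPT=echo` first to see the rules it would install; `iptables -L VLAN_NOINET -nv` then shows per-rule hit counters, which is the quickest way to confirm the VLAN traffic is actually matching (unlike the br0-only Parental Control rule).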
 
Thanks @bennor, I am doing some tests and reading some documentation about iptables, and will test the addons mentioned above. I'll keep everyone posted.

In the meantime, does someone know if any ASUS router is currently able to do this?

Thank you.
 
and a vlan for IoT that cannot have internet access (ip cams for example).
You may want to rethink blocking IoT devices from Internet access. Most IoT devices do not have a hardware clock and rely on Internet access to set their software clock and reset it periodically. Cams, for example, should be able to accurately record the time of an event. This is important if you need to call in the police. Other devices will need accurate time to schedule operation. Sure, you can run your own internal time clock, but do you have the time to be continually checking time on all those IoT devices?
The better way is to use IoT devices from trusted providers and those that upgrade the firmware to keep the devices safe. Sure, a lot of devices "phone home" and you can control a lot of this by using DNS filtering. I use a Pi-Hole for this or if you use the Merlin firmware, Diversion can use the same block lists as Pi-Hole.
My IP cams are all on my main LAN with static IP addresses. I am not concerned that they pose a threat to my system...
 
I am in the same boat as you :) unfortunately my return window is closed ... so now waiting for a fix from Asus or hoping they release the blobs to RMerlin to get Merlin FW on the AX86U.

You can check out ASUS ExpertWiFi EBG15 Gigabit VPN Wired Router which has the newer FW and seems that the features run on it fine, but you will need a compatible Access Point (ASUS ExpertWiFi EBA63 AX3000 Dual-Band WiFi 6 (802.11ax) PoE Access Point). After using Omada units for a short period, I am now a fan of separate router and access points. They are awesome as long as they are compatible with each other. But I was too comfortable with Asus FW so came back.

You can also try ASUS ExpertWiFi EBR63 AX3000 WiFi 6 Business Router which is an all in one router access point with the new ExpertWifi interface.

It's too late for me :) Hopefully not for you ...
 
Adding to what bbunge said: when my Tivo could no longer access the time server hardwired into its firmware, it could no longer access and download program/guide information. Since it looks two weeks out, when the stored program data expired the Tivo would no longer automatically record events. Where possible, put the IoT devices on a guest network or their own VLAN and let them do their thing. If they abuse their network access or you feel they are spying on you, get rid of them.
 
Hi,

Thank you for your insight, I do understand all the arguments.

The main reason I want to avoid some IoT devices connecting to the internet is to avoid 1) phoning home, 2) unauthorized traffic and 3) unauthorized access, particularly on the IP cams.

I really do not trust those IP cams that use software where you can see them from the internet; there are thousands of sites where you can see private house images through the hacked cams.

I'll probably set up some Pi cams to avoid it, where I know for sure that they will not go through any weird website or phone home, alongside Pi-hole.

Thank you all once again.
 
If the cams are WIFI based, they are easily jammed if someone wants to get in if the purpose is to record that episode.
 
Hi, I want to share my workaround to disallow devices in a VLAN from accessing the Internet, while Parental Control is buggy and Asus has not fixed it yet.

The real problem behind the Parental Control failure is that the router does not create a correct iptables rule. It only drops packets from br0 (the main network), but any packet from a VLAN will come from br{your_vlan_id}, which won't match this rule. However, the iptables rules work correctly for VPN. So I created a dummy WireGuard server in the VLAN and disabled its IPv4 forwarding. Then in the Guest Network Pro section, enable VPN and point the VLAN to the dummy WireGuard. It acts as a black hole to stop all IoT traffic from phoning home.

One thing I'm not sure about is whether we really need that dummy server. Theoretically we can just create a dummy WG profile, but I haven't tested it yet. Hope this workaround can help you.
 
nice ... ingenious ...

Is there a way to assign only 1 or 2 client IPs to the VPN, so this way I can deny internet access to only selected devices on the SDN?
 
You can assign individual devices to the VPN in the VPN tab, though I'm not sure if the br0 bug happens there again.
 
The real problem behind the Parental Control failure is that the router does not create a correct iptables rule. It only drops packets from br0 (the main network), but any packet from a VLAN will come from br{your_vlan_id}, which won't match this rule. However, the iptables rules work correctly for VPN. So I created a dummy WireGuard server in the VLAN and disabled its IPv4 forwarding. Then in the Guest Network Pro section, enable VPN and point the VLAN to the dummy WireGuard. It acts as a black hole to stop all IoT traffic from phoning home.
Nice workaround. A suggestion, if you have a chance: post a basic step-by-step guide with screen captures to help others who would like to try your workaround.
 