Allow guest network access to single IP for printer

Not sure what you mean by 'seems to' o_O...either the script allows access/printing from the isolated (Internet only) Guest Wifi or it doesn't?

It works with sleep nn. Without it, it somehow breaks the Guest WiFi and devices can't connect. I can fix that by running the script again in telnet. I have no idea why running the script again fixes things.

I could try switching to nat-start to see if that removes the need for sleep nn.

Will this override prior versions of wan-start?
Code:
mv wan-start.sh wan-start
Or do I need to go and delete the old version first?

Are you sure this doesn't work in AP mode and my issue wasn't just the missing sleep nn or some other problem? It seems many are using these in AP mode so if it could work, that would be better.
 
It works with sleep nn. Without it, it somehow breaks the Guest WiFi and devices can't connect.
I can fix that by running the script again in telnet. I have no idea why running the script again fixes things.
I could try switching to nat-start to see if that removes the need for sleep nn.

Clearly the script is being executed too soon during the boot process, so you will need to try calling it from nat-start.
Will this override prior versions of wan-start?
Code:
mv wan-start.sh wan-start
Or do I need to go and delete the old version first?

The 'mv' command used in this context attempts to rename the existing 'wan-start.sh' to 'wan-start', but if 'wan-start' already exists then it will be overwritten by 'wan-start.sh'
Are you sure this doesn't work in AP mode and my issue wasn't just the missing sleep nn or some other problem?

I'm 2000% certain that the script will not work in AP mode. :p
Basically it creates a separate subnet (pseudo VLAN) for each Guest WiFi interface using dnsmasq and usually only one DNS service is allowed per LAN, hence in AP mode, dnsmasq is disabled.
It seems many are using these in AP mode so if it could work, that would be better.
OK, I have created a new Beta script for AP mode which I have PM'd to you.
To use the new Beta AP_LANBlock.sh you need to specify the MAC address of the LAN printer to be shared
Code:
./AP_LANBlock.sh   all   12:34:56:78:9a:bc

(AP_LANBlock.sh): 22384 Requested.....

(AP_LANBlock.sh): 22384 Main Gateway Router MAC address is xx:xx:xx:xx:xx:xx

 ALL AP Guest WiFi SSIDs LAN access is BLOCKED!

(AP_LANBlock.sh): 22384 AP Guest 2.4GHz/5GHz WiFi SSIDs: (*) (wl0.x/wl1.x) Access to LAN printer 12:34:56:78:9a:bc (192.168.xxx.xxx) now allowed

(AP_LANBlock.sh): 22384 AP Guest WiFi () Completed.

Hopefully ALL active Guest SSIDs defined on the AP mode router will now provide access ONLY to the Internet but any connecting AP Guest client should be able to print.

However, you may now wish to allow anyone connecting to say the AP's 2.4Ghz Guest #2 full access to the LAN
e.g.
Code:
./AP_LANBlock.sh   wl0.2   del

(AP_LANBlock.sh): 22764 Requested.....

(AP_LANBlock.sh): 22764 Main Gateway Router MAC address is xx:xx:xx:xx:xx:xx

 AP 2.4GHz Guest 2 SSID: APG242 (wl0.2) LAN access is now allowed

(AP_LANBlock.sh): 22764 AP Guest WiFi APG242 (wl0.2) Completed.

See how this new script goes on an AP.
 
Does AP_LANBlock.sh isolate my guest SSID even though the traffic mixes upstream at my Edgerouter? Some on here seem to feel that isn't possible as the Edgerouter has no way to separate the WiFi traffic coming from the Asus AP.

When trying to block all but one printer, I initially got
Code:
(AP_LANBlock.sh): 866 Requested.....
(AP_LANBlock.sh): 866 DEBUG: Paused for 1 secs waiting for valid 'arp -a' for 192.168.xxx.xxx
....repeats 10 times....
(AP_LANBlock.sh): 866 **ERROR** Unable to verify main gateway router's MAC address. Please try again.
However, I ran the script a second time and it took. Based upon pings, this appears to work. I have two guest WiFi SSIDs on this AP, but the script outputs that only one (wl0.1) is setup. What about wl0.2?
Code:
(AP_LANBlock.sh): 1112 AP Guest WiFi (wl0.1) Completed.
Then I rebooted again. nat-start ran and produced the initial errors and then seemed to work. However, now the guest WiFi will not connect at all. Adding sleep nn before the script in nat-start seems to avoid needing to run the script again later.

Having the script run is also causing glitches where I can't access the webUI for the AP and sometimes not telnet. I managed to get back in and disabled the script for now.
 
Does AP_LANBlock.sh isolate my guest SSID even though the traffic mixes upstream at my Edgerouter? Some on here seem to feel that isn't possible as the Edgerouter has no way to separate the WiFi traffic coming from the Asus AP.

When trying to block all but one printer, I initially got
Code:
(AP_LANBlock.sh): 866 Requested.....
(AP_LANBlock.sh): 866 DEBUG: Paused for 1 secs waiting for valid 'arp -a' for 192.168.xxx.xxx
....repeats 10 times....
(AP_LANBlock.sh): 866 **ERROR** Unable to verify main gateway router's MAC address. Please try again.
However, I ran the script a second time and it took. Based upon pings, this appears to work. I have two guest WiFi SSIDs on this AP, but the script outputs that only one (wl0.1) is setup. What about wl0.2?
Code:
(AP_LANBlock.sh): 1112 AP Guest WiFi (wl0.1) Completed.
Then I rebooted again. nat-start ran and produced the initial errors and then seemed to work. However, now the guest WiFi will not connect at all. Adding sleep nn before the script in nat-start seems to avoid needing to run the script again later.

Having the script run is also causing glitches where I can't access the webUI for the AP.
As shown in the 'help', the script is designed to BLOCK access to the LAN from ALL (or nominated SSIDs) AP's Guest SSIDs but ALLOW access to specific LAN printers.

So if you have two Guest SSIDs enabled on the AP
e.g.
Code:
wl0.1     SSID=APG241    P/W=Alpha
wl1.1     SSID=APG51     P/W=Bravo
then if the script has not run, then both wl0.1 and wl1.1 have FULL access to ALL LAN resources.
To reset to this (default) AP behaviour (because you have been testing the script) then you may issue
Code:
./AP_LANBlock.sh   all   del

So if you have only issued
Code:
./AP_LANBlock.sh   wl0.1
then SSID APG241 clients will ONLY have access to the internet, but SSID APG51 clients will have FULL access to the LAN.

If you need to also block SSID APG51 clients then you can either explicitly run
Code:
./AP_LANBlock.sh   wl1.1
or you may issue
Code:
./AP_LANBlock.sh   all
which applies the LAN BLOCK to all six AP Guest SSIDs even if they are not physically enabled and is indicated in the messages.

NOTE: If you attempt to explicitly block an individual AP Guest WiFi that isn't enabled then the script will report this as an error.

Code:
(AP_LANBlock.sh): 866 **ERROR** Unable to verify main gateway router's MAC address. Please try again.
The 'error' is because I use 'arp -a' to attempt to reverse map the MACs to IP addresses and the arp results returned can be out of date by up to 60secs.
(I decided to use the MAC rather than allow you to specify the IP address for security i.e. chances are the printer's MAC will not change but an IP address could accidentally be (re)assigned to a different device say a NAS, and this unexpected exposure could go unnoticed.)

However, I have uploaded Beta v1.0bx which has a modified routine and it is no longer treated as a hard '**ERROR**' but is now an advisory '*Warning*', so please try the new Beta version.

Having the script run is also causing glitches where I can't access the webUI for the AP.
If you are connected to one of the AP Guest SSIDs (wl0.x/wl1.x) and it is BLOCKED then that is expected i.e. that is what the script does.

If however, you are connected to the AP's standard 2.4Ghz/5GHz SSIDs (eth1/eth2) then you should not be blocked. o_O

NOTE: Printers are shared globally
e.g.
Code:
./AP_LANBlock.sh   wl0.1   12:34:00:00:00:00
./AP_LANBlock.sh   wl1.1   98:76:00:00:00:FF

will allow both AP Guest wl0.1 and wl1.1 clients access to either printer.
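The flow Martineau describes above (reverse-mapping the printer MAC through 'arp -a', retrying because the table can be stale, downgrading a miss to a warning, and then blocking a Guest SSID from the LAN except for a printer pinhole), as an added illustration that is not AP_LANBlock.sh or any code from this thread. The sample 'arp -a' table, the gateway address 192.168.1.1, every MAC, and the ebtables rule layout are assumptions made for the example; the rules are printed rather than applied, so it runs on any box with sh and awk.

```shell
#!/bin/sh
# Added illustration, not AP_LANBlock.sh. Resolves the gateway MAC and the
# printer IP from 'arp -a' with retries, then prints (does not apply) the bridge
# rules that would give one Guest SSID Internet access plus a printer pinhole.
# All addresses below are constructed; the ebtables layout is an assumption.

# Constructed 'arp -a' output in the layout BusyBox prints on an Asus AP.
ARP_SAMPLE='? (192.168.1.1) at 11:22:33:44:55:66 [ether]  on br0
? (192.168.1.50) at 12:34:56:78:9a:bc [ether]  on br0
? (192.168.1.77) at <incomplete>  on br0'

# arp_table: the live table when ARP_LIVE=1, otherwise the sample above.
arp_table() {
    if [ "${ARP_LIVE:-0}" = 1 ]; then arp -a; else printf '%s\n' "$ARP_SAMPLE"; fi
}

# lc MAC: lower-case hex so 98:76:00:00:00:FF and 98:76:00:00:00:ff compare equal.
lc() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# mac_to_ip MAC TABLE: print the IP the table maps to MAC, return 1 if absent.
mac_to_ip() {
    printf '%s\n' "$2" | tr 'A-F' 'a-f' | awk -v m="$(lc "$1")" '
        $4 == m { gsub(/[()]/, "", $2); print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# ip_to_mac IP TABLE: print the MAC for IP; "<incomplete>" entries count as absent.
ip_to_mac() {
    printf '%s\n' "$2" | awk -v ip="($1)" '
        $2 == ip && $4 ~ /^[0-9a-fA-F:]+$/ { print tolower($4); found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# lookup_retry FUNC KEY TRIES DELAY: re-read the arp table up to TRIES times with
# DELAY seconds between reads (the table can lag), and turn a final miss into a
# warning plus non-zero status rather than aborting the caller.
lookup_retry() {
    n=1
    while :; do
        if "$1" "$2" "$(arp_table)"; then return 0; fi
        if [ "$n" -ge "$3" ]; then break; fi
        echo "DEBUG: Paused for $4 secs waiting for valid 'arp -a' for $2" >&2
        sleep "$4"
        n=$((n + 1))
    done
    echo "*Warning* Unable to resolve $2 via 'arp -a' after $3 attempts" >&2
    return 1
}

# guest_rules IFACE GW_MAC PRINTER_MAC...: bridge rules for one Guest interface.
# Frames arriving from the Guest SSID may carry ARP, DHCP requests, anything
# addressed to the gateway MAC (i.e. the Internet) or to a listed printer; every
# other LAN destination is dropped. Printed as text here; on the AP they would run.
guest_rules() {
    iface=$1 gw=$2; shift 2
    echo "ebtables -A FORWARD -i $iface -p ARP -j ACCEPT"
    echo "ebtables -A FORWARD -i $iface -p IPv4 --ip-proto udp --ip-dport 67 -j ACCEPT"
    echo "ebtables -A FORWARD -i $iface -d $(lc "$gw") -j ACCEPT"
    for p in "$@"; do
        echo "ebtables -A FORWARD -i $iface -d $(lc "$p") -j ACCEPT"
    done
    echo "ebtables -A FORWARD -i $iface -j DROP"
}

# main [IFACE] [PRINTER_MAC]: the same sequence as the thread's messages, dry run.
main() {
    iface=${1:-wl0.1} printer=${2:-12:34:56:78:9a:bc} gw_ip=192.168.1.1
    gw_mac=$(lookup_retry ip_to_mac "$gw_ip" 3 1) || return 1  # gateway MAC is required
    echo "Main Gateway Router MAC address is $gw_mac"
    if printer_ip=$(lookup_retry mac_to_ip "$printer" 3 1); then
        echo "Guest $iface: access to LAN printer $printer ($printer_ip) now allowed"
    fi
    guest_rules "$iface" "$gw_mac" "$printer"
}
main "$@"
```

Two design points follow the thread: the printer is named by MAC, so a DHCP lease moving to another host cannot silently widen the pinhole, and a stale 'arp -a' only downgrades to a warning after the retries, while a missing gateway MAC still stops the run because every Internet-bound frame must be matched by it. The DHCP accept line is the rule most easily forgotten; without it the DROP also catches the guest's broadcast DHCP requests.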
 
Does AP_LANBlock.sh isolate my guest SSID even though the traffic mixes upstream at my Edgerouter? Some on here seem to feel that isn't possible as the Edgerouter has no way to separate the WiFi traffic coming from the Asus AP.
As shown in the 'help', the script is designed to BLOCK access to the LAN from ALL (or nominated SSIDs) AP's Guest SSIDs but ALLOW access to specific LAN printers.
I think bobley's question relates to the "LAN" ports on his Edgerouter not the Asus. Presumably the WAN port of the Asus is connected to a LAN port on the Edgerouter, where other devices are also connected to the Edgerouter's LAN ports.
 
I think bobley's question relates to the "LAN" ports on his Edgerouter not the Asus. Presumably the WAN port of the Asus is connected to a LAN port on the Edgerouter, where other devices are also connected to the Edgerouter's LAN ports.
The Edgerouter does all routing on one LAN port. The ASUS and other potential routers are in AP mode.

This script blocks LAN access at the AP, but then that mixes on the Edgerouter LAN even though all the traffic originates at the AP via WiFi and wire?
 
If you are connected to one of the AP Guest SSIDs (wl0.x/wl1.x) and it is BLOCKED then that is expected i.e. that is what the script does.

If however, you are connected to the AP's standard 2.4Ghz/5GHz SSIDs (eth1/eth2) then you should not be blocked.
The problems accessing the AP webUI are from wired access. It seems the script is interfering with something.

Where is the Beta v1.02x version?
 
Where is the Beta v1.02b version?
In the original link I provided unless it's expired :eek:
The problems accessing the AP webUI are from wired access. It seems the script is interfering with something.

As you can't run esoteric Asus scripts on the Edgerouter, my intention was to 'sandbox' the AP Guest Wifi SSIDs to allow them full Internet access yet only restricted pinhole access to LAN printers. The script is probably overzealous in that it is isolating the AP too much. :oops:

If the Asus AP was connected to a main Asus router or even behind a VLAN aware switch (GS108E/TL-SG2008) then the scripting solution would be easier, but clearly if you were to buy additional hardware then you would be better off acquiring a matching UniFi AP AC.
(I don't have an Edgerouter but currently use 1x Netgear GS108PE, 2 x GS108E and 3 x tp-link TL-SG2008 VLAN capable switches to isolate IoT devices and VPN access around the house, but lazily :rolleyes: purchased the UniFi AP AC Lite for Guest SSID tagging with the UniFi Controller running on a Rpi)

NOTE: Worst case scenario is that you run the Asus in router mode (rather than AP) using the working GuestSubnet.sh printer sharing script, although you may have double-NAT issues to contend with.

Anyway apologies, but many thanks for testing my user-friendly scripts - much appreciated. :)

"I'll do some more investigating."
 