Allow guest network access to single IP for printer

[bobley]

I have printer with a static IP. Can I allow the guest network access to the printer on an IP basis? Does that open a vulnerability? The guest network is password protected.

Alternatively, I could put the printer on the guest network and push my own print jobs over to that.

Ideally, this would be bidirectional as there's a Macbook that likes to sometimes connect to the guest network.

Does it matter if the printer is hard wired or on WiFi?

 

[Martineau]

I have printer with a static IP. Can I allow the guest network access to the printer on an IP basis? Does that open a vulnerability? The guest network is password protected.

Alternatively, I could put the printer on the guest network and push my own print jobs over to that.

Ideally, this would be bidirectional as there's a Macbook that likes to sometimes connect to the guest network.

Does it matter if the printer is hard wired or on WiFi?

Does this help?
https://www.snbforums.com/threads/guest-network-question.36500/#post-298242

 

[bobley]

Does this help?
https://www.snbforums.com/threads/guest-network-question.36500/#post-298242

How do I test that? First I went down the path of putting Entware on a USB drive, but then got stuck. Then I used WinSCP to copy a text file I named GuestPrinter.sh which I placed that in the /jffs/scripts folder (just pasted the text into Notepad++).

After making it executable: chmod a+rx /jffs/scripts/*
And running: dos2unix /jffs/scripts/*
I managed to get the script to run in telnet to the point of outputing " **ERROR** Missing arg e.g. wl0.2 or SSID"

What do I do next? Do I edit the file for my IPs and SSID or will the script ask me?

 

[Martineau]

First I went down the path of putting Entware on a USB drive, but then got stuck.

Unless otherwise stated, scripts don't normally require Entware installed.

I managed to get the script to run in telnet to the point of outputing " **ERROR** Missing arg e.g. wl0.2 or SSID"

What do I do next? Do I edit the file for my IPs and SSID or will the script ask me?

If you issue

./GuestPrinter.sh   -h

you should see examples of the type of arguments you must supply to the script.

i.e. the first argument; the name of the SSID (or physical Guest interface) is mandatory, and if you haven't hard-coded a list of your printer IPs in the code by altering the statement:

PRINTERS="10.88.8.131 10.88.8.132"        # <<=== Set DEFAULT!!!!!!

then the second argument must be the IP of the printer you wish to share.

 

[bobley]

./GuestPrinter.sh SSID printerIP1

run in telnet gives an output

-sh: A: not found
user@RT-AC68U:/jffs/scripts# (GuestPrinter.sh): 14774 Martnueau Guest WiFi Printer configuration Starting. [L]
[: wl1.2_ssid=ASUS_guest2: unknown operand

(GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: (wl0.2) Printer 10.88.8.131 access allowed...

(GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: (wl0.2) Printer 10.88.8.131 access allowed...

(GuestPrinter.sh): 14774 Martnueau Guest WiFi printer configuration Complete.

Am I sending the arguments incorrectly? I have one guest SSID and one printer IP to share.

I also tried

./GuestPrinter.sh wl0.1 printerIP1

That seems to work saying

(GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: SSIDname (wl0.1) Printer IP1 access allowed...

Do I have to do more than just run this once in telnet to get the router to keep this setting?

I tried adding /GuestPrinter.sh wl0.1 printerIP1 to wan-start, but when executing wan-start, i get ERROR wl0.1 not found. My wan-start has only

#!/bin/sh
/jffs/scripts/GuestPrinter.sh wlo.1 printerIP

Does the SSID argument have to be in the wl0.1 form or can it be the SSID name? I tried the name like the help shows and it didn't work.

 

[Martineau]

./GuestPrinter.sh SSID printerIP1

run in telnet gives an output

-sh: A: not found
user@RT-AC68U:/jffs/scripts# (GuestPrinter.sh): 14774 Martnueau Guest WiFi Printer configuration Starting. [L]
[: wl1.2_ssid=ASUS_guest2: unknown operand

(GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: (wl0.2) Printer 10.88.8.131 access allowed...

(GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: (wl0.2) Printer 10.88.8.131 access allowed...

(GuestPrinter.sh): 14774 Martnueau Guest WiFi printer configuration Complete.

Am I sending the arguments incorrectly? I have one guest SSID and one printer IP to share.

I also tried

./GuestPrinter.sh wl0.1 printerIP1

That seems to work saying

(GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: SSIDname (wl0.1) Printer IP1 access allowed...

Do I have to do more than just run this once in telnet to get the router to keep this setting?

I tried adding /GuestPrinter.sh wl0.1 printerIP1 to wan-start, but when executing wan-start, i get ERROR wl0.1 not found. My wan-start has only

#!/bin/sh
/jffs/scripts/GuestPrinter.sh wlo.1 printerIP

Does the SSID argument have to be in the wl0.1 form or can it be the SSID name? I tried the name like the help shows and it didn't work.

As per the help...the first argument may be:

either the actual SSID (not the literal text string 'SSID')
or
may be specified as wl0.1 etc.

and the second argument must be the actual IP address of the printer in the form xxx.xxx.xxx.xxx not a printer name.

 

[bobley]

Thanks for your help.

How do I find the actual SSID?

I've got this opening the correct printer IP for the guest SSID after a router reboot. Is wan-start the place for this or should I put it somewhere else?

I still can't print or ping the printer IP from the guest WiFi. I'm not sure what might be getting in the way. Does the GuestPrinter script open the printer IP to being pinged?

 

[ColinTaylor]

How do I find the actual SSID?

It's the one you specified on the Guest Network page called "Network Name(SSID)".

 

[bobley]

It's the one you specified on the Guest Network page called "Network Name(SSID)".

Yes, I used my SSID name and not merely SSID. Using SSID name as an argument doesn't work, but wl0.1 works.

I still can't print or ping. If I ping, my own computer IP (and not the printer IP) replies back Destination host unreachable.

 

[ColinTaylor]

Yes, I used my SSID name and not merely SSID. Using SSID name as an argument doesn't work, but wl0.1 works.

Perhaps your SSID had some non-alphanumeric characters that confused the script.

I still can't print or ping. If I ping, my own computer IP (and not the printer IP) replies back Destination host unreachable.

I could be wrong but the script appears to only allow TCP traffic to the printer, so pings won't work because they are ICMP. Try accessing the printer's webUI from a browser.

 

[bobley]

Perhaps your SSID had some non-alphanumeric characters that confused the script.

That could be it.

I could be wrong but the script appears to only allow TCP traffic to the printer, so pings won't work because they are ICMP. Try accessing the printer's webUI from a browser.

Can't access webUI.

 

[ColinTaylor]

Can't access webUI.

I've just tried it here and have the same problem. The script appears to be functioning correctly, in the sense that it is creating the ebtables rules, but there is still no LAN access.

I'm guessing something has changed in the firmware since the script was written. I'll do some more investigating.

 

[Martineau]

I still can't print or ping. If I ping, my own computer IP (and not the printer IP) replies back Destination host unreachable.

If you are willing to be a beta tester, I will PM you a link to a different script.

GuestSubnet.sh v1.0x

This script uses a different method in order to provide advanced Guest WiFi VPN/VLAN/IoT isolation, but it fortunately also addresses your LAN printer access requirement.

You will need to edit line 177 to change the IP addresses to your printer device(s)

PRINTERS="10.88.8.131 10.88.8.132"                      # LAN printer(s)

Then run the script for the appropriate SSID/interface you wish to grant access to the printer(s)
e.g. for WiFi 2.4GHz Guest #1

./GuestSubnet.sh   wl0.1   autodnsmasq

or you may find it easier to specify the SSID

Hopefully you should now be able to successfully PING the printer(s) ?

NOTE: For a Win10 laptop, whilst connected to the new WiFi Guest (wl0.1) subnet I had to re-install the appropriate printer/driver by creating a separate icon, even though the original Laser printer icon existed - weird

 

[steelskinz]

Cna we do the same with wired printer ? How could i add it in the guest vlan (if it exist).. ? Thanks.

 

[Martineau]

Cna we do the same with wired printer ? How could i add it in the guest vlan (if it exist).. ? Thanks.

The access is via IP address, so as long as the printer is connected to the LAN with a reserved DHCP IP then it doesn't matter - wired or Wireless.

e.g. I have two LAN wired Laser printers and can share them with any of the 6 WiFi Guests.

 

[bobley]

Tried the beta guestsubnet.sh

/jffs/scripts/guestsubnet.sh wl0.1  autodnsmasq

and get

grep: /etc/dnsmasq.conf: No such file or directory
grep: /etc/dnsmasq.conf: No such file or directory
cat: can't open '/etc/dnsmasq.conf': No such file or directory

(guestsubnet.sh): 4000 ***ERROR*** Guest WiFi 2.4GHz Client 1 SSID='myGuestSSID' WIFI_IF='wl0.1' WIFI_IP='' WIFI_MASK='' WIFI_SUBNET_PREFIX='.0/24'

Both /jffs/config/dnsmasq.conf.add and dnsmasq.conf.add-DATE files were created.

I'll have to test this again when at another router.

Didn't realize this, but Asus doesn't support restricting intranet access when in AP mode.

 

[Martineau]

Tried the beta guestsubnet.sh

/jffs/scripts/guestsubnet.sh wl0.1  autodnsmasq

and get

grep: /etc/dnsmasq.conf: No such file or directory
grep: /etc/dnsmasq.conf: No such file or directory
cat: can't open '/etc/dnsmasq.conf': No such file or directory

(guestsubnet.sh): 4000 ***ERROR*** Guest WiFi 2.4GHz Client 1 SSID='myGuestSSID' WIFI_IF='wl0.1' WIFI_IP='' WIFI_MASK='' WIFI_SUBNET_PREFIX='.0/24'

Both /jffs/config/dnsmasq.conf.add and dnsmasq.conf.add-DATE files were created.

I am able to ping and print to the printerIP hard coded into guestsubnet.sh (at least from Android).

EDIT: Ahhh I see you have now edited your original post and declared that the router is in AP mode!!!

 

[bobley]

EDIT: Ahhh I see you have now edited your original post and declared that the router is in AP mode!!!

I'll test this further in a day or so. I thought I could test this in AP mode, but see that I can't. I'll have to wait until I have access to the router in Router mode where I need this implementation.

Thanks for all the help.

 

[bobley]

Back in Router mode. Script seems to work, but I have some glitches of my own doing.

The script open the ports and I can ping, but it sometimes makes it that devices can't connect to the SSID on which the script acts. I noticed this in AP mode, but it happens in Router mode too. It seems that wan-start is running too early as after I rerun wan-start from telnet, I can again connect to the SSID. Not sure this is the best way to resolve this, in wan-start, before the GuestSubnet script I added

 sleep 10

Sleep 10 is perhaps a tad too short, but it avoids the script messing up the SSID.

Do I need to include autodnsmasq in wan-start? It seemed to work without it after running GuestSubnet.sh once with autodnsmasq from telnet. Not sure what the best practice is?

What is the proper way to convert from wan-start.sh to wan-start? I'm just duplicate in WinSCP and removing the .sh extension.

 

[Martineau]

Back in Router mode. Script seems to work, but I have some glitches of my own doing.
The script open the ports and I can ping, but it sometimes makes it that devices can't connect to the SSID on which the script acts. I noticed this in AP mode, but it happens in Router mode too. It seems that wan-start is running too early as after I rerun wan-start from telnet, I can again connect to the SSID. Not sure this is the best way to resolve this, in wan-start, before the GuestSubnet script I added

 sleep 10

Sleep 10 is perhaps a tad too short, but it avoids the script messing up the SSID.
Do I need to include autodnsmasq in wan-start? It seemed to work without it after running GuestSubnet.sh once with autodnsmasq from telnet. Not sure what the best practice is?
What is the proper way to convert from wan-start.sh to wan-start? I'm just duplicate in WinSCP and removing the .sh extension.

Back in Router mode. Script seems to work,

Not sure what you mean by 'seems to' ...either the script allows access/printing from the isolated (Internet only) Guest Wifi or it doesn't?

i.e. not much point investigating your other issues if the basic script functionality doesn't achieve your objective.

It seems that wan-start is running too early

Again not sure what you mean by this as clearly the Guest WiFi will require the WAN to be UP and available ASAP?

In wan-start, before the GuestSubnet script I added

sleep 10

Sleep 10 is perhaps a tad too short, but it avoids the script messing up the SSID.

Script execution - wan-start/firewall-start/nat-start - are event driven, and in some environments, these scripts may run twice each during boot.

As you have found, 'sleep nn' statements are notoriously difficult to get consistently precisely right - without unnecessary overkill.

Consequently I prefer to use nat-start as it is usually the last to run, although nat-start illogically also still runs during the controlled shutdown request.

Do I need to include autodnsmasq in wan-start? It seemed to work without it after running GuestSubnet.sh once with autodnsmasq from telnet.
Not sure what the best practice is?

The help provided by the script regarding the usage of the 'autodnsmasq' directive is slightly ambiguous, but essentially the directive has no effect if the script correctly detects appropriate directives in the active 'dnsmasq.conf'.
Whilst '/jffs/configs' should persist over reboots, it doesn't hurt to always specify 'autodnsmasq' should the file be found to be AWOL during the boot.

What is the proper way to convert from wan-start.sh to wan-start? I'm just duplicate in WinSCP and removing the .sh extension.

This works for me:

mv wan-start.sh wan-start

However, thanks to this 'feedback' and prior information, I have made two tweaks to the GuestSubnet.sh Beta:

1. If the script detects that the router is in 'AP mode', it will alert the user that 'AP mode' is NOT Supported and terminate.
2. Slight rewording of the help regarding the use of the 'autodnsmasq' directive.

Spoiler: GuestSubnet script help

./GuestSubnet.sh -h
#======================================================================================================= © 2016-2017 Martineau, v1.02
#
# Configure Guest WiFi with new DHCP subnet and DNS using '/etc/dnsmasq.conf'
#
#
# Usage:    GuestSubnet  ['help' | '-h']
#                        [wifi_interface | ssid ] | ['del'] ['autodnsmasq'] [ 'ssid='name]
#
#           GuestSubnet  wl0.1
#                        Guest WiFI interface wl0.1 will have the DHCP subnet and DNS applied as pre-defined in /jffs/configs/dnsmasq.conf.add
#           GuestSubnet  del
#                        Guest WiFI interface wl0.1 will be reset to default.
#           GuestSubnet  wl0.2 autodnsmasq
#                        Guest WiFi interface wl0.2 will have new DHCP and DNS directives inserted into /jffs/configs/dnsmasq.conf.add
#                              if they don't already exist.
#                        NOTE: dnsmasq will be bounced.
#           GuestSubnet  Guest242
#                        Guest WiFI SSID 'Guest242' (possibly wl0.2?) will have the new DHCP subnet and DNS applied