
Asus RT-N66U Guest network - access speakers + other devices on main WiFi

beamen

New Around Here
Hi there,

I have been thinking a while about getting pfSense to manage some VLANs, but it looks like Merlin might be exactly what I need.

I have guest over (AirBnb) and they have their own network that they connect to. The problem is that I have several devices that I want to share with my guests, including 2 Sonos speakers, a WiFi printer and a Chromecast.

Are there any good scripts to allow guest users access to these devices while keeping the rest of my network, my desktop, media PC, NAS and router from being accessed?

Thanks a lot for any guidance!
 
I'm guessing the most secure/best way to do this would be to set up a new SSID for Sonos, printer and chromecast, and other shared devices, and allow access to this VLAN from the Guest WLAN and also allow access to this VLAN for my private network (LAN and WLAN).

Is this a good solution/is this possible?
 
Hi,

A simple solution should be to:
  • Bind the SSID to a specific DHCP range
  • Bind the DHCP range to iptables rules to limit access to the GW, Sonos, Printer and Chrome Cast

You can look into this guide I have done: https://github.com/RMerl/asuswrt-me...dicated-DHCP-options-bind-to-a-specific-SSID?
Follow it and add a specific range to your configuration.
Example:
Code:
dhcp-range=wl0.2,172.30.20.2,172.30.20.254,255.255.0.0,86400s

the part that is missing are the iptables rules, if you give more information I could help on that.

Cheers,
 
Thanks so much xiacodoudou!

Gonna install Merlin when I get home (no guest today). I have the rest of the day to get it running before the new guests arrive tomorrow.

Wouldn't it work just as well to have set rules in iptables (if this is how you do it, like you said), to say any connection from guest-subnet to 192.168.1.58 (if that's the printer IP), 192.168.1.59 (if that's the chromecast), etc etc is OK, everything else is not allowed.
 
If i turn Intranet off in Guest network GUI and add this to firewall:

iptables -I FORWARD -s 192.168.1.59 -o wl1.1 -j ACCEPT   # (if wl1.1 is the guest 2GHz wifi interface)
iptables -I FORWARD -i wl1.1 -s 192.168.1.59 -j ACCEPT   # (if wl1.1 is the guest 2GHz wifi interface)

and do this for printer/sonos/chrome cast?

Would this be enough?
 
Ok, so I got Merlin installed now. I put my guest wlan to Intranet ON and it finds the printer (obviously), then I turned it off, ssh'ed into the router and added the iptables above.. didn't work. I'm kinda stuck here. ebtables, iptables, I'm not really sure where to start.

I'd be happy to "donate a beer" via PayPal if anyone wants to help me, I just really want this working for the security of myself and my guests ;)

Thanks guys!
 
Alright guys, for anyone else wondering about the same, I'm a bit closer now!

I disabled local access in the GUI (for my 5GHz guest), and this showed up in ebtables -L:
--@RT-N66U:/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl1.1 -j DROP
-o wl1.1 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

So it's in ebtables (not iptables).

Now I added 1 device:
ebtables -I FORWARD -s MAC_HERE -i wl1.1 -j ACCEPT
ebtables -I FORWARD -s MAC_HERE -o wl1.1 -j ACCEPT

Hopefully this will work now. :)
 
That didn't work.
--@RT-N66U:/tmp/home/root# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-s MAC:PRINTER -i wl1.1 -j ACCEPT
-d MAC:PRINTER -o wl1.1 -j ACCEPT
-i wl1.1 -j DROP
-o wl1.1 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
--@RT-N66U:/tmp/home/root#

--@RT-N66U:/tmp/home/root# ebtables -t broute -L
Bridge table: broute

Bridge chain: BROUTING, entries: 2, policy: ACCEPT
-p IPv4 -i wl1.1 --ip-dst IP.OF.PRINTER --ip-proto tcp -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Anyone?
 
It seems that only "ebtables" has any effect on routing.
ebtables -t filter -I FORWARD -i wl0.2 -j DROP
ebtables -t filter -I FORWARD -o wl0.2 -j DROP

With these rules enabled the guest network has no connection to the other computers on the main network (just Internet). When I delete the rules, they have full access, even though the BROUTING rule (that Asus sets when you set Intranet to "off") is still active.

Can someone please help me? I don't understand why only one person has responded or given me some hints. I'll pay someone for their time if that's what it takes.

Thanks.
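An added example, not code from any post in this thread or from Asuswrt-Merlin, showing the rule set the thread converges on: since the guest SSID is bridged onto the LAN, the layer-2 FORWARD chain in ebtables is what decides whether a guest client can reach a shared device, and the ACCEPT rules have to sit above the two DROP rules and match the shared device in the right direction (-d on frames coming in from the guest interface, -s on frames going out to it). The script also checks an `ebtables -L` listing for ACCEPT rules that ended up below a DROP, which is the ordering that silently does nothing. Assumptions: wl1.1 is the guest interface (a placeholder, as in the thread), the MAC addresses are constructed sample values, and the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# Emits the ebtables FORWARD rules that let clients on a bridged guest SSID
# reach only a short allowlist of shared devices, and checks an
# `ebtables -L` listing for the ordering mistake that disables such rules.
# Assumptions: wl1.1 is the guest interface (placeholder, as in the thread)
# and the MAC addresses below are constructed sample values.

# Constructed sample allowlist, one "name mac" pair per line.
SHARED_DEVICES="printer 00:11:22:33:44:55
chromecast 66:77:88:99:aa:bb"

# Print the commands in the order they must be run. `-I` inserts at the
# top of the chain, so the two DROP rules are printed first and every
# ACCEPT pair afterwards, which leaves the ACCEPTs above the DROPs.
# Direction matters: a frame entering from the guest interface (-i) has
# the shared device as its destination (-d); a frame leaving towards the
# guest (-o) has it as its source (-s).
build_guest_rules() {
    guest_if="${1:-wl1.1}"
    echo "ebtables -t filter -I FORWARD -i $guest_if -j DROP"
    echo "ebtables -t filter -I FORWARD -o $guest_if -j DROP"
    printf '%s\n' "$SHARED_DEVICES" | while read -r name mac; do
        [ -n "$mac" ] || continue
        echo "# $name"
        echo "ebtables -t filter -I FORWARD -i $guest_if -d $mac -j ACCEPT"
        echo "ebtables -t filter -I FORWARD -o $guest_if -s $mac -j ACCEPT"
    done
}

# Read an `ebtables -L` listing on stdin. ebtables evaluates a chain top
# down, so an ACCEPT that sits below a DROP in FORWARD is never reached.
# Returns 0 when every FORWARD ACCEPT is above the first DROP, 1 otherwise.
check_forward_order() {
    awk '
        /^Bridge chain:/ { chain = $3; sub(/,$/, "", chain); next }
        chain == "FORWARD" && /-j DROP/ { seen_drop = 1 }
        chain == "FORWARD" && /-j ACCEPT/ && seen_drop { bad = 1 }
        END { if (bad) exit 1; exit 0 }
    '
}

# Usage when run directly (script name is hypothetical):
#   sh guest-allowlist.sh wl1.1          # print the rules
#   sh guest-allowlist.sh wl1.1 | sh     # apply them on the router
#   ebtables -L | sh guest-allowlist.sh --check
case "${1:-}" in
    --check) check_forward_order ;;
    wl*)     build_guest_rules "$1" ;;
esac
```

If "Access Intranet" is already set to off in the GUI, the two DROP lines duplicate the ones the firmware installs (the thread's `ebtables -L` output shows them), which is harmless but can be skipped. ebtables rules do not survive a reboot, so on Merlin the apply step belongs in the firewall-start user script; run the `--check` afterwards to confirm the ACCEPTs landed above the DROPs.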
 
