What's new

AsusWRT and guest network with no intranet access on AP mode

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

This is my /jffs/scripts/firewall-start:

#!/bin/sh
logger firewall-start
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.0/24 -j DROP
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.0/24 -j DROP
ebtables -t filter -A FORWARD -p IPv4 -i wl1.1 --ip-dst 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl1.1 --ip-src 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl1.1 --ip-dst 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl1.1 --ip-src 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl1.1 --ip-dst 192.168.0.0/24 -j DROP
ebtables -t filter -A FORWARD -p IPv4 -o wl1.1 --ip-src 192.168.0.0/24 -j DROP
ebtables -I FORWARD -d Broadcast -j ACCEPT

what this does is allow traffic between the guests and 192.168.0.1 (main router) and 8 addresses starting at 192.168.0.16 while dropping all the other LAN traffic from guests. Broadcasts are allowed for DHCP etc.

Note that in the Asus config page LAN, under the 'Route' tab, I have a static route to netmask&IP 0.0.0.0 with gateway set to 192.168.0.1. This is needed so all the traffic to the internet goes via the main router. Under DHCP server, I hardcoded the DNS to 192.168.0.1 and disabled DHCP. Under WAN, I also set the DNS 1 to 192.168.0.1. The WAN IP is pretty random 192.168.2.252 with gateway 192.168.0.1. WAN is on but NAT and UPnP are off on the Asus. Certain things don't work if you disable WAN. The firewall on the Asus is off, as my main router serves that function.
 
Last edited:
Hi,

I am interested in these scripts as well.
Just new to this forum, do not mind some scripting.
Basically I want to create VLans for my home

VLAN 2: computers/laptops/phones (mostly wifi)
VLAN3: QNap server ( with open vpn server or zerotier ) + VMs ( pure wire )
VLAN4: webcams without access to internet (wired and wifi)

VLAN2 can access to VLAN3 which can access to VLAN4.
The access point from outside home is VLAN3

but I want everything to access internet through a VPN client because I do not like big brother.

So ideally, I have a router with the ability to run a VPN client and to be able to create VLans and static route.
The idea is to secure webcams and isolate the different lans.

I just bought an Asus-Router RT- 86U thinking it could do the job with merlin, but it seems VLAN seem not to be the best point of the router.

The other ways are :
- another router with easy VLANs and wifi setup ?
- cascading routers (2 or 3) with different subnets but it takes space... ( wife approving factor )
- Unify USG + Unify router + 2 WAPs but seems expensive ( as shown in https://www.vueville.com/blog/how-we-built-our-diy-home-security-camera-system/#full-equipment-list ) and there is no vpn client in this setup
- I could use the Qnap server as a router add a usb wifi and use the RT-86U as an AP... but I think there are cheaper options in that case and I prefer the Qnap to be used for other things.

What are your views on that ? I am a little bit lost.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top