AsusWRT and guest network with no intranet access on AP mode

This is my /jffs/scripts/firewall-start:

#!/bin/sh
logger firewall-start
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.0/24 -j DROP
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.0/24 -j DROP
ebtables -t filter -A FORWARD -p IPv4 -i wl1.1 --ip-dst 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl1.1 --ip-src 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl1.1 --ip-dst 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl1.1 --ip-src 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl1.1 --ip-dst 192.168.0.0/24 -j DROP
ebtables -t filter -A FORWARD -p IPv4 -o wl1.1 --ip-src 192.168.0.0/24 -j DROP
ebtables -I FORWARD -d Broadcast -j ACCEPT

What this does is allow traffic between the guests and 192.168.0.1 (main router) and 8 addresses starting at 192.168.0.16, while dropping all the other LAN traffic from guests. Broadcasts are allowed for DHCP etc.

Note that in the Asus config page LAN, under the 'Route' tab, I have a static route to netmask&IP 0.0.0.0 with gateway set to 192.168.0.1. This is needed so all the traffic to the internet goes via the main router. Under DHCP server, I hardcoded the DNS to 192.168.0.1 and disabled DHCP. Under WAN, I also set the DNS 1 to 192.168.0.1. The WAN IP is pretty random 192.168.2.252 with gateway 192.168.0.1. WAN is on but NAT and UPnP are off on the Asus. Certain things don't work if you disable WAN. The firewall on the Asus is off, as my main router serves that function.
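The rule order in the script above can be checked offline. This added example (not part of the original post) replays the wl0.1 rules through a small first-match evaluator; the eth0 port name, the guest address 192.168.0.200, the unicast MAC and the default ACCEPT chain policy are assumptions.

```python
import ipaddress
import shlex

# wl0.1 rules copied from the post's firewall-start (the wl1.1 rules are identical).
SCRIPT = """\
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.1 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.16/29 -j ACCEPT
ebtables -t filter -A FORWARD -p IPv4 -i wl0.1 --ip-dst 192.168.0.0/24 -j DROP
ebtables -t filter -A FORWARD -p IPv4 -o wl0.1 --ip-src 192.168.0.0/24 -j DROP
ebtables -I FORWARD -d Broadcast -j ACCEPT
"""
OPTS = {"-p": "proto", "-i": "in", "-o": "out", "-d": "mac_dst",
        "--ip-src": "ip_src", "--ip-dst": "ip_dst", "-j": "target"}
ALIAS = {"Broadcast": "ff:ff:ff:ff:ff:ff"}

def parse(script):
    """Build the FORWARD chain in evaluation order: -A appends, -I inserts at the top."""
    chain = []
    for line in script.splitlines():
        tok = shlex.split(line)
        rule = {OPTS[t]: tok[i + 1] for i, t in enumerate(tok) if t in OPTS}
        chain.insert(0 if "-I" in tok else len(chain), rule)
    return chain

def matches(rule, frame):
    """True if every match option in the rule agrees with the frame."""
    for key, want in rule.items():
        if key in ("ip_src", "ip_dst"):
            if ipaddress.ip_address(frame[key]) not in ipaddress.ip_network(want):
                return False
        elif key != "target" and frame.get(key) != ALIAS.get(want, want):
            return False
    return True

def verdict(chain, frame, policy="ACCEPT"):
    """First matching rule wins; unmatched frames get the chain policy (assumed ACCEPT)."""
    for rule in chain:
        if matches(rule, frame):
            return rule["target"]
    return policy

def guest_to(ip_dst, proto="IPv4"):
    # Constructed frame: a guest on wl0.1 sending to ip_dst out of the wired port.
    return {"proto": proto, "in": "wl0.1", "out": "eth0", "mac_dst": "00:11:22:33:44:55",
            "ip_src": "192.168.0.200", "ip_dst": ip_dst}

CHAIN = parse(SCRIPT)
```

Frames that no rule matches, such as internet-bound IPv4 or non-IPv4 traffic, receive the chain policy.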
 
Hi,

I am interested in these scripts as well.
I am new to this forum and do not mind some scripting.
Basically, I want to create VLANs for my home:

VLAN2: computers/laptops/phones (mostly wifi)
VLAN3: QNAP server (with OpenVPN server or ZeroTier) + VMs (purely wired)
VLAN4: webcams without access to the internet (wired and wifi)

VLAN2 can access VLAN3, which can access VLAN4.
The access point from outside the home is VLAN3.

But I want everything to access the internet through a VPN client because I do not like Big Brother.

So ideally, I would have a router that can run a VPN client and create VLANs and static routes.
The idea is to secure the webcams and isolate the different LANs.

I just bought an Asus router RT-86U thinking it could do the job with Merlin, but it seems VLANs are not the router's strong point.

The other ways are:
- another router with easy VLAN and wifi setup?
- cascading routers (2 or 3) with different subnets, but that takes space... (wife approval factor)
- UniFi USG + UniFi router + 2 WAPs, but that seems expensive (as shown in https://www.vueville.com/blog/how-we-built-our-diy-home-security-camera-system/#full-equipment-list) and there is no VPN client in this setup
- I could use the QNAP server as a router, add USB wifi and use the RT-86U as an AP... but I think there are cheaper options in that case, and I prefer the QNAP to be used for other things.

What are your views on that? I am a little bit lost.
 
