Block access to wan subnet


elektroinside

New Around Here
Hi guys and Merry Christmas to all!

I just bought the RC-AC5300 and installed Asuswrt-merlin. Then I enabled one guest network on 2.4GHz (from the ifconfig output, I'm guessing wl0.1 is the guest).
My problem is that I don't want to give access to the WAN's subnet (since the WAN IP is also from a local subnet), but still allow internet access. With dd-wrt, this worked:

iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

, where br1 was a bridge I had created. I'm guessing the guest network is wl0.1 (from the output of ifconfig). But it's not working with merlinwrt (if I replace br1 with wl0.1). The error I receive is this:

iptables v1.4.14: invalid mask `' specified

I know I have to create a jffs script for merlinwrt, but since my rule is not working...

Can somebody help me with the correct rule?

Many thanks!
 
use "wan0_netmask"
 
use "wan0_netmask"

Yep, no more syntax error, thank you.
But... it looks like it's not working though, I still have access to the WAN's subnet.
wl0.1 is definitely the guest network interface, it's gone if I disable the guest:

Code:
br0        Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:1356 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1350 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:200329 (195.6 KiB)  TX bytes:333079 (325.2 KiB)

eth0       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           inet addr:xxx.xxx.xxx.xxx  Bcast:xxx.xxx.xxx.xxx  Mask:xxx.xxx.xxx.xxx
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:3307 errors:0 dropped:0 overruns:0 frame:0
           TX packets:3063 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:899169 (878.0 KiB)  TX bytes:824937 (805.6 KiB)
           Interrupt:181 Base address:0x6000

eth1       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1394 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:0 (0.0 B)  TX bytes:146543 (143.1 KiB)

eth2       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1669 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:0 (0.0 B)  TX bytes:456943 (446.2 KiB)

eth3       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1530 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:0 (0.0 B)  TX bytes:241035 (235.3 KiB)

fwd0       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:1690 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1678 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:0 (0.0 B)  TX bytes:307446 (300.2 KiB)
           Interrupt:179 Base address:0x4000

fwd1       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:1528 errors:0 dropped:0 overruns:0 frame:0
           TX packets:211 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:0 (0.0 B)  TX bytes:37467 (36.5 KiB)
           Interrupt:180 Base address:0x5000

lo         Link encap:Local Loopback
           inet addr:127.0.0.1  Mask:255.0.0.0
           inet6 addr: ::1/128 Scope:Host
           UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
           RX packets:1004 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1004 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:162606 (158.7 KiB)  TX bytes:162606 (158.7 KiB)

vlan1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:1887 errors:0 dropped:0 overruns:0 frame:0
           TX packets:1470 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:336306 (328.4 KiB)  TX bytes:345371 (337.2 KiB)

vlan2      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:0
           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0.1      Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
           UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
           TX packets:752 errors:0 dropped:0 overruns:0 carrier:0
           collisions:0 txqueuelen:1000
           RX bytes:0 (0.0 B)  TX bytes:56493 (55.1 KiB)

brctl shows no other bridge, just br0:

Code:
bridge name     bridge id               STP enabled     interfaces
br0             8000.2c56dc5e52c0       yes             vlan1
                                                        wl0.1

So, probably this doesn't work with merlinwrt. Is there anything else I could try?
 
There are many users I know who have their own firewall/router and use a secondary Wi-Fi router for wireless access, including businesses. I am really amazed nobody requested this before (not with merlinwrt anyway).

I think this is a very important security feature, and I agree it is not that popular, but maybe a script can do the job and merlinwrt has the necessary backend for this to work... I really tried reading everything related to this everywhere. The thing is, the interfaces and bridges are different from dd-wrt, and I really can't find something that works for this with merlinwrt (but does with dd-wrt, which I used a lot in the past, hence the references).
 
OK, I finally figured it out. It's not iptables but ebtables that should be used. Steps, if anyone is interested (for blocking access to the WAN subnet from the "Guest network" wl0.1):

1. Create a file named "firewall-start" without an extension, with Notepad++, and convert it to UNIX format (Edit-> EOL Conversion -> UNIX/OSX Format)
2. Add these two lines and save the file:

Code:
#!/bin/sh
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst `nvram get wan_ipaddr`/`nvram get wan0_netmask` -j DROP

3. Copy the file to your router with WinSCP to /jffs/scripts/
4. Set the script as executable by running this from PuTTY: chmod a+rx /jffs/scripts/*
5. Enable support for scripts from the WebUI from Administration -> System -> Enable JFFS custom scripts and configs
6. Reboot! Done!

Note: double check for the file to have UNIX encoding (in Notepad++, View -> Show symbols -> Show all characters) and make sure your lines end with "LF", and not "CR LF".
 
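As an added example (not the thread author's script), this is a firewall-start that does the same thing but computes the network address from wan_ipaddr/wan0_netmask and adds the rule only once, since Asuswrt-Merlin re-runs firewall-start every time the firewall restarts. It assumes the same guest interface wl0.1 and nvram keys as the thread; the helper function names are mine.

```sh
#!/bin/sh
# Added example, not the thread's own script: derive the WAN subnet from the
# nvram values used in the thread and add the BROUTING rule idempotently.

# Network address of a dotted IP under a dotted netmask.
# Constructed sample: net_addr 192.168.1.50 255.255.255.0 -> 192.168.1.0
net_addr() (
    IFS=.
    set -- $1 $2
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
)

# Prefix length of a dotted netmask: 255.255.255.0 -> 24
prefix_len() (
    IFS=.
    set -- $1
    n=0
    for o in "$1" "$2" "$3" "$4"; do
        while [ "$o" -gt 0 ]; do
            n=$((n + (o & 1))); o=$((o >> 1))
        done
    done
    echo "$n"
)

# CIDR subnet from the raw nvram-style ip/netmask pair.
wan_subnet() {
    echo "$(net_addr "$1" "$2")/$(prefix_len "$2")"
}

# Add the rule only if the BROUTING listing does not already show one for this
# interface and network (heuristic match). firewall-start is re-run on every
# firewall restart, so a plain -A would stack duplicate rules over time.
add_guest_block() {
    iface=$1; subnet=$2
    if ebtables -t broute -L BROUTING 2>/dev/null |
       grep -q -- "-i $iface .*--ip-dst ${subnet%/*}"; then
        return 0
    fi
    ebtables -t broute -A BROUTING -p IPv4 -i "$iface" --ip-dst "$subnet" -j DROP
}

# Only touch the router when the nvram tool is actually present.
if command -v nvram >/dev/null 2>&1; then
    add_guest_block wl0.1 "$(wan_subnet "$(nvram get wan_ipaddr)" "$(nvram get wan0_netmask)")"
fi
```

In the broute table, DROP means the frame is handed to the IP stack on wl0.1 itself rather than bridged into br0, so the ebtables counters show the match while `iptables -vnL FORWARD` shows what the router then does with the routed packet.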
OK, i finally figured it out.
Just to be sure, you can also check the packet & byte counts to see if the rule is being matched.
Code:
ebtables -t broute -L --Lmac2 --Lc --Ln

And you can also make a fake rule that doesn't do anything except log the rule matches. However this sometimes does not log every hit.
Code:
ebtables -t broute -I BROUTING -p IPv4 -i eth2 --ip-dst $(nvram get wan_ipaddr)/$(nvram get wan0_netmask) -j CONTINUE --log --log-level 7
 
Thank you, I will. What I tried so far is to ping everything in my WAN network (I get a reply from my non-guest network, I get nothing from the guest). I also tried to access services on TCP & UDP, such as FTP, SMB, web, media server, internal chat; nothing works (as expected). I can't access the router's web interface (but that is the router's own rule(s) blocking the router's LAN). I also tried to scan all open ports (TCP & UDP) from the guest; I got nothing (I got plenty from the non-guest). The only thing that works is the internet connection, exactly what I wanted. So guest-connected clients are completely isolated, everybody is secure, which is awesome! Such a fine custom firmware :)

So far so good :)
 
