Configure LAN Port as Guest Network?

[Mike S]

I am running Asuswrt-Merlin v 384.14 on an Asus RT-AC68U router. I would like to be able to configure one of the LAN ports to be a Guest Network, so that all of the devices connected via that hardwired port will have internet only access and be blocked from accessing any other LAN or WiFi connected devices. This should function just like devices connected to the router via Guest Network SSIDs.

Is there any easy ways to do this? If not, how can we get this functionality added to future Asuswrt-Merlin releases?

 

[martinr]

This has been asked before eg

https://www.snbforums.com/threads/f...network-for-asus-merlin-rt-ac68u.18969/page-4

see if there’s anything in there that’d help you, to start with.

 

[Mike S]

This has been asked before eg

https://www.snbforums.com/threads/f...network-for-asus-merlin-rt-ac68u.18969/page-4

see if there’s anything in there that’d help you, to start with.

I'm not a hacker. This doesn't look like an "easy" way to do this. What we need is a simple configuration option in the GUI that lets you configure LAN ports as Guest Networks.

 

[Klueless]

Don't have a clue as to why you want "guest" LAN ports and, I'm with you, wouldn't have a clue on scripting, etc.

But here's a stupid (I specialize in those) idea; use a range extender.

For example take a Netgear 6150 AC1200 and locate it at an optimal distance from your router. Set it to use 5 GHz as a dedicated back haul to your router using the router's Guest SSID. The Netgear should now inherit the limitations of the router's Guest SSID. You should get about 250 Mbps between the two devices? Not Gigabit but not bad. (You'd have no use for the 2.4 band so just disable it.) Now that leaves you with one Ethernet port that should behave as "Guest". Connect it to a dumb switch and you should have all the Guest LAN ports you need?

 

[Mike S]

Don't have a clue as to why you want "guest" LAN ports and, I'm with you, wouldn't have a clue on scripting, etc.

But here's a stupid (I specialize in those) idea; use a range extender.

For example take a Netgear 6150 AC1200 and locate it at an optimal distance from your router. Set it to use 5 GHz as a dedicated back haul to your router using the router's Guest SSID. The Netgear should now inherit the limitations of the router's Guest SSID. You should get about 250 Mbps between the two devices? Not Gigabit but not bad. (You'd have no use for the 2.4 band so just disable it.) Now that leaves you with one Ethernet port that should behave as "Guest". Connect it to a dumb switch and you should have all the Guest LAN ports you need?

I have a rental unit in a Carriage House that shares my internet. It is too far from the main house for a WiFi connection, so I have a hardwire connection from my Asus router in the main house to a WiFi router in the carriage house. I want all of the traffic from the Carriage House router to have internet access, but no access to any of the computers on my main house LAN or WiFi connections.

 

[Klueless]

I have a rental unit in a Carriage House that shares my internet. It is too far from the main house for a WiFi connection, so I have a hardwire connection from my Asus router in the main house to a WiFi router in the carriage house. I want all of the traffic from the Carriage House router to have internet access, but no access to any of the computers on my main house LAN or WiFi connections.

Ah. So my bad idea could work? The Netgear in the main house connected to the wire that runs to the guest house and its wireless service.

But, now that I know, better idea. Some hard wired APs will support "guest". Ruckus for example. Ruckus WiFi would go in the guest house and use the hard wire connection to main house. The Ruckus has rules such that you can specify that its wireless clients have guest access only.

Now you got my head spinning. You already have "two routers". Two subnets. Two sets of IP addresses. Usually it takes work to get one set of IPs to talk with a 2nd set of IP's. Lock down the 2nd router (UserID/password) so clients can't log into 2nd router and turn on any port forwards. It just might be easier than you and I might think?

 

[CaptainSTX]

Buy a TP-Link smart switch for US$30 and you can set up VLANs in the GUI. With the eight port switch you could have seven VLANs.

 

[martinr]

Buy a TP-Link smart switch for US$30 and you can set up VLANs in the GUI. With the eight port switch you could have seven VLANs.

What if. assuming he uses Skynet, and instead of setting up VLANS, he uses Skynet’s IOT Blocking feature to ban the IP addresses of those guest devices on the switch?

 

[ColinTaylor]

Buy a TP-Link smart switch for US$30 and you can set up VLANs in the GUI. With the eight port switch you could have seven VLANs.

That wouldn't prevent access to any of the devices connected to the main router's WiFi.

What if. assuming he uses Skynet, and instead of setting up VLANS, he uses Skynet’s IOT Blocking feature to ban the IP addresses of those guest devices on the switch?

AFAIK Skynet only blocks on the WAN interface, not the LAN ports.

 

[martinr]

That wouldn't prevent access to any of the devices connected to the main router's WiFi.


AFAIK Skynet only blocks on the WAN interface, not the LAN ports.

Ah, you’re right, Colin.

“Skynet can also be used to secure IOT deviceand prevent them from phoninghome.”

 

[ColinTaylor]

But, now that I know, better idea. Some hard wired APs will support "guest". Ruckus for example. Ruckus WiFi would go in the guest house and use the hard wire connection to main house. The Ruckus has rules such that you can specify that its wireless clients have guest access only.

Now you got my head spinning. You already have "two routers". Two subnets. Two sets of IP addresses. Usually it takes work to get one set of IPs to talk with a 2nd set of IP's. Lock down the 2nd router (UserID/password) so clients can't log into 2nd router and turn on any port forwards. It just might be easier than you and I might think?

This is potentially a more elegant solution with the Carriage House having it's own router and subnet. It would then be this second router that was blocking access to your main network. (As well as Ruckus an Asus router can do the same thing with its Network Services Filter)

The issue becomes one of trust though. As the guests will have physical access to the second router there is nothing stopping them from factory resetting it (and setting it up without restrictions) or simply unplugging its Ethernet cable and plugging it directly into their own device.

 

[Klueless]

The issue becomes one of trust though. As the guests will have physical access to the second router there is nothing stopping them from factory resetting it (and setting it up without restrictions) or simply unplugging its Ethernet cable and plugging it directly into their own device.

Nice catch!

Sadly, that could bring us back to that silly ol' Netgear idea?

 

[CaptainSTX]

That wouldn't prevent access to any of the devices connected to the main router's WiFi.

Thanks. Learn something new everyday.

Never noticed this as I don't connect to this router's WiFi and instead connect to an AP which is on my most secure VLAN. Turned the WiFi on to experiment and sure enough while wired devices isolated on VLANs can't communicate between VLANs if a device connects to the router's WiFi they can ping any device regardless of what VLAN the wired or wireless device is connected to.

As expected however if the WiFi connection on the router is to a guest network with intranet blocked then no connection to other wired or wireless device is possible.

 

[Val D.]

I have a rental unit in a Carriage House that shares my internet. It is too far from the main house for a WiFi connection, so I have a hardwire connection from my Asus router in the main house to a WiFi router in the carriage house.

Your case is actually easier than this one, both very similar:
https://www.snbforums.com/threads/l...or-guest-house-w-guest-network-feature.62467/
You solved your case already, second router in Router Mode + Guest Network.

I'm assuming you know you're responsible for all the activities on you Internet account, including shared Internet to other people. Make sure you know very well the people who rent this unit and they know you're responsible for their Internet activity.

 

[Klueless]

Your case is actually easier than this one, both very similar:
https://www.snbforums.com/threads/l...or-guest-house-w-guest-network-feature.62467/
You solved your case already, second router in Router Mode + Guest Network.

I followed the link to your work on the other thread. Props! Heroic effort there.

 

[Val D.]

Heroic effort there.

The OP mentioned he's not very familiar with networking.

 

[dosborne]

Not sure what other equipment the OP already has, but,...

In my case, my ISP supplied a hitron GB cable router.

I plugged my main router (ax88u) into the hitron and run all my secure devices wired and wireless off it.

I plugges my secondary router (ac86u) into the hitron as well. All my IoT, guest and otherwise less secure devices connect to this router either wired or wireless.

Simple setup with existing (in my case) equipment. No separate switches, no vlans, etc.

Separate and distinct subnets for each router and a rule to block the guest network from accessing the secure network.

Done

My setup is actually a lot more involved with double-homed and triple-homed devices and a secondary ISP router, but the basic setup described could be an option for the OP.

 

[Val D.]

No separate switches, no clans, etc.

Since your Hitron has 4 x LAN ports, you can make 2 more separate networks using 5 routers... Done!

 

[Andorul]

I am running Asuswrt-Merlin v 384.14 on an Asus RT-AC68U router. I would like to be able to configure one of the LAN ports to be a Guest Network, so that all of the devices connected via that hardwired port will have internet only access and be blocked from accessing any other LAN or WiFi connected devices. This should function just like devices connected to the router via Guest Network SSIDs.

Is there any easy ways to do this? If not, how can we get this functionality added to future Asuswrt-Merlin releases?

I could do it by following this https://wu.renjie.im/blog/network/ax88u-vlan/ but it stops working in latest version of AsusMerlin.
In my case i put Lan Port 1 in a sepearete subnet xxx.xxx.100.xx while my lan is xxx.xxx.50.xx Files Needed:

$cat /jffs/scripts/services-start
touch /tmp/000-services-start

# Physical port to interface map:
# eth0 WAN
# eth1 LAN 4
# eth2 LAN 3
# eth3 LAN 2
# eth4 LAN 1
# eth5 Bridge of LAN 5, LAN 6, LAN 7, LAN 8
# eth6 2.4 GHz Radio
# eth7 5 GHz Radio

# Delete those interfaces that we want to isolate from br0
logger -t "isolate_port" "services-start: deleting LAN 1 (eth4) from br0"
brctl delif br0 eth4

# Create a new bridge br1 for isolated interfaces
logger -t "isolate_port" "services-start: creating br1 with LAN 1 (eth4)"
brctl addbr br1
brctl stp br1 on # STP to prevent bridge loops
brctl addif br1 eth4

# Set up the IPv4 address for br1
# Here we set the subnet to be 192.168.100.0/24
# IPv6 link local address will be assigned automatically
logger -t "isolate_port" "services-start: setting up IPv4 address for br1"
ifconfig br1 192.168.100.1 netmask 255.255.255.0
ifconfig br1 allmulti up

logger -t "isolate_port" "services-start: all done"
date >> /tmp/000-services-start

$cat /jffs/scripts/nat-start
#!/bin/sh

# Make sure the script is indeed invoked
touch /tmp/000-nat-start
logger -t "isolate_port" "nat-start: applying POSTROUTING rules for br1"

# NAT inside 192.168.100.0/24 on br1
iptables -t nat -A POSTROUTING -s 192.168.100.100/24 -d 192.168.100.101/24 \
-o br1 -j MASQUERADE

logger -t "isolate_port" "nat-start: all done"
date >> /tmp/000-nat-start

$cat /jffs/scripts/firewall-start​

#!/bin/sh

# Make sure the script is indeed invoked
touch /tmp/000-firewall-start
logger -t "isolate_port" "firewall-start: applying INPUT rules for br1"

# Allow new incoming connections from br1
iptables -I INPUT -i br1 -m state --state NEW -j ACCEPT
ip6tables -I INPUT -i br1 -j ACCEPT # Same rule as br0 by default
ip6tables -I INPUT -i br1 -m state --state NEW -j ACCEPT

# Only forbid br1 access the web UI and SSH of the main router
iptables -I INPUT -i br1 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br1 -p tcp --dport 22 -j DROP
ip6tables -I INPUT -i br1 -p tcp --dport 80 -j DROP
ip6tables -I INPUT -i br1 -p tcp --dport 22 -j DROP

logger -t "isolate_port" "firewall-start: applying FORWARD rules for br1"

# Forbid packets from br1 to be forwarded to other interfaces
iptables -I FORWARD -i br1 -j DROP
ip6tables -I FORWARD -i br1 -j DROP

# But allow packet forwarding inside br1
iptables -I FORWARD -i br1 -o br1 -j ACCEPT
ip6tables -I FORWARD -i br1 -o br1 -j ACCEPT

# Allow packet forwarding between br1 and eth0 (WAN)
iptables -I FORWARD -i br1 -o eth0 -j ACCEPT
ip6tables -I FORWARD -i br1 -o eth0 -j ACCEPT

# Allow one-way traffic from br0 to br1
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state \
--state RELATED,ESTABLISHED -j ACCEPT
ip6tables -I FORWARD -i br0 -o br1 -j ACCEPT
ip6tables -I FORWARD -i br1 -o br0 -m state \
--state RELATED,ESTABLISHED -j ACCEPT

logger -t "isolate_port" "firewall-start: all done"
date >> /tmp/000-firewall-start

$cat /jffs/configs/dnsmasq.conf.add​

interface=br1
# DHCPv4 range: 192.168.100.100 - 192.168.100.101, netmask: 255.255.255.0, lease time:86400s (1day)
dhcp-range=br1,192.168.100.100,192.168.100.101,255.255.255.0,86400s
dhcp-option=br1,3,192.168.100.1

 

[ColinTaylor]

@Andorul You're replying to a post that's over two years old. Your script won't work for the OP because he has an RT-AC68U which has a completely different architecture to your router.