
Disable Intranet access for a LAN port (not the WiFi Guest network)?


Rici

Regular Contributor
Hi,

Since I have an OpenWRT router ready to be configured to handle all my IoT devices, so that I can keep them separated, e.g. via VLANs, as well:

How do I restrict intranet access to the other LAN & WiFi clients on my Asus RT-AX86U Pro router running Merlin 3004.388.8_2 when I connect the OpenWRT router to one of the Asus' LAN ports (such as port 2 or 3)?

Do static routes help, such as: everything coming from LAN port 2 always goes only to the WAN port (and therefore to the Internet), but cannot be spread across the LAN & WiFi clients of my Asus router?

Of course, VLAN would also be an option. Unfortunately, Merlin still has not implemented that for the AX-86U Pro, despite Asus supporting it (including Guest Mode Pro for IoT devices). Or have I missed something here regarding Merlin and VLAN support?
 
If you have a separate OpenWRT (or even DD-WRT, FreshTomato, or Merlin) router, you don't need to do anything on the primary router AT ALL! Just connect the WAN of the secondary router to a LAN port on the primary router. By definition, the LAN behind that secondary router *is* another VLAN! All you have to do is make sure it's using a different IP network from the primary router, and add firewall rules to limit access from that secondary IP network to the internet and NOT the immediate upstream network.
 
Thank you!

Regarding "add firewall rules to limit access from that secondary IP network to the internet and NOT the immediate upstream network": What exactly do I have to do to ensure that?
 
Unfortunately, my experience is primarily w/ Merlin, FT, and DD-WRT.

With Merlin (or ASUS OEM), all you really need is to use the NSF (Network Services Filter).

The following DD-WRT example is typical.


It specifically blocks access to the immediate upstream network, and ANY other private networks. It also limits access of the secondary router itself to only essential services (typically DHCP and DNS, although if you configure public DNS servers for your devices, you don't even need that). Finally, I provide an example of an exception, such as access to an upstream printer.

FT would be very similar (perhaps identical) to DD-WRT.

I believe OpenWRT requires a more text-based means to configure the same rules.
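The policy described in the two replies above (secondary router's LAN may reach the internet but not the upstream Asus LAN or any other private network; the secondary router itself only gets DHCP and DNS upstream; one printer exception), written out as an added example for this thread. This is not eibgrad's own DD-WRT script; it is an iptables script of the kind DD-WRT and FreshTomato run from their firewall script hook. Every concrete value is an assumption for illustration: `br0` as the secondary router's LAN bridge, `vlan2` as its WAN port (DD-WRT naming), `192.168.50.0/24` as the upstream Asus LAN, `192.168.50.1` as the Asus (DHCP and DNS for the secondary router), `192.168.50.20` as an upstream printer reached over IPP/TCP 631, and the chain names `iot_fwd`/`iot_out`.

```shell
#!/bin/sh
# Added example for this thread, not eibgrad's DD-WRT script. Every value here is an
# assumption for illustration: br0 is the secondary router's LAN bridge, vlan2 its WAN
# port (DD-WRT naming), 192.168.50.0/24 the upstream Asus LAN, 192.168.50.1 the Asus
# (DHCP + DNS for the secondary router), 192.168.50.20 an upstream printer on IPP/631.
LAN_IF="${LAN_IF:-br0}"
WAN_IF="${WAN_IF:-vlan2}"
UPSTREAM_GW="${UPSTREAM_GW:-192.168.50.1}"
PRINTER="${PRINTER:-192.168.50.20}"
# Drop all of RFC 1918, not just the upstream subnet: any other private network the
# Asus can reach (a second secondary router, a VPN subnet) is covered automatically.
RFC1918="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# gen_rules prints the iptables commands, one per line, in the order they must run.
# Printing instead of executing lets you review them, paste them into the DD-WRT
# firewall script, or apply them with:  gen_rules | sh
gen_rules() {
    # --- Forwarded traffic from the IoT LAN out the WAN port ---------------------
    # Own chain, hooked at position 1 of FORWARD so it runs before the stock
    # lan->wan ACCEPT rule DD-WRT already has there. -N/-D are tolerant of reruns.
    echo "iptables -N iot_fwd 2>/dev/null"
    echo "iptables -F iot_fwd"
    # Replies to connections the upstream side opened are not what we are blocking.
    echo "iptables -A iot_fwd -m state --state ESTABLISHED,RELATED -j RETURN"
    # Exception: the printer, listed BEFORE the drops so it is matched first.
    echo "iptables -A iot_fwd -d $PRINTER -p tcp --dport 631 -j ACCEPT"
    for net in $RFC1918; do
        echo "iptables -A iot_fwd -d $net -j DROP"
    done
    # Public destinations fall through to the rest of FORWARD (normal internet access).
    echo "iptables -A iot_fwd -j RETURN"
    echo "iptables -D FORWARD -i $LAN_IF -o $WAN_IF -j iot_fwd 2>/dev/null"
    echo "iptables -I FORWARD 1 -i $LAN_IF -o $WAN_IF -j iot_fwd"

    # --- Traffic from the secondary router itself towards the upstream side -------
    # Only DHCP (server port 67; the initial DISCOVER is a broadcast, so no -d) and
    # DNS to the Asus are allowed; every other private destination is dropped.
    echo "iptables -N iot_out 2>/dev/null"
    echo "iptables -F iot_out"
    echo "iptables -A iot_out -p udp --dport 67 -j ACCEPT"
    echo "iptables -A iot_out -d $UPSTREAM_GW -p udp --dport 53 -j ACCEPT"
    echo "iptables -A iot_out -d $UPSTREAM_GW -p tcp --dport 53 -j ACCEPT"
    for net in $RFC1918; do
        echo "iptables -A iot_out -d $net -j DROP"
    done
    echo "iptables -A iot_out -j RETURN"
    echo "iptables -D OUTPUT -o $WAN_IF -j iot_out 2>/dev/null"
    echo "iptables -I OUTPUT 1 -o $WAN_IF -j iot_out"
}

# rule_position CHAIN PATTERN: 1-based line number of the first rule in CHAIN matching
# PATTERN, or 0 if absent. Handy for checking that an exception precedes the drops.
rule_position() {
    gen_rules | grep -n -- "-A $1 .*$2" | head -n 1 | cut -d: -f1 | grep . || echo 0
}

# Only apply when asked (and when iptables exists); otherwise just show the rules.
if [ "${1:-}" = "apply" ] && command -v iptables >/dev/null 2>&1; then
    gen_rules | sh
else
    gen_rules
fi
```

Two design points worth keeping when you adapt this: the exception rule must sit above the RFC 1918 drops (order is everything in iptables, which is why the script uses its own chain and a position-1 jump instead of relying on where DD-WRT's stock rules land), and the ESTABLISHED,RELATED early return means you are blocking connections the IoT side initiates, not replies to anything you deliberately port-forward in from the Asus LAN. If public DNS servers are configured on the secondary router, the two port-53 rules can be dropped as eibgrad notes. On a current OpenWRT secondary router the same policy is expressed as zones and rules in /etc/config/firewall (fw4 on nftables) rather than raw iptables lines, which is the "more text-based" configuration mentioned above.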
 
@eibgrad thank you for sharing those details. After doing a shell configuration of the FW, would any of it show in the GUI in the appropriate places?
 
@Justinh, you can do this on your RT-AX86U Pro in the GUI. It's part of the new Guest Network Pro function; you can assign a port to a VLAN.
 
The method above is a workaround with two devices when this functionality is not available on the main router. It is available on your router, at the moment in stock Asuswrt only. As per your signature you are running stock Asuswrt. Look at the link @bennor provided above.
 
Is that also the case when you are running Merlin?
If running Asus-Merlin 3006.102.2_x firmware, yes, it should be the case. The Guest Network Pro feature isn't part of the 3004.388.x firmware (stock Asus or Asus-Merlin).

Currently the Asus-Merlin 3006.102.2_2 firmware only supports a few routers (RT-BE96U, GT-BE98_PRO, RT-BE86U, RT-BE88U, GNuton fork GT-BE98).
 