Disabling Intranet access for guest network in AP mode

derek87

Occasional Visitor
sorry if this is a dumb question, but my limited understanding is leading me here for some clarification and advice:

i have a 1900P router and AC68U AP running in my home. i have a guest network on the AP which i use exclusively to connect Internet of Things (IoT) devices. what i noticed recently is that there is no "disable intranet/limit bandwidth" option for the guest network when operating in AP mode. i know a VLAN is the best solution (see below), but i was hoping for at least a somewhat helpful measure to prevent access to the main network from the IoT devices.

so...

1. does that mean that my IoT devices have full access to my local network?
2. is there anything i can do on the main router to limit access on the IoT devices?
3. is there an easy way to set up a VLAN (for a neophyte like myself)? (seems like there is a script out there that is not easy to get)
4. should i instead just have the guest network running on my main router (i have to test if it has enough range to reach the front door of our house (doorbell)) where i can actually limit the bandwidth/intranet access?

other "easy" solutions for someone with only moderate networking knowledge/experience?

thanks!
 
1. Yes
2. No
3. No. It would require scripts or a different firmware (on both devices)
4. That would be the easy solution if the WiFi has enough reach.
 

thanks again for your speediness, Colin. ;)

#4 is probably the easy solution although one motivation i had for keeping the guest network on the AP was to cut down on the number of devices being served by the wifi radios on the main router (in a perfect world, i wouldn't be running the wifi radios at all on the main router), but that's probably more me worrying too much about working the router too hard. i'm guessing it should be fine managing everything because my older 68u (1ghz) acted fine as a solo router for me for several years before i moved to a router + AP set up.

follow-up option:
- would it be possible for me to restrict intranet access manually on a device by device basis (using MAC addresses) on the main router? (i'm sure there must be a setting/pane to do that somewhere...)
 
No, there's no option to do that in the firmware. Although theoretically it could be done with user scripts.
 
If you have a spare, third-party firmware capable router (and most ppl do these days, doesn't have to be fancy), you could configure that router for IOT devices and daisy-chain it behind the primary router, making sure to deny access by the IOT devices to upstream devices on the primary network using some simple firewall rules.
 

thanks for this thought. as it turns out, i have an extra RT-AC68U i could use for this purpose (much fancier than i need, but i have one). can you outline the steps i would use to create this separate network. i am assuming i would set it up as a router behind the router and use a different SSID? (ie, i would not want to set it up as an access point, correct?)

thanks in advance.
 
Very simple to do. You're just going to daisy-chain the IOT router via its WAN to a LAN port on the primary router, making sure it has its own unique, non-overlapping network (so if the primary network is 192.168.1.x, perhaps make it 192.168.2.x). Then add firewall rules to deny access to any local networks over its WAN, leaving only access to the internet.
Code:
# -i br0 (the LAN bridge) limits the REJECT to packets entering from the IOT LAN,
# so NAT reply traffic coming back from the internet is not caught by these rules
iptables -I FORWARD -i br0 -d 192.168.0.0/16 -j REJECT
iptables -I FORWARD -i br0 -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD -i br0 -d 10.0.0.0/8 -j REJECT


Of course, each third-party firmware has its own way of applying such rules. In the case of Asuswrt-Merlin, you'd need to enable JFFS and JFFS scripts in Administration->System, then install a firewall-start script containing these rules.
Code:
#!/bin/sh

SCRIPTS_DIR='/jffs/scripts'
SCRIPT="$SCRIPTS_DIR/firewall-start"

mkdir -p "$SCRIPTS_DIR"

# POSIX function syntax (no "function" keyword) so the installer runs under busybox sh
create_script() {
cat << "EOF" > "$SCRIPT"
#!/bin/sh
# deny access to all other local networks (internet only);
# -i br0 limits the REJECT to packets entering from the IOT LAN bridge,
# so NAT reply traffic from the internet is not caught by these rules
iptables -I FORWARD -i br0 -d 192.168.0.0/16 -j REJECT
iptables -I FORWARD -i br0 -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD -i br0 -d 10.0.0.0/8 -j REJECT
EOF
chmod +x "$SCRIPT"
}

if [ -f "$SCRIPT" ]; then
    echo "error: $SCRIPT already exists; requires manual installation"
else
    create_script
    echo 'Done.'
fi


You can simply paste the above into an SSH window and it will install and configure everything automatically.
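As an added example (not part of eibgrab's post and not Asuswrt-Merlin project code), here is a POSIX sh helper covering the two checks the post asks for before pasting the installer: that the IOT router's LAN does not overlap the primary LAN, and that a given destination really falls inside the rejected private ranges. It also emits the FORWARD rules matched on the LAN ingress interface, assumed to be br0 (Asuswrt's LAN bridge), so that replies to internet traffic, which carry a 192.168.x.x destination again once NAT is reversed, are not rejected; and it verifies that a listing in the shape of `iptables -S FORWARD` contains all three rules. The subnets and the rule listing are constructed sample values, not captured from a device.

```shell
#!/bin/sh
# Added example (not eibgrab's script): pre-flight checks and rule generation
# for a daisy-chained IOT router. Assumes Asuswrt's LAN bridge is br0 and
# uses constructed sample subnets and a constructed iptables listing.

# Private ranges the IOT LAN must not reach (same three as the post).
BLOCKED_NETS="192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"

ip2int() {
    # Convert a dotted quad ("192.168.1.5") to its 32-bit integer value.
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

prefix_mask() {
    # Print the netmask for prefix length $1 as a 32-bit integer.
    if [ "$1" -eq 0 ]; then
        echo 0
    else
        echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    fi
}

cidr_overlap() {
    # Return 0 (true) when CIDR $1 and CIDR $2 share at least one address:
    # they overlap iff both agree on the shorter of the two prefixes.
    n1=$(ip2int "${1%/*}"); p1=${1#*/}
    n2=$(ip2int "${2%/*}"); p2=${2#*/}
    if [ "$p1" -lt "$p2" ]; then p=$p1; else p=$p2; fi
    m=$(prefix_mask "$p")
    [ $(( n1 & m )) -eq $(( n2 & m )) ]
}

in_blocked_range() {
    # Return 0 when host address $1 lies inside one of BLOCKED_NETS, i.e.
    # a packet from the IOT LAN to it would hit the REJECT rules.
    for net in $BLOCKED_NETS; do
        if cidr_overlap "$1/32" "$net"; then return 0; fi
    done
    return 1
}

emit_firewall_rules() {
    # Print the FORWARD rules for LAN interface $1. Matching the ingress
    # interface restricts the REJECT to traffic originating on the IOT LAN;
    # without it, de-NATed replies from the internet (destination back in
    # 192.168.x.x) would also be rejected. The -C guard keeps re-runs idempotent.
    for net in $BLOCKED_NETS; do
        echo "iptables -C FORWARD -i $1 -d $net -j REJECT 2>/dev/null || iptables -I FORWARD -i $1 -d $net -j REJECT"
    done
}

verify_rules() {
    # $1 = LAN interface, $2 = text of 'iptables -S FORWARD'. Return 0 only
    # if a REJECT rule for every blocked range is present on that interface.
    for net in $BLOCKED_NETS; do
        printf '%s\n' "$2" | grep -q -- "-A FORWARD -d $net -i $1 -j REJECT" || return 1
    done
    return 0
}

# Constructed sample of 'iptables -S FORWARD' after firewall-start ran
# (the -d before -i ordering mirrors iptables-save style output).
SAMPLE_FORWARD_RULES='-P FORWARD DROP
-A FORWARD -d 10.0.0.0/8 -i br0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 172.16.0.0/12 -i br0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.0.0/16 -i br0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Demonstration with constructed values: primary LAN and planned IOT LAN.
PRIMARY_LAN="192.168.1.0/24"
IOT_LAN="192.168.2.0/24"
if cidr_overlap "$PRIMARY_LAN" "$IOT_LAN"; then
    echo "plan rejected: $IOT_LAN overlaps $PRIMARY_LAN"
else
    echo "plan ok: $IOT_LAN does not overlap $PRIMARY_LAN"
    emit_firewall_rules br0
fi
for host in 192.168.1.5 8.8.8.8; do
    if in_blocked_range "$host"; then
        echo "$host: unreachable from the IOT LAN (REJECT)"
    else
        echo "$host: reachable (internet)"
    fi
done
if verify_rules br0 "$SAMPLE_FORWARD_RULES"; then
    echo "sample rule set contains all three REJECT rules"
else
    echo "sample rule set is missing a REJECT rule"
fi
```

To use it on a real device, replace the constructed listing with the output of `iptables -S FORWARD` on the IOT router after the firewall-start script has run; `verify_rules` then tells you whether the rules actually took effect rather than relying on the installer's "Done." message. The overlap check matters because the blocked ranges include the IOT router's own LAN, which is exactly why the rules must key on the ingress interface.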
 

i'm running AsusMerlin so this is extremely helpful.

some more dumb questions to make sure i get this correct:

1. i am assuming i should let the main router assign an IP address to the IoT router... this address (eg, 192.168.1.XXX) would become the WAN address for the IoT router...which i could then have its LAN address as 192.168.2.1 and have it serve addresses from 192.168.2.3 and higher?

2. then to view what is going on on this router, i would login to the LAN address of 192.168.2.1 which i've manually set, correct?

this looks great. i may try it this weekend if i can find a spare moment.
 
^^ Correct. It would also make sense to also enable remote access over the WAN of the IOT router for administrative purposes. If the WAN was exposed directly to the internet like the primary router is, you would NOT do this. But since it's *internal* to your network, it's safe. And it might therefore make sense to create a static lease for the WAN ip of the IOT router in the primary router so that WAN ip didn't change.
 

ah, yes. i agree that a static WAN ip address is ideal for the IoT router. thanks for your idea/thoughts. it seems pretty straightforward to me (even with my limited know-how). i'll try to give it a shot sometime soon.
 
You don't need to write a script to block access to the upstream network. You can do that in the GUI using the Network Services Filter.
 
good catch although it may be easier for me to just use eibgrab's script. ;)

interestingly enough, it seems that the latest 386 (non-merlin alpha) software from Asus supposedly creates a subnet for guest networks on AIMesh nodes and presumably access points. i'm still reading other comments in the other forum but that may be the route i ultimately pursue since it's one less device to use and set up.
 
