Expand the Guest Network to two merlin routers

[Yota]

Today, I will show you how to set up the same guest network on the primary router and the secondary router, and prevent the guest network from accessing resources on the LAN.

What do I need?
I have two RT-AC68U routers, they both flashed Merlin 384.14_2, One is running router mode, the other one is running in AP mode. I need to set a guest network on the AP, and make sure that the guest network cannot access the devices on my LAN.

If you want to do that, you need to set VLANs. but, asus doesn't support setting the VLAN in the GUI of the firmware, which is very troublesome. however, thanks to this great forum, I used two weeks reading each relevant threads and testing scripts, and now I have achieved some results, I think no one has discussed similar topics, so I will share my results and code.


First, enable the guest network on your Primary router and enable JFFS custom scripts and config. Then create the following, you may need to edit it according to your use case.

Primary router (Router mode)
/jffs/scripts/services-start

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"


robocfg show | grep -i vlan101 > /dev/null 2>&1 || \
(

# Assign a physical port to the VLAN. Note that 5T is a
# RT-AC68U CPU, and different models have different numbers.
robocfg vlan 101 ports "4t 5t"

# I don t understood why to do this,
# looks like setting a VLAN for the WAN.
vconfig add eth0 101
ifconfig vlan101 up

# wl1.1 is Guest WiFi 5GHz 1, I don t enable more SSID,
# so if you want to use it yourself, you may need to edit it.
brctl addbr br1
brctl stp br1 on
brctl delif br0 wl1.1
brctl addif br1 vlan101
brctl addif br1 wl1.1

# Most models use 192.168.50.1 as the default LAN,
# so I use this subnetwork as the guest network.
ifconfig br1 192.168.1.1 netmask 255.255.255.0
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan101 wl1.1"
nvram set lan1_ifname="br1"
nvram commit
)

Primary router (Router mode)
/jffs/scripts/firewall-start

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# I don t know anything about the rules of iptables and ebtables,
# so I can t guarantee that this setting is safe enough.

# Allow BR1 to access WAN
iptables -D FORWARD -i br1 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# Prevent BR1 from accessing BR0 and vice versa
iptables -D FORWARD -i br1 -o br0 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

iptables -D FORWARD -i br0 -o br1 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

# I don t know what it does.
iptables -D INPUT -i br1 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I INPUT -i br1 -m state --state NEW -j DROP

# Allow DNSMASQ to distribute IP addresses for br1.
iptables -D INPUT -i br1 -p tcp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Allow DNSMASQ to distribute IP addresses for br1.
iptables -D INPUT -i br1 -p udp -m multiport --dport 53,67 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -p udp -m multiport --dport 53,67 -j ACCEPT

sleep 1
killall eapd
eapd

Primary router (Router mode)
/jffs/configs/dnsmasq.conf.add

interface=br1
dhcp-range=br1,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.1.1
dhcp-option=br1,6,192.168.1.1

Then, set up the same guest network on the secondary router (AP mode), and connect the WAN of the secondary router to the LAN 4 of the primary router. Create the following script for the secondary router

Secondary router (AP Mode)
/jffs/scripts/services-start

#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

robocfg show | grep -i vlan101 > /dev/null 2>&1 || \
(
robocfg vlan 101 ports "0t 5t"
vconfig add eth0 101
ifconfig vlan101 up

brctl addbr br1
brctl delif br0 wl1.1
brctl addif br1 vlan101
brctl addif br1 wl1.1
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan101 wl1.1"
nvram set lan1_ifname="br1"
nvram commit

killall eapd
eapd
)

Finally restart both routers and you should get a perfect extended guest network. However, it is not a hundred percent perfect. For example, you cannot to PING secondary router from the guest network of the primary router, and vice versa. I don't know how to solve it.

What does the scripts do?
Created a VLAN, added Guest WIFI 5GHz 1 to the VLAN, and passed the VLAN to another one router, and the other router also added Guest WIFI to the VLAN.
Allow DHCP to assign different subnets to the VLAN.
Set up some iptables rules to prevent VLANs from accessing the LAN.

         ╲           ╱            ╲            ╱
  Guest WiFi      LAN WiFi    Guest WiFi   LAN WiFi
           ╲       ╱                ╲        ╱
          │─────────│              │─────────│
          │  Router │──────────────│    AP   │
          │─────────│   LAN&VLAN   │─────────│

This scripts should work under AiMesh node after modification, but I'm not sure, I haven't tested it.

This scripts may only apply to ARMv7 models, because new models such as RT-AC86U, RT-AX88U do not use these commands to create VLANs, I do not have these models, so I don’t know how to improve it, maybe you can share your improved script.

Thanks for your reply, hope you can provide any comments for this scripts.


References:
VLAN settings in router mode:
https://www.snbforums.com/threads/using-vlans-for-a-2nd-access-point-with-home-guest-wifi.32125/
https://www.snbforums.com/threads/vlans-on-merlin-mini-howto.20529/
https://www.snbforums.com/threads/use-lan-port-4-as-private-network.14983/
https://www.snbforums.com/threads/f...guest-network-for-asus-merlin-rt-ac68u.18969/
https://www.snbforums.com/threads/trying-to-implement-vlans-on-rt-ac3100-in-ap-mode.55822/
https://www.snbforums.com/threads/ssid-to-vlan-only-works-with-open-authentication.55013/
https://www.snbforums.com/threads/merlin-384-5-vlan-dhcp-problem.47780/
https://www.snbforums.com/threads/vlan-problem.36269/
https://www.snbforums.com/threads/v...s-for-1-wireless-client-and-1-lan-port.32808/
https://www.snbforums.com/threads/traffic-across-vlans-for-ip-cams-and-iot-devices.46634/
https://www.snbforums.com/threads/vlan-routing-across-networks.47502/
https://www.snbforums.com/threads/help-on-dhcp-for-custom-bridge.28004/

VLAN settings in ap mode:
https://www.snbforums.com/threads/ssid-to-vlan.24791/
https://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/
https://www.snbforums.com/threads/help-setting-up-vlan-on-asus-rt-ac68u.49312/

If you use RT-AC86U or AX88U, maybe you are interested to see this link:
https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4

 

[Yota]

Reserved

 

[oso2276]

Nice summary. Thanks

Enviado desde mi moto g(8) plus mediante Tapatalk

 

[FaUst]

Nice - i used your tutorial to make VLAN with only one Asus in router mode, but i cannot forward port to guest (DMZ) network with another address (port forwarding in gui doesnt work).

 

[Yota]

Nice - i used your tutorial to make VLAN with only one Asus in router mode, but i cannot forward port to guest (DMZ) network with another address (port forwarding in gui doesnt work).

Sorry, I don't know much about that. but, I think that requires more scripts because it involves firewalls, routing tables, etc.

 

[Ronald Schwerer]

Subscribed. Very interesting. I currently solve this problem (extending guest network) by configuring repeaters of my Guest SSID. This is for my dozens of IoT devices scattered over my property (especially the garage and backyard areas). Using your method, I'd also extend my primary SSID coverage. I'd need to get a wired connection to the remote AP(s) but I could use powerline adapters.

 

[Vispen74]

I´m about to do this on my rt-ac86u. Have anyone tried if the scripts are working with this router, or know what has to be changed?

 

[Stephen Harrington]

I´m about to do this on my rt-ac86u. Have anyone tried if the scripts are working with this router, or know what has to be changed?

Well there is no "robocfg" command for starters ...

 

[Yota]

I´m about to do this on my rt-ac86u. Have anyone tried if the scripts are working with this router, or know what has to be changed?

Well there is no "robocfg" command for starters ...

Yes, there are many places that need to be changed. for ac86u the last link might help you.

 

[Vispen74]

Yes, there are many places that need to be changed. for ac86u the last link might help you.

If I just had the skills to do something useful out of it... I need more or less a ready-to-use script.

Skickat från min HD1913 via Tapatalk

 

[robca]

Hello @Yota, thanks for putting this together, I was trying something similar (also have two RT-AC68U and I gave up.

Question on a part of your script:

# Most models use 192.168.50.1 as the default LAN,
# so I use this subnetwork as the guest network.
ifconfig br1 192.168.1.1 netmask 255.255.255.0
ifconfig br1 up​

Are you saying that your LAN DHCP range is 192.168.50.1-255 and that you are reserving 192.168.1.1-255 for the guest LAN? The reason i'm asking is that my home network uses 192.168.1.1-255, so I would have to choose something else

Just trying to make sure I understand your script before starting to make changes on my routers

 

[Yota]

Hello @Yota, thanks for putting this together, I was trying something similar (also have two RT-AC68U and I gave up.

Question on a part of your script:

# Most models use 192.168.50.1 as the default LAN,
# so I use this subnetwork as the guest network.
ifconfig br1 192.168.1.1 netmask 255.255.255.0
ifconfig br1 up​

Are you saying that your LAN DHCP range is 192.168.50.1-255 and that you are reserving 192.168.1.1-255 for the guest LAN? The reason i'm asking is that my home network uses 192.168.1.1-255, so I would have to choose something else

Just trying to make sure I understand your script before starting to make changes on my routers

Hello, the subnet of your guest network should not be the same as your main network (LAN), so you need to change these lines:

ifconfig br1 192.168.1.1 netmask 255.255.255.0
dhcp-range=br1,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.1.1
dhcp-option=br1,6,192.168.1.1

 

[robca]

That's what I thought, thanks for confirming (incidentally: thanks for having shared this)

I changed everything to 192.168.20.x, and I can see that I can finally get a DHCP address on the guest lan. Good

I'm still having problems, though. Even if the device on the guest lan gets an IP address (so the iptables for the DHCP traffic works), I can't connect to anything from the AP router (can connect to the internet and nothing else from the main router using guest networks)

It looks as if the vlan101 traffic from the AP router is not being redirected properly, even if at least some portions of the configuration (e.g. DHCP) work

Would it be asking too much to have you post the output of "brctl show" and "robocfg show" for both the main router and the AP? And possibly "iptables -L -v"? Given we have the same router, everything should work just fine.

EDIT: I did notice that my main router had a CPU value of 8t not 5t

1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8

And in another post I found that if the NAT acceleration is enabled (Auto), CTF is on and it shows the CPU as 8t instead of 5t. Disabling that setting it goes back to 5t and now the basic redirection works. CFT optimization messes up quite a few things, so disabling it makes sense

Problem is, it's incredibly unreliable. The connection stops working every few seconds, and even trying to run a speedtest.net test, it usually hangs halfway or shows very unreliable speeds (I usually have around 80 mbps, with the vlan101 enabled it jumps from a few mbps to ~30mbps maximum). I checked the CPU load on the main router (and it's really low), so I'm not sure what I did wrong

Do you have acceptable performance when using a guest network connection?

 

[Yota]

Problem is, it's incredibly unreliable. The connection stops working every few seconds, and even trying to run a speedtest.net test, it usually hangs halfway or shows very unreliable speeds (I usually have around 80 mbps, with the vlan101 enabled it jumps from a few mbps to ~30mbps maximum). I checked the CPU load on the main router (and it's really low), so I'm not sure what I did wrong

Do you have acceptable performance when using a guest network connection?

I apologize for not conducting detailed tests. In fact, I don't use the guest network often, so I don't know this issue.
I would love to help you solve this problem, but these scripts are beyond my ability, and I may not be able to help, sorry.

 

[robca]

I apologize for not conducting detailed tests. In fact, I don't use the guest network often, so I don't know this issue.
I would love to help you solve this problem, but these scripts are beyond my ability, and I may not be able to help, sorry.

No need to apologize. You have been very kind in sharing this, and in trying to help.

I actually did solve my issue thanks to another suggestion (https://www.snbforums.com/threads/rt-ac68u-guest-networks-in-ap-mode-using-vlan-and-iptables.64172/): the problem is that CTF was enabled on both AC68U, and that creates problems. I did disable CTF on the main router via the UI, but was still enabled in the AP (where there is no UI to turn it off, and I didn't realize i was still active). In order to disable CTF and ensure everything works, you need to issue just once the following (no need to add this to any custom script)

nvram set ctf_disable=1
nvram set ctf_disable_force=1
nvram commit

And then everything works just fine. Thanks again for getting me started

EDIT: just noticed that you have /jffs/script in your explanation, but the actual directory is /jffs/scripts with an s at the end. Just leaving his here for other users that might want to use your scripts as well

 

[Yota]

No need to apologize. You have been very kind in sharing this, and in trying to help.

I actually did solve my issue thanks to another suggestion (https://www.snbforums.com/threads/rt-ac68u-guest-networks-in-ap-mode-using-vlan-and-iptables.64172/): the problem is that CTF was enabled on both AC68U, and that creates problems. I did disable CTF on the main router via the UI, but was still enabled in the AP (where there is no UI to turn it off, and I didn't realize i was still active). In order to disable CTF and ensure everything works, you need to issue just once the following (no need to add this to any custom script)

nvram set ctf_disable=1
nvram set ctf_disable_force=1
nvram commit

And then everything works just fine. Thanks again for getting me started

Thank you for providing the solution, I am glad to see it useful for you. Actually, I think you can test to turn on the CTF of the primary router. I think it will work, because in my use, I have not turned off the CTF of the primary router. and my guests did not complain.


And you can always use this link

https://SECONDARY_ROUTER_IP:PORT/Advanced_SwitchCtrl_Content.asp

to turn off the CTF of your secondary router, because the page is just hidden and does not disappear.

EDIT: just noticed that you have /jffs/script in your explanation, but the actual directory is /jffs/scripts with an s at the end. Just leaving his here for other users that might want to use your scripts as well

The error has been fixed, thank you for telling me that!

 

[robca]

Adding one more note for any future visitor. Every time the wireless service restarts (for example due to changes to the wireless configuration or even if the system decides to restart the service for any other reasons), the guest networks would go back to the original configuration on br0. I'm not sure how common that is, but if it happens, only a reboot would make the guest networks work again as expected.

It was suggested to add a service-event-end script to handle any wireless service restart and automatically restoring the correct configuration. I provide a simple script to handle this case on this thread https://www.snbforums.com/threads/r...-and-iptables-solved.64172/page-2#post-586080

 

[robca]

And one more note again for the users of Diversion (https://diversion.ch/), the amazing ad-blocker extension for AsusWRT Merlin.

When using Diversion with pixelserv-tls, clients on the vlan (br1) cannot access pixelserv-tls (usually on the router IP address+1), since all non DNS traffic from br1 to br0 is blocked by the IPTABLES rules. That prevents web pages from loading correctly, while everything else works normally. So two more IPTABLES rules are needed to allow certain pages to load properly

iptables -I INPUT -i br1 -d 192.168.1.2/32 -p tcp -m multiport --dport 80,443 -j ACCEPT

to unblock the web page. But this alone won't make pixelserv-tls reachable, only allows web pages to load with the ugly grey "can't load the element' box

adding also

iptables -I FORWARD -i br1 -d 192.168.1.2/32 -p tcp -m multiport --dport 80,443 -j ACCEPT

allows clients on the vlan (hence br1) to reach pixelserv-tls, assuming that it is on 192.168.1.2 (change it to the proper pixelserv-tls address for your installation)

So the updates firewall-start script is

/jffs/scripts/firewall-start

# Allow BR1 to access WAN
iptables -D FORWARD -i br1 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# Prevent BR1 from accessing BR0 and vice versa
iptables -D FORWARD -i br1 -o br0 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

iptables -D FORWARD -i br0 -o br1 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

# DROP NEW packets, will let thru only ESTABLISHED packets
iptables -D INPUT -i br1 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I INPUT -i br1 -m state --state NEW -j DROP

# Allow DNSMASQ to distribute IP addresses for br1.
iptables -D INPUT -i br1 -p tcp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Allow DNSMASQ to distribute IP addresses for br1.
iptables -D INPUT -i br1 -p udp -m multiport --dport 53,67 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -p udp -m multiport --dport 53,67 -j ACCEPT

# Allow guest network devices to access pixelsrv-tls on 192.168.1.2
iptables -D INPUT -i br1 -d 192.168.1.2/32 -p tcp -m multiport --dport 80,443 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -d 192.168.1.2/32 -p tcp -m multiport --dport 80,443 -j ACCEPT

iptables -D FORWARD -i br1 -d 192.168.1.2/32 -p tcp -m multiport --dport 80,443 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br1 -d 192.168.1.2/32 -p tcp -m multiport --dport 80,443 -j ACCEPT

sleep 1
killall eapd
eapd

 

[WillyTP]

Hello everybody.
I've tried this setup on a 2x RT-AC68U setup, the first as Main Router, the second as AiMesh node.

Guest network configuration on the Main Router seems to work properly, I get the IP in the correct / dedicated range.
However, from the AiMesh node the Guest network isn't transmitted at all.

I believe I'm missing something...
From other guides I've found here, I've enabled SSH on node, disabled CTF, enabled JFFS scripts.

However, post #1 says
Set up the same guest network on the secondary router (AP mode), and connect the WAN of the secondary router to the LAN 4 of the primary router

I have no idea about how doing this in AiMesh node mode.
Any hint?

Thank you all!

 

[paboski]

Hello everybody.
I've tried this setup on a 2x RT-AC68U setup, the first as Main Router, the second as AiMesh node.

Guest network configuration on the Main Router seems to work properly, I get the IP in the correct / dedicated range.
However, from the AiMesh node the Guest network isn't transmitted at all.

I believe I'm missing something...
From other guides I've found here, I've enabled SSH on node, disabled CTF, enabled JFFS scripts.

However, post #1 says
Set up the same guest network on the secondary router (AP mode), and connect the WAN of the secondary router to the LAN 4 of the primary router

I have no idea about how doing this in AiMesh node mode.
Any hint?

Thank you all!

Did you managed to get it working ?
I also have an Aimesh setup and need to have guest network propagate to the node