Force LAN port 4 to use the Guest network for Asus/merlin RT-AC68U

[hardtotell]

I have found that it's necessary to check for the existence of my custom VLAN before creating it because the firmware sometimes does not clear out the Ethernet bridge tables before calling firewall-start.

EXAMPLE:

/jffs/scripts/firewall-start

# RT-AC68U: create vlan14 only if it does not exist
robocfg show | grep -i vlan14 > /dev/null 2>&1 || \
(
  # force LAN port 4 to use the Internet-only Guest Network
  # AND allow wired Ethernet Smart TVs on the Guest Network to access the media server
  robocfg vlan 1 ports "1 2 3 5t"
  robocfg vlan 14 ports "4 5t"
  vconfig add eth0 14
  ifconfig vlan14 up
  brctl addif br0 vlan14
  ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
  ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --src aa:bb:cc:dd:ee:ff --ip-dst 192.168.1.1 --ip-proto tcp --ip-dport 8200 -j ACCEPT
  ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --src aa:bb:cc:dd:ee:fe --ip-dst 192.168.1.1 --ip-proto tcp --ip-dport 8200 -j ACCEPT
  ebtables -t filter -I FORWARD -i vlan14 -o ! eth0 -j DROP
  ebtables -t filter -I FORWARD -i ! eth0 -o vlan14 -j DROP
)

 

[niwmik]

Thanks for this script. I'll be using this in conjunction with a wireless AP. Is there anyway to allow certain mac addresses to have access to the internal network?

 

[DeVasher]

How is DHCP handled in this scenario, are you using the ASUS router for this?
And the network? are the networks using same network, ie 192.168.1.x?

I don't have the best test rig at home, but it look like DHCP still works, I haven't had time to dig into dbtables, but just reading the line it looks like you only handle tcp in the broute when dhcp is only udp. (else there would to be another line with "ip-proto udp") Or have I misunderstood this?

 

[coxhaus]

First of all, A big thank you! This is extactly what I was looking for.

I have a network of UniFi wireless APs (from Ubiquti) that can handle guest networks
So I intend to create a guest network on a vlan, my switch (Cisco SG-300 handles this vlan and can then connect this vlan to my router). The reason of this is simple: Concrete walls and the router is located in the basement...

Now I have bought a AC87U installed merlin version, after running "robocfg show", I get this list:

Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: 54:75:d0:a6:3f:00
Port 1: 1000FD enabled stp: none vlan: 3 jumbo: on mac: 10:bd:18:82:63:53
Port 2:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 50:1a:c5:e5:4d:ed
Port 4:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 8:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
  1: vlan1: 2 3 5 7t
  2: vlan2: 0 7t
  3: vlan3: 1 7t
1045: vlan1045: 1 5t 7t 8t
1046: vlan1046: 2t 3t
1047: vlan1047: 0 1t 4t 5 7t
1099: vlan1099: 1t 2t 3
1100: vlan1100: 0t 1t 4
1101: vlan1101: 0t 3t 7t 8u
1102: vlan1102: 4t
1103: vlan1103: 0 1t 4t

And according to previous posts I guess that I need to change these lines in the script
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"

to something like this
robocfg vlan 1 ports "2 3 7t"
robocfg vlan 10 ports "4 7t"

Am I on the right track?


EDIT: vlan 3 is my second WAN.. so port 1 should not be there either.

I am going to be out of town for awhile but if you have a Cisco SG300 switch let it handle the VLANs. The router does not even need to know about the VLANs. Create a VLAN on the SG300 switch and call it guest. Set 2 SSIDs up and connect the wireless APs to your SG300 switch with a trunk port. The SSID will assign the VLAN. Add an access port for the router and connect it. You don't need the router to know anything about VLANs as the layer 3 switch will handle it.

I run this in my house right now using a SG300-28 switch. It is the way I have my network setup. I don't have an ASUS router but the router does not matter. DHCP is handled by the SG300 switch and each VLAN is assigned a different network.

PS
The default gateway for the SG300 switch will be the router. The default gateway for the devices on your network will be the SG300 switch VLAN IP address for which ever VLAN the device is in. Setup DHCP so it gives out the right default gateway IP address for each VLAN.
For example say VLAN2 is network 192.168.2.0
VLAN2 IP address 192.168.2.254 default gateway for devices on VLAN2 network
device IP addresses start for VLAN2 DHCP 192.168.2.2 - 192.168.2.250

VLAN3 is network 192.168.3.0
VLAN3 IP address 192.168.3.254 default gateway for devices on VLAN3 network
devices IP addresses start for VLAN3 DHCP 192.168.3.2 - 192.168.3.250

 

[TeraBit]

Hi! This is great, although I can't get it to work completely. I run the script once manually and I get the vlan and none of the machines at port 4 can see others. Nice. Then I rebooted the router and had the script in the jffs-dir. The router was stuck. So I tried again, ran the script manually, it worked as before. I rebooted and again the router was stuck.

#!/bin/sh​

# force LAN port 4 to use the Guest network
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! vlan2 -j DROP
ebtables -t filter -I FORWARD -i ! vlan2 -o vlan10 -j DROP​

How do I quote? I took the above script, being aware of that grep -i command that it lacks. Still, after the reboot vlan10 was gone so I dont get why it didn't work.

Doing a robocfg show before I run the script I get:

Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:00:5e:00:01:32
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:21:6a:34:0f:40
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:1f:16:19:33:c4
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 54:04:a6:2a:6e:36
Port 4: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:1d:ec:02:7c:e1
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 4 5t
2: vlan2: 0 5
56: vlan56: 0 4 8t
57: vlan57: 1 4 7
58: vlan58: 2t 3 4 5t 8t
59: vlan59: 0 2t 3t 4t 8u
60: vlan60: 1t 7 8t
61: vlan61: 1t 5t 7 8t
62: vlan62: 0t 4t 5 7 8u
admin@RT-AC68U-BD48:/jffs#​

And after I've used the script I get:

admin@RT-AC68U-BD48:/jffs# ./services-start
admin@RT-AC68U-BD48:/jffs# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:00:5e:00:01:32
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 00:21:6a:34:0f:40
Port 2: 10FD enabled stp: none vlan: 1 jumbo: off mac: 00:1f:16:19:33:c4
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 54:04:a6:2a:6e:36
Port 4: 1000FD enabled stp: none vlan: 10 jumbo: off mac: 00:1d:ec:02:7c:e1
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 1 2 3 5t
2: vlan2: 0 5
10: vlan10: 4 5t
56: vlan56: 0 4 8t
57: vlan57: 1 4 7
58: vlan58: 2t 3 4 5t 8t
59: vlan59: 0 2t 3t 4t 8u
60: vlan60: 1t 7 8t
61: vlan61: 1t 5t 7 8t
62: vlan62: 0t 4t 5 7 8u
admin@RT-AC68U-BD48:/jffs#​

And again, the first time I run this manually, it works fine. Reboot and run the script again and the router gets stuck. Having this script in the jffs-folder of course will make the router unusable and a candidate for a reset. I very much would like to have this up and running and some help from u guys out there would surely be appreciated.

 

[coldwizard]

/jffs/scripts/services-start

#!/bin/sh

# force LAN port 4 to use the Guest network
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD  -i vlan10 -o ! vlan2 -j DROP
ebtables -t filter -I FORWARD  -i ! vlan2 -o vlan10 -j DROP

I looked at the postings in this thread and they all try a DROP on the ebtables -t -I BROUTING ....

In my notes for ebtables, I have the warning to myself:

"in BROUTING chain DROP does NOT mean drop, but rather pass to Route tables OSI layer (layer 3)"

So I am not sure that rule is doing what you think it is intended to do.

Also noted that by post#3 it was split into two scripts to get it to work, and later back into one but at firewall-start not services-start.

 

[wheelq]

Ok so is there a complete, working version of this script?

 

[ASAT]

I need to learn more about this. It seems that the Guest Wi-Fi 2.4GHz and 5.0GHz networks (wl0.1 and wl1.1) both use this same brouting technique to make a Guest Ethernet network. A Guest network means that the computers cannot see each other.

ebtables -t broute -L --Lmac2 --Lc --Ln

 

[RMerlin]

I need to learn more about this. It seems that the Guest Wi-Fi 2.4GHz and 5.0GHz networks (wl0.1 and wl1.1) both use this same brouting technique to make a Guest Ethernet network. A Guest network means that the computers cannot see each other.

ebtables -t broute -L --Lmac2 --Lc --Ln

AP host isolation can be enabled/disabled for each guest network. They will setup different ebtables entries to accomplish this.

 

[ASAT]

Now I see how ASUS uses ebtables to set up the Guest Wi-Fi networks. The ebtables filter table seems to be where the device isolation happens.
2.4 GHz Guest Wi-Fi is on interface wl0.1.
5.0 GHz Guest Wi-Fi is on interface wl1.1.

ebtables -t filter -L --Lmac2 --Lc --Ln

-i wl0.1 -j DROP
-o wl0.1 -j DROP
-i wl1.1 -j DROP
-o wl1.1 -j DROP

ebtables -t broute -L --Lmac2 --Lc --Ln

-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

 

[niwmik]

If I want the device with mac address aa:bb:cc:dd:ee:ff to access the internal network, would I add the line "ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --src aa:bb:cc:dd:ee:ff --ip-dst 192.168.1.0/24 --ip-proto tcp -j ACCEPT" to the script? Tested on the router and it didn't work.

#!/bin/sh
# force LAN port 4 to use the Guest Network for RT-AC66U
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --src aa:bb:cc:dd:ee:ff --ip-dst 192.168.1.0/24 --ip-proto tcp -j ACCEPT
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP

 

[Cake]

BIG thanks hardtotell.
Your script from this post (#7) works perfect for me.
I was working on putting another router behind my router. I plugged LAN port #4 on AC68U to WAN port of old WRT54GL. Working well also is AC68U selective routing to openvpn daemon with scramble patch.

Basically I needed openvpn (a slow WRT54GL) inside another openvpn with XOR scrammble patch (AC68U HGG). Your script now keeps my new guest network off my LAN.
I am in a area that is soon to have something similar to the GF of .cn , this is the only way I could think of to have my own private vpn and also a public vpn that can share to guests (wifi), and my own devices that I don't trust.
Big Thanks.

 

[Hello World]

I needed to restrict LAN port#4 for Internet only use, just like the Wireless Guest Network access. Then I plug an 8-port Ethernet switch into LAN port 4 of the RT-AC68U router, to expand the number of Internet-only wired connections. It is for attaching wired network devices that have no business on my local area network, but need to access the Internet.

After a couple hours of research I got it working. Here it is. It should restrict LAN port#4 to the Internet only, exactly like the Wireless Guest Network access built into the router. Anyone see a hole? Suggestions? Thank you.


/jffs/scripts/services-start

#!/bin/sh

# force LAN port 4 to use the Guest network
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD  -i vlan10 -o ! vlan2 -j DROP
ebtables -t filter -I FORWARD  -i ! vlan2 -o vlan10 -j DROP

How is the VLAN working for you? Have you identified any holes in the firewall? I'm interested in doing exactly what you did to run a minecraft server on Port 4. Any updates? Thanks.

 

[SeaTea]

I am using AsusWRT Merlin on a RT-AC87U and now also have some Ubiquiti Unify accesspoints on my LAN to extend the wifi coverage.
On Merlin I have a wifi guestnetwork. The Ubiquiti A/P can also configure guest access with a separate SSID and tag this with a VLAN.
I like to have this guest network separate from my home network, just like the wifi guest network in Merlin.

I have read this topic, but as far as I understand a LAN-port is used for guestaccess only, while in my case the LAN-port should have "normal" traffic from the A/P as well as "guest" traffic (with VLAN tag).

Could this be done with Merlin ? Is the guestnetwork in Merlin using a VLAN, and if so, could I just use this VLAN tag in my Unify A/P forcing that traffic via Merlin's "guestnetwork" protection ?
If not, how would a script look like where a external VLAN has guestaccess, while traffic without VLAN works like default LAN traffic ?

 

[Fitz Mutch]

how would a script look like where a external VLAN has guestaccess, while traffic without VLAN works like default LAN traffic ?

Here's how I did mine. Anyone see a hola?

/jffs/scripts/firewall-start

#!/bin/sh
local WANIF="$1"
local IPADDR=$(/usr/sbin/nvram get lan_ipaddr)
local NETWORK=${IPADDR%.*}
local NETADDR=$(/usr/sbin/ip route|/bin/grep br0|/usr/bin/cut -d' ' -f1)

#########################################################################################################
# LAN port 4 on the RT-AC68U is a trunk port for a 24-port managed gigabit Ethernet switch
# that has 12 guest Ethernet ports (vlan14), 11 full access Ethernet ports (vlan1),
# and 1 uplink Ethernet port (vlan1 + vlan14)

/usr/sbin/robocfg show | /bin/grep -F vlan14: > /dev/null 2>&1
if [ $? -ne 0 ]; then
  /usr/sbin/robocfg vlan 1 ports "1 2 3 4t 5t"
  /usr/sbin/robocfg vlan 14 ports "4t 5t"
  /sbin/vconfig add eth0 14
  /sbin/ifconfig vlan14 up
  /usr/sbin/brctl addif br0 vlan14
  /usr/sbin/ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --ip-dst ${NETADDR} --ip-proto tcp -j DROP
  /usr/sbin/ebtables -t filter -I FORWARD -i vlan14 -j DROP
  /usr/sbin/ebtables -t filter -I FORWARD -o vlan14 -j DROP
fi
#########################################################################################################

 

[SeaTea]

Here's how I did mine.

Thanks !
I will check it out and see if I can use the same kind of setup here.

 

[Fitz Mutch]

When I use "Access Intranet == off", I trust that my Guest Network devices are isolated. However, the Ebtables BROUTING rule appears to only block TCP, but it seems to work just fine. The Guest Network devices cannot see each other.

/usr/sbin/ebtables -t broute -L BROUTING

Bridge table: broute
Bridge chain: BROUTING, entries: 26, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Is it possible for Guest Network devices to communicate via UDP when "Access Intranet == off"? In other words, is it possible for the Guest Network devices to communicate using an IPv4 protocol other than TCP?

Here's an example of my patched Ebtables BROUTING chain to block all IPv4 protocols between devices on the 2.4GHz Guest Network. I do it for all my Guest Networks, including my wired Ethernet Guest Network. I block everything, except very specific UDP frames between the router and the Guest Nework devices that are required for proper network function. Only DHCP, DNS and NTP are allowed between the router and Guest Network devices.

/usr/sbin/ebtables -t broute -L BROUTING

Bridge table: broute
Bridge chain: BROUTING, entries: 26, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-src 192.168.1.0/24 --ip-dst 192.168.1.1 --ip-proto udp --ip-dport 123 -j ACCEPT
-p IPv4 -i wl0.1 --ip-src 192.168.1.0/24 --ip-dst 192.168.1.1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wl0.1 --ip-src 192.168.1.1 --ip-dst 192.168.1.0/24 --ip-proto udp --ip-sport 67 --ip-dport 68 -j ACCEPT
-p IPv4 -i wl0.1 --ip-src 192.168.1.0/24 --ip-dst 192.168.1.1 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p IPv4 -i wl0.1 --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 -j DROP

 

[The Asgard]

Hi Guys,
I am trying to setup an isolated network with a twist on Lan Port 4 and successfully used HardToTells script, many, many thanks, works great. Is there a way to route OpenVpn Server 2 to this isolated network? Struggling to find any information on what I would need to add to the script.

#!/bin/sh

# force LAN port 4 to use the Guest network
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD  -i vlan10 -o ! vlan2 -j DROP
ebtables -t filter -I FORWARD  -i ! vlan2 -o vlan10 -j DROP

 

[rppower]

Hi and thanks for this script! I have an RT-AC66U and this script worked great but recently I ran another script to create routes for some devices to use my openvpn and others to use the wan. It didn't work well so I removed that modification but ever since when I run the firewall-start script it blocks a mac address on my network; it won't allow it to connect to my guest or regular wifi! the first time it did this it was my laptop's wifi card that was blocked but I didn't realized it was caused by my router and I ended up replacing it with a spare one I had. A few day later, my roku wouldn't connect anymore! That's when I figured it had to be a router problem.. After investigation, I noticed that when I remove the script, all works fine, my roku can connect to the wifi but as soon as I run the firewall-start script, it's blocked. I tried to clear the nvram and load my config from scratch but it blocks another mac address.. When I run "brctl showmacs br0" I see the mac of my Roku in the list and it show "yes" under the "is local?" and the ageing timer is at 0.00, just like 3 other mac address from the router itself. All the other addresses show "no" and have an ageing timer that goes up. Anyone can help?

 

[jimf]

This is sort of an old thread, but just wanted to share a solution to those who wanted to tie in the guest wireless with a new wired vlan. There are only a few lines added to the original script. Tests are good so far but I haven't put it in any startups and it will likely need a tweak or two to play well on bootup. There may be race conditions with the guest network starting (I just assume it's there, along with it's bridge firewall settings) among other issues.

My script is also different from the others as I allow connections to the LAN subnet on the vlan interface (just not the ones on the standard ASUS interfaces), but I restrict TCP connections to the router itself. DHCP seems to still work as served by the AC68U.

Also, as others have said, different models of routers will have slightly different interfaces so the robocfg commands may need to change a little.

I'm not at all an expert on this stuff so if someone wants to critique, I'd be appreciative.

#!/bin/sh
# Force LAN port 4 to use the Guest Network for RT-AC68U
# These ports participate in the guest wireless 2.4 Ghz network

#Get router's LAN IP Address
local IPADDR=$(/usr/sbin/nvram get lan_ipaddr)

#vlan1 is standard ASUS network
#vlan10 is guest network

#Make vlan10 and bring it up
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10

#No connections to router
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst ${IPADDR} --ip-proto tcp -j DROP

#No connections except to WAN
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP

#Allow packets from vlan10 to/from guest wireless network
ebtables -t filter -I FORWARD -i vlan10 -o wl0.1 -j ACCEPT
ebtables -t filter -I FORWARD -i wl0.1 -o vlan10 -j ACCEPT