Guest Network - Disable Intranet Access is not working

jmedaglia

Occasional Visitor
Hi!

I'm running the latest Merlin build (3.0.0.4.374.42_0) on my AC-66U and just noticed that my guest network is able to access the router web interface, even though it is configured with Intranet Access disabled.

Is this broken?

Thanks in advance
 
> Hi!
>
> I'm running the latest Merlin build (3.0.0.4.374.42_0) on my AC-66U and just noticed that my guest network is able to access the router web interface, even though it is configured with Intranet Access disabled.
>
> Is this broken?
>
> Thanks in advance

The router is probably not considered as intranet since it's also the gateway used to access the Internet. So, guest clients need to be able to access the router to get on the Internet.
 
> Hi!
>
> I'm running the latest Merlin build (3.0.0.4.374.42_0) on my AC-66U and just noticed that my guest network is able to access the router web interface, even though it is configured with Intranet Access disabled.
>
> Is this broken?
>
> Thanks in advance

Yes, I would consider it a bug or an undesirable behavior.

On Asus routers, without a guest network, you can cascade another router in a double NAT (LAN to WAN) and still access the primary Asus router. I consider that to be a bug too. You shouldn't be able to access the Asus router at 192.168.1.1 when you're on 192.168.2.x, but you can.

If you have a strong router password, it's no biggie. But you should have a strong router password no matter what. ;)

Minor bug (or minor undesirable behavior)
 
I think you need to create an additional virtual bridge (for example br1) with a different IP subnet (192.168.2.0/24), connect it to wl0.1 (the guest network) and use iptables to block communication between the bridges (br0 <-> br1) but grant access to the WAN port.
 
I have the same problem: on 374.39 it was OK, since .40 this problem appeared. I also think this is a bug (Intranet Access: Disable/Enable doesn't work), because everybody who is connected to your guest network can access everything on your "main" network without any restriction, even if Intranet Access is set to disable.
 
/jffs/scripts/firewall-start

Code:
#!/bin/sh

# Give the guest interface its own subnet so guest traffic is routed, not bridged
ifconfig wl0.1 192.168.87.1 netmask 255.255.255.0

# A BROUTING DROP means "route this frame" instead of bridging it into br0,
# so guests lose layer-2 access to the LAN and every packet goes through iptables
ebtables -F FORWARD
ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p ipv6 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

# Guest -> WAN allowed; new connections between the guest side and the LAN (br0) dropped
iptables -I FORWARD -i wl0.1 -o `nvram get wan0_ifname` -j ACCEPT
iptables -I FORWARD -i br0 -o wl0.1 -m state --state NEW -j DROP
iptables -I FORWARD -i wl0.1 -o br0 -m state --state NEW -j DROP

# The router itself only answers DNS and DHCP from guests. -I prepends, so the
# catch-all DROP is issued first and the ACCEPT rules end up above it
iptables -I INPUT -i wl0.1 -j DROP
iptables -I INPUT -i wl0.1 -p tcp --dport 53 -m state --state NEW -j ACCEPT
iptables -I INPUT -i wl0.1 -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -I INPUT -i wl0.1 -p udp --dport 67 -m state --state NEW -j ACCEPT

# Reload dnsmasq so it picks up the guest interface from dnsmasq.conf.add
service restart_dnsmasq

/jffs/configs/dnsmasq.conf.add

Code:
# Serve DHCP and DNS on the guest interface
interface=wl0.1
# Guest address pool with a one-day lease
dhcp-range=wl0.1,192.168.87.100,192.168.87.199,255.255.255.0,86400s
# Option 3 = default gateway, option 6 = DNS servers (both the router's guest address)
dhcp-option=wl0.1,3,192.168.87.1
dhcp-option=wl0.1,6,192.168.87.1,192.168.87.1

To give guests access to a service on a host on the primary LAN, add to the script:

Code:
iptables -I FORWARD -i wl0.1 -d 192.168.1.101/32 -p tcp --dport 80 -j ACCEPT

Vice versa:
Code:
iptables -I FORWARD -i br0 -d 192.168.87.123/32 -p tcp --dport 80 -j ACCEPT

[edit] Forgot to mention: OpenVPN inserts rules after this script that open them up from the guest side. Dunno what to do about that. Besides that, the guests get nothing but 'net :p
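The isolation approach in the post above, rewritten as a parameterized rule generator that can be reviewed before it touches a router. This is an added example, not the poster's firewall-start script: the interface and subnet names (wl0.1, br0, 192.168.87.0/24) follow the post, WAN_IF=eth0 is a constructed default standing in for `nvram get wan0_ifname`, and the dry-run wrapper and the ordering self-check are additions. With DRY_RUN=1 (the default) it only prints the commands, so the rule set can be read on a workstation before being put into /jffs/scripts/firewall-start with DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not the forum poster's firewall-start script): the same
# guest-isolation idea as a parameterized, dry-run-capable rule generator.
# GUEST_IF/GUEST_NET/LAN_BR follow the post; WAN_IF=eth0 is a constructed
# default standing in for `nvram get wan0_ifname` on the router.
# DRY_RUN=1 (default) prints the commands instead of executing them.

GUEST_IF="${GUEST_IF:-wl0.1}"
GUEST_NET="${GUEST_NET:-192.168.87}"   # first three octets of the guest /24
LAN_BR="${LAN_BR:-br0}"
WAN_IF="${WAN_IF:-eth0}"               # assumption; use nvram on the router
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 1: own subnet on the guest interface, so guest traffic must be routed.
guest_addr() {
    run ifconfig "$GUEST_IF" "$GUEST_NET.1" netmask 255.255.255.0
}

# Step 2: a BROUTING DROP means "route this frame, do not bridge it", which
# removes layer-2 reachability of LAN hosts and sends every packet through
# the iptables FORWARD chain.
guest_broute() {
    for proto in ipv4 ipv6 arp; do
        run ebtables -t broute -I BROUTING -p "$proto" -i "$GUEST_IF" -j DROP
    done
}

# Step 3: guest -> WAN allowed, new guest <-> LAN connections dropped.
guest_forward() {
    run iptables -I FORWARD -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
    run iptables -I FORWARD -i "$LAN_BR" -o "$GUEST_IF" -m state --state NEW -j DROP
    run iptables -I FORWARD -i "$GUEST_IF" -o "$LAN_BR" -m state --state NEW -j DROP
}

# Step 4: the router only answers DHCP and DNS on the guest side. -I prepends,
# so the catch-all DROP is issued first and the ACCEPTs end up above it.
guest_input() {
    run iptables -I INPUT -i "$GUEST_IF" -j DROP
    run iptables -I INPUT -i "$GUEST_IF" -p udp --dport 67 -m state --state NEW -j ACCEPT
    run iptables -I INPUT -i "$GUEST_IF" -p udp --dport 53 -m state --state NEW -j ACCEPT
    run iptables -I INPUT -i "$GUEST_IF" -p tcp --dport 53 -m state --state NEW -j ACCEPT
}

# Optional: expose one LAN host's TCP port to guests, as in the post.
guest_allow_lan_service() {
    run iptables -I FORWARD -i "$GUEST_IF" -d "$1/32" -p tcp --dport "$2" -j ACCEPT
}

# Emit the whole rule set; in dry-run mode this is the reviewable output.
guest_rules() {
    guest_addr; guest_broute; guest_forward; guest_input
}

# Self-check of the step-4 ordering: replay the INPUT commands with -I
# (prepend) semantics and confirm all three ACCEPTs precede the DROP.
guest_input_order_ok() {
    final=""
    for line in $(DRY_RUN=1 guest_input | tr ' ' '_'); do
        final="$line $final"
    done
    seen=0
    for line in $final; do
        case "$line" in
            *ACCEPT) seen=$((seen + 1)) ;;
            *DROP)   [ "$seen" -eq 3 ] && return 0; return 1 ;;
        esac
    done
    return 1
}

if [ "${1:-}" = "show" ]; then guest_rules; fi
```

`sh guest-isolation.sh show` prints the rules. guest_input_order_ok replays the INPUT commands with -I (prepend) semantics and confirms the DHCP/DNS ACCEPTs land above the catch-all DROP; that ordering is what the whole INPUT section depends on, and it is the first thing to re-check after reordering lines. dnsmasq still needs the interface and range from the dnsmasq.conf.add in the post.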
 
> I have the same problem: on 374.39 it was OK, since .40 this problem appeared. I also think this is a bug (Intranet Access: Disable/Enable doesn't work), because everybody who is connected to your guest network can access everything on your "main" network without any restriction, even if Intranet Access is set to disable.
Forgot to mention but as bmi says, this worked as expected on a previous build (can't confirm which one though).

A couple of things I've changed but I don't think are related at all:

1) Changed to HTTPS to access router Web interface (reverted back to HTTP but makes no difference)
2) Installed Entware (and some modules with a web interface that now I can access from guest network too, which is why I noticed and why IMO this is not a minor problem).

Thank you all!
 
For me this works as expected.
If I'm on the guest WiFi, I'm NOT able to connect to anything on the intranet.
(Only internet access.)

It is possible to connect to the router's web page, but this seems logical because it's the default gateway.

Nothing wrong as I can tell. :confused:
 
> For me this works as expected.
> If I'm on the guest WiFi, I'm NOT able to connect to anything on the intranet.
> (Only internet access.)
>
> It is possible to connect to the router's web page, but this seems logical because it's the default gateway.
>
> Nothing wrong as I can tell. :confused:
Sorry to disagree, but from the Guest Network I am even able to browse the shared drive I have connected to the router. It's much more than just the web page that is accessible from the Guest Network.

I am sure this used to be working on a previous build; does someone know if it is safe to downgrade to try to confirm on which one this is broken?
 
This is something that is definitely broken in 374.42 with regards to the Guest Wireless and restricting LAN access.

I tested on my RT-N66U with the Guest Network ssid and not only could I access and connect to the router's Administration interface (using the proper password, of course), but I could also browse all my networked devices (computers, NAS, switches and printers).

With the Access Intranet setting at 'off' - I could see all the devices on my network but could not connect to any of them except for the Router itself (but I have no USB disk connected) and the Administration gui.

With the Access Intranet setting at 'on' - I could see and connect to everything just as I can with my main ssid (this is the expected behavior, of course).

***
(I rebooted the router and the computer between my testing. I changed ssid's to be sure. I also made sure to clear my DNS cache, 'just in case').

This is a very, very serious issue and needs to be addressed immediately.

I don't know if the official Asus firmware(s) have this issue and I can't test it right now either. But the RMerlin firmware should not be used with Guest Accounts enabled if you want to provide only internet access to those guests.

My solution right now is to disable Guest Accounts entirely (frustrating - time is too precious right now to find a firmware version that works properly).

I hope Asus or RMerlin fix this soon with a 374.43 update.

This was definitely working on previous versions as that was one of my criteria for a router in the first place. I guess I'll have to be testing for this aspect too with any new firmware versions going forward.

Thank you jmedaglia for bringing this to our attention.

RMerlin; being able to access the router's administration page was NOT possible in previous versions at all. I don't think I could even see the router in the network.
 
> This is something that is definitely broken in 374.42 with regards to the Guest Wireless and restricting LAN access.
>
> I tested on my RT-N66U with the Guest Network ssid and not only could I access and connect to the router's Administration interface (using the proper password, of course), but I could also browse all my networked devices (computers, NAS, switches and printers).
>
> With the Access Intranet setting at 'off' - I could see all the devices on my network but could not connect to any of them except for the Router itself (but I have no USB disk connected) and the Administration gui.
>
> With the Access Intranet setting at 'on' - I could see and connect to everything just as I can with my main ssid (this is the expected behavior, of course).
>
> ***
> (I rebooted the router and the computer between my testing. I changed ssid's to be sure. I also made sure to clear my DNS cache, 'just in case').
>
> This is a very, very serious issue and needs to be addressed immediately.

Works fine on my RT-AC68U. My guest client gets a "host unreachable" when trying to ping my desktop.
 
Also tested with the RT-AC66U (MIPS), working fine here - netbook gets a host unreachable when trying to ping a laptop connected to the same LAN.
 
> Works fine on my RT-AC68U. My guest client gets a "host unreachable" when trying to ping my desktop.

Just to clarify RMerlin, the problem is not reaching the intranet but reaching the router.
On a previous version of the firmware it was not possible from Guest Network to access any service in the router (admin page, shared disk, shared printer, any running entware service, etc).

But at least on build 374.42, the guest client has complete access to the router, which IMO is an important security problem and kind of makes the guest network useless. It is supposed to only give internet access.

It is not clear if this is an Asus bug or not, but like I said, used to behave differently.

Thank you RMerlin.
 
> Also tested with the RT-AC66U (MIPS), working fine here - netbook gets a host unreachable when trying to ping a laptop connected to the same LAN.

Like L&LD, I've also seen guests have access to the LAN on previous firmwares, but in my most recent test, on .42, they did not.
 
> Just to clarify RMerlin, the problem is not reaching the intranet but reaching the router.
> On a previous version of the firmware it was not possible from Guest Network to access any service in the router (admin page, shared disk, shared printer, any running entware service, etc).

Someone will have to point at a specific firmware version to prove it, because technically, it doesn't make any sense. A guest needs to reach the router to be able to reach the Internet as it's its gateway, so I don't see how the router could prevent access to guest clients while still providing them with Internet access.

I also remember someone complaining about this over a year ago, so I highly doubt it ever behaved differently.
 
Do I have to take any special consideration for downgrading the firmware in order to test this?
 
> Someone will have to point at a specific firmware version to prove it, because technically, it doesn't make any sense. A guest needs to reach the router to be able to reach the Internet as it's its gateway, so I don't see how the router could prevent access to guest clients while still providing them with Internet access.
>
> I also remember someone complaining about this over a year ago, so I highly doubt it ever behaved differently.

What if I close ports on the router host from the guest WiFi?


Code:
iptables -I INPUT -i wl0.1 -p tcp --dport https -j REJECT

Does it work or not?
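Whether a single REJECT like the one above actually closes the router to guests can be checked without a router, by replaying rule lists against the ports a guest client would try. This is an added example, not part of the post: the rule lists and the service list are constructed for the check (wl0.1 and the ACCEPT chain policy follow the thread; SSH and SMB are illustrative entries standing for any other service the router listens on). It shows that a rule matching only tcp/443 leaves the HTTP admin page (which the OP had reverted to) and every other listener reachable, while a default-deny list that only answers DHCP and DNS on the guest interface closes them.

```shell
#!/bin/sh
# Added example, not from the forum post: a first-match evaluator for a list
# of INPUT rules, used to see what a guest on wl0.1 can still reach on the
# router itself. Rule lines are "iface proto dport target", "*" is a
# wildcard, and the lists below are constructed for the check; they are not
# a dump of the router's real chain.

# A single REJECT for HTTPS only, as suggested in the post.
ONLY_HTTPS_REJECT='wl0.1 tcp 443 REJECT'

# Default-deny for the guest interface: DHCP and DNS answered, nothing else.
GUEST_DEFAULT_DENY='wl0.1 udp 67 ACCEPT
wl0.1 udp 53 ACCEPT
wl0.1 tcp 53 ACCEPT
wl0.1 * * REJECT'

# match WANT GOT: true when WANT is the wildcard or equals GOT.
match() { [ "$1" = "*" ] || [ "$1" = "$2" ]; }

# verdict RULES IFACE PROTO DPORT: prints the target of the first matching
# rule, or the chain policy (ACCEPT, as on the router) when none matches.
verdict() {
    printf '%s\n' "$1" | {
        while read -r r_if r_proto r_port r_target; do
            if match "$r_if" "$2" && match "$r_proto" "$3" && match "$r_port" "$4"; then
                printf '%s\n' "$r_target"
                exit 0
            fi
        done
        printf '%s\n' ACCEPT
    }
}

# open_services RULES: names of the illustrative router services a guest on
# wl0.1 can still reach under RULES, space separated.
open_services() {
    out=""
    for svc in http:tcp:80 https:tcp:443 ssh:tcp:22 smb:tcp:445 dns:udp:53 dhcp:udp:67; do
        name=${svc%%:*}; rest=${svc#*:}; proto=${rest%%:*}; port=${rest#*:}
        v=$(verdict "$1" wl0.1 "$proto" "$port")
        [ "$v" = "ACCEPT" ] && out="$out $name"
    done
    printf '%s\n' "${out# }"
}

echo "single https REJECT leaves open: $(open_services "$ONLY_HTTPS_REJECT")"
echo "guest default-deny leaves open:  $(open_services "$GUEST_DEFAULT_DENY")"
```

The evaluator only models interface, protocol and destination port, which is enough for this question: the answer to "does it work" is that the single rule works for port 443 and nothing else, so the admin page over HTTP, the shared disk and any Entware service stay reachable until the guest interface gets a deny-by-default INPUT policy with explicit exceptions.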
 
> Someone will have to point at a specific firmware version to prove it, because technically, it doesn't make any sense. A guest needs to reach the router to be able to reach the Internet as it's its gateway, so I don't see how the router could prevent access to guest clients while still providing them with Internet access.
>
> I also remember someone complaining about this over a year ago, so I highly doubt it ever behaved differently.
RMerlin, I've just downgraded and confirmed that in 374.40 it WAS working as expected, this behavior changed in 374.41.

Hope this helps and thanks in advance.
 
> RMerlin, I've just downgraded and confirmed that in 374.40 it WAS working as expected, this behavior changed in 374.41.
>
> Hope this helps and thanks in advance.
RMerlin, I've compared iptables, ebtables and brctl configuration between 374.40 and 374.42 (skipped .41 on this test).

I'm not an expert on any of this but I've found this ebtables rule missing:

Code:
Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Does it make any sense?
 
> Just to clarify RMerlin, the problem is not reaching the intranet but reaching the router.
> On a previous version of the firmware it was not possible from Guest Network to access any service in the router (admin page, shared disk, shared printer, any running entware service, etc).

I tend to agree with the OP.
A guest network should be considered as WAN side, security-wise.
If I disable service accessibility from the WAN, I'd expect them disabled on the guest side as well.
 
