Guest Network - Disable Intranet Access is not working

[htismaqe]

Quick question...

If the problem was introduced by Asus in 374_4887, would there be a previous version of your FW that I could use until you release the fix?

Or would that be a bad idea (due to some other known issues)?

 

[jmedaglia]

Asus broke it in 374_4887. They changed the ebtables command getting applied, and the new one results in an error due to a missing parameter:

admin@stargate4:/tmp/home/root# ebtables -t broute -A BROUTING -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
For IP filtering the protocol must be specified as IPv4.

I see similar changes to various other BROUTING entries, so I suspect this was a bad search/replace job that ended up modifying that rule when it shouldn't have been.

Thank you RMerlin!

Just curious...does this error or similar ones go to any log file?
Didn't see it on the System Log at least.

 

[RMerlin]

Thank you RMerlin!

Just curious...does this error or similar ones go to any log file?
Didn't see it on the System Log at least.

Probably not. Perhaps through dmesg, put hotherwise they would probably only show up through the serial output.

 

[RMerlin]

Quick question...

If the problem was introduced by Asus in 374_4887, would there be a previous version of your FW that I could use until you release the fix?

Or would that be a bad idea (due to some other known issues)?

Just add the rule manually with a script as posted in a previous message.

 

[Builder71]

When you test you have to logout your wifi client every change you do.
A guest isn't logged in to intranet first and after get blocked from it.

Testing this rule, first put it in firewall-start then you hit apply.
Firewall restart and wifi client gets disconnected and connect again. logout/login therefor it also working.

ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

I would like to test this rule, should we use firewall-start or nat-start?
My router uses the 10.0.0.0/24 range so I will change the rule to:

ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 10.0.0.0/24 --ip-proto tcp -j DROP

 

[Builder71]

OK, I went for the firewall-start script, that seems to do the job.

I don't have IPv6 enabled, but if you do please test that as well.
You probably still can connect to your router and it's services.

 

[htismaqe]

Just add the rule manually with a script as posted in a previous message.

Is there a tutorial somewhere? I briefly had an RT-N66W a couple of months ago and I remember your firmware had a command line tab, can I enter and apply the rules from there?

 

[Builder71]

Is there a tutorial somewhere? I briefly had an RT-N66W a couple of months ago and I remember your firmware had a command line tab, can I enter and apply the rules from there?

The command line from the GUI is gone, security risk.
You have to SSH or telnet into your router.
Enable JFFS if it's not already.
Create a firewall-start script like above with the vi editor.
Make the script executable (chmod a+x firewall-start)
Reboot.

If that sounds like trouble wait for a new release.
Your choice.

Good luck!

 

[htismaqe]

that doesn't sound so bad.

I guess I'll search for a startup script tutorial later and see if I can figure it out.

 

[Builder71]

that doesn't sound so bad.

I guess I'll search for a startup script tutorial later and see if I can figure it out.

That's the spirit!

Start here.

 

[htismaqe]

Well, I tried to get it working but I couldn't figure it out. I did manage to figure out how to input my DHCP reservations via telnet.

I tested the Guest network and I can't access my NAS, printer, or anything else on the internal LAN but I can access the router.

I guess I can just live with it until the fix is released.

 

[jmedaglia]

Come on, don't give up!

If you followed the guide from here: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts it should work just fine.

Some important details you might have missed and are causing your problems:

1) Scripts need to start with a shebang:

#!/bin/sh

2) Script is not executable. Just run following command:

chmod a+rx /jffs/scripts/*

3) Script files is not saved using UNIX Format (very probable if you are writing them in Windows).
Install Notepad++ and go to the menu Edit -> EOL Conversion -> Unix/OSX Format

Hope this helps!

 

[htismaqe]

Here is what I did:

1) Created a script file named firewall-start.sh via TextEdit in OSX (I know the format is ok because my DHCP script works). The script file contains the following:

#!/bin/sh
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst [my router's IP address] --ip-proto udp  --ip-dport 67 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst [my router's IP address] --ip-proto udp  --ip-dport 53 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst [my router's IP address] --ip-proto tcp  --ip-dport 53 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst [my /24 subnet] -j DROP

2) I placed that file on the router in /jffs/scripts/ and made it executable.

From reading the documentation, my assumption is that the script should run anytime the firewall is started, including when I reboot the router.

However I don't have any way of verifying that it actually runs. Right now, it doesn't appear to do anything. I don't see any errors anywhere.

 

[jmedaglia]

Script should be named firewall-start, not firewall-start.sh.

And also, only rule you really need is the last one:

#!/bin/sh
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst [my /24 subnet] -j DROP

 

[htismaqe]

The preceding rules allow DNS lookups. If I just add the last rule, how will the Guest clients resolve hostnames since DHPC is assigning them a namserver host address of the router?

 

[jmedaglia]

So...did it worked? Executing the script I mean.

On the other question, I am not an expert but my guess is that you don't needed because DNS lookups have nothing to do with a bridge (which is what ebtables is about). Different story would be if we were using iptables to block access from guest network.

Did you tested script with only last rule? (or even not the script but executing only that rule from ssh)

 

[sinshiva]

#!/bin/sh

ebtables -t broute -F
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst `nvram get lan_ipaddr`/32 --ip-proto udp  --ip-dport 67 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst `nvram get lan_ipaddr`/32 --ip-proto udp  --ip-dport 53 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst `nvram get lan_ipaddr`/32 --ip-proto tcp  --ip-dport 53 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst `nvram get lan_ipaddr`/24 -j DROP

save as /jffs/scripts/firewall-start

chmod a+rx /jffs/scripts/*

 

[htismaqe]

So how do you guys get the script file onto the router?

I telnet'd into the router to use VI to create the script right on the router. However, /jffs/scripts/ doesn't exist.

The /jffs/ directory is empty and read only, so I can't create a scripts folder.

EDIT: After my previous attempt, I set the "format JFFS partition on next boot" to yes. It appears that it removed /scripts/ and didn't add it back.

 

[RMerlin]

The preceding rules allow DNS lookups. If I just add the last rule, how will the Guest clients resolve hostnames since DHPC is assigning them a namserver host address of the router?

Asus's rule avoids this problem by only specifically dropping TCP. UDP is kept open, which lets your router keep providing DHCP leases and DNS services.

 

[htismaqe]

Honestly, I'm probably to the point where I'll just wait for the fix to be released.

I have like 90% of this down but the other 10% is just killing me. I don't have enough time to mess with it right now.