Guest Network - Disable Intranet Access is not working

[htismaqe]

So do I have to reset to factory defaults to get the /jffs/ directory reconstructed correctly?

The actual error message when I try to mkdir scripts is "filesystem is read only".

 

[htismaqe]

So if I re-flash the firmware and reset to factory defaults, should that be good enough to get me back to a good starting point?

 

[Builder71]

So do I have to reset to factory defaults to get the /jffs/ directory reconstructed correctly?

The actual error message when I try to mkdir scripts is "filesystem is read only".

So if I re-flash the firmware and reset to factory defaults, should that be good enough to get me back to a good starting point?

No need for any reset.
Go to "Administration -> System" and click "Enable JFFS partition" "Yes", click "Format JFFS partition at next boot" "Yes".
Click "Apply" at the bottom of the page.

If that is done you can click "Reboot" on top of the page or power cycle the router.

That's all.

 

[htismaqe]

I've done that multiple times.

/jffs/ is empty. No /scripts directory.

 

[RMerlin]

I've done that multiple times.

/jffs/ is empty. No /scripts directory.

http://forums.smallnetbuilder.com/showthread.php?p=115859#post115859

 

[htismaqe]

No luck.

I ran

nvram unset jffs2_size
nvram commit

Re-checked the format option and rebooted. /jffs/ comes back with no /scripts directory.

Will re-flashing and resetting to factory defaults fix it? If it will, I'll go ahead and do it. It's not a big deal, I just want to get it fixed.

 

[RMerlin]

No luck.

I ran

nvram unset jffs2_size
nvram commit

Re-checked the format option and rebooted. /jffs/ comes back with no /scripts directory.

Will re-flashing and resetting to factory defaults fix it? If it will, I'll go ahead and do it. It's not a big deal, I just want to get it fixed.

Flashing the firmware will have no impact at all on the JFFS2 partition.

Try rebooting a second time - some users noticed that was needed after setting the format option on. Also, wait a few minutes before checking - it can take a while for the whole 32 MB to be formatted.

Also check the System Log for any error message related to JFFS.

 

[Builder71]

I would like to test this rule, should we use firewall-start or nat-start?
My router uses the 10.0.0.0/24 range so I will change the rule to:

ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 10.0.0.0/24 --ip-proto tcp -j DROP

I'm running this some time as a firewall-start script and it seems to do the job.

However I do see some logging which I normally never see.
Could this be related to the script?

May 29 22:17:05 kernel: wl0.1: received packet with  own address as source address
May 30 10:55:23 kernel: wl0.1: received packet with  own address as source address
May 30 11:41:05 kernel: wl0.1: received packet with  own address as source address
May 30 17:26:47 kernel: wl0.1: received packet with  own address as source address
May 30 18:10:53 kernel: wl0.1: received packet with  own address as source address
May 31 15:53:03 kernel: wl0.1: received packet with  own address as source address
May 31 20:13:35 kernel: wl0.1: received packet with  own address as source address

 

[Elrond]

I don't see this guest network issue as being fixed as of yet. I just installed the latest firmware (RT-AC66U_3.0.0.4_374.43_0). Perhaps I'm not configuring it properly.

My setup has a primary router that does most of the work, including serving DHCP to the main network. The RT-AC66U connects to this via a long ethernet cable and is set up in Access Point mode with a main WiFi network, and a guest network that I do not wish to have any access to the LAN. As it stands now, there's no difference that I can tell between being connected to either WiFi.

How am I supposed to be able to set a new IP range for the guest network and not allow it access to the LAN?

 

[Elrond]

Nevermind, after perusing some more on the forums I see that this is not a feature that is enabled in Access Point mode.

Does anyone have any suggestions as to how to set up a guest wifi that has no access to the LAN while the router is in AP mode?

 

[jmedaglia]

Hi Merlin!

I was taking a look to the changes in latest Asus build for AC-66U (3.0.0.4.376.1123) which was released a couple of days ago and noticed that this issue doesn't seem to be included, any idea why they didn't fix it?

Thanks!

 

[RMerlin]

Hi Merlin!

I was taking a look to the changes in latest Asus build for AC-66U (3.0.0.4.376.1123) which was released a couple of days ago and noticed that this issue doesn't seem to be included, any idea why they didn't fix it?

Thanks!

They probably just forgot to mention it, since I sent them a patch a few weeks ago. I think I did see it appear in the 1071/1088 code.

 

[Italiano]

I know this is Merlin's firmware topic but Bing sent me here and I didn't want to open another topic.

I'm using stock firmware 3.0.0.4.376_1071. No matter if I set the "access intranet" on guest network to enable or disable I can always access all computers on the guest network and browse their publicly shared folders, etc. BUT I cannot access router user interface on 192.168.1.1 while on the guest network. This is a security flaw IMO. Is anybody else experiencing this?

How can I set access so that people that are on the guest network cannot access each other's computers?

 

[Boost4age]

I have noticed this also, the guest network is not really a guest network because its not segmented at all. We need to be able to create and manage vlans via the GUI

 

[jmedaglia]

Those using stock firmware should just need to upgrade to a latest version, at that moment Asus fixed this regression on stock fw too.

 

[Boost4age]

I was on the latest version, i gave up and decided to switch to ddwrt. I worked it on a few mins then i was able to setup everything how i wanted it.

 

[jmedaglia]

Hi Merlin!

I've recently upgraded to 376.47 from 374.43 and just curious decided to test this feature again.

On 376.47 I am able to ping the router while on guest network, and I'm almost 100% sure that this was not even possible back then when this problem was fixed.

I do see the rule that was missing at that moment and caused this issue so it is not the same cause.

Do you have any ideas of why this is happening?

Thanks in advance

 

[RMerlin]

Hi Merlin!

I've recently upgraded to 376.47 from 374.43 and just curious decided to test this feature again.

On 376.47 I am able to ping the router while on guest network, and I'm almost 100% sure that this was not even possible back then when this problem was fixed.

I do see the rule that was missing at that moment and caused this issue so it is not the same cause.

Do you have any ideas of why this is happening?

Thanks in advance

The router is your default gateway for Internet access, so it's normal for it to be accessible by the clients. Otherwise, clients wouldn't have Internet access either.

 

[Boost4age]

But whats not normal is the guest network being able to contact the internal resources on the main network.

 

[RMerlin]

But whats not normal is the guest network being able to contact the internal resources on the main network.

That's what the Access Intranet option is for.