Guest Network - Disable Intranet Access is not working


Would like to add my own tests:


On AC66U / Merlin 374.42, set a guest SSID with WPA2-AES on 5 GHz.

I connected to the guest SSID and got a DHCP-assigned IP of 192.168.x.15. In Win7 SP1's Network and Sharing Center, the network type was set to "Home Network".

I tried to ping my desktop, which is 192.168.x.100. Console output shows 192.168.x.15, which appears to suggest the router is redirecting all attempts to access the Intranet to the guest node IP itself.

Can browse the network. Can delete UPnP entries on the router. (AC66U forced to be master browser.)

Can't access the D-Link NAS, whether it's the shared folder or the web interface.

Can access AC66U interface and folder shares.
 
RMerlin, I've compared iptables, ebtables and brctl configuration between 374.40 and 374.42 (skipped .41 on this test).

I'm not an expert on any of this but I've found this ebtables rule missing:

Bridge chain: BROUTING, entries: 1, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

Does it make any sense?

Thanks for testing and tracking down an actual regression window. I'll try to track down the change in Asus's code.
 
Would like to add my own tests:


On AC66U / Merlin 374.42, set a guest SSID with WPA2-AES on 5 GHz.

I connected to the guest SSID and got a DHCP-assigned IP of 192.168.x.15. In Win7 SP1's Network and Sharing Center, the network type was set to "Home Network".

I also noticed the same behaviour.
The guest "network" actually is on the same subnet as the standard LAN/WLAN, which IMHO is also a weak spot.
All other routers I know of hand out IPs to guests that are on a different subnet.
 
Thanks for testing and tracking down an actual regression window. I'll try to track down the change in Asus's code.

This is in the bridge chain when the setting is Access Intranet OFF (2.4 GHz):

Code:
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP

This is in the bridge chain when the setting is Access Intranet OFF (5 GHz):

Code:
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl1.1 -j DROP
-o wl1.1 -j DROP

Code:
user@user:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.e03f49ee0ce0       yes             vlan1
                                                        eth1
                                                        eth2
                                                        wl0.1
                                                        wl1.1
 
I also noticed the same behaviour.
The guest "network" actually is on the same subnet as the standard LAN/WLAN, which IMHO is also a weak spot.
All other routers I know of hand out IPs to guests that are on a different subnet.

Netgear doesn't. My Linksys is the first router I've used in years that does the guest network on a separate IP subnet.
 
I am using 142.0 here. I can browse my entire Windows network but am blocked from connecting to any resource except my N66. I have open access to a USB memory stick in the N66 and can log on to the N66 using my username and password.

I think it would be better if the N66 admin pages and network resources were not visible to the "Guest."
 
It's been kind of implicit in a previous post, but if you want to fix this problem you need to:

1) Configure Guest Network to Disable Intranet Access
2) Create a nat-start script that adds the missing ebtables rule to prevent this access. Below is what I am using:

Code:
#!/bin/sh
# Disables TCP access from the Guest Network (wl0.1) to the LAN subnet 192.168.1.0/24,
# which includes the router itself
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

It works like a charm! :)
 
I have just tested and blocking Intranet Access is WORKING, tested on 2.4 GHz.
Your config must have some trouble.

//Octopus

This is in the bridge chain when the setting is Access Intranet OFF (2.4 GHz):

Code:
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP

This is in the bridge chain when the setting is Access Intranet OFF (5 GHz):
 
I have just tested and blocking Intranet Access is WORKING, tested on 2.4 GHz.
Your config must have some trouble.

//Octopus
The rules you are referring to block access to the intranet, but do not block access to the router itself.
 
The rules you are referring to block access to the intranet, but do not block access to the router itself.

Yes it does, blocking 192.168.1.1 just fine.
 
Netgear doesn't. My Linksys is the first router I've used in years that does the guest network on a separate IP subnet.

Yes, Linksys does as well as AVM (Fritzbox, very popular with ISPs here in Germany).
Also my Buffalos do, but these are running DD-WRT. :D
 
Yes it does, blocking 192.168.1.1 just fine.

When you test, you have to log out your wifi client after every change you make.
A guest isn't logged in to the intranet first and then blocked from it afterwards.

To test this rule, first put it in firewall-start, then hit apply.
The firewall restarts and the wifi client gets disconnected and connects again (logout/login), therefore it also works.
Code:
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
 
octopus said:
Code:
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

I propose that potentially more locked-down rules are:

Code:
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.1/32 --ip-proto udp --ip-dport 67 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.1/32 --ip-proto udp --ip-dport 53 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.1/32 --ip-proto tcp --ip-dport 53 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 -j DROP

yay brouting
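A firewall-start style script that combines the nat-start fix posted earlier in the thread with the tighter rule set proposed just above, added here as an example; it is not a script anyone posted in this thread and not part of Asuswrt-Merlin. It assumes a busybox sh on the router with ebtables in PATH, that `nvram get lan_ipaddr` and `nvram get lan_netmask` return the router's LAN address and mask (so the 192.168.1.0/24 subnet is derived rather than hard-coded), and that wl0.1 and wl1.1 are the 2.4 GHz and 5 GHz guest interfaces shown in the brctl output earlier. Two points worth keeping in mind when reading it: the earlier single rule matches only `--ip-proto tcp`, so UDP and ICMP frames to the LAN are still bridged, while the proposed set drops every IPv4 frame to the subnet and therefore needs the DHCP and DNS exceptions listed before the DROP; and in the ebtables broute table DROP means the frame is routed (handed to the router's IP stack) instead of bridged, and ACCEPT means it is bridged normally, which is how these rules keep guest clients from being bridged straight onto the LAN.

```shell
#!/bin/sh
# Added example for this thread (not a script posted here or shipped with
# Asuswrt-Merlin): a firewall-start style installer for the tighter guest
# network BROUTING rules proposed above. Assumptions: busybox sh, ebtables in
# PATH, and Asuswrt nvram variables lan_ipaddr / lan_netmask for the LAN.

# Turn a dotted-quad address and netmask into network/prefix notation, so the
# LAN subnet is not hard-coded (192.168.1.1 255.255.255.0 -> 192.168.1.0/24).
cidr_from_ip_mask() {
    ip=$1
    mask=$2
    old_ifs=$IFS
    IFS=.
    set -- $ip
    i1=$1; i2=$2; i3=$3; i4=$4
    set -- $mask
    m1=$1; m2=$2; m3=$3; m4=$4
    IFS=$old_ifs
    prefix=0
    for m in $m1 $m2 $m3 $m4; do
        # count the set bits of each octet of the (contiguous) mask
        while [ "$m" -gt 0 ]; do
            prefix=$((prefix + (m & 1)))
            m=$((m >> 1))
        done
    done
    echo "$((i1 & m1)).$((i2 & m2)).$((i3 & m3)).$((i4 & m4))/$prefix"
}

# Print one rule spec per line for a guest interface. Order matters: the three
# ACCEPT exceptions (DHCP renewals and DNS to the router itself) must come
# before the final DROP that covers the whole LAN subnet.
guest_rules() {
    gif=$1
    lan_ip=$2
    lan_net=$3
    printf '%s\n' \
        "-p IPv4 -i $gif --ip-dst $lan_ip/32 --ip-proto udp --ip-dport 67 -j ACCEPT" \
        "-p IPv4 -i $gif --ip-dst $lan_ip/32 --ip-proto udp --ip-dport 53 -j ACCEPT" \
        "-p IPv4 -i $gif --ip-dst $lan_ip/32 --ip-proto tcp --ip-dport 53 -j ACCEPT" \
        "-p IPv4 -i $gif --ip-dst $lan_net -j DROP"
}

# Install the rules for one guest interface. Each rule is deleted (ignoring
# "not found") before being appended, so running this on every firewall
# restart neither stacks duplicates nor disturbs the ACCEPT-before-DROP order.
install_guest_rules() {
    gif=$1
    lan_ip=$(nvram get lan_ipaddr)
    lan_net=$(cidr_from_ip_mask "$lan_ip" "$(nvram get lan_netmask)")
    guest_rules "$gif" "$lan_ip" "$lan_net" | while IFS= read -r rule; do
        # $rule is deliberately unquoted so it splits into ebtables arguments
        ebtables -t broute -D BROUTING $rule 2>/dev/null
        ebtables -t broute -A BROUTING $rule
    done
}

# Only touch the bridge when actually running on the router (ebtables and nvram
# present); wl0.1 / wl1.1 are the 2.4 GHz / 5 GHz guest interfaces from brctl.
if command -v ebtables >/dev/null 2>&1 && command -v nvram >/dev/null 2>&1; then
    for gif in wl0.1 wl1.1; do
        install_guest_rules "$gif"
    done
    # show the resulting chain so the install can be checked after a restart
    ebtables -t broute -L BROUTING
fi
```

Save it as /jffs/scripts/firewall-start (executable), as the thread's advice above suggests, and reconnect the guest client after applying, since an already-bridged client's state is not revisited by BROUTING until its next frame arrives.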
 
Thanks for testing and tracking down an actual regression window. I'll try to track down the change in Asus's code.

Asus broke it in 374_4887. They changed the ebtables command getting applied, and the new one results in an error due to a missing parameter:

Code:
admin@stargate4:/tmp/home/root# ebtables -t broute -A BROUTING -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
For IP filtering the protocol must be specified as IPv4.

I see similar changes to various other BROUTING entries, so I suspect this was a bad search/replace job that ended up modifying that rule when it shouldn't have been.
 
Asus broke it in 374_4887. They changed the ebtables command getting applied, and the new one results in an error due to a missing parameter:

Code:
admin@stargate4:/tmp/home/root# ebtables -t broute -A BROUTING -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
For IP filtering the protocol must be specified as IPv4.

I see similar changes to various other BROUTING entries, so I suspect this was a bad search/replace job that ended up modifying that rule when it shouldn't have been.

Can we fix this for now with a user script?
 
Can we fix this for now with a user script?

See earlier posts, there were already mentions of how to manually add the ebtables rule.
 
For those of us that aren't really comfortable with manually fixing, are you working on a fix?
 
For those of us that aren't really comfortable with manually fixing, are you working on a fix?

It's already fixed, but you will have to wait for the next release.
 
Excellent thanks.

My AC68W is due to arrive tomorrow. I guess I might try fixing it myself, otherwise I'll wait. The guest network is one of the features I absolutely need so I'll have to fix it before I can put the router into production.
 
