Guest Network in Access Point Mode

WJKramer

Occasional Visitor
n00b! Hi all...love the site. Learning so much!

Questions for the experts...I am not a forum n00b though....I did search first!

I just purchased the ASUS RT-N66U "Dark Knight" but let me tell you about my set up first. I have 35/35Mbs Verizon FiOS fiber to the door. It runs Coaxial through my home to the crap Verizon Actiontech M1424WR Modem/WiFi Router. I have disabled the wireless G function. I then bridge, up a floor in my home, via Belkin Powerline AV500s to my new ASUS Dark Knight (stupid name) router. I run a 2.4 and 5.0GHz network simultaneously. I need the FiOS modem on the bottom floor so I can hardwire my desktop computer but I wanted the WiFi access point on the middle floor for best penetration (that's what she said) after much testing.

Question 1: When I run a 2.4GHz Guest network with no INTRANET access I can connect to it but get no INTERNET access. Does this have something to do with me running it as an access point and not in router mode?

Question 2: Under advanced wireless settings and the professional tab is the Tx Power adjustment. The help says between 0-100mW but the note below says 500mW max. Also I can't seem to get the 5.0GHz up past 250mW. What are some recommended settings?

I am running firmware version 3.0.0.3.108. Thanks in advance!
 
In AP mode you lose all the bells and whistles that router mode provides, all you get is a single SSID per radio that functions correctly.
 
So....is there any way to change my setup to allow this to work? Problem is it comes into my home via coax and the Verizon modem has to do the conversion work. Any ideas appreciated.
 
Why is it so critical to have a guest SSID?

1. You can use another old router as an AP to make another SSID available.

2. You could move the Verizon router upstairs, bridge it (will lose FiOS TV media guide and other features if you have it) or deal with double NAT when using the ASUS as a router and plug in the desktop downstairs over the powerline network. That's if all devices need to be on the same subnet.

3. You can use the ASUS as a router upstairs, it will be double NAT though. This will also put everything using the ASUS on a separate subnet, however.

4. I don't normally recommend it, but since the router features you're wanting get disabled by simply turning off DHCP and you can feasibly run two DHCP servers on one network, I guess it can be an option. You will need to have each router serve a different pool of IP addresses within the subnet. For example:

Verizon:
LAN IP: 192.168.1.1
DHCP pool: 192.168.1.155-192.168.1.254

ASUS:
LAN IP: 192.168.1.2
DHCP pool: 192.168.1.55-192.168.1.154

This setup would make use of the current wiring configuration (the connection to the ASUS should stay on a LAN port), all that should need changing is probably just settings on the ASUS, mainly turning DHCP back on and changing the DHCP pool to not overlap the Verizon DHCP pool.
 
Actually you can make it work with Asuswrt-Merlin (I tested this on a RT-AC68U and RT-AC56U). As the guest access separation is handled by ebtables, you need to put the following ebtables config into your secondary AP -

ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT

Where xx:xx:xx:xx:xx:xx is the MAC address of the primary router's LAN interface (br0).

In short, this will allow the secondary AP guest networks to send broadcast traffic to your LAN for ARP and DHCP, and it will allow your router's LAN interface to communicate with guest users on your AP. By inserting the rules at the front of the FORWARD chain, the traffic will be allowed before it hits the DROP rules that do the guest separation -

-i wl0.1 -j DROP
-o wl0.1 -j DROP
-i wl1.1 -j DROP
-o wl1.1 -j DROP
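As an added example (not code from the thread or from Asuswrt-Merlin), here is how the recipe above can be wrapped in a small POSIX sh script for services-start: it validates the upstream router's LAN MAC before anything touches the bridge filter, inserts the three ACCEPT rules at the head of FORWARD and appends the DROP rules so their relative order cannot break, and removes an earlier copy of each rule before re-adding it so a reboot or re-run does not stack duplicates. The MAC 00:50:56:2e:33:02 is the one used later in the thread; the script name, the APPLY variable and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or Asuswrt-Merlin): build the guest
# isolation rule set from the recipe above, validating the upstream router's
# LAN MAC first and placing rules so that the ACCEPTs always precede the
# DROPs. Assumes an Asuswrt-Merlin AP where `ebtables` is on PATH; without
# APPLY=1 it only prints the commands it would run.

# Succeed if $1 is a well-formed unicast MAC (aa:bb:cc:dd:ee:ff).
valid_mac() {
    case "$1" in
        ??:??:??:??:??:??) ;;
        *) return 1 ;;
    esac
    printf '%s' "$1" | tr -d ':' | grep -Eq '^[0-9a-fA-F]{12}$' || return 1
    # Bit 0 of the first octet set means a group (multicast/broadcast)
    # address, which is never a router's LAN interface: refuse it.
    first=${1%%:*}
    [ $(( 0x$first & 1 )) -eq 0 ]
}

# Print the ebtables commands for upstream MAC $1 and guest interfaces $2...
# ACCEPTs are inserted at the head of FORWARD, DROPs are appended, so the
# order does not depend on how many rules the firmware already has there.
guest_rules() {
    mac=$1
    shift
    valid_mac "$mac" || { echo "guest_rules: invalid unicast MAC '$mac'" >&2; return 1; }
    [ $# -ge 1 ] || { echo "guest_rules: need at least one guest interface" >&2; return 1; }
    echo "ebtables -I FORWARD 1 -d Broadcast -j ACCEPT"
    echo "ebtables -I FORWARD 1 -s $mac -j ACCEPT"
    echo "ebtables -I FORWARD 1 -d $mac -j ACCEPT"
    for ifc in "$@"; do
        echo "ebtables -A FORWARD -i $ifc -j DROP"
        echo "ebtables -A FORWARD -o $ifc -j DROP"
    done
}

# Run the rules. services-start executes on every boot and a re-run would
# stack duplicate rules, so each rule is deleted (if present) before it is
# added again.
apply_guest_rules() {
    command -v ebtables >/dev/null 2>&1 || { echo "ebtables not found" >&2; return 1; }
    guest_rules "$@" | while IFS= read -r cmd; do
        spec=${cmd#ebtables -? FORWARD }   # strip "ebtables -I FORWARD " / "-A FORWARD "
        spec=${spec#1 }                    # and the insert position, if any
        ebtables -D FORWARD $spec 2>/dev/null
        $cmd || echo "failed: $cmd" >&2
    done
}

# Usage on the AP (dry run first, then APPLY=1 to enforce):
#   sh guest-rules.sh 00:50:56:2e:33:02 wl0.1 wl1.1
#   APPLY=1 sh guest-rules.sh 00:50:56:2e:33:02 wl0.1 wl1.1
if [ $# -ge 2 ]; then
    if [ "${APPLY:-0}" = 1 ]; then apply_guest_rules "$@"; else guest_rules "$@"; fi
fi
```

Appending the DROP rules with -A instead of the thread's `-I FORWARD 4` avoids counting positions by hand: whatever is already in the chain, the ACCEPTs inserted at position 1 stay above the DROPs, which is exactly the ordering the post relies on.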
 
I am trying to do the same thing. I have Verizon FiOS modem and 2 RT-N66U devices. I would like the FiOS Modem to handle DHCP yet have guest access on both RT-N66U devices. This is because I am in a large building and need to extend wireless to the lower level and still have access to the resources on the top level.

Would I enter the commands by SSH? I am not a networking guy so any help is great!!!
 
Hi,

Was the secondary AP running in Router mode or AP mode out of interest? Reason I ask is that in AP mode, you seem to lose the separation functionality.

P.

 
Can anyone explain how to do this? Thanks in advance

 
A bit late to this party but I too am having difficulty isolating the guest network hosts (wl0.1) from each other when used as an access point. From the instructions in post #5 and a few other threads I came up with the following:

*Note* guest lan is on vlan4, not vlan1. Bridge br1 couples wl0.1 and vlan4.

Code:
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 5 -o wl0.1 -j DROP

The xxx is replaced with the lan mac of the upstream firewall/router. It seems no blocking is taking place. Able to ping and view networks shares of wireless guests on the wl0.1 network.

When used by themselves, the last 2 lines above do block all traffic on wl0.1, including traffic destined to the upstream firewall/router.

I'm open to suggestions?
 
I think I made some progress.

Using the entries below, I now have guest isolation between wifi guests as well as lan clients who are on the guest vlan. Why would a wired client be on the guest vlan? So that they too could be isolated from the rest of the network.

Code:
#enable wifi guest isolation (for wifi clients only, not lan)
wl -i wl0.1 ap_isolate 1

#block lan access too
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 4 -o wl0.1 -j DROP

The key is the wl command. Found it in this post - https://www.snbforums.com/threads/guest-network-working.10913/#post-68570 . It seems setting nvram variables to do the same didn't work. This does. The 2nd set of entries blocks the lan access.

I've tested this with several different wired and wireless clients as well as a combination. It would be great if someone else could confirm my results. Again keep in mind, the RT is only acting as an AP for an upstream firewall (utm). AND, the guest network is on vlan4. Something else I discovered, if there's multiple APs (I have 2), this has to be run on each one otherwise isolation is broken.

My goal in setting this was for several reasons - guest wifi access without any access to the local lan, IoT devices that should just have limited internet access (specific ports and/or destinations, nothing more, controlled by the firewall).
 
This is great. I want to do something very similar on my 2 AC68Us. A few questions if you have a moment:

  • If I don't care about isolating the wireless clients from each other, just keep them from my intranet on the unit in AP mode, I just remove that wl line and use the rest?
  • How do I specify the guest wifi should use vlan4? My robocfg show indicates no vlan4 so I guess I need to define it but I'm unsure how and which ports to include and which if any are tagged
  • Do I just put this on the AP mode unit or do I use it on the router mode unit as well? I'm guessing doing it on both wouldn't hurt anything, but unsure.
Thanks much!


 

1) That is correct

2) I posted this script in one of the vlan threads, but here's my services-start script again. Vlan definition occurs in the lines prior to nvram definitions. I have parts of vlan 5 defined but haven't started using it yet. Tagged or untagged is a topic for another thread. It really depends on what your goals are. It took lots of time to get my head wrapped around proper format of the robocfg lines. Of the 3 routers, 2 are in AP mode while the third has its wifi turned off entirely. All 3 are used to carry various vlan traffic. My network is not a star configuration, but rather serial/daisy chained APs used as smart switches.

Eventually I'll refine the robocfg lines to consolidate vlan traffic to fewer ports.

3) Probably both if you want the isolations to remain regardless of which router the guest is connected to. Or you could just define the guest network on one AP only. In my case all are in AP mode because another piece of hardware handles the routing/firewall/dhcp/dns/etc functions.

Code:
admin@Router2:/jffs/scripts# cat services-start
#!/bin/sh

#create vlans 1, 3, 4 and 5 on the switch (vlan 5 is defined but not used yet)

/usr/sbin/robocfg vlan 3 ports "0t 1t 2t 3t 4t 5t"
/usr/sbin/robocfg vlan 1 ports "0 1 2 3 4 5t"
/usr/sbin/robocfg vlan 4 ports "0t 1t 2t 3t 4t 5t"
/usr/sbin/robocfg vlan 5 ports "0t 1t 2t 3t 4t 5t"

#add vlan 3, 4 and 5 interfaces on eth0
/sbin/vconfig add eth0 3
/sbin/vconfig add eth0 4
/sbin/vconfig add eth0 5

#bring vlan 3, 4 and 5 up
/sbin/ifconfig vlan3 up
/sbin/ifconfig vlan4 up
/sbin/ifconfig vlan5 up

brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
#brctl delif br0 wl1.1
#brctl addif br1 wl1.1
brctl addif br1 vlan4
ifconfig br1 up


nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan4 wl0.1"
nvram set lan1_ifname="br1"
nvram set wl0.1_closed=1


#nvram commit
killall eapd
eapd


#enable wifi guest isolation (for wifi clients only, not lan)
wl -i wl0.1 ap_isolate 1

#block lan access to/from wifi guests
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s 00:50:56:2e:33:02 -j ACCEPT
ebtables -I FORWARD 1 -d 00:50:56:2e:33:02 -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 4 -o wl0.1 -j DROP


#start of entware loading
RC='/opt/etc/init.d/rc.unslung'

i=30
until [ -x "$RC" ] ; do
  i=$(($i-1))
  if [ "$i" -lt 1 ] ; then
    logger "Could not start Entware"
    exit
  fi
  sleep 1
done
$RC start
 
Thank you very much!
 
GPZ and others, thanks for the code! If I only had 2 routers in total (one router set up as an AP connected through its WAN port to the main router) and I wanted to just use guest isolation would my services-start look like this?

Code:
#enable wifi guest isolation (for wifi clients only, not lan)
wl -i wl0.1 ap_isolate 1

#block lan access to/from wifi guests
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s 00:50:56:2e:33:02 -j ACCEPT
ebtables -I FORWARD 1 -d 00:50:56:2e:33:02 -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 4 -o wl0.1 -j DROP

I know your services-start file does more but I'm just looking to utilize the guest network isolation on the AP and I wanted to make sure I understood it correctly.

Thanks!
 
^^You would need to update the mac addresses to reflect the lan mac of the upstream router. Aside from that I think that's all you'd need.

I think you may need to restart the wifi security too. I can't remember if that was necessary because I moved wl0.1 from br0 to br1 (different vlan).

Code:
killall eapd
eapd

Keep in mind, with the code you posted, wl0.1 clients will be isolated from each other and from accessing the lan, but lan (wired) clients will still be able to see/access the guest clients. So it's not a total isolation from the wired perspective. That's why I think putting the guest network on a separate vlan results in complete isolation from wired clients [on default vlan (vlan1)].
 
Thanks for the quick response GPZ! All the IoT devices I'm trying to isolate are wireless so I can't think of a case where I'd need to protect wired lan clients from seeing/accessing wireless guest network clients but if I did how would the code change?

I'm trying to learn this as I haven't done much cli with routers. Should I create the guest network (GUI) on the AP before submitting the code?
 
It might be possible to block access to wireless guests from wired using ebtables or iptables. Neither of which I'm versed in. Setting up vlans was the next best alternative. This was already a necessity for several wired IOT devices anyway. Sophos utm allows for really granular firewall control over much of the network. Implementing this on a vlan basis is much easier than specifying client specific rules. For example, the 2 obi devices are on their own vlan (vlan 3). That vlan only has internet access to ports needed for voip/google voice access, nothing else. Adding a future ata will just require placing it in the proper vlan.

The guest wifi vlan only has access to http/https, nothing else.

Post exactly what you're trying to accomplish. We can try to make suggestions. I chose using a separate firewall/router device because it allows much greater control over the network, better reporting, increased vpn speed, etc.

Yes, guest network(s) are created within the GUI.
 
Hello, All. I have been doing research and following this thread. Thanks for getting me most of the way to where I am trying to go:

Block wireless guest access on my access point (I have two Asus routers - one in router mode and one in AP mode). I have guest access on each but the AP was allowing access to the LAN. I fixed that by implementing the following in my "services-start" script.

However, I can still access the IP addresses of the router and the AP from the guest, but everything else on the LAN is blocked. Here is the code I am using in the script. Please tell me what I should add to block access to the router and access point:

Code:
#!/bin/sh
#nvram commit
killall eapd
eapd
#enable wifi guest isolation (for wifi clients only, not lan)
wl -i wl0.1 ap_isolate 1
#block lan access to/from wifi guests
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s XX:XX:XX:XX:XX:XX -j ACCEPT
ebtables -I FORWARD 1 -d XX:XX:XX:XX:XX:XX -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 4 -o wl0.1 -j DROP
#start of entware loading
RC='/opt/etc/init.d/rc.unslung'
i=30
until [ -x "$RC" ] ; do
  i=$(($i-1))
  if [ "$i" -lt 1 ] ; then
    logger "Could not start Entware"
    exit
  fi
  sleep 1
done
$RC start

Where XX:XX:XX:XX:XX:XX is the MAC of the main router's LAN br0.

Please assist and thanks in advance.
 
BUMP!

Great script!!
Question; is the guest network created by the above script running on the AP bridged to the main router guest network? The reason I ask is for IOT devices such as the Nest Protect where all devices need to be on same subnet and be able to talk to each other..
 
Just trying the script on my rt-ac66u b1 in AP-mode connected to a rt-ac86u router. The script does not seem to work. I have commented out the line for wifi guest isolation since I want clients on the Guest network to be able to communicate.

using: nvram show | grep lanaccess

admin@RT-AC66U_B1-9D38:/tmp/home/root# nvram show | grep lanaccess
wl0.3_lanaccess=off
wl1.3_lanaccess=off
wl_lanaccess=off
wl1_lanaccess=off
size: 53801 bytes (11735 left)
wl0.1_lanaccess=off
wl1.1_lanaccess=off
wl0.2_lanaccess=off
wl1.2_lanaccess=off
wl0_lanaccess=off

Does this show that the script is working? But still I can browse every unit on my lan from the guest network.

Any ideas?
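The post above shows why nvram output is not evidence of isolation: `wl0.1_lanaccess=off` records a setting, and, as earlier replies in this thread note, in AP mode that setting does not turn into bridge-filter rules. As an added example (not part of the thread), the following POSIX sh audit reads an `ebtables -L FORWARD` listing and the value reported by `wl -i wl0.1 ap_isolate` and reports what is missing or mis-ordered; it also covers the point from GPZ's earlier post that guest-to-guest isolation is done by the wireless driver (ap_isolate), not by the FORWARD chain, so it has to be checked separately. The chain listings inside are constructed samples in ebtables -L format, not captured from a device, and the assumption that `wl ... ap_isolate` prints a bare 0 or 1 is mine.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether guest isolation is
# actually enforced on an AP, instead of trusting nvram flags such as
# wl0.1_lanaccess=off. Inputs are an `ebtables -L FORWARD` listing and the
# output of `wl -i <iface> ap_isolate` (assumed here to print just 0 or 1).
# The listings below are constructed samples in ebtables -L format.

# Correctly provisioned chain: ACCEPTs for the upstream LAN MAC sit above
# the DROPs for the guest interface.
GOOD_CHAIN='Bridge chain: FORWARD, entries: 5, policy: ACCEPT
-d Broadcast -j ACCEPT
-s 0:50:56:2e:33:2 -j ACCEPT
-d 0:50:56:2e:33:2 -j ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP'

# The state the last post describes: nvram says lanaccess=off, but the
# bridge filter contains nothing, so every guest frame is forwarded.
EMPTY_CHAIN='Bridge chain: FORWARD, entries: 0, policy: ACCEPT'

# Rules present but in the wrong order (DROPs first): guests are cut off
# from DHCP and the gateway as well as from the LAN.
REVERSED_CHAIN='Bridge chain: FORWARD, entries: 5, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP
-d Broadcast -j ACCEPT
-s 0:50:56:2e:33:2 -j ACCEPT
-d 0:50:56:2e:33:2 -j ACCEPT'

# ebtables -L prints MACs without leading zeros (0:50:56:2e:33:2); pad each
# octet to two lowercase hex digits so both spellings compare equal.
norm_mac() {
    printf '%s\n' "$1" | awk -F: '{
        out = ""
        for (i = 1; i <= NF; i++) { o = tolower($i); if (length(o) == 1) o = "0" o; sep = (i > 1) ? ":" : ""; out = out sep o }
        print out
    }'
}

# check_chain LISTING UPSTREAM_MAC GUEST_IFACE
# Prints one finding per line; exit status 0 only when the chain both
# blocks the guest interface and opens the upstream path above the blocks.
check_chain() {
    mac=$(norm_mac "$2")
    printf '%s\n' "$1" | awk -v mac="$mac" -v ifc="$3" '
    function nm(m,   a, n, i, o, sep, out) {
        n = split(tolower(m), a, ":"); out = ""
        for (i = 1; i <= n; i++) { o = a[i]; if (length(o) == 1) o = "0" o; sep = (i > 1) ? ":" : ""; out = out sep o }
        return out
    }
    /^-/ {                        # rule lines start with a match option
        pos++
        if ($1 == "-d" && tolower($2) == "broadcast" && $NF == "ACCEPT") bc = pos
        if ($1 == "-s" && nm($2) == mac && $NF == "ACCEPT") acs = pos
        if ($1 == "-d" && nm($2) == mac && $NF == "ACCEPT") acd = pos
        if ($1 == "-i" && $2 == ifc && $NF == "DROP") di = pos
        if ($1 == "-o" && $2 == ifc && $NF == "DROP") dout = pos
    }
    END {
        bad = 0
        if (!di || !dout) { print "MISSING: DROP for -i/-o " ifc " (guests can reach the LAN)"; bad = 1 }
        if (!bc) { print "MISSING: broadcast ACCEPT (guest ARP and DHCP will fail)"; bad = 1 }
        if (!acs || !acd) { print "MISSING: ACCEPT for upstream MAC " mac; bad = 1 }
        fd = di; if (dout && (!fd || dout < fd)) fd = dout
        if (fd && ((bc && bc > fd) || (acs && acs > fd) || (acd && acd > fd))) {
            print "ORDER: an ACCEPT sits below the first DROP for " ifc " (guests lose DHCP and the gateway)"; bad = 1
        }
        exit bad
    }'
}

# check_ap_isolate WL_OUTPUT GUEST_IFACE: the FORWARD chain never sees
# guest-to-guest frames inside one BSS, so that part is enforced by the
# driver and must be checked on its own.
check_ap_isolate() {
    [ "$(printf '%s' "$1" | tr -d ' \n')" = "1" ] && return 0
    echo "MISSING: ap_isolate is off on $2 (guests can reach each other)"
    return 1
}

# On a real AP, feed the live commands in (assumption: they exist as used here):
#   check_chain "$(ebtables -L FORWARD)" 00:50:56:2e:33:02 wl0.1
#   check_ap_isolate "$(wl -i wl0.1 ap_isolate)" wl0.1
```

Run on the AP after services-start has executed; an empty report with exit status 0 means the three ACCEPTs and both DROPs are present in a working order and the driver-side isolation is on. Anything else names the layer that is not enforcing, which is the question the post above could not answer from `nvram show` alone.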
 
