Solved Guest network isolation when in AP mode.

[ianyp]

I want to separate my IOT devices from the rest of the devices on my network. I don't entirely trust these cheap lightbulbs. The router is in AP mode, but doesn't seem to isolate the wireless networks from one another.

My network is currently like this:

Guest WiFi─AC68 in AP mode──Ethernet──OPNsense──Internet
Main WiFi ─┘

Is there a way to isolate the networks from each other? Or is it possible to set a VLAN on traffic coming from one SSID? Maybe with bridging and a virtual interface? (that would be a bit beyond me)

 

[ColinTaylor]

Network isolation doesn't work in AP mode. In fact IIRC the Access Intranet option is actually removed from the GUI in AP mode.

Is there a way to isolate the networks from each other? Or is it possible to set a VLAN on traffic coming from one SSID? Maybe with bridging and a virtual interface? (that would be a bit beyond me)

There are some user created scripts that attempt to create VLANs for guest SSIDs. They may be what you want so search the forum for those threads.

 

[bennor]

Is there a way to isolate the networks from each other? Or is it possible to set a VLAN on traffic coming from one SSID? Maybe with bridging and a virtual interface? (that would be a bit beyond me)

Not sure about using the YazFi script on an AP, but YazFi works well on a non AP/non mesh router when separating IoT devices to the Guest WiFi from the main LAN when using the Asus-Merlin firmware.

YazFi GitHub

YazFi - enhanced AsusWRT-Merlin Guest WiFi inc. SSID <-> VPN Client

 

[jeff3820]

I want to separate my IOT devices from the rest of the devices on my network. I don't entirely trust these cheap lightbulbs. The router is in AP mode, but doesn't seem to isolate the wireless networks from one another.

My network is currently like this:

Guest WiFi─AC68 in AP mode──Ethernet──OPNsense──Internet
Main WiFi ─┘

Is there a way to isolate the networks from each other? Or is it possible to set a VLAN on traffic coming from one SSID? Maybe with bridging and a virtual interface? (that would be a bit beyond me)

You can do this if you setup a VLAN (or a 2nd network) on OPNsense and get another AC68U. I use Pfsense...just a different fork so it must be possible as I have done this with Pfsense.

Main WiFi─AC68(1) in AP mode──Ethernet──OPNsense──Internet
Guest WiFi─AC68U(2) in AP mode (use VLAN) ─┘

A second way to do this is to use an access point that supports the direct use of guest networks...like the TP-Link EAP245. You don't need the TP-Link controller...there is a built in web client. In that case, setup a VLAN for the guest network.

Main WiFi─TP-Link EAP245 AP──Ethernet──OPNsense──Internet
Guest WiFi ─┘

I used the TP-Link recently for my son and it worked out perfectly. Setup 3 WiFi SSIDs with one being a guest network. The EP-245 also supports VLANs if you want to go that route as well.

 

[ianyp]

Really I don't want to buy another piece of hardware to carry this out. It ought to be a simple enough thing to accomplish in software as far as I understand things in theory.

Unfortunately I can't make head-nor-tail of this robocfg tool. It looks like it's really poorly documented. This is the first time I've worked with VLANs so I'm unfamiliar enough with how it works as it is. I misconfigured something on Saturday and it took me hours to get my internet working again.

I modified a script I found that will successfully isolate the guest APs from the main network. Modified so I'm using vlan10 as main and vlan20 as guest.

# { WAN L1 L2 L3 L4 CPU }  (Physical Ports)
#  { 0, 1, 2, 3, 4, 5 } (Robocfg ports)

Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 52:54:00:8f:e4:2a
Port 1: 1000FD enabled stp: none vlan: 10 jumbo: off mac: 9c:c9:eb:12:f4:8d
Port 2:   DOWN enabled stp: none vlan: 10 jumbo: off mac: 18:03:73:26:07:6d
Port 3: 1000FD enabled stp: none vlan: 10 jumbo: off mac: 9c:c9:eb:12:f4:8e
Port 4:   DOWN enabled stp: none vlan: 10 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 84:3a:4b:20:02:82
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00RTAC68U
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 4 5t
   2: vlan2: 5t
  10: vlan10: 0t 1 2 3 4 5t
  20: vlan20: 0t 5t

bridge name    bridge id        STP enabled    interfaces
br0        8000.74d02b2fc5c4    no        vlan1
                            eth1
                            eth2
                            vlan10
                            wl1.2
br1        8000.74d02b2fc5c4    no        vlan20
                            wl0.1
                            wl1.1

This successfully stops wireless clients from talking to one another with a destination unreachable message, but I want to route those requests upstream to the firewall so I can make exceptions. At the moment nothing tagged VLAN20 is actually getting routed to the firewall. So I'm assuming they never make it out of the router with that tag.

edit: what I think I want to do is set the default gateway for the vlan to the firewall's VLAN ip address. I don't know how to do that.

 

[ianyp]

Okay. I got this working. It may have been firewall issues that prevented it working originally, although I'm not sure.

The process was roughly this:
Set up new vlans through robocfg. This configures which ports will contain vlan tags when data from interfaces on that vlan communicate.

robocfg vlan 20 ports "0t 5t"

I did this three times. One for IOT(VLAN20), one for public internet(VLAN30), and one for my private network (VLAN10).

This also needs to be done with vconfig. I don't know why exactly. Maybe robocfg configures something at a driver level and vconfig does something else in the kernel.

vconfig add eth0 20

ifconfig vlan20 up

Where 20 is the vlan from the robocfg step.

Then delete all the wlx.x interfaces from the default bridge that comes with the router.

brctl delif br0 wl0.1

Now we create a new bridge to put the interfaces on, along with the vlan. Doing this tags all the traffic on those interfaces.

brctl addbr br1

Add the interface to the new bridge:

brctl addif br1 vlan20

And bring up the bridge

ip link set br1 up

then all this needs to be written to nvram. Not sure what this does.
Private / VLAN1 / 10 / physical ports

nvram set br0_ifname="br0"
nvram set lan_ifname="br0"
nvram set br0_ifnames="vlan1 eth1 eth2 vlan10"
nvram set lan_ifnames="vlan1 eth1 eth2 vlan10"

And an example of setting up br1 in nvram

nvram set lan1_ifnames="vlan20 wl0.2 wl1.2"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"
nvram set br1_ifnames="vlan20 wl0.2 wl1.2"

killall eapd

eapd

Flush bridge firewall rules.

ebtables -F

Here's the script I butchered to get it working:

gist:8e4ca1673c7e8cb22abff5fa6744ef7f

GitHub Gist: instantly share code, notes, and snippets.

gist.github.com

If anyone can explain the significance of the nvram settings I'd appreciate it. Also not sure what eapd is. Or why there is a vlan2.