Guest Network: Not restricting local network access.

Will it work if left in router mode but still not acting as a router?
i.e. DHCP server turned off and not acting as the default gateway?

Edit:
So I tried it but it seems to break more than it fixes.
Guest networks are unable to talk to the router now.
This prevents them from getting an IP address from the DHCP server. This I can probably fix by letting the Asus give out DHCP responses on the subnet but eh . . .

Might just be better to cave in and get a different access point.
Something that works properly with guest networks or assigns VLANs to an SSID.

You are on the right track to set the AP up as a router. Just double NAT it behind your primary router in its own subnet. With this configuration both the primary and guest networks will be blocked from accessing any resources on the primary network. If you want to be able to access any primary network resources from the double NATed router you will need to set up custom routing using iptables.
 
I have 4-6 vlans running on my network at any one time.
Home data, home voice, office data, office voice, and sometimes a test network or two.
This includes my NAS, my wife's NAS, the backup NAS, my Hyper-V 2012 core server, VMware ESXi host, a security DVR, and a bunch of devices that may be mine (Wii U) or a client's (anything from a laptop to a 120-core server with 1TB of RAM).

Plainly and simply I just don't want people touching everything on my network be it my mother, brother, best man at my wedding, or my best friend's 5 year old daughter who may or may not have a virus on her netbook she watches Netflix on.

There are some devices though that I don't mind them using while over: printers, Apple TV, Chromecast, a USB drive connected to the RT-AC56U to access via FTP or SMB to share some photos or videos with me, or vice versa.

In the end I picked up a ubiquiti UAP, set it up with another VLAN on a tagged port and restricted it to what I want it to hit and allowed what I deem acceptable to share. Took me all of 10 minutes to get working as I wanted it to.
 
Nice. Just a couple of questions:

1. Would you consider doing a step-by-step instruction guide on how to set this up (for the benefit of the OP)?

2. What was the cost of the Ubiquiti UAP and where did you purchase it?

Thanks in advance.
 
I'm using an RT-N66 as an AP and I need to restrict as much as I can access to the LAN. The following seems to do all but the AP and the router. Called by the start-services script. YMMV.

Code:
#!/bin/sh
# lanrestrict.sh
# Add LAN Restrictions to ASUS WRT when running as AP
# VER 1.1 20150123 PHI
#
logger "$0 begins"
# Look up the upstream router in the ARP cache. BusyBox prints a line like:
#   ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on br0
router=$(arp -a "$(nvram get lan_gateway)")   # Get Router Info
lladdr="${router%%" at "*}"                   # Everything before " at "
macbegin=$(expr "${#lladdr}" + 5)             # 1-based offset of the MAC (" at " is 4 chars)
rtmac=$(expr substr "$router" "$macbegin" 17) # A MAC address is 17 characters
logger "Router mac address is $rtmac"
# Build the ebtables FORWARD chain. Every "-I FORWARD 1" goes to the top of
# the chain, so the rules inserted LAST are evaluated FIRST: frames to/from
# the router MAC and broadcasts are accepted before the guest DROPs apply.
ebtables -F FORWARD  # Flush the chain first in case of re-running...
# Guest SSID interfaces: wl0.x = 2.4 GHz guests, wl1.x = 5 GHz guests
for gif in wl1.3 wl1.2 wl1.1 wl0.3 wl0.2 wl0.1; do
    ebtables -I FORWARD 1 -o "$gif" -j DROP   # nothing bridged out to a guest SSID
    ebtables -I FORWARD 1 -i "$gif" -j DROP   # nothing bridged in from a guest SSID
done
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT  # keep ARP/DHCP broadcasts flowing
ebtables -I FORWARD 1 -s "$rtmac" -j ACCEPT   # allow frames from the router (gateway, DHCP, DNS)...
ebtables -I FORWARD 1 -d "$rtmac" -j ACCEPT   # ...and to it
logger "$0 ends"
#

Note this idea came from Starfall's post at http://forums.smallnetbuilder.com/showthread.php?t=7021

Thanks.
Works great to restrict access to wired LAN from AP wifi.
The only change I made was at the router= line, to ensure the MAC address is in the ARP table.

Code:
rtIPaddr=`nvram get lan_gateway`
nslookup www.google.com $rtIPaddr # force a lookup to ensure arp table has router mac
router=`arp -an $rtIPaddr` # Get Router Info

Note that if you change the AP's configuration without a reboot, the script needs to be rerun manually, since the start-services script only runs on reboot.

Code:
# to check this fix is active look at output of following
ebtables -L --Ln --Lc  #debug check
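The two posts above (the lanrestrict.sh script and the ARP-population fix) together describe the technique. Below is an added, more defensive version of it as example code; it is not the script from the thread or from either poster. It assumes the ASUSWRT guest interface names wl0.1..wl1.3 and the BusyBox `arp -an` output format shown in the comments. It fails closed if the router MAC cannot be parsed (so an empty MAC never becomes a blanket ACCEPT rule), and with DRYRUN=1 it only prints the ebtables commands, so the parsing and the rule order can be checked on any POSIX shell before touching the AP.

```shell
#!/bin/sh
# lanrestrict2.sh -- added example, not the script posted in the thread.
# Same idea as lanrestrict.sh: accept frames to/from the upstream router's MAC
# and broadcasts, drop everything else entering or leaving a guest SSID.
# With DRYRUN=1 the ebtables commands are printed instead of executed.

GUEST_IFS="wl0.1 wl0.2 wl0.3 wl1.1 wl1.2 wl1.3"   # ASUSWRT guest SSIDs (assumed names)

# Extract the MAC from one BusyBox "arp -an" line such as
#   ? (192.168.1.1) at 00:11:22:33:44:55 [ether] on br0
# Prints nothing and returns 1 for "<incomplete>" or malformed input, so a
# failed lookup can never turn into an empty "-s  -j ACCEPT" rule.
router_mac_from_arp() {
    mac=$(printf '%s\n' "$1" | sed -n 's/.* at \([0-9A-Fa-f:]\{17\}\).*/\1/p')
    [ -n "$mac" ] || return 1
    printf '%s\n' "$mac"
}

# Print the ebtables commands in the order they must be applied.
# "-I FORWARD 1" inserts at the top of the chain, so the rules emitted LAST
# are evaluated FIRST: router MAC and broadcast ACCEPT before any guest DROP.
guest_rules() {
    rtmac=$1
    echo "ebtables -F FORWARD"
    for gif in $GUEST_IFS; do
        echo "ebtables -I FORWARD 1 -o $gif -j DROP"
        echo "ebtables -I FORWARD 1 -i $gif -j DROP"
    done
    echo "ebtables -I FORWARD 1 -d Broadcast -j ACCEPT"
    echo "ebtables -I FORWARD 1 -s $rtmac -j ACCEPT"
    echo "ebtables -I FORWARD 1 -d $rtmac -j ACCEPT"
}

# Execute (or, under DRYRUN, just print) the rule set for the given router MAC.
apply_rules() {
    if [ -n "${DRYRUN:-}" ]; then
        guest_rules "$1"
    else
        guest_rules "$1" | sh -e
    fi
}

main() {
    rtip=$(nvram get lan_gateway)
    # Any frame to the router populates the ARP cache; a ping is used here
    # instead of the nslookup trick so it also works when the router is not
    # the DNS server for the AP.
    ping -c 1 -W 1 "$rtip" >/dev/null 2>&1
    rtmac=$(router_mac_from_arp "$(arp -an "$rtip")") || {
        logger "$0: no MAC for $rtip in ARP cache, leaving FORWARD chain untouched"
        exit 1
    }
    logger "$0: router MAC is $rtmac"
    apply_rules "$rtmac"
    logger "$0: ebtables FORWARD chain installed"
}

# Only run main when invoked as the script itself (e.g. from start-services),
# not when the file is sourced to exercise the functions.
case "${0##*/}" in
    lanrestrict*) main "$@" ;;
esac
```

On the AP, save it as lanrestrict2.sh, call it from the start-services script, and rerun it after any configuration change, as noted above. `DRYRUN=1 sh lanrestrict2.sh` on a workstation shows the exact 16 commands that will be issued, and `ebtables -L --Lc` on the AP shows whether the guest DROP counters are climbing once it is live.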
 
Works great with one RT-N66U as router and one RT-N66U as access point with guest network enabled. It is still possible to ping and scan other hosts, but it is not possible to open a connection.

Any chance to block access from the guest network to the router and AP web pages? http://192.168.1.1/ and http://192.168.1.10/