
Guest SSID on a VLAN tag?


VirtualNobody

New Around Here
Hello,

Trying to understand if this will work...
I have an RT-AC66 that I want to create a guest SSID tagged to VLAN 15. I have a single cable coming from a switch that has the default untagged VLAN and a tagged VLAN with ID 15.

Is this possible to do with either the stock or Merlin firmware?

From searching on here it looks to be possible, and I've seen an example script, but unfortunately the person who went to all the work creating it didn't document what each step was for so I don't have much idea how to replicate what he did to what I need.

Thanks for any help.
 
the guest ssid is in a private subnet as is, no need to mess with vlan tagging.

i assume you read skydoc's thread. with his setup, his network looks essentially like:

modem > router > switch > asus > wifi clients + guest wifi clients

his router provides the dhcp server for everything but the guest ssid. with his modified configuration, it allows the dnsmasq dhcp/dns server on the asus to serve ip addresses for the guest ssid, only, as it's separated from the rest of the LAN and wouldn't receive their IP addresses otherwise.

hopefully that clears things up for you.
 
Hi sinshiva,

Thanks...But that's not really what I'm looking for. I really need the VLAN tagging.

My AC66 is in AP mode, not router mode.

It's not too clear from the method you linked to exactly what's going on in the RT-AC66. Just how is the separation occurring? What's stopping someone on the guest ID from changing their IP address to something on the other LAN and accessing those systems?

I'm not sure I'd trust the security of that model.
 
there isn't any routing between the private networks. the guest clients would see a gateway and the internet beyond that
 
there isn't any routing between the private networks. the guest clients would see a gateway and the internet beyond that

You don't need routing. If someone on the guest network manually changes their IP to something on the private network, what's in the router to prevent that traffic from crossing over?

There has to be something preventing that traffic from crossing over, a firewall, a VLAN tag, etc.
 
if they change their IP to a subnet the gateway doesn't reside in, they go nowhere
 
that would be the same as making your ip anything else, from the guest network. they would go nowhere
 
My interpretation of that post was that SkyDoc has a separate (ISP Provided?) gateway and had the Asus as the gateway for his wireless network. However, he disabled the DHCP server on the Asus in order to use his own internal DHCP server for the "internal" wireless clients. He solved this by only allowing the Asus DHCP server to function on the guest wireless interface "wl0.1". So in this sense, VirtualNobody is correct. A user on the guest SSID could connect to a device on the "internal LAN" because the Asus' WAN interface actually lives on the LAN. I see it like this:

Code:
ISP router---->Switch|-----Internal LAN (DHCP Server 192.168.1.x/24)
                     |-----Asus LAN Port>>LAN WiFi (192.168.1.x/24)
                     |-----Asus WAN Port>>Guest SSID (DHCP from Asus, 10.0.0.x/24)

That's the only way I can think that his internal DHCP server is serving out addresses to the LAN WiFi on the Asus.

So, if I'm on the Guest SSID (IP 10.0.0.100/24), and I happen to know the IP of an internal device (192.168.1.200/24), I could connect to its services. That's not guest network separation.

What I think VirtualNobody is getting at (and something I'd really like as well), is to use the RT-AC66U in AP only mode, and have the ability to assign a VLAN ID tag to the different SSIDs. For example, this is my setup:

Code:
Comcast--->pfSense--->HP 1800-24G|--->Asus AP (WiFi 10.0.0.x/24)
                                 |--->All other network devices (10.0.0.x/24)

What I'd like is for the pfSense to use VLAN tags to separate out networks. Say VLAN 1 for internal, VLAN 2 for my soon-to-be site-to-site OpenVPN, VLAN 3 for my IPSec back to my office and VLAN 15 for Guest Access that never touches any other network. On the pfSense, I'd have the four VLANs all have virtual interfaces sharing the same NIC.

VLAN1: 10.0.0.1/24 (Internal. Can route to VLAN2)
VLAN2: 10.0.1.1/24 (OpenVPN, can route to VLAN1)
VLAN3: 10.0.2.1/24 (Office, only route out)
VLAN15: 172.31.1.1/24 (Guest, only route out)

Of course, the AP would also probably be running the LACP script that several people came up with.

Is this configuration at all possible??? There was really no mention of VLAN Tagging on the wireless interfaces. Thanks so much for the help, and what a first post!

Jim
 
Hi Joltman,

Thanks for the validation. It just wasn't worth arguing anymore with that other fellow.

I did go on to accomplish what I wanted with VLAN tagging. After more research it was obvious the stock or Merlin firmware wasn't going to do what I wanted.

I ended up getting some other router models that are capable of running Shibby Tomato. The VLAN tagging works great. I haven't tried it with the AC66R as I don't believe the performance of Tomato can match stock, as the stock firmwares have code that uses hardware accelerators (Merlin likely can do it as his firmware is modifications to the original ASUS code...) But I could never confirm or deny any of that.

I plan to buy an AC66R to test Shibby on in a month or two, so I don't have to monkey with my main AP, but the firmware works great on the other supported models listed on his website, maybe just not as fast as stock.
 
oh. my. god. i just tested this. i most sincerely apologize for this, i'd never have dreamed that the guest network would be created directly on the bridge. this is completely useless in its default state. i will personally write a tutorial to get this on a properly separated subnet with the matching routing table. this will require asuswrt-merlin.
 
Once again, i want to apologize. hopefully it's not too late for you to benefit from this... bleh

enable the guest AP, use ifconfig -a from the 'Run CMD' page to verify that the interface was created as wl0.1 and proceed as follows;

this is going to need to be added to /jffs/scripts/wan-start

Code:
#!/bin/sh
# Current WAN address of eth0, used for the SNAT rule further down.
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
# Pull the guest SSID interface out of the LAN bridge (br0) and put it on its own bridge (br1).
brctl delif br0 wl0.1
brctl addbr br1
brctl addif br1 wl0.1
# Give the guest bridge its own subnet; the LAN stays on br0.
ifconfig br1 192.168.85.1 netmask 255.255.255.0 broadcast 192.168.85.255
# NAT everything leaving via the WAN interface to the WAN address.
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
# Allow new connections from the guest bridge ...
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
# ... but -I inserts at the top, so this guest->LAN DROP ends up ahead of the ACCEPT above.
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

chmod a+rx /jffs/scripts/*

this gets the guest network on a separate subnet, 192.168.85.0, internet access and no access to the other intranet

for dhcp/dns, i'm going to refer to skydoc's thread, once again; http://forums.smallnetbuilder.com/showthread.php?t=14141

as far as more intricate vlan stuff, you'll have to find that out from somebody else, i'm afraid.

[edit1] sorry, was pretty wasted by the time i finished this script; some notes:

this does not take into account what might happen if your WAN IP changes without a reboot. i assume the iptables list gets cleared and the wan-start script is re-executed when it comes back up. also, this script will likely need to be modified to take into account users with their router set in AP mode. i don't feel like switching my router over because i just reconfigured everything with some extensive rules and such, sorry.

additionally, i average about 1 bash script every 2 years, so somebody far better than I would be more useful in making this setup more robust[/edit1]

[edit2/] making this edit because i want to give credit where it's due, don't want anybody getting the wrong idea that i can work miracles. unfortunately, i don't remember where all i cobbled this together from as my state of mind wasn't exactly 100%. a user from dd-wrt was one of them, though. that's where i got the iptables rules, iirc. the bit of magic that gets $WANIP came from somewhere i found via google as well.
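A small audit script, added here and not part of the thread, that checks the two things the posts above argue about: that the guest SSID interface has really been taken off br0, and that the FORWARD chain drops guest-to-LAN traffic before any rule accepts traffic from the guest bridge. It assumes the interface and bridge names from the wan-start script (wl0.1, br0, br1) and runs against constructed copies of `brctl show` and `iptables -S FORWARD` output, so it can be tried offline.

```shell
# Constructed sample: `brctl show` after the wan-start script has moved wl0.1.
BRCTL_SEPARATED='bridge name    bridge id           STP enabled  interfaces
br0             8000.aabbccddeeff   no           vlan1
                                                 eth1
br1             8000.aabbccddeef0   no           wl0.1'
# Constructed sample: stock state, guest SSID still sitting on the LAN bridge.
BRCTL_DEFAULT='bridge name    bridge id           STP enabled  interfaces
br0             8000.aabbccddeeff   no           vlan1
                                                 eth1
                                                 wl0.1'
# Constructed samples of `iptables -S FORWARD`; only the rule order differs.
FWD_GOOD='-P FORWARD ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
-A FORWARD -i br1 -m state --state NEW -j ACCEPT'
FWD_BAD='-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP'

# Print the bridge that owns interface $2 in brctl output $1 (nothing if none).
bridge_of_iface() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }                                  # column header
        NF >= 3 { br = $1; iface = (NF >= 4) ? $4 : "" }  # bridge line
        NF == 1 { iface = $1 }                            # extra member line
        iface == want { print br; exit }'
}

# Print the target of the first rule able to match guest($2)->LAN($3) traffic.
first_guest_to_lan_target() {
    printf '%s\n' "$1" | awk -v g="$2" -v l="$3" '
        $1 != "-A" { next }
        { i_if = ""; o_if = ""; tgt = ""
          for (i = 1; i <= NF; i++) {
              if ($i == "-i") i_if = $(i + 1)
              if ($i == "-o") o_if = $(i + 1)
              if ($i == "-j") tgt = $(i + 1) }
          if (i_if == g && (o_if == "" || o_if == l)) { print tgt; exit } }'
}

# Exit 0 only if guest iface $3 is in bridge $4 and guest->LAN($5) hits a DROP first.
check_guest_isolation() {
    br=$(bridge_of_iface "$1" "$3")
    [ "$br" = "$4" ] || { echo "FAIL: $3 is in bridge '${br:-none}', expected $4"; return 1; }
    tgt=$(first_guest_to_lan_target "$2" "$4" "$5")
    [ "$tgt" = "DROP" ] || { echo "FAIL: guest->$5 hits '${tgt:-no rule}', expected DROP"; return 1; }
    echo "OK: $3 isolated on $4, guest->$5 dropped"
}
```

On a live router, replace the samples with `"$(brctl show)"` and `"$(iptables -S FORWARD)"`; the default-state sample fails the first check, the swapped-order sample fails the second.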
 