Menu
What's new
By:
Filters Better Search

How to restrict guest network intranet to SSH & http only?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

B

BaronVonchesto

Occasional Visitor
So some background first on what I'm doing. I have an Asus AC66U running ASUSWRT-merlin (380.70).

My main home network is running on 192.168.1.xxx/24

I'm planning to engage a freelance dev on fiverr to do some dev work for me, to interface with an industrial device using my raspberry pi. To that end I need to give WAN SSH access to my pi so the dev can work remotely. However I'm concerned about the security of giving access to my home network to some unknown guy on the internet, so want to restrict access as much as possible.

So what I had in mind was to put the raspberry pi onto a guest wifi network where I can assign a "static" DHCP IP to the raspberry pi (say 192.168.2.2). I will port forward ports 80, 443 and (some other port translated to 22) to the raspberry pi so that the dev can ssh to the pi and the web server is accessible from WAN.

However I also want to be able to SSH/SFTP to the pi from my main LAN, and also access the web server, while blocking all access to my LAN from the pi (so allow initiation of traffic from 192.168.1.x -> 192.168.2.x but not the other way round), other than that I need the pi to have access to the internet as usual. I also want to make sure the pi cannot SSH to the router or access the web admin interface of the router.

Is this doable with Merlin? I have a basic idea of how IPTABLES work, but not enough knowledge to create the rules myself.
Or else I'm not averse to switching from Merlin to FreshTomato, though I'd like to avoid this if I can since it would mean downtime of internet access for my family who are online 24/7

Here's an image my my proposed network topology and what i'd like to acheive:
network map.jpg

PS: once the dev is done with his work I will revoke the SSH key i give him and remove the port forwarding set in the router.
 
Last edited:
BaronVonchesto said:
So some background first on what I'm doing. I have an Asus AC66U running ASUSWRT-merlin (380.70).

My main home network is running on 192.168.1.xxx/24

I'm planning to engage a freelance dev on fiverr to do some dev work for me, to interface with an industrial device using my raspberry pi. To that end I need to give WAN SSH access to my pi so the dev can work remotely. However I'm concerned about the security of giving access to my home network to some unknown guy on the internet, so want to restrict access as much as possible.

So what I had in mind was to put the raspberry pi onto a guest wifi network where I can assign a "static" DHCP IP to the raspberry pi (say 192.168.2.2). I will port forward ports 80, 443 and (some other port translated to 22) to the raspberry pi so that the dev can ssh to the pi and the web server is accessible from WAN.

However I also want to be able to SSH/SFTP to the pi from my main LAN, and also access the web server, while blocking all access to my LAN from the pi (so allow initiation of traffic from 192.168.1.x -> 192.168.2.x but not the other way round), other than that I need the pi to have access to the internet as usual. I also want to make sure the pi cannot SSH to the router or access the web admin interface of the router.

Is this doable with Merlin? I have a basic idea of how IPTABLES work, but not enough knowledge to create the rules myself.
Or else I'm not averse to switching from Merlin to FreshTomato, though I'd like to avoid this if I can since it would mean downtime of internet access for my family who are online 24/7

Here's an image my my proposed network topology and what i'd like to acheive:
View attachment 36262
PS: once the dev is done with his work I will revoke the SSH key i give him and remove the port forwarding set in the router.
Click to expand...
YazFi will do the bulk of this. The cross network communication of SSH and HTTPS can be achieved using a YazFi user script to add pinhole iptables rules for those ports
 
Jack Yaz said:
YazFi will do the bulk of this. The cross network communication of SSH and HTTPS can be achieved using a YazFi user script to add pinhole iptables rules for those ports
Click to expand...
yea YazFi was the first thing I looked into. unfortunately the AC66U is not supported by YazFi even though it is in the supported list as the final merlin firmware available is older than the minimum firmware needed for YazFi
 
BaronVonchesto said:
yea YazFi was the first thing I looked into. unfortunately the AC66U is not supported by YazFi even though it is in the supported list as the final merlin firmware available is older than the minimum firmware needed for YazFi
Click to expand...
Are you not able to install John's fork? 380.70 is riddled with security flaws
 
Jack Yaz said:
Are you not able to install John's fork? 380.70 is riddled with security flaws
Click to expand...
but why would I want to do that? I'm not familiar with john's fork but I know it is based on an older 374 release. What possible reason would i want to go through the hassle of going back to an older firmware base?

Surely at this point I'd be better off moving to something like Tomato instead?
 
BaronVonchesto said:
but why would I want to do that? I'm not familiar with john's fork but I know it is based on an older 374 release. What possible reason would i want to go through the hassle of going back to an older firmware base?

Surely at this point I'd be better off moving to something like Tomato instead?
Click to expand...
374 was the release that it was originally forked from. Since then it has been continuously updated with security fixes and features, a lot of which are back ported from the current Merlin release. So just because it says "374" in the name doesn't mean it's old or out of date.
 
okay I guess it couldn't hurt to try installing the latest john's fork
Though from what I've read I have to do a factory reset and won't be able to restore settings from a saved config file, but rather reconfigure everything right? As im coming from 380 merlin
 
Correct. Full reset to factory defaults. Minimal and Manual configuration to secure the router and connect to your ISP.
 
well I switched my router firmware to the latest john's fork, did a full factory reset before and after the flash, then reformatted jffs2 partition and reconfigured the bare minimum.

However I notice that the 5GHz wifi stays on 20MHz channel width no matter what I change the setting to. This is reported by InSSIDer, whereas previously I had it fixed to 40MHz width. The wifi performance is also worse then what it used to be when I was running Merlin 380.

My laptop shows the link rate as 242Mbps on 802.11ac, and running jPerf the best I can get is around 110Mbps after multiple tests. Previously i could push around 180-200Mbps on wireless.

I know there are a lot of things that affects wifi performance so should I open a separate thread for this? For the record there are 0 other 5GHz wifi networks detected in the vicinity as shown by inSSIDER so I should have the best possible SNR when im just 30 feet away from the router within line of sight.
 
Report the problem in the dedicated thread for the release of John's fork that you're using. That way John and other users of the fork will see it.

Bear in mind that transmit power will vary on the 5GHz band depending on which channels you are using. So for example, my UK router has significantly less power on channels 36-64 compared to 100-144. YMMV
 
ColinTaylor said:
Report the problem in the dedicated thread for the release of John's fork that you're using. That way John and other users of the fork will see it.

Bear in mind that transmit power will vary on the 5GHz band depending on which channels you are using. So for example, my UK router has significantly less power on channels 36-64 compared to 100-144. YMMV
Click to expand...
Thanks I shall do just that.

What mattes more in wireless communication is not the transmit power but rather the Signal to Noise Ratio. As I said i was some 30 feet away from the router in line of sight, and there are no 5GHz networks on or adjacent to the channel my SSID is on. So unless there is some non wifi noise in the spectrum, I should have the best theoretically possible SNR, and the detected RF strength was around -60dB, which is pretty strong
 
You must log in or register to reply here.

Similar threads

H
Asus RT-AX58U v2 Merlin: Route all traffic to Pi-hole (running directly on router itself)
Replies
12
Views
601
bidh
B
M
ssh access with DNS name takes a long time where it did not used to
Replies
0
Views
418
my03
M
B
HTTP Possible btwn Guest and WAN?
Replies
0
Views
160
billrouter
B
B
How to set up guest network on RT-AX86U-PRO
Replies
7
Views
554
BosseSwede
B
R
Disable Intranet access for a LAN port (not the WiFi Guest network)?
Replies
13
Views
518
Tech9
Tech9
Similar threads
Thread starter Title Forum Replies Date
D How to restrict VPN network access to certain IP Range or Hosts for specific VPN client Asuswrt-Merlin 8
K Guest Network Pro (sdn) only 1 guest wifi broadcasting Asuswrt-Merlin 0
R Disable Intranet access for a LAN port (not the WiFi Guest network)? Asuswrt-Merlin 13
T GT BE98 Pro Guest Network Cannot Disable Intranet Access Asuswrt-Merlin 3
Siff Printing from Guest Network (ASUSWRT-Merlin 3004.388.8_2) Asuswrt-Merlin 5
W Quick Network/Guest question Asuswrt-Merlin 14
R RT-AX86U Pro LAN Port on Guest Network Asuswrt-Merlin 9
I Guest net / subnet for wired connections? Asuswrt-Merlin 4
J Devices connected through wifi extender are showing up under guest IP subnet Asuswrt-Merlin 3
M Any workaround to expand Guest Network 'features' on Mesh for IoT Devices | AX86U Asuswrt-Merlin 2

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 802 (members: 30, guests: 772)
Top