I can ssh to my router from guest wifi network

v1rt

Occasional Visitor
By default, ssh shouldn't be accessible from the guest network. I don't want to create another iptables rule since this should be a default deny rule.

Why is it open?
 
By default, ssh shouldn't be accessible from the guest network. I don't want to create another iptables rule since this should be a default deny rule.

Why is it open?

Because there is no restriction on Guest clients toward the router itself.
 
Got it. I shouldn't have assumed that the guest network is like a DMZ. I'll add rules then.
 
Because there is no restriction on Guest clients toward the router itself.

Are you saying this has gotten broken again by Asus?

From your change log:
...
374.43 (6-June-2014)
...
- FIXED: Restricted guests still had access to the router (Asus bug introduced in GPL 4887)
...
 
FYI, I am also able to connect to the webpage console. My router is on the 192.168.1 subnet, while my laptop on the guest network was on subnet 192.168.2.
 
Are you saying this has gotten broken again by Asus?

From your change log:

It's been so long, I don't remember the details of that particular fix. I'd make sure that the OP did disable Intranet access on his Guest network configuration first.
 
Guest Network page, try:
Access Intranet = OFF

My Wi-Fi guests cannot access the router. The TCP ports are all blocked by default. However, the ICMP ping is not blocked.
 
It's been so long, I don't remember the details of that particular fix. I'd make sure that the OP did disable Intranet access on his Guest network configuration first.
I will check once I get home. I remember not turning it on, especially since I recently installed Merlin.
 
Guest Network page, try:
Access Intranet = OFF

My Wi-Fi guests cannot access the router. The TCP ports are all blocked by default. However, the ICMP ping is not blocked.

I remember a setting from last night, something like "Access network from WAN"; I remember it was set to No.

I don't remember seeing Intranet. If it was there, I didn't change it. If it was on by default, then that's the reason why I'm able to ssh to the router. I'll check it once I get home.
 
Sorry guys, I didn't forget you. I was so busy working on my DIY camera slider :)
Here it is. It's set to off. So it looks like the bug has been resurrected.

[Attached image: K8aAeOD.png]
 
Sorry guys, I didn't forget you. I was so busy working on my DIY camera slider :)
Here it is. It's set to off. So it looks like the bug has been resurrected.

I tested it here, and it's working fine for me. Both the webui and SSH access were correctly blocked.
 
What's missing in my configuration then? Is it because I have a firewall-start script?
 
What's missing in my configuration then? Is it because I have a firewall-start script?

You could have a rule in your firewall that's allowing clients to bypass the block. Could be that you enabled WAN access to SSH. No idea what else could be different on your configuration.
 
FYI, my firmware is 378.51

It's usually a good idea to ensure you are running the latest version before reporting issues.
 
Also, which router model are you using? Which band are you connecting to?
 
I have an ASUS RT-AC68U.
When I was testing it, I was on 2.4. I'm going to test 5 GHz now.
 
