
Is there a way for an RT-N66U to run in AP mode with *only* guest network access? i.e. no LAN access


jcy

Occasional Visitor
Hi, is there a way to set up an RT-N66U in AP mode that won't access my LAN but leaves Guest network functionality in place? I'd like to completely forbid LAN access but still need a way for guests to surf the internet only.

Thanks.
 
Hi, is there a way to set up an RT-N66U in AP mode that won't access my LAN but leaves Guest network functionality in place? I'd like to completely forbid LAN access but still need a way for guests to surf the internet only.

Thanks.
The guest network when running Merlin's firmware by definition restricts individuals connecting to Internet access only. I'm not sure about stock ASUS firmware.

If you want to be absolutely sure no guests can reach your LAN you could also double NAT the N66U behind your primary router. By having your guests on their own subnet it should be impossible for them to connect to any resources on your primary LAN.
 
The guest network when running Merlin's firmware by definition restricts individuals connecting to Internet access only. I'm not sure about stock ASUS firmware.

Sorry CaptainSTX, the original poster said they are using AP mode. Therefore an AP-based restriction is not possible from the GUI. Both the Guest and Main Wifi SSIDs get the access of the port the wired cable is connected to.

Here is a script that you can run on Merlin's firmware which will work to restrict Wifi users on the AP to Internet only. The wired ports on the AP will still have Internet access. This script is not perfect, as a guest only needs to know the MAC address of the LAN devices to access them.
Note when testing that MAC addresses are cached, so you need to reboot the testing device (not the N66U) after running the script.

Code:
#!/bin/sh
# set -v
# set -x
# Add LAN Restrictions to ASUS WRT when running as AP
# VER 1.1 20150123 PHI
# VER 2.0 20150214 COLDWIZARD

# logger $0 "begins"
rtIPaddr=`ip -f inet route show | grep -i default | awk '{FS = " " }{print $3}'`
#rtIPaddr=`nvram get lan_gateway`
ping -c 1 -W 1 -q $rtIPaddr # force a lookup to ensure arp table has router mac
router=`arp -an $rtIPaddr` # Get Router Info
lladdr="${router%%" at "*}" # Find beginning of at in arp line
macbegin=`expr "${#lladdr}" + 5` # Get beginning of mac addr
rtmac=`expr substr "$router" "$macbegin" 17` # Get router mac addr

# List of WiFi names to block
# MyGuestWiFiNames=" `nvram get wl0_vifnames` `nvram get wl1_vifnames` " # all Guest
MyGuestWiFiNames=" eth1 eth2 wl0.1 wl1.1 wl0.2 wl1.2 wl0.3 wl1.3 " # reordered Guest and normal WiFi names


logger $0 "Router mac address is $rtmac Guest WiFis are: $MyGuestWiFiNames"

# Insert chain in ebtables
InsLoc=1

# Flush done the hard way with deletes and inserts to leave any other rules in chain
# ebtables -F FORWARD # Flush the chain first in case of re-running...

#  FROM Router

#    allow router LAN interface to communicate with all users
ebtables -D FORWARD -s $rtmac -j ACCEPT
ebtables -I FORWARD $InsLoc -s $rtmac -j ACCEPT
InsLoc=`expr $InsLoc + 1`

#  TO Router

#    allow access to router and Internet
ebtables -D FORWARD -d $rtmac -j ACCEPT
ebtables -I FORWARD $InsLoc  -d $rtmac -j ACCEPT
InsLoc=`expr $InsLoc + 1`


# allow all users to send broadcast traffic to router LAN for ARP and DHCP
ebtables -D FORWARD -d Broadcast -j ACCEPT
ebtables -I FORWARD $InsLoc  -d Broadcast -j ACCEPT
InsLoc=`expr $InsLoc + 1`

# drop ARP protocol to prevent Guest getting MAC address for local devices
# drop anything else from/to Guest WiFi
for GuestWiFi in $MyGuestWiFiNames
   do
      ebtables -D FORWARD -i $GuestWiFi -j DROP
      ebtables -I FORWARD $InsLoc -i $GuestWiFi -j DROP
      InsLoc=`expr $InsLoc + 1`

      ebtables -D FORWARD -o $GuestWiFi -j DROP
      ebtables -I FORWARD $InsLoc -o $GuestWiFi -j DROP
      InsLoc=`expr $InsLoc + 1`
   done

# ebtables -L --Ln --Lc  #debug check

InsLoc=`expr $InsLoc - 1`
logger $0 "ends with $InsLoc rules"

#



If you want to be absolutely sure no guests can reach your LAN you could also double NAT the N66U behind your primary router. By having your guests on their own subnet it should be impossible for them to connect to any resources on your primary LAN.

This is easier but not perfect, as a guest only needs to know the IP address of the LAN devices to access them.
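As an added example (not coldwizard's script and not part of the original thread), the two parts of the approach above that are easiest to get wrong are factored into functions that can be exercised offline: pulling the router's MAC out of an `arp -an` line, and generating the ebtables FORWARD rules for a list of guest interfaces. The rule set and order match the posted script (allow frames from the router MAC, to the router MAC, and to Broadcast; drop everything else in or out of each guest interface). Assumptions: BusyBox-style `arp -an` output, a `br0` bridge, and that the generated commands are piped to `sh` on the AP rather than executed directly, so the output can be inspected first. The `arp` line and the interface names `wl0.1 wl1.1` in the demo are constructed sample values.

```shell
#!/bin/sh
# Added example: dry-run generator for the AP LAN-restriction rules.
# Assumes BusyBox "arp -an" output such as:
#   ? (192.168.37.1) at 00:11:22:33:44:55 [ether]  on br0
# and an ebtables FORWARD chain on the br0 bridge (constructed sample data below).

# Print the 17-character MAC that follows " at " in one arp -an line.
# Returns 1 and prints nothing for an entry with no MAC, e.g. the
# "<incomplete>" line you get when the router never answered the ARP query,
# which is the case the original substring arithmetic cannot detect.
mac_from_arp_line() {
    _mac=$(printf '%s\n' "$1" | sed -n 's/.* at \([0-9A-Fa-f:]\{17\}\).*/\1/p')
    [ -n "$_mac" ] || return 1
    printf '%s\n' "$_mac"
}

# Emit the ebtables commands, one per line, for router MAC $1 and the guest
# interfaces given as the remaining arguments. Each rule is deleted before it
# is inserted so a re-run leaves exactly one copy; stderr of the delete is
# silenced because on the first run the rule does not exist yet.
build_rules() {
    _rtmac=$1; shift
    _pos=1
    # Allow rules first: from the router, to the router, broadcast (ARP/DHCP).
    for _spec in "-s $_rtmac -j ACCEPT" "-d $_rtmac -j ACCEPT" "-d Broadcast -j ACCEPT"; do
        printf 'ebtables -D FORWARD %s 2>/dev/null\n' "$_spec"
        printf 'ebtables -I FORWARD %s %s\n' "$_pos" "$_spec"
        _pos=$((_pos + 1))
    done
    # Then drop anything else entering (-i) or leaving (-o) a guest interface.
    for _if in "$@"; do
        for _dir in -i -o; do
            printf 'ebtables -D FORWARD %s %s -j DROP 2>/dev/null\n' "$_dir" "$_if"
            printf 'ebtables -I FORWARD %s %s %s -j DROP\n' "$_pos" "$_dir" "$_if"
            _pos=$((_pos + 1))
        done
    done
}

# Stand-alone demo on a constructed arp line; on the AP you would use
#   mac_from_arp_line "$(arp -an "$(nvram get lan_gateway)")"
# after a ping has populated the ARP table, as the original script does.
ARP_SAMPLE='? (192.168.37.1) at 00:11:22:33:44:55 [ether]  on br0'
if RTMAC=$(mac_from_arp_line "$ARP_SAMPLE"); then
    build_rules "$RTMAC" wl0.1 wl1.1
else
    echo "router MAC not in ARP table, refusing to install rules" >&2
fi
```

Review the printed commands, then apply them with `build_rules "$RTMAC" wl0.1 wl1.1 | sh`. Bailing out when the MAC cannot be parsed matters: with an empty `rtmac`, the two ACCEPT rules would never match and the DROP rules would cut the guest interfaces off from the Internet as well as the LAN.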
 
Sorry CaptainSTX, the original poster said they are using AP mode. Therefore an AP-based restriction is not possible from the GUI. Both the Guest and Main Wifi SSIDs get the access of the port the wired cable is connected to.

Here is a script that you can run on Merlin's firmware which will work to restrict Wifi users on the AP to Internet only. The wired ports on the AP will still have Internet access. This script is not perfect, as a guest only needs to know the MAC address of the LAN devices to access them.
Note when testing that MAC addresses are cached, so you need to reboot the testing device (not the N66U) after running the script.

First, coldwizard, thank you for your script. Your help is greatly appreciated.

Second, the script doesn't appear to run on reboot of the AP, what step am I stupidly overlooking?

Third, when I run the script manually, it produces this output:

Code:
admin@RT-N66R:/jffs/scripts# ./ap.sh
PING 192.168.37.1 (192.168.37.1): 56 data bytes

--- 192.168.37.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.494/0.494/0.494 ms
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
admin@RT-N66R:/jffs/scripts#

When I re-run the script manually, the "rule does not exist error" does not appear:

Code:
admin@RT-N66R:/jffs/scripts# ./ap.sh
PING 192.168.37.1 (192.168.37.1): 56 data bytes

--- 192.168.37.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.534/0.534/0.534 ms
admin@RT-N66R:/jffs/scripts#

At which point, the script appears to work but unfortunately I have a slight wrinkle. I have DHCP disabled on the AP because our LAN uses an MS server for DHCP.

If I enable DHCP on the AP, I believe it will conflict with the MS DHCP server. Is there a way to have DHCP enabled (I think in DD-WRT they use something called a masq) only for wireless requests?

Thank you again, I hope that there is some way I can repay you for your efforts.
 
First, coldwizard, thank you for your script. Your help is greatly appreciated.

Second, the script doesn't appear to run on reboot of the AP, what step am I stupidly overlooking?

Third, when I run the script manually, it produces this output:
...
When I re-run the script manually, the "rule does not exist error" does not appear:

The script deletes the rules and then adds them so that you will only have one set of rules left if the script is rerun. The error messages are from the deleting of the non-existent rules the first time. Take the # off the line "# set -x" near the beginning and you will see the commands as they are executed.

I did not give the file name to place the script into because I do not remember where I had it as I have since changed to using router mode. You can look in Merlin's documentation for possible file names to place the script into.

At which point, the script appears to work but unfortunately I have a slight wrinkle. I have DHCP disabled on the AP because our LAN uses an MS server for DHCP.

If I enable DHCP on the AP, I believe it will conflict with the MS DHCP server. Is there a way to have DHCP enabled (I think in DD-WRT they use something called a masq) only for wireless requests?

If you want a separate DHCP for the guests, use the router mode as CaptainSTX recommended and then you do not need my script.
 