Option to disable wireless login?

The command appears to be correct. I've just tried it again here on my router and it's working (blocking) fine.

I'll have to think about it....

Is there anything unusual about your setup? You are in router mode, not AP or bridge?
 
We have:
1. dnsmasq redirect as adware;
2. entware-NG on port 81 with PHP and MySQL
3. network on IPv4
4. Dynamically Ban Malicious IP's using IPSet (Martineau version)
5. IP class from 172.x.x.1
6. redirect for VPN for specific IP
7. services on ports 6789 NZBget, transmission on 9091.
8. wireless router mode (Default)

Maybe point 4 could be the reason?
Thanks!
 
Hi.

No, I have Smart Connect on so both 2.4G and 5G are on same SSID. I tried with Smart Connect off with same result.
Still searching. If I find the fix I will post. If you have ideas please post.
Thank you!
 
eth1 only works for 2.4GHz. Add an eth2 rule also and try again.
 
I don't think my script would have any bearing on your issue o_O.....but you can always disable/remove the script and then retry.

Did you check the ebtables rule statistics to see if it is being triggered:
Code:
ebtables -t filter -L --Lmac2 --Lc --Ln
 
In the meantime I disabled the Smart Connect rule again and in addition I renamed the SSID to differentiate the 2.4G. Then I connected to 2.4G and I have no access to the GUI. But on 5G I can still access it.
Here is the output:
Code:
router@asus:/tmp/home/root# ebtables -t filter -L --Lmac2 --Lc --Ln
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: ACCEPT
1. -p IPv4 -i eth2 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 0 -- bcnt = 0
2. -p IPv4 -i eth1 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 177 -- bcnt = 10620

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
I think it seems that 5G is not dropping traffic. I have Smart Connect off, and my phone on 2Ghz and my laptop on 5Ghz.
Please, could this be a hint?
Thank you!
 
Another hint is that I cannot see eth2 with the command below, even though I still have Smart Connect off.
Code:
router@asus:/tmp/home/root# brctl show
bridge name   bridge id       STP enabled   interfaces
br0       8000.3497f6229900   no              vlan1
                                               eth1
So I am wondering what ethX 5Ghz network is used on AC88U?

Even so, I added the rules below (eth2 and even eth3) without success. Only 2Ghz is dropped to gui.
Code:
ASUSWRT-Merlin RT-AC88U 380.70-0 Sun Apr  8 18:06:08 UTC 2018
router@asus:/tmp/home/root# ebtables -t filter -L --Lmac2 --Lc --Ln
Bridge table: filter

Bridge chain: INPUT, entries: 3, policy: ACCEPT
1. -p IPv4 -i eth3 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 0 -- bcnt = 0
2. -p IPv4 -i eth2 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 0 -- bcnt = 0
3. -p IPv4 -i eth1 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 13 -- bcnt = 780

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

Could you please help me out?
Thanks!
 
So I am wondering what ethX 5Ghz network is used on AC88U?
I added the rules below (eth2 and even eth3) without success. Only 2Ghz is dropped to gui.

Have you checked
Code:
cat /proc/net/dev
or even the NVRAM variables
Code:
nvram show | grep eth1
for the valid active interfaces?
 
Thanks, here we can see the output:
Code:
router@asus:/tmp/home/root# cat /proc/net/dev
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 109462062  512337    0    0    0     0          0         0 109462062  512337    0    0    0     0       0          0
  ifb0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  ifb1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  fwd0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  fwd1:       0  122746    0    0    0     0          0         0  9712942   80488    0    0    0     0       0          0
   agg:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth0: 148053926  211238    0    0    0     0          0         0 145033826  212359    0    0    0     0       0          0
 dpsta:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  eth1: 1288527    5998    0    0    0     0          0        99  3897252   12264    0   23    0     0       0          0
  eth2:       0       0    0    0    0     0          0         0 130816715  122770    0    0    0     0       0          0
 vlan1: 9563274   80488    0    0    0     0          0       596 12887949   39082    0    0    0     0       0          0
 vlan2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
   br0: 24293715  167588    0    0    0     0          0         0 15258067   46108    0    0    0     0       0          0
  ppp0: 134483466  128742    0    0    0     0          0         0 12471201   87612    0    0    0     0       0          0
 tun21:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
 tun15: 5222463   10095    0    0    0     0          0         0  1656391   12356    0    0    0     0       0          0
router@asus:/tmp/home/root# nvram show | grep eth1
wl0_ifname=eth1
wl1_bsd_if_select_policy=eth1
size: 61746 bytes (69326 left)
bsd_ifnames=eth1 eth2
lan_ifnames=vlan1 eth1 eth2
wl_ifnames=eth1 eth2
acs_ifnames=eth1 eth2
So eth2 exists, but has packets only for transmit, not for receive? Please, can you suggest what I should try next?
PS: it is not because of Dynamically Ban Malicious IP's using IPSet (Martineau version). I disabled it and still have access to the GUI via 5GHz.
Many thanks!
 
That's interesting. There's some code here to do with gmac3, which I totally don't understand. Anyway, as a random idea, try blocking using interface fwd1.
 
I locked fwd1. GUI can still be accessed via 5GHz. What about vlan1 (is this all traffic?) or tun15 (could be this VPN traffic)? Thanks!
Code:
Bridge chain: INPUT, entries: 2, policy: ACCEPT
1. -p IPv4 -i fwd1 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 0 -- bcnt = 0
2. -p IPv4 -i eth1 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 4 -- bcnt = 240
 
tun15 is the VPN. vlan1 is the LAN ports, so if you block that your wired connections won't have access.

There's some more information in lan.c about gmac3 : "In 3GMAC mode, skip wl interfaces that avail of hw switching". So I think that's what's happening. What do you get from:

nvram get gmac3_enable
nvram get fwd_wlandevs
 
Code:
router@asus:/tmp/home/root# nvram get gmac3_enable
1
router@asus:/tmp/home/root# nvram get fwd_wlandevs
eth2
Thanks. Means we are close?
 
Maybe. I suggest that you try disabling gmac3 and see if you start getting traffic going through the eth2 interface.

There may be a GUI option for this but I don't know, so:
Code:
nvram set gmac3_enable=0
nvram commit
reboot
Try this at your own risk. I have no idea what the consequences of that change will be (some sort of performance hit I would assume). The router might even change that value back again, I don't know.
 
Well then, I guess I don't use a VPN so I guess no reason to use Merlin.

Open source is really getting abandoned. As I said, the Asus router stock firmware already lets you specify an IP, but that's even easier to spoof than a MAC address. At least it's patching constantly when dd-wrt and other open source communities haven't updated for the AC68U in years?

The ISP routers even let you disable wireless logins. I'm starting to wonder if I would have been better off buying a commercial ISP router. Like Actiontec. I'm a little in shock. I think consumer routers are going to be as dead as open source software is soon.

It's just a sad day when ISP routers have progressed to the point of being way more secure than consumer routers. What is the world coming to. That backdoor port is not being exploited by anyone, yet they have all the security options to stop most low level actors that consumer routers no longer have because most morons constantly parrot that they are trivial, which in turn is really making open source obsolete and its communities seemingly naive ghost towns. Inside sabotage?

AGAIN> I don't live in the woods or no man's land where you don't have neighbors all around your apartment or house. Also in this day and age.... Only A FOOL trusts all the IoT devices on his wireless LAN.

And telling me to disable wireless is a real facetious and impractical reply.

RIP consumer router and open source communities. Don't blame the FTC or manufacturers, blame yourselves.

AES encryption is no easy task to hack. But if someone did have the desire, you're more concerned about people getting into your router? I could see that concern if you were all wireless, but since you want to disable wireless you must at least have a few wired devices and be fine.
 
Tried at my own risk. After those 3 commands and reboot the value is back to 1. Please any other thoughts? Thanks!
 
Thanks @ColinTaylor You got the fix. Here are the steps I used to make it work on RT-AC88U:
Code:
ASUSWRT-Merlin RT-AC88U 380.70-0 Sun Apr  8 18:06:08 UTC 2018
router@asus:/tmp/home/root# nano /jffs/scripts/firewall-start
#Source: https://www.snbforums.com/threads/option-to-disable-wirless-login.47786/page-3#post-418798
ebtables -D INPUT -i eth1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP
ebtables -I INPUT -i eth1 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP
ebtables -D INPUT -i eth2 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP
ebtables -I INPUT -i eth2 -p ip4 --ip-protocol tcp --ip-destination $(nvram get lan_ipaddr) --ip-destination-port 80 -j DROP

router@asus:/tmp/home/root# nvram get gmac3_enable
1
router@asus:/tmp/home/root# nvram get fwd_wlandevs
eth2
router@asus:/tmp/home/root#

#setting stop_gmac3=1
router@asus:/tmp/home/root# nvram set stop_gmac3=1
router@asus:/tmp/home/root# nvram commit
router@asus:/tmp/home/root# reboot

#after reboot
router@asus:/tmp/home/root# nvram get gmac3_enable
0

router@asus:/tmp/home/root# ebtables -t filter -L --Lmac2 --Lc --Ln
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: ACCEPT
1. -p IPv4 -i eth2 --ip-dst 192.168.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 14 -- bcnt = 840
2. -p IPv4 -i eth1 --ip-dst 192.168.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 16 -- bcnt = 960

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
router@asus:/tmp/home/root#
I will try to find what 3GMAC mode is.
Edit1: Found this https://www.snbforums.com/threads/r...65-is-now-available.37295/page-38#post-419226
Thank you all a lot!
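
Added example, not part of the original thread or of the firmware's own scripts: the counter check used throughout this thread, automated. The function reads a listing in the format printed by `ebtables -t filter -L --Lc --Ln` and flags wireless interfaces whose GUI DROP rule never matches, marking those that are also listed in `fwd_wlandevs` (the case the thread traced to gmac3). The function name, the status labels and the embedded sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit hit counters of GUI DROP rules.
# audit_gui_rules LISTING WL_IFNAMES FWD_WLANDEVS PORT   (hypothetical helper)
# Prints "<ifname> <status> <pcnt>" for every wireless interface.
audit_gui_rules() {
    printf '%s\n' "$1" | awk -v wl="$2" -v fwd="$3" -v port="$4" '
    BEGIN {
        n = split(wl, ifs, " ")
        m = split(fwd, f, " ")
        for (i = 1; i <= m; i++) offl[f[i]] = 1
    }
    /^Bridge chain:/ { chain = $3; sub(/,$/, "", chain) }
    chain == "INPUT" && /-j DROP/ {
        ifname = ""; dport = ""; pcnt = 0
        for (i = 1; i < NF; i++) {
            if ($i == "-i") ifname = $(i + 1)
            if ($i == "--ip-dport") dport = $(i + 1)
            if ($i == "pcnt") pcnt = $(i + 2)
        }
        if (ifname != "" && dport == port) hits[ifname] += pcnt
    }
    END {
        for (i = 1; i <= n; i++) {
            w = ifs[i]
            if (!(w in hits))     s = "NO_RULE"       # nothing filters this radio
            else if (hits[w] > 0) s = "MATCHING"      # rule sees GUI traffic
            else if (w in offl)   s = "FWD_NO_HITS"   # in fwd_wlandevs, never hit
            else                  s = "NO_HITS"       # rule present, no traffic yet
            print w, s, ((w in hits) ? hits[w] : "-")
        }
    }'
}

# Constructed sample, modelled on the listing posted earlier in the thread.
SAMPLE_LISTING='Bridge chain: INPUT, entries: 2, policy: ACCEPT
1. -p IPv4 -i eth2 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 0 -- bcnt = 0
2. -p IPv4 -i eth1 --ip-dst 172.16.0.1 --ip-proto tcp --ip-dport 80 -j DROP , pcnt = 177 -- bcnt = 10620

Bridge chain: FORWARD, entries: 0, policy: ACCEPT'

# On the router: audit_gui_rules "$(ebtables -t filter -L --Lc --Ln)" \
#     "$(nvram get wl_ifnames)" "$(nvram get fwd_wlandevs)" 80
audit_gui_rules "$SAMPLE_LISTING" "eth1 eth2" "eth2" 80
```

Run it after generating some GUI requests from each band; a `FWD_NO_HITS` or `NO_RULE` line means that radio can still reach port 80 on the router.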
 