Repeater connected to Guest SSID bypassing Access Intranet = Disable


I am still experiencing this issue as well. What about using AiMesh? Then, with the Pro beta firmware, I think you can disable SSIDs on certain nodes.

All AiMesh on 386 and 388 code (not beta, stable) lets you propagate Guest Wireless 1 with isolation enabled to all nodes.
 
If you just configure the repeater as standalone (not WDS) and join it to the guest network, it won't isolate clients from each other but should still block them from hitting your main LAN, though I haven't tried it personally.
I just tried, it is NOT fixed.

Steps:

- Create guest network 1 with intranet disabled on the main router (388.2, tried both latest stock and Merlin).
- Connect to the guest network, confirm I am indeed in the VLAN.
- Set up the second router in Repeater mode, connect it to the guest network.
- Connect to the repeater.
- I am now in the intranet, with full access to intranet clients, to the main router admin, and to the main router Samba shares.
 
All AiMesh on 386 and 388 code (not beta, stable) lets you propagate Guest Wireless 1 with isolation enabled to all nodes.

You are correct that AiMesh does carry the guest 1 isolation. However, AiMesh also doesn't allow disabling the main SSID on the node. I don't want devices connected to my main SSID to roam to it. Manually pinning all my clients to stay on the master isn't realistic either.
 
You are correct that AiMesh does carry the guest 1 isolation. However, AiMesh also doesn't allow disabling the main SSID on the node. I don't want devices connected to my main SSID to roam to it. Manually pinning all my clients to stay on the master isn't realistic either.
Exact issue I ran into today, and the same reason why I did not do AiMesh. I ended up using a different repeater that was not Asus, but this is a major security flaw. How has it been going on for years now when Asus has known about it?
 
I just tried, it is NOT fixed.

Steps:

- Create guest network 1 with intranet disabled on the main router (388.2, tried both latest stock and Merlin).
- Connect to the guest network, confirm I am indeed in the VLAN.
- Set up the second router in Repeater mode, connect it to the guest network.
- Connect to the repeater.
- I am now in the intranet, with full access to intranet clients, to the main router admin, and to the main router Samba shares.

AiMesh is the only official way to do it, but using a repeater connected wirelessly to the guest SSID (not WDS, just a plain repeater) should isolate anyone connected to that repeater from the main router interface and the main LAN. It won't isolate them from the repeater interface or other things connected to the repeater.

WDS works differently and that likely won't isolate anything.
 
You are correct that AiMesh does carry the guest 1 isolation. However, AiMesh also doesn't allow disabling the main SSID on the node. I don't want devices connected to my main SSID to roam to it. Manually pinning all my clients to stay on the master isn't realistic either.

Put the clients in roaming block list?
 
Exact issue I ran into today, and the same reason why I did not do AiMesh. I ended up using a different repeater that was not Asus, but this is a major security flaw. How has it been going on for years now when Asus has known about it?

It is not a security flaw, and they provided a solution with AiMesh. If you need something more customizable than that, look at Ubiquiti, MikroTik, etc. The upcoming Pro guest features from Asus may add some of what you need.

Have you tried YazFi?
 
It is not a security flaw, and they provided a solution with AiMesh. If you need something more customizable than that, look at Ubiquiti, MikroTik, etc. The upcoming Pro guest features from Asus may add some of what you need.

Have you tried YazFi?
If something is allowing access where it should not, that's a security flaw. Asus Pro firmware has just enough features for me, but it needs tweaks.
 
If something is allowing access where it should not, that's a security flaw. Asus Pro firmware has just enough features for me, but it needs tweaks.
Agreed, this is clearly a flaw. I shouldn't be able to trivially access someone's intranet if they give me their isolated guest SSID password...

Can you tell me more about this Pro firmware? Where can I find it, and is it compatible with the regular AX86U?
 
If something is allowing access where it should not, that's a security flaw. Asus Pro firmware has just enough features for me, but it needs tweaks.

What exactly is allowing access that it says it isn't?
 
Agreed, this is clearly a flaw. I shouldn't be able to trivially access someone's intranet if they give me their isolated guest SSID password...

Can you tell me more about this Pro firmware? Where can I find it, and is it compatible with the regular AX86U?

You need to know how to set things up correctly, and the limitations of home gear when you get into repeaters/access points hanging off a router. You'll run into this with any home based gear. There are options like Yazfi that may help. AiMesh does what you need it to, I'm sure you can find a way to tweak it so your main SSID is hidden or doesn't allow your clients to roam to it.

But it isn't a flaw if the repeater/AP is not claiming to isolate anything.
 
What exactly is allowing access that it says it isn't?
OK, I will try to explain it another way. Say you are a small business owner with a coffee shop who is using one of these Asus routers. You are allowing free internet access to customers and have it posted on the wall. Anyone can use another Asus router in repeater mode and select your guest network to connect to, since they have the password, and gain full access to your main WiFi network. Guetech also explained it pretty well, I thought.
 
Can you tell me more about this Pro firmware? Where can I find it, and is it compatible with the regular AX86U?
There is the RT-AX86U and then there is the RT-AX86U Pro. Two different routers using different firmware. The Pro version may have additional features not found on the non Pro router.
 
OK, I will try to explain it another way. Say you are a small business owner with a coffee shop who is using one of these Asus routers. You are allowing free internet access to customers and have it posted on the wall. Anyone can use another Asus router in repeater mode and select your guest network to connect to, since they have the password, and gain full access to your main WiFi network. Guetech also explained it pretty well, I thought.

How exactly can they do that? They would be able to see other guests connected to that repeater that they take from your guest network (man-in-the-middle attack), but it does not give them access to your main LAN. There are ebtables and iptables rules on the main router that prevent that.
 
Agreed, this is clearly a flaw. I shouldn't be able to trivially access someone's intranet if they give me their isolated guest SSID password...

Can you tell me more about this Pro firmware? Where can I find it, and is it compatible with the regular AX86U?
Here is the list someone posted in another thread. The firmware allows you to create guest networks on their own subnet, and you can also assign them to switch ports in access or trunk mode.

VLAN supported models:
  • RT-AX86U Pro, RT-AX88U Pro
  • GT-AX11000 Pro, GT-AXE16000, GT-AX6000
  • ZenWiFi_Pro_ET12, ZenWiFi_Pro_XT12
  • ExpertWiFi Series
 
How exactly can they do that? They would be able to see other guests connected to that repeater that they take from your guest network (man-in-the-middle attack), but it does not give them access to your main LAN. There are ebtables and iptables rules on the main router that prevent that.
It puts you on the main network. You get an IP on the main network and not the guest one. As mentioned, it's a security flaw. I have not dug deep into the logs to figure out why exactly. Several people have confirmed this; if you don't believe us, try it yourself.
 
OK, I will try to explain it another way. Say you are a small business owner with a coffee shop who is using one of these Asus routers. You are allowing free internet access to customers and have it posted on the wall. Anyone can use another Asus router in repeater mode and select your guest network to connect to, since they have the password, and gain full access to your main WiFi network. Guetech also explained it pretty well, I thought.

This is the flow:

Repeater -> Guest SSID on main router (with Access Intranet disabled) -> WL logical interface -> ebtables rules dropping traffic destined for the main LAN subnet -> iptables INPUT rules blocking traffic destined to the router -> iptables FORWARD rules blocking traffic to the main LAN.
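Two checks for the setup in the reproduction steps above and for the ebtables/iptables flow just described, added here as an example script; it is not code from the thread, from Asus, or from Merlin. It assumes 192.168.101.0/24 as the Guest Network 1 subnet, 192.168.1.0/24 as the main LAN, 192.168.1.1 as the main router, wl0.1 as the 2.4 GHz Guest Network 1 interface, and an ebtables rule layout that is only a guess at how the firmware writes its guest isolation rules; the broute listing inside is constructed, not captured from a router. The `classify_client` and `lan_drop_rule_present` helpers are pure and run anywhere; the live probes only run when asked for.

```shell
#!/bin/sh
# Added example, not from this thread and not Asus firmware code. Two checks for
# the "repeater on the guest SSID" setup discussed above:
#   1. on a client behind the repeater: which subnet did it land on, and does the
#      main router's admin page answer?
#   2. on the main router: does the `ebtables -t broute -L` listing carry a DROP
#      rule for traffic from the guest interface to the main LAN subnet?
# Assumed values (override via environment): 192.168.101.0/24 as the Guest
# Network 1 subnet, 192.168.1.0/24 as the main LAN, 192.168.1.1 as the router,
# wl0.1 as the 2.4 GHz Guest Network 1 interface.
GUEST_CIDR="${GUEST_CIDR:-192.168.101.0/24}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.1.1}"
GUEST_IF="${GUEST_IF:-wl0.1}"

# ip_in_cidr IP CIDR -> exit 0 if IP lies inside CIDR. Works octet by octet, so it
# needs no 32-bit arithmetic and runs in busybox ash on the router as well as dash/bash.
ip_in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  set -- $(printf '%s' "$1.$net" | tr '.' ' ')   # now $1..$4 = IP, $5..$8 = network
  i=0
  while [ "$i" -lt 4 ]; do
    if [ "$bits" -ge 8 ]; then m=255
    elif [ "$bits" -le 0 ]; then m=0
    else m=$(( 256 - (1 << (8 - bits)) ))
    fi
    [ $(( $1 & m )) -eq $(( $5 & m )) ] || return 1
    bits=$(( bits - 8 ))
    shift
    i=$(( i + 1 ))
  done
  return 0
}

# classify_client IP GUEST_CIDR LAN_CIDR -> prints guest, main-lan or unknown.
# "main-lan" for a client that joined through the repeater is the symptom reported above.
classify_client() {
  if ip_in_cidr "$1" "$2"; then echo guest
  elif ip_in_cidr "$1" "$3"; then echo main-lan
  else echo unknown
  fi
}

# lan_drop_rule_present LISTING IFACE CIDR -> exit 0 if LISTING contains a rule
# with "-i IFACE", "--ip-dst CIDR" and "-j DROP" on one line. The rule layout it
# looks for is an assumption about the firmware's guest isolation rules.
lan_drop_rule_present() {
  printf '%s\n' "$1" | grep -F -- "-i $2 " | grep -F -- "--ip-dst $3 " | grep -qF -- "-j DROP"
}

# Constructed sample of an `ebtables -t broute -L` listing, not captured from a
# real router: wl0.1 carries LAN drop rules, wl0.2 has none.
SAMPLE_BROUTE='Bridge table: broute

Bridge chain: BROUTING, entries: 3, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto udp -j DROP
-p ARP -i wl0.1 --arp-ip-dst 192.168.1.0/24 -j DROP'

# live_probe: run on a Linux client connected to the repeater (needs ip(8) and curl).
# Only executed when the script is started as: sh isolation_check.sh probe
live_probe() {
  my_ip=$(ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | head -n 1)
  echo "client address $my_ip -> $(classify_client "$my_ip" "$GUEST_CIDR" "$LAN_CIDR")"
  code=$(curl -s -m 3 -o /dev/null -w '%{http_code}' "http://$ROUTER_IP/" || true)
  echo "main router admin page http://$ROUTER_IP/ -> HTTP $code (000 means unreachable, which is what isolation should give)"
}

# router_check: run over SSH on the main router.
# Only executed when the script is started as: sh isolation_check.sh router
router_check() {
  if lan_drop_rule_present "$(ebtables -t broute -L)" "$GUEST_IF" "$LAN_CIDR"; then
    echo "ebtables: DROP rule for $GUEST_IF -> $LAN_CIDR present"
  else
    echo "ebtables: no DROP rule for $GUEST_IF -> $LAN_CIDR found"
  fi
}

case "${1:-}" in
  probe)  live_probe ;;
  router) router_check ;;
esac
```

Run `sh isolation_check.sh probe` on a laptop joined to the repeater and `sh isolation_check.sh router` on the main router. A client that reports `main-lan` and gets an HTTP 200 from the router page is on the intranet, which is the result reported in the steps above. If the router check finds the DROP rule for wl0.1 while the client still lands on the LAN, the rules are in place but the repeater's traffic is not being matched by them, so the interface the repeater's frames actually arrive on is the next thing to look at.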
 
I just tried, it is NOT fixed.

Steps:

- Create guest network 1 with intranet disabled on the main router (388.2, tried both latest stock and Merlin).
- Connect to the guest network, confirm I am indeed in the VLAN.
- Set up the second router in Repeater mode, connect it to the guest network.
- Connect to the repeater.
- I am now in the intranet, with full access to intranet clients, to the main router admin, and to the main router Samba shares.

I wonder if the repeater is somehow getting the main router's non-guest WiFi PSK during setup? Can you run this command on the repeater's command line:
Code:
nvram show | grep psk
 
This is the flow:

Repeater -> Guest SSID on main router (with Access Intranet disabled) -> WL logical interface -> ebtables rules dropping traffic destined for the main LAN subnet -> iptables INPUT rules blocking traffic destined to the router -> iptables FORWARD rules blocking traffic to the main LAN.
That might be the way it's designed to work, but when using an Asus router in repeater mode, that is not the way it works.
 
It puts you on the main network. You get an IP on the main network and not the guest one. As mentioned, it's a security flaw. I have not dug deep into the logs to figure out why exactly. Several people have confirmed this; if you don't believe us, try it yourself.

Like I said, disable WDS on the main router and just set up your repeater as a standalone repeater. They are not updating or fixing anything with WDS; the technology is old, insecure, and flawed.

If you're running a coffee shop and letting anyone add a WDS node, you should focus on coffee and hire someone to set up your wifi.

Pulled out an AP last night and connected it as a repeater on my guest network; guests on that AP get 192.168.101.x IPs and cannot hit the main LAN or the main router.
 