RT-AC68U: guest networks in AP mode using vlan and iptables

[robca]

I'm trying to set up a guest network for my IOT devices, and failing miserably

I have a main RT68U connected via WAN to the internet. I'm also running Diversion on this router. A second RT68U is configured as AP, and its WAN port is connected port 4 of the main RT68U. I only need to have a guest network (2.4 and 5GHz) on the AP, due to signal strength and the positioning of the IOT devices

I'm trying to use this https://www.snbforums.com/threads/expand-the-guest-network-to-two-merlin-routers.61231 as a guide.

On the AP, from the UI, I add guest networks for 2.4 and 5GHz, then from SSH I do the following (for now as individual commands, will use custom scripts once everything works)

robocfg vlan 101 ports "0t 5t"
vconfig add eth0 101
ifconfig vlan101 up

brctl addbr br1
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl addif br1 vlan101
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ifconfig br1 up

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan101 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram commit

killall eapd
eapd

That seems to work and create a vlan101, and the vlan cannot communicate with anything for now.

Then on the main RT68U, I add the following lines to a newly created /jffs/configs/dnsmasq.conf.add

interface=br1

dhcp-range=br1,192.168.20.2,192.168.20.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.20.1
dhcp-option=br1,6,192.168.20.1

and reboot. That allows dnsmasq to provide ip addresses to the vlan.

I create the same vlan101 on the main router, tied to lan port 4

robocfg vlan 101 ports "4t 5t"
vconfig add eth0 101
ifconfig vlan101 up
brctl addbr br1
brctl stp br1 on
brctl addif br1 vlan101
ifconfig br1 192.168.20.1 netmask 255.255.255.0
ifconfig br1 up
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan101"
nvram set lan1_ifname="br1"
nvram commit

And finally use iptables to ensure packets flow as expected (which I think it's the part where I have a problem). I get really confused by iptables and the author of that thread also seemed unsure

# Allow BR1 to access WAN
iptables -D FORWARD -i br1 -m state --state NEW -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# Prevent BR1 from accessing BR0 and vice versa
iptables -D FORWARD -i br1 -o br0 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

iptables -D FORWARD -i br0 -o br1 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

# I don t know what it does.
iptables -D INPUT -i br1 -m state --state NEW -j DROP >/dev/null 2>&1
iptables -I INPUT -i br1 -m state --state NEW -j DROP

# Allow DNSMASQ to distribute IP addresses for br1.
iptables -D INPUT -i br1 -p tcp --dport 53 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

# Allow DNSMASQ to distribute IP addresses for br1.
iptables -D INPUT -i br1 -p udp -m multiport --dport 53,67 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -p udp -m multiport --dport 53,67 -j ACCEPT

sleep 1
killall eapd
eapd

I can connect to the guest lan on the AP, and I get an IP address in the right range (so I know that the dnsmasq and part of the iptables commands work). But then I have no connectivity at all. It looks as if the vlan101 on the AP is not properly working.

I tried setting a vlan101 just on the main router, using all the same commands (just adding wl0.1 and wl1.1 where appropriate), and from that router everything works. So it looks as if the concept of creating a vlan, bridge and iptables works when everything is just on a single device

I think I have a problem where the vlan101 traffic on port 4 of the main router (which is the traffic from the AP) is not properly redirected. Clients connected to the guest network of the AP get an IP address, but cannot ping anything on the internet, nor access any internet resource.

Can someone please provide pointers to help me troubleshoot the problem? I don't expect to have the scripts fixed for me, but I'm way out of my depth here...

 

[robca]

Providing some additional information

I did notice that my main router had a CPU value of 8t not 5t

1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8

And in another post I found that if the NAT acceleration is enabled (Auto), CTF is on and it shows the CPU as 8t instead of 5t. Disabling that setting it goes back to 5t and now the basic redirection works. CFT optimization messes up quite a few things, so disabling it makes sense

Problem is, it's incredibly unreliable. The connection stops working every few seconds, and even trying to run a speedtest.net test, it usually hangs halfway or shows very unreliable speeds (I usually have around 80 mbps, with the vlan101 enabled it jumps from a few mbps to ~30mbps maximum). I checked the CPU load on the main router (and it's really low), so I'm not sure what I did wrong

Any pointer to help troubleshoot is appreciated

 

[eibgrad]

If you're trying to use a second router as an AP for guests or IOT devices, then all you have to do is daisy chain that second router (configured as a router), via its WAN, to the primary router's LAN, then add a couple rules to the secondary router's firewall to prevent those guests/IOTs from gaining access to the "upstream" primary router's network, and only the internet. Simple.

What you appear to be doing is making things much more difficult by converting the second router to *only* an AP, which then forces the primary router to take full responsibility for the AP's network using a new VLAN, modifying DNSMasq, etc., all of which is unnecessary.

Your current approach would make a lot more sense if you intended to use only *one* router to support both the primary and guest/IOTs networks, the latter via virtual APs and perhaps VLANs if you needed wired support too. But again, this is NOT necessary if you're working w/ multiple routers. Just assign each router responsibility for its own respective networks.

 

[eibgrad]

Not sure where a third device/router came into the discussion.

If you're saying that you want the second router to support *both* the primary router's network (let's say that's 192.168.1.x) and another network for guest/IOT devices (let's say that's 192.168.2.x), then it might be easier to use Tomato for the secondary router, since you can then disable the WAN (reassign it to the LAN), disable its DHCP server, assign it a LAN ip in the same network as the primary router, and patch them LAN to LAN, making it part of the primary router's network. At that point, you could define a new bridge (e.g., br1) and reassign the APs of the default bridge (br0) to that new bridge. Finally, a few firewall rules could be added to the secondary router to isolate the guests/IOTs from the primary network.

At least that's how *I* would do it.

Unfortunately, as good as Merlin is, its lack of support for defining additional bridges or VLANs in the GUI (AFAIK) makes things more difficult and error prone since you're forced to resort to scripting, so I personally avoid it whenever possible. Esp. when it's just easier to use Tomato, where most of this can be configured in the GUI.

Also, notice in my description that there's no need for additional VLANs. VLANs only come into the picture if you need *wired* support (not just wireless) for the guest/IOT network. If you do, then Tomato makes this much easier as well. Creating bridges and VLANs is all done in the GUI.

Just a thought.

 

[grifo]

Have you disabled CTF on your main router or on the AP? It has to be done on the AP, check out this post, it may be the post you've already looked at but I'm not sure you did that on the AP and not doing it causes exactly the unreliable connection you're experiencing.

 

[robca]

Have you disabled CTF on your main router or on the AP? It has to be done on the AP, check out this post, it may be the post you've already looked at but I'm not sure you did that on the AP and not doing it causes exactly the unreliable connection you're experiencing.

That was it! Thanks so much. Yes, as you suspected, I had disabled CTF only on the main router, not the AP. Once I disabled CTF (per the link you sent) on the AP and rebooted, everything started working as expected, with no performance issue. Truly appreciate the help

 

[robca]

Not sure where a third device/router came into the discussion.

If you're saying that you want the second router to support *both* the primary router's network (let's say that's 192.168.1.x) and another network for guest/IOT devices (let's say that's 192.168.2.x), then it might be easier to use Tomato for the secondary router, since you can then disable the WAN (reassign it to the LAN), disable its DHCP server, assign it a LAN ip in the same network as the primary router, and patch them LAN to LAN, making it part of the primary router's network. At that point, you could define a new bridge (e.g., br1) and reassign the APs of the default bridge (br0) to that new bridge. Finally, a few firewall rules could be added to the secondary router to isolate the guests/IOTs from the primary network.

At least that's how *I* would do it.

Unfortunately, as good as Merlin is, its lack of support for defining additional bridges or VLANs in the GUI (AFAIK) makes things more difficult and error prone since you're forced to resort to scripting, so I personally avoid it whenever possible. Esp. when it's just easier to use Tomato, where most of this can be configured in the GUI.

Also, notice in my description that there's no need for additional VLANs. VLANs only come into the picture if you need *wired* support (not just wireless) for the guest/IOT network. If you do, then Tomato makes this much easier as well. Creating bridges and VLANs is all done in the GUI.

Just a thought.

My bad, I misread your suggestion. Thanks for the additional explanation. Yes, now I see what you mean, definitely simpler. But I might need to run the same guest network even on the main router and might use wired connections, so I like the extra flexibility of the vlan. I got this to work for now, so I think I'm set but, just for my information: which build of Tomato do you use?

I looked around, and I can only find old Tomato builds for my RT-AC68U, from Dec 2017. I'd be worried about my security using builds that old. Is Tomato for the AC68U still updated?

 

[ColinTaylor]

I looked around, and I can only find old Tomato builds for my RT-AC68U, from Dec 2017. I'd be worried about my security using builds that old. Is Tomato for the AC68U still updated?

https://www.freshtomato.org/

 

[grifo]

That was it! Thanks so much. Yes, as you suspected, I had disabled CTF only on the main router, not the AP. Once I disabled CTF (per the link you sent) on the AP and rebooted, everything started working as expected, with no performance issue. Truly appreciate the help

You are very welcome. You can enable CTF on your main router if you don't have other reasons to keep it off as it is beneficial and it doesn't cause problems to this configuration .

 

[robca]

You are very welcome. You can enable CTF on your main router if you don't have other reasons to keep it off as it is beneficial and it doesn't cause problems to this configuration .

Thanks again. I just tried, but if I change it on the main router things stop working. Not sure why, but in any case my cable WAn is slow enough (~80mbps) that it should not make that much of a difference

Stupid question: is there a way to assign a MAC address to a vlan? I know I can assign router ports to a vlan, but I just realized that one of my IOT devices is behind an unmanaged switch so I can't use the port where the switch is connected (because it would also put all the other devices behind that switch on the vlan)

I know I can get a cheap managed switch and tag a vlan there, but I was wondering if I could use MAC addresses to route everything inside the AC68U

 

[grifo]

Thanks again. I just tried, but if I change it on the main router things stop working. Not sure why, but in any case my cable WAn is slow enough (~80mbps) that it should not make that much of a difference

Have you changed back the CPU port from 5 to 8 on robocfg?

Stupid question: is there a way to assign a MAC address to a vlan? I know I can assign router ports to a vlan, but I just realized that one of my IOT devices is behind an unmanaged switch so I can't use the port where the switch is connected (because it would also put all the other devices behind that switch on the vlan)

I know I can get a cheap managed switch and tag a vlan there, but I was wondering if I could use MAC addresses to route everything inside the AC68U

No there isn't a way to do that as a router or managed switch port can assign untagged traffic (eg. coming from an end device or an unmanaged switch) to only one vlan, if you need to use another vlan on the same port it has to be tagged so you need a managed switch.

 

[robca]

Have you changed back the CPU port from 5 to 8 on robocfg?

No, I didn't. Last time I tried to use port 8t my main router kept hanging. But it's well worth a try, didn't think about that, thanks. I will try it in a day or two, today my wife starts being pretty annoyed with all the network glitches

No there isn't a way to do that as a router or managed switch port can assign untagged traffic (eg. coming from an end device or an unmanaged switch) to only one vlan, if you need to use another vlan on the same port it has to be tagged so you need a managed switch.

That's what I thought... managed switch order placed, that was cheap enough not to think twice about it

Out of curiosity, if I may bother you once more. I tried connecting my AP to an unmanaged switch, and connect that unmanaged switch to port 4 of my main router. Everything still works, the vlan101 tagged packets from the AP go only to the internet, while the other devices on that switch go to the main network (vlan1). Here's the output from my robocfg show

   1: vlan1: 1 2 3 4 5t
   2: vlan2: 0 5
 101: vlan101: 4t 5t

Am I right in thinking that if I were to remove port 4 from vlan1, devices connected to port 4 would only be part of vlan101, while in my case the already tagged packets from the vlan101 are properly handled, and everything else on port 4 is treated as vlan1?

Still trying to wrap my head around how exactly a vlan and tagging works. It's ok if you prefer not o waste any more time on my questions, I will read some more...

 

[grifo]

Yes if you remove port 4 from vlan1 and untag vlan101 on it all untagged traffic on port 4 will be assigned to vlan101 so you could use port 4 as a dedicated port for your IOT and/or guest devices only but if you need the port for devices belonging to different vlans you have to assign it to multiple vlans and create a trunk (a link between 2 routers or managed switches that carries multiple vlans) between it and the managed switch you've bought which will then connect the single end devices.

Yep with your current configuration any frames tagged with vlan101 coming in port 4 will be assigned to vlan101 and everything else (eg. all untagged traffic coming from end devices either directly or via the unmanaged switch) will be assigned to vlan1.

Some unmanaged switches will forward vlan tagged frames but as the tag adds 4 bytes to ethernet frames, large frames may be dropped if over the MTU. Other unmanaged switches will drop them altogether. But the problem arises when you connect your end devices to the unmanaged switch as traffic originated from the end devices is untagged and the switch can't tag it so it will always end up on the untagged vlan1 at the router or AP end.

 

[robca]

That's great, thanks again for all your time and patience! It all makes sense now, as soon as the managed switch gets here, the last few IOT devices will be finally "segregated" to a dedicated vlan and I won't have to worry as much about IOT security, or lack thereof. As the joke goes, "security is the S in IOT"

The most worrisome devices were wireless only, so at least that part is secure now.

 

[grifo]

No probs. Be aware that there's one more moving part when doing SSIDs to VLANs, you have to create a couple of scripts both on the router and on the AP to reset the wlan guest interfaces to their correct bridge, else each time the wireless gets reset they'll go back to br0, see the last 2 paragraphs of this post for info and sample config.

 

[robca]

Are you saying that the wireless interfaces can get reset, even if I do not change anything? Or is that a risk only if I make changes on the AP?

I looked at your scripts, but I must say I'm confused by this statement "You need 2 scripts, one that looks out for wireless restarts ". That first script is executed at the end of a service, and I would have expected some sort of conditional statement to call the other script. How does your first script decide to call the other? I understand the need to check that $1 is restart and $2 is service, but I'm not sure how your script does that...

 

[grifo]

Are you saying that the wireless interfaces can get reset, even if I do not change anything? Or is that a risk only if I make changes on the AP?

They'll get reset each time the wireless restarts which happens after any change to the wireless configuration, like changing the channel number or another wifi parameter or turning off and on a guest wlan, which you are likely to do at some point. It can also happen after changes not strictly related to the wifi but that may still trigger a wireless restart and it may even happen without any changes if the router restarts the wireless on its own due to a problem.

I looked at your scripts, but I must say I'm confused by this statement "You need 2 scripts, one that looks out for wireless restarts ". That first script is executed at the end of a service, and I would have expected some sort of conditional statement to call the other script. How does your first script decide to call the other? I understand the need to check that $1 is restart and $2 is service, but I'm not sure how your script does that...

The service-event-end script is executed by the firmware after every wireless restart (or other events according to the parameters you add to it), that's the conditional part, it then calls the other script which assigns back the wlan guest interfaces to the right bridge.

 

[robca]

The service-event-end script is executed by the firmware after every wireless restart (or other events according to the parameters you add to it), that's the conditional part, it then calls the other script which assigns back the wlan guest interfaces to the right bridge.

I'm still confused, sorry. I understand that service-restart-end is called when any service call completes, and 2 parameters are passed, $1 and $2. First argument is the event (typically stop, start or restart), second argument is the target (wireless, httpd, etc...).

But your script seems to execute at every service-restart-end call, no matter what event and what service

grifo@r1:/jffs/scripts# cat service-event-end
#!/bin/sh
restart=$1
wireless=$2
#call script to reset bridges
sh /jffs/scripts/bridge-reset &

I'm not a good sh script writer, but the way I read your script, you assign two unused variable the $1 and $2 value, then just start a background process to your other script and terminate.

I would have expected something to check if the services-restart-end is called by the right service/event (i.e. $1=restart and $2=wireless), and only in that case start the other script

What am I missing?

 

[grifo]

I'm not a shell scripting expert either, I'm a network guy. I came up with that by trial and error and with some help by one of the forum star posters, @Martineau, and it works well, it never gave me any problems.

I remember I tried various combinations for the parameters syntax and settled with that which worked, keep in mind the service-event script was introduced relatively recently (firmware 384.5) and there were no example scripts on the forum. Here are the posts from back then.

If you or anyone else can improve it all the better.

 

[robca]

I'm not a shell scripting expert either, I'm a network guy. I came up with that by trial and error and with some help by one of the forum star posters, @Martineau, and it works well, it never gave me any problems.

I remember I tried various combinations for the parameters syntax and settled with that which worked, keep in mind the service-event script was introduced relatively recently (firmware 384.5) and there were no example scripts on the forum. Here are the posts from back then.

If you or anyone else can improve it all the better.

I'll play with it and see if I can get the logic to work

I actually think that your script simply runs every time that a service-end event is fired, for any reason, and only the last line is needed (or, even simpler, just rename the second script service-event-end: it will take a fraction of a second more to run and return, but it's not blocking anyway). Given that you simply set values that do not influence anything else, worst case it runs for nothing and simply sets the values to the same value they have at that time, and in the best case (i.e. when the event is really for a wireless restart), it does what needs to be done

I don't think that service-event-end is invoked frequently enough to worry about the fraction of time it takes to run a script even if not needed. And the two extra restart=$1 and wireless=$2 have no effect, but also cause no real delay. But the programmer in me hates seeing inefficient code so I guess that's why i'm trying to figure out better ways to do it

Anyway, got everything I needed, hanks again for all the help