RT-AX86U Pro LAN Port on Guest Network


rung

Regular Contributor
As I wait for a 3006 version of Merlin for my RT-AX86U Pro to get VLAN capability someday, I have been moving some less trusted devices to GW1, which acts somewhat like an IoT VLAN. Some of the devices are connecting to the AX3000 mesh node and some are local to the RT-AX86U Pro. I feel this setup is safer: if any device gets malware, the attack surface would be reduced (i.e. more isolated from the router admin interfaces and PCs).

Okay, so here is where I am uncertain: I have a VOIP device connected to eth3 on the RT-AX86U Pro and wanted to move it to GW1 as well. I have added the following commands to my services-start script:
Bash:
brctl delif br0 eth3 >/dev/null 2>&1 # remove eth3 from main network
brctl addif br1 eth3 >/dev/null 2>&1 # add eth3 to guest network

This seems to work fine. The device uses DHCP and now gets an IP in the GW1 IP range instead, while also connecting properly to its external services. To further test the behavior of the port, I hooked up a laptop on eth3 instead and found that it could still see all devices on 192.168.101.xxx (i.e. it is not fully isolated). The good news is it cannot see anything on the main network and the DNS on 192.168.101.1 works as expected.

Now does anyone see any issues with what I did and do you recommend any changes or additions (e.g. ways to further isolate the port)?

Thanks,
Rung
 
I wanted to add that I am concerned that this was just way too easy. I must be missing something. I read through a bunch of posts and scripts for something similar and they were all much more complicated. Is this only because of my model, or has something changed with the recent firmware to make this easier for all models? I would have thought this feature would be useful enough for others for it to be a normal option or an add-on by now.
 
I have not been successful in isolating the eth3 port and hope someone here can help. For example, I tried to replicate the other broute rules with the following commands:
Bash:
#!/bin/sh
# Port being isolated and the GW1 address space it now sits in
PORT="eth3"
LAN_SUBNET="192.168.101.0/24"
ROUTER_IP="192.168.101.1"

# Delete any copies left from an earlier run so the rules are not duplicated
# (errors about missing rules are expected on a fresh boot)
ebtables -t broute -D BROUTING -p IPv4 -i $PORT --ip-dst $ROUTER_IP --ip-proto icmp -j ACCEPT
ebtables -t broute -D BROUTING -p IPv4 -i $PORT --ip-dst $LAN_SUBNET --ip-proto icmp -j DROP
ebtables -t broute -D BROUTING -p IPv4 -i $PORT --ip-dst $ROUTER_IP --ip-proto tcp --ip-dport 53 -j ACCEPT
ebtables -t broute -D BROUTING -p IPv4 -i $PORT --ip-dst $LAN_SUBNET --ip-proto tcp -j DROP
ebtables -t broute -D BROUTING -p IPv4 -i $PORT --ip-dst $LAN_SUBNET -j SKIPLOG

# ICMP and DNS to the router are bridged (ACCEPT); other ICMP/TCP to the GW1
# subnet is handed up to the IP stack (in the broute table, DROP means
# "route", not "discard", so iptables sees those frames)
ebtables -t broute -A BROUTING -p IPv4 -i $PORT --ip-dst $ROUTER_IP --ip-proto icmp -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i $PORT --ip-dst $LAN_SUBNET --ip-proto icmp -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i $PORT --ip-dst $ROUTER_IP --ip-proto tcp --ip-dport 53 -j ACCEPT
ebtables -t broute -A BROUTING -p IPv4 -i $PORT --ip-dst $LAN_SUBNET --ip-proto tcp -j DROP
ebtables -t broute -A BROUTING -p IPv4 -i $PORT --ip-dst $LAN_SUBNET -j SKIPLOG

I confirmed the rules are working because the counts are increasing but the port can still see the other clients on GW1. I am guessing I still need to add some rules to iptables but don't know where to start.
 
I can't see the point of messing w/ a firmware that doesn't support VLANs natively. Esp. when you can just daisy-chain an old router (or pick one up off eBay or the local thrift store for cheap, $20-30) that supports FreshTomato or DD-WRT, add the appropriate firewall rules to prevent access to the upstream private IP network (unless you want it to have such access, or limited access), and voila, you're in business.

You could even connect such a router as a wireless client (!) (aka WISP router), so it doesn't even need to be physically local to the primary router. In your own case, it could be sitting right next to the VOIP adapter.

Using a separate/subordinate router is far more powerful a solution because it offers so many other options. And you may already own a suitable router otherwise doing nothing. Think of all the AC routers users are going to be (foolishly) dumping in the next few months as they reach EOL w/ ASUS. The RT-AC68U (and its variants, like the T-Mobile TM-AC1900) and RT-AC88U come to mind specifically as great candidates. But even an old wireless G/N router will do the trick, esp. for low bandwidth applications like the VOIP adapter.
 
I have an ac68u that I want to use in the way you described but I'm not sure how to do it. I put freshtomato on it, but how do I set up firewall rules so that the tomato router is isolated from local devices and is only for guest internet access?
Thanks
 
I am guessing I still need to add some rules to iptables but don't know where to start.

So I could never get either iptables or ebtables to isolate the LAN port. The filters are seeing the traffic but do not seem to be able to filter it. I am assuming there is some hardware acceleration happening that causes the data to flow unimpeded by the software. So, mostly for my own edification, I decided to create a new virtual bridge for the port by mimicking what is done for GW1 on br1.

First, I added the following to the services-start script. The commands create a new virtual bridge, move the LAN port that I want to isolate from br0 to the new one (br_iso), and assign a separate address space to it:
Bash:
#!/bin/sh
ISO_PORT="eth3" # LAN port to be moved to isolated network
ISO_BR="br_iso" # Bridge name of isolated network
ROUTER_IP="192.168.200.1" # Router IP on new isolated network

brctl addbr $ISO_BR # create new bridge
brctl stp $ISO_BR on # turn on STP
brctl delif br0 $ISO_PORT # remove isolated port from main network
brctl addif $ISO_BR $ISO_PORT # add isolated port to new isolated network
ifconfig $ISO_BR $ROUTER_IP netmask 255.255.255.0 # set new IP address space
ifconfig $ISO_BR allmulti up # turn on allmulti and bring the bridge up

Next, I set up a new DHCP server for this new address space by adding the following to the dnsmasq.postconf script:
Bash:
#!/bin/sh
CONFIG=$1 # path of the dnsmasq.conf being generated, passed in by the firmware
source /usr/sbin/helper.sh # provides pc_append

ISO_BR="br_iso" # Bridge name of isolated network
ROUTER_IP="192.168.200.1" # Router IP on new isolated network
DHCP_RANGE="192.168.200.2,192.168.200.254" # DHCP IP range on new isolated network

# Listen on the new bridge, hand out leases in its range, and advertise the
# bridge address as the default gateway (option 3). dnsmasq tags each request
# with the name of the interface it arrived on, so the bridge name selects the range.
pc_append "interface=$ISO_BR" "$CONFIG"
pc_append "dhcp-range=$ISO_BR,$DHCP_RANGE,255.255.255.0,86400s" "$CONFIG"
pc_append "dhcp-option=$ISO_BR,3,$ROUTER_IP" "$CONFIG"

Finally, I updated the firewall by mimicking the firewall INPUT and FORWARD rules that are used for GW1/br1. The commands added to the firewall-start script will limit access to the router to DHCP and DNS and only allow data to be sent out of the WAN (to nowhere else in the network).
Bash:
#!/bin/sh
WAN_PORT=$1 # firewall-start receives the WAN interface name as its first argument
ISO_BR="br_iso" # Bridge name of isolated network

# Update INPUT chain
In=$(($(iptables --line-numbers -v -t filter -L INPUT | grep gre | awk '{ print $1 }')+1)) # insert new INPUT rules after gre accept rule

# Every -I uses the same position, so the DROP goes in first and each
# ACCEPT is then inserted ahead of it
iptables -I INPUT $In -i $ISO_BR -j DROP # Deny general access to router
iptables -I INPUT $In -i $ISO_BR -p udp -m udp --dport 68 -j ACCEPT # Except allow DHCP
iptables -I INPUT $In -i $ISO_BR -p udp -m udp --dport 67 -j ACCEPT # Except allow DHCP
iptables -I INPUT $In -i $ISO_BR -p tcp -m tcp --dport 53 -j ACCEPT # Except allow DNS
iptables -I INPUT $In -i $ISO_BR -p udp -m udp --dport 53 -j ACCEPT # Except allow DNS

# Update FORWARD chain
Fn=$(iptables --line-numbers -v -t filter -L FORWARD | grep '!br0' | awk '{ print $1 }') # insert new FORWARD rule before global guest bridge drop rule

iptables -I FORWARD $Fn -i $ISO_BR -o $WAN_PORT -j ACCEPT # Allow output traffic to WAN (related returns already allowed)

The results work well. The only drawback I see right now is that the device on the isolated port doesn't show up anywhere on the various client lists like it did when I was piggybacking off of GW1. I have a script that lists all the devices connected to all the virtual bridges right now. Maybe I could create an add-on to display the results in the UI?

Anyone see any risks and problems with my approach?

Thanks,
Rung

*edit: missed a line from the services-start script
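Added example, not from the thread or the firmware: a first-match walk over "iptables -S FORWARD" style output for one NEW packet, understanding only -i/-o (with "!") and --state, to show why the br_iso ACCEPT has to sit above the "! -i br0" DROP that the Fn lookup above targets. The rule dumps are constructed and shortened, and "eth0" stands in for whatever WAN interface firewall-start receives.

```shell
#!/bin/sh
# Added example (not from the thread): a first-match walk over "iptables -S FORWARD"
# output for one NEW packet. It only understands -i/-o (with "!") and --state, which is
# enough to show why the br_iso ACCEPT has to sit above the "! -i br0" DROP.

# Constructed rule dumps (shortened; a real Asuswrt chain is longer). "eth0" stands
# in for the WAN interface that firewall-start receives as $1.
RULES_GOOD='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o br0 -j DROP
-A FORWARD -i br_iso -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -j DROP
-A FORWARD -i br0 -j ACCEPT'

# Same rules, but the br_iso ACCEPT appended (-A) instead of inserted before the DROP
RULES_BAD='-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -o br0 -j DROP
-A FORWARD ! -i br0 -j DROP
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -i br_iso -o eth0 -j ACCEPT'

# forward_verdict IN_IF OUT_IF RULES: print ACCEPT or DROP for a NEW packet
forward_verdict() {
  printf '%s\n' "$3" | awk -v in_if="$1" -v out_if="$2" '
    $1 == "-P" { policy = $3; next }        # chain policy: used if nothing matches
    $1 == "-A" {
      ok = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i")      { if ($(i+1) != in_if)  ok = 0; i++ }
        else if ($i == "-o") { if ($(i+1) != out_if) ok = 0; i++ }
        else if ($i == "!" && $(i+1) == "-i") { if ($(i+2) == in_if)  ok = 0; i += 2 }
        else if ($i == "!" && $(i+1) == "-o") { if ($(i+2) == out_if) ok = 0; i += 2 }
        else if ($i == "--state") { if ($(i+1) !~ /NEW/) ok = 0; i++ }  # packet is NEW
        else if ($i == "-j") { target = $(i+1); i++ }
      }
      if (ok && (target == "ACCEPT" || target == "DROP")) { verdict = target; exit }
    }
    END { print (verdict != "" ? verdict : policy) }'
}

# Walk the cases the thread cares about: WAN reachable, br0/br1 not
for pair in "br_iso eth0" "br_iso br0" "br_iso br1" "br0 eth0"; do
  set -- $pair
  echo "$1 -> $2: good=$(forward_verdict "$1" "$2" "$RULES_GOOD") bad=$(forward_verdict "$1" "$2" "$RULES_BAD")"
done
```

On a live router the same function can be fed the real dump with `iptables -S FORWARD`, which is a quick way to confirm the inserted rule landed where intended after a firewall restart.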
 
Thanks. Where do you put this script? Can you do this in the GUI?

I assume you're using FT (FreshTomato) as I suggested. Go to Administration->Scripts and paste it in the Firewall tab. Save and Reboot.
 