sbnMerlin 1.2.6 - Network Isolation Tool based on Guest Networks, June 26 2024

[janico82]

Hello Guys,

I'm writing this post to share the update version of the script I made that automatically creates ethernet bridge instances {bridge} for network isolation, based on the active Guest Networks. An ethernet bridge is a device commonly used to aggregate other individual ethernets (like: eth1, eth2, wl0.1, …) into one bigger ('logical') ethernet, this bigger ethernet corresponds to the bridge network interface. So it’s possible to create automatic separated networks allowing to isolate Guest Network traffic from the main network (lan).

The script was based on Renjie Wu’s blog post about "LAN port isolation" and the well-known script: YazFi from @Jack Yaz

This script is able to work with Wireless guest networks (wl0.2, wl0.3, wl1.2 and wl1.3) on AsusWRT-Merlin, and allows to:
* Automatic creation of ethernet bridge instances, based on active guest wireless networks and settings.
* Manage wireless interface isolation, for the interfaces mapped in the bridge instance.
* Map other ethernet interfaces to the bridge instance.
* Manage Internet and one-way access for the bridge instance.
* Custom DHCP(ip range, default gateway and static list) and DNS settings for the bridge instance.
* Custom ethernet bridge and packet filtering rules for the bridge instance.

For ethernet bridge instances created by AsusWRT-Merlin (br1 and br2), the script allows to:
* Manage wireless interface isolation, for the interfaces mapped in the bridge instance.
* Map other ethernet interfaces to the bridge instance.
* Manage Internet and one-way access for the bridge instance.
* Custom DHCP(static list) and DNS settings for the bridge instance.
* Custom ethernet bridge and packet filtering rules for the bridge instance.

** ChangeLog **
v.1.2.6
* New feature: structural change in order to support tri-band and quad-band devices. [Thanks to @Martinski ] **attention** Please check the configuration file changes in FAQs, and the new port mapping features.
v.1.2.5
* Bugfix: intranet connection problem that allows bridge(br0) ethernet devices to connect to other ethernet devices on other bridges.
* Bugfix: wireless connection problem that forbids device connection between devices in the same bridge.
* New feature: more control on custom iptables rules that allow connection between a single IP addresses cross bridges. [Thanks to @arne123 ]
* New feature: more control on custom ebtables and iptables rules, that allows to control the insertion “-I” or deletion “-D” of other rules created by Asuswrt-Merlin or sbnMerlin. **attention** Custom rules must be reviewed.
v.1.2.4
* Bugfix: enable Spanning Tree Protocol for the default bridge(br0) when using sbnMerlin.
* Bugfix: regex formula problem applied to the custom iptables nat table. [Thanks to @arne123 ]
* Bugfix: internet access iptables rule optimization, and problem in iptables with dual wan failover or load balance. [Thanks to @arne123 and @Mikey Dread ]
v.1.2.1
* New feature: ability to configure bridge-specific DNS servers. [Thanks to @visortgw ]
* Bugfix: dnsmasq and hosts files miss configuration with multiple bridges caused by wrong sed pattern. [Thanks to @arne123 ]
* Bugfix: problem with the removal of bridge(br9) when the SSID of wl0.3 and wl1.3 are changed to a different name. [Thanks to @visortgw ]

**ATTENTION**: This script is not compatible with other network isolation scripts, and with Asus' Guest Network Pro available in the 3006.102.1-beta 1 firmware version [Thanks to @visortgw ].

Running configuration example:

root:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.04421xxxxxxx       no              eth1
                                                        eth5
                                                        eth6
                                                        eth6.0
                                                        eth7
                                                        eth7.0                                        
br1             8000.04421xxxxxxx       yes             eth1.501
                                                        eth3
                                                        eth3.501
                                                        eth5.501
                                                        eth6.501
                                                        eth7.501
                                                        wl0.1
br8             8000.04421xxxxxxx       yes             eth2
                                                        eth4
                                                        wl0.2
                                                        wl1.2

root:/tmp/home/root# ifconfig br0
br0       Link encap:Ethernet  HWaddr ab:cb:ef:01:23:45
          inet addr:192.168.50.1  Bcast:192.168.50.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:379423 errors:0 dropped:8 overruns:0 frame:0
          TX packets:770385 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:92423595 (88.1 MiB)  TX bytes:375266405 (357.8 MiB)

root:/tmp/home/root# ifconfig br1
br1       Link encap:Ethernet  HWaddr ab:cb:ef:01:23:45
          inet addr:192.168.101.1  Bcast:192.168.101.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:444 errors:0 dropped:444 overruns:0 frame:0
          TX packets:63605 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26640 (26.0 KiB)  TX bytes:9386700 (8.9 MiB)

root:/tmp/home/root# ifconfig br8
br8       Link encap:Ethernet  HWaddr ab:cb:ef:01:23:45
          inet addr:192.168.108.1  Bcast:192.168.108.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:16764544 errors:0 dropped:25196 overruns:0 frame:0
          TX packets:84869956 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5262801805 (4.9 GiB)  TX bytes:116707141040 (108.6 GiB)

This project is hosted on GitHub

Is free to use under the GNU General Public License version 3 (GPL 3.0).

It has been tested extensively on the following devices:

• RT-AX86U (Supported, and tested)
• GT-AXE11000 or RT-BE96U (Supported, but needs some tests)
• GT-AXE16000 or GT-BE98 (Supported, but needs some tests)

and I need some feedback from users with other devices.

Supported firmware versions

You must be running firmware no older than:

• Asuswrt-Merlin 384.5
• john9527 fork 374.43_32D6j9527

Installation

Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:

/usr/sbin/curl -fsL --retry 3 "https://janico82.gateway.scarf.sh/asuswrt-merlin/sbnMerlin/master/sbnMerlin.sh" -o /jffs/scripts/sbnMerlin && chmod 0755 /jffs/scripts/sbnMerlin && /jffs/scripts/sbnMerlin install

Please then follow instructions shown on-screen.

Usage

Command Line
To launch the sbnMerlin menu after installation, use:

sh /jffs/scripts/sbnMerlin

#############################################################
##            _           __  __           _ _             ##
##        ___| |__  _ __ |  \/  | ___ _ __| (_)_ __        ##
##       / __| '_ \| '_ \| |\/| |/ _ \ '__| | | '_ \       ##
##       \__ \ |_) | | | | |  | |  __/ |  | | | | | |      ##
##       |___/_.__/|_| |_|_|  |_|\___|_|  |_|_|_| |_|      ##
##                                                         ##
##          https://github.com/janico82/sbnMerlin          ##
##                                                         ##
#############################################################
   sbnMerlin Main menu
   1n.  Edit configuration (editor: nano)
   1v.  Edit configuration (editor: vi)
   2.   Run configuration
   3.   List clients
   d.   Diagnostics menu
   u.   Update check
   e.   Exit
   z.   Uninstall
#############################################################
Choose an option:

For more details on the sbnMerlin configuration items, please check the FAQ's section on GitHub.

The configuration file is located at:

 /jffs/addons/sbnMerlin.d/sbnMerlin.conf

It's possible to use sbnMerlin default editor for managing configuration items, or your prefered editor. sbnMerlin checks every 10 minutes for changes in the configuration file. If you need to apply a configuration immediately, use the sbnMerlin menu.

 

[visortgw]

This definitely peeks my curiosity, but, unfortunately, the installation fails — nothing appears to be downloaded or installed, and no errors are displayed. I'm guessing that the Scarf URL is the culprit.

 

[Viktor Jaep]

This definitely peeks my curiosity, but, unfortunately, the installation fails — nothing appears to be downloaded or installed, and no errors are displayed. I'm guessing that the Scarf URL is the culprit.

Same here...

 

[janico82]

You're right, the scraft url had incorrect parameters.

Installation

Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:

/usr/sbin/curl -fsL --retry 3 "https://janico82.gateway.scarf.sh/asuswrt-merlin/sbnMerlin/master/sbnMerlin.sh" -o /jffs/scripts/sbnMerlin && chmod 0755 /jffs/scripts/sbnMerlin && /jffs/scripts/sbnMerlin install

I've also fixed the url in the original post.

 

[visortgw]

You're right, the scraft url had incorrect parameters.

Installation

Using your preferred SSH client/terminal, copy and paste the following command, then press Enter:

/usr/sbin/curl -fsL --retry 3 "https://janico82.gateway.scarf.sh/asuswrt-merlin/sbnMerlin/master/sbnMerlin.sh" -o /jffs/scripts/sbnMerlin && chmod 0755 /jffs/scripts/sbnMerlin && /jffs/scripts/sbnMerlin install

I've also fixed the url in the original post.

Thanks!

After installation, using "sbnMerlin" at the ssh command line doesn't launch the script — one must use "sh /jffs/scripts/sbnMerlin".

I will be gone for the day, but I intend to try to configure and test on my GT-AX6000 tonight and into tomorrow.

 

[janico82]

Thanks!

After installation, using "sbnMerlin" at the ssh command line doesn't launch the script — one must use "sh /jffs/scripts/sbnMerlin".

I will be gone for the day, but I intend to try to configure and test on my GT-AX6000 tonight and into tomorrow.

Thanks! Please provide all the possible feedback from your experience with sbnMerlin.

 

[dave14305]

Please note the typos in the thread title (snb and ative).

 

[janico82]

Please note the typos in the thread title (snb and ative).

You're right! Thanks for the heads up!

 

[DiliMe]

Wow! Congratulations man!!! Bravo! I think this community was waiting from many years since the the release of 386 for such a script. Congratulations again to you and the ones that did the previous work.

1) I tested and I confirm that a printer connected on LAN4 (eth1) is receiving IP address from 192.168.103.0 scope.

br3             8000.7c10c9b6cb28       yes             eth1
                                                        wl0.2

2) If I modify from 0 to 1 to line br3_allow_onewayaccess=1, I receive "Sorry, rule does not exist". But, then I am able to ping from br0 the IP address located in br3, so it seems that it worked to enable it, but is misleading the error message "Sorry, rule does not exist".
Here is the message:
Do you want to apply sbnMerlin configuration changes? (y/n): y
Starting configuration check of script(sbnMerlin).
Configuration change detected on .config file.
Configuration change detected on bridge(br3) firewall settings. Applying changes.
Sorry, rule does not exist.
Script(sbnMerlin) configuration check complete.
Do you want to apply sbnMerlin configuration changes? (y/n):

Other suggestions:
3) You need to specify in the FAQ section that for editing configuration is using vi, so that people will know to use the specific commands to save and exit.

4) I see in the comments of the config file that you do not recommend modifying settings for br1 and br2. Why?

 

[janico82]

Wow! Congratulations man!!! Bravo! I think this community was waiting from many years since the the release of 386 for such a script. Congratulations again to you and the ones that did the previous work.

1) I tested and I confirm that a printer connected on LAN4 (eth1) is receiving IP address from 192.168.103.0 scope.

br3             8000.7c10c9b6cb28       yes             eth1
                                                        wl0.2

2) If I modify from 0 to 1 to line br3_allow_onewayaccess=1, I receive "Sorry, rule does not exist". But, then I am able to ping from br0 the IP address located in br3, so it seems that it worked to enable it, but is misleading the error message "Sorry, rule does not exist".
Here is the message:
Do you want to apply sbnMerlin configuration changes? (y/n): y
Starting configuration check of script(sbnMerlin).
Configuration change detected on .config file.
Configuration change detected on bridge(br3) firewall settings. Applying changes.
Sorry, rule does not exist.
Script(sbnMerlin) configuration check complete.
Do you want to apply sbnMerlin configuration changes? (y/n):

Other suggestions:
3) You need to specify in the FAQ section that for editing configuration is using vi, so that people will know to use the specific commands to save and exit.

4) I see in the comments of the config file that you do not recommend modifying settings for br1 and br2. Why?

Thanks for the feedback and support @DiliMe.

1) That looks nice!
2) That doesn’t seem to be an output message from sbnMerlin, but an output message from ebtables or iptables, used in firewall cleaning process.
Can you send me a private message with the output of the following command:

iptables -S | grep br3

3) I'll change the FAQs and the sbnMerlin Main menu with the information of the default editor in use.
4) The br1 and br2 bridges are used by Asuswrt-Merlin for Guest Network (wl0.1 and wl1.1 interfaces) and AiMesh. If you enabled this Guest Network 1 with Access Intranet=Disabled the Asuswrt-Merlin will create the br1 bridge.

 

[DiliMe]

I have sent you a private message with the output from iptables -S | grep br3

4) The br1 and br2 bridges are used by Asuswrt-Merlin for Guest Network (wl0.1 and wl1.1 interfaces) and AiMesh. If you enabled this Guest Network 1 with Access Intranet=Disabled the Asuswrt-Merlin will create the br1 bridge.

Related to point 4), for example I would like to be able to modify br2_allow_onewayaccess=1 so that I shall receive access from br0->br2 (VLAN502), but I read in your comments in the script "#do not use, leave default" that you do not recommend modifying the code from br1 and br2.
Also the code for br1 and br2 is commented.
In that case, maybe it would be better to delete those lines related to br1 and br2 rather than somebody to modify it by mistake.

 

[janico82]

I have sent you a private message with the output from iptables -S | grep br3



Related to point 4), for example I would like to be able to modify br2_allow_onewayaccess=1 so that I shall receive access from br0->br2 (VLAN502), but I read in your comments in the script "#do not use, leave default" that you do not recommend modifying the code from br1 and br2.
Also the code for br1 and br2 is commented.
In that case, maybe it would be better to delete those lines related to br1 and br2 rather than somebody to modify it by mistake.

You're right! I'm going to do that.

 

[bennor]

@janico82, just a general comment. You might want to expand and explain in general terms for new folks or non technical folks what your script does. For example, people may not know what an "ethernet bridge" is, how/why it works with user's WiFi Guest Networks, and what they may gain from using your script beyond just using Guest Network WiFi. Does this script tie in with, or impact, or affect users who are using YazFi?

Looking forward to seeing this script progress as bugs are ironed out.

 

[janico82]

@janico82, just a general comment. You might want to expand and explain in general terms for new folks or non technical folks what your script does. For example, people may not know what an "ethernet bridge" is, how/why it works with user's WiFi Guest Networks, and what they may gain from using your script beyond just using Guest Network WiFi. Does this script tie in with, or impact, or affect users who are using YazFi?

Looking forward to seeing this script progress as bugs are ironed out.

Thanks @bennor for the feedback. I'm going to do that!

 

[DiliMe]

4) The br1 and br2 bridges are used by Asuswrt-Merlin for Guest Network (wl0.1 and wl1.1 interfaces) and AiMesh. If you enabled this Guest Network 1 with Access Intranet=Disabled the Asuswrt-Merlin will create the br1 bridge.

I have un-commented all the lines related to br2 and then modified the lines:
br2_enabled=1
br2_allow_onewayaccess=1
I confirm that it is working OK as expected and it didn't break anything else.

For the customization of br1 and br2 it seems risky that a conflict might appear between your script and the GUI config for the Guest WiFi #1. In that case maybe it should be documented so that people pay attention to have the settings aligned (the same) in GUI and in your script.



The details of my network setup: I am having Guest access enabled for both 2,4GHz and 5 GHz and also I am using the the 2 VLANs created (501 for wired IoT and 502 for wired CCTV).
As I wanted to benefit of AiMesh and the VLANs feature (from Guest WiFi), I had to uninstall YazFi since AiMesh.

The biggest benefits for me with this new script sbnMerlin is:
* possibility to easily map LAN ports to br1 or br2
* br0 -> br2 access (that I didn't had before)
* maybe in the future the possibility to use more easily the custom iptables scripts

 

[visortgw]

I am trying to wrap my head around the possibilities here. My current configuration has guest network 1 enabled for both 2.4 and 5 GHz with Intranet access enabled for both — guest network 1 across AiMesh is enabled. I would like to disable Intranet access for both, but some IoT devices do not function properly. I believe that one way access may fix my issues, but YazFi did not work with AiMesh.

# brctl show
bridge name  bridge id          STP enabled  interfaces
br0          8000.04421a599980  no           eth1
                                             eth2
                                             eth3
                                             eth4
                                             eth5
                                             eth6
                                             eth7
                                             tap22
                                             wds0.0.1
                                             wds1.0.1
                                             wl0.1
                                             wl0.4
                                             wl1.1

 

[janico82]

Thanks a lot @DiliMe and @visortgw with your feedback.

The main purpose of sbnMerlin was not to interact with AiMesh's Guest Network. But it’s possible to have limited customization options for that interfaces (wl0.1 and wl1.1), while the other interfaces (wl0.2, wl1.2, wl0.3, and wl1.3) would have full customization options. I have to think about it and test the possible scenarios.

However, I noticed that the GT-AX6000 has more interfaces than RT-AX86U. @visortgw is there more wireless interfaces besides the wl0.4 and wl1.4?

 

[visortgw]

Thanks a lot @DiliMe and @visortgw with your feedback.

However, I noticed that the GT-AX6000 has more interfaces than RT-AX86U. @visortgw is there more wireless interfaces besides the wl0.4 and wl1.4?

The GT-AX6000 was four (4) 1 Gbps LAN ports, one (1) 2.5 Gbps LAN/WAN port (configurable), and one (1) 2.5 Gbps WAN port. I was confused by the three (3) wireless interfaces displayed by brctl show — wl0.1, wl0.4, and wl1.1. I was assuming that wl0.1 and wl1.1 were guest 1 2.4/5.0 GHz, respectively, but I'm not sure about wl0.4, especially since there is nearly zero traffic on the interface. From ifconfig:

wl0.1     Link encap:Ethernet  HWaddr 04:42:1A:59:99:81 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:3377075 errors:0 dropped:1 overruns:0 frame:0
          TX packets:3790330 errors:0 dropped:324 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3686926254 (3.4 GiB)  TX bytes:765805643 (730.3 MiB)

wl0.4     Link encap:Ethernet  HWaddr 04:42:1A:59:99:84 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:2 overruns:0 frame:0
          TX packets:1024 errors:0 dropped:1905912 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:99642 (97.3 KiB)

wl1.1     Link encap:Ethernet  HWaddr 04:42:1A:59:99:85 
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:587690 errors:0 dropped:1 overruns:0 frame:0
          TX packets:2286139 errors:0 dropped:293 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:647407002 (617.4 MiB)  TX bytes:612922007 (584.5 MiB)

 

[visortgw]

So... I took some more time to investigate, reconfigure, etc. this morning (I wasn't completely functional last night after driving 8 hours round trip to pick up my MIL for an extended visit). I disabled Intranet access for guest network 1 for both 2.4/5 GHz. Surprisingly, devices on the guest network 1 appear to be fully functional now — most likely due to firmware changes (both Merlin and IoT device firmware) since I last attempted this drill.

Here is the new bridge configuration:

# brctl show
bridge name  bridge id          STP enabled  interfaces
br0          8000.04421a599980  no           eth1
                                             eth2
                                             eth3
                                             eth4
                                             eth5
                                             eth6
                                             eth7
                                             tap22
                                             wds0.0.2
                                             wds1.0.1
                                             wl0.4
br1          8000.04421a599981  yes          eth1.501
                                             eth2.501
                                             eth3.501
                                             eth4.501
                                             eth5.501
                                             eth6.501
                                             eth7.501
                                             wds0.0.2.501
                                             wds1.0.1.501
                                             wl0.1
br2          8000.04421a599985  yes          eth1.502
                                             eth2.502
                                             eth3.502
                                             eth4.502
                                             eth5.502
                                             eth6.502
                                             eth7.502
                                             wds0.0.2.502
                                             wds1.0.1.502
                                             wl1.1

This clearly shows that wl0.1 and wl1.1 are guest network 1 for 2.4/5 GHz, respectively. 501 and 502 are the VLAN tags that Asus uses to segregate guest network 1 from the primary LAN. I still don't know what wl0.4 is...

@janico82, does this possibly provide enough details for you to update sbnMerlin to configure one-way access on guest network 1?

 

[janico82]

Yes it does @visortgw, thanks a lot! I'm going to update sbnMerlin with this new features.