sbnMerlin 1.2.6 - Network Isolation Tool based on Guest Networks, June 26 2024

I have a GT-AX6000 with Merlin firmware (3004.388.7) and have installed the script primarily because I want to set up a separate vlan which I can access from my main (v)lan. In my scenario, both Guest Network 1 2.4GHz and 5GHz are enabled with intranet access disabled. Running "brctl show" in the terminal gives the following results, which indicate that the br1 and br2 bridges are created. All good so far.

admin@GT-AX6000-BF08:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.58112251bf08       no              eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        eth7
br1             8000.58112251bf09       yes             eth1.501
                                                        eth2.501
                                                        eth3.501
                                                        eth4.501
                                                        eth5.501
                                                        eth6.501
                                                        eth7.501
                                                        wl0.1
br2             8000.58112251bf0d       yes             eth1.502
                                                        eth2.502
                                                        eth3.502
                                                        eth4.502
                                                        eth5.502
                                                        eth6.502
                                                        eth7.502
                                                        wl1.1


I have set up a separate managed switch and configured two ports for vlan 501, which is associated with br1. The br1 section of my sbnMerlin config file is:
br1_enabled=1 # Write your own settings for Bridge 1
br1_ifnames=""
br1_dns1_x=""
br1_dns2_x=""
br1_staticlist=""
br1_ap_isolate=1
br1_allow_internet=1
br1_allow_onewayaccess=1
br1_allow_routeraccess=0

I have connected two wired ethernet devices to the correct ports and they show up in the client list:

bridge name     interfaces      client IP address    client MAC address   client name
br1             ethernet        192.168.101.238      00:1E:06:30:D1:83    192.168.101.238
br1             ethernet        192.168.101.99       8C:73:6E:FF:B9:6C    FujitsuLife


The FujitsuLife device can access the other ethernet devices on the same vlan (192.168.101.238). I have not checked whether it is vice versa, but assume so.

However, I cannot seem to access the 192.168.101.238 device from my main lan (vlan1), even though I have set br1_allow_onewayaccess=1. I have read the whole thread and this should be possible even with the router-created br1. Is there something I am doing wrong?

I am testing access by trying to ping the vlan 501 devices from the command prompt.
 
Hi @siriuz, everything seems to be working properly.

When you say that you want to access the vlan 501 devices from your main lan (vlan1), the main lan is the devices connected to br0, right?

If so, could you send me privately the result of the following command:
Code:
iptables -S FORWARD

The firewall rule that disables access from br0 to br1 is the following (so it should not exist):
Code:
-A FORWARD -i br0 -o br1 -j DROP
 
Yes, the main lan is the devices connected to br0 (or at least I assume so. The device is definitely not connected to br2 because the IP address starts with 192.168.1. rather than 192.168.102.). Running "iptables -S FORWARD" does not show the firewall rule, so it looks like it has been dropped.

Code:
admin@GT-AX6000-BF08:/tmp/home/root# iptables -S FORWARD
-P FORWARD ACCEPT
-A FORWARD -j IPSEC_DROP_SUBNET_ICMP
-A FORWARD -j IPSEC_STRONGSWAN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j WGSF
-A FORWARD -j OVPNSF
-A FORWARD -i br2 -j WGNPControls
-A FORWARD -i br1 -j WGNPControls
-A FORWARD -i br2 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A FORWARD -j WGCF
-A FORWARD -j OVPNCF
-A FORWARD -j VPNCF
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -j DROP


I am using an older Netgear GS116E managed switch between the router and the device. Could it have something to do with it? My configuration is Internet>modem>GT-AX6000>unmanaged switch>GS116E>device on vlan501. Is there any other troubleshooting diagnostic that I can run?
 
It seems my devices get disconnected from the guest network after some time and are unable to reconnect. After restarting the router they can connect, but the same thing happens after half a day. Any idea why this happens?
 
@sirzur, please try one thing: connect a device to Wireless Guest Network 1 (wl0.1) and try access it from lan.
 
@networkdown, does the behavior you have mentioned happen only with wireless guest networks? Have you set any “access time limit” in the guest configuration?
 
@janico82, I had already tried that when I woke up this morning, as a way to rule out the Netgear switch, but no success. I redid the test with no success as you can see from below

Here is the connected client list, where the IP address is 192.168.101.230:
Code:
bridge name     interfaces      client IP address    client MAC address   client name
br1             wl0.1           192.168.101.230      10:0B:A9:0E:D4:54    FujitsuLife
br1             ethernet        192.168.101.244      60:C5:A8:6F:1D:1C    rakmodule_6F1D1C

Here is me pinging the IP from my 192.168.1 network:
Code:
Microsoft Windows [Version 10.0.22621.525]
(c) Microsoft Corporation. All rights reserved.

C:\Users\...>ping 192.168.101.230

Pinging 192.168.101.230 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.101.230:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

So one way access is still not possible even over wireless, which seems to rule out the managed switch.

Just to confirm everything, I disconnected the Fujitsu from Guest Network 1 and joined my main wireless network (IPv4 address on the Fujitsu discovered from command prompt ipconfig). It shows a ping reply, and it is two-way as expected, i.e. I pinged my ethernet-connected PC and got a reply on the Fujitsu:

Code:
C:\Users\...>ping 192.168.1.39

Pinging 192.168.1.39 with 32 bytes of data:
Reply from 192.168.1.39: bytes=32 time=3ms TTL=128
Reply from 192.168.1.39: bytes=32 time=2ms TTL=128
Reply from 192.168.1.39: bytes=32 time=4ms TTL=128
Reply from 192.168.1.39: bytes=32 time=2ms TTL=128

Ping statistics for 192.168.1.39:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 4ms, Average = 2ms
 
Ok that's odd!

@sirzur please disable sbnMerlin on bridge(br1), by changing the configuration option br1_enabled to 0.

By default asuswrt-merlin will allow access from the main lan to any other bridge. That's why the following iptables rule exists:
Code:
-A FORWARD -i br0 -j ACCEPT
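As an added example (not sbnMerlin's or asuswrt-merlin's code), the first-match walk below runs over the `iptables -S FORWARD` listing posted earlier in the thread and reports whether a new connection from br0 to br1 ends in ACCEPT or DROP, and what changes once the `-i br0 -o br1 -j DROP` rule is present. It assumes that user chains the listing does not expand (IPSEC_*, WGSF, WGNPControls, DNSFILTER_DOT, ...) return without a verdict, that the DROP rule would sit ahead of the default `-i br0 -j ACCEPT`, and it only understands the match options that occur in this listing.

```python
from dataclasses import dataclass

# Sample input: the FORWARD chain posted above (sbnMerlin br1, one-way access on).
FORWARD_LISTING = """\
-P FORWARD ACCEPT
-A FORWARD -j IPSEC_DROP_SUBNET_ICMP
-A FORWARD -j IPSEC_STRONGSWAN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j WGSF
-A FORWARD -j OVPNSF
-A FORWARD -i br2 -j WGNPControls
-A FORWARD -i br1 -j WGNPControls
-A FORWARD -i br2 -o eth0 -j ACCEPT
-A FORWARD -i br1 -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A FORWARD -j WGCF
-A FORWARD -j OVPNCF
-A FORWARD -j VPNCF
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -j DROP
"""
# The rule janico82 says must NOT be present when br1_allow_onewayaccess=1.
ISOLATION_RULE = "-A FORWARD -i br0 -o br1 -j DROP"
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # jumps to user chains are assumed to return

@dataclass
class Packet:
    in_if: str
    out_if: str
    state: str = "NEW"     # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    dnat: bool = False     # True when the packet was DNATed (port forward)

def iface_match(pattern, name):
    """iptables interface match, including the `br+` prefix wildcard."""
    return name.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == name

def rule_matches(tokens, pkt):
    """Evaluate the match options of one rule (everything before `-j`)."""
    i = 0
    while i < len(tokens):
        negate = tokens[i] == "!"
        i += negate
        opt, val, i = tokens[i], tokens[i + 1], i + 2
        if opt == "-m":                      # loads a match extension, no condition itself
            continue
        hit = {                              # only the options present in this listing
            "-i": lambda: iface_match(val, pkt.in_if),
            "-o": lambda: iface_match(val, pkt.out_if),
            "--state": lambda: pkt.state in val.split(","),
            "--ctstate": lambda: pkt.dnat if val == "DNAT" else pkt.state in val.split(","),
        }[opt]()
        if hit == negate:                    # a plain miss or a negated hit fails the rule
            return False
    return True

def forward_verdict(listing, pkt):
    """First-match walk: the terminal verdict for pkt, or the chain policy if no rule fires."""
    lines = listing.splitlines()
    policy = lines[0].split()[2]             # "-P FORWARD <policy>" is listed first
    for line in lines[1:]:
        body = line.split()[2:]              # drop the leading "-A FORWARD"
        jump = body.index("-j")
        if body[jump + 1] in TERMINAL and rule_matches(body[:jump], pkt):
            return body[jump + 1]
    return policy

def with_isolation_rule(listing):
    """Same chain with br0->br1 blocked; the DROP is placed (assumed) before the default ACCEPT."""
    return listing.replace("-A FORWARD -i br0 -j ACCEPT",
                           ISOLATION_RULE + "\n-A FORWARD -i br0 -j ACCEPT")
```

With the posted chain, `forward_verdict(FORWARD_LISTING, Packet("br0", "br1"))` returns ACCEPT while the reverse direction returns DROP, which is exactly the one-way access the config asks for; the same walk over a live `iptables -S FORWARD` capture is a quick way to confirm the firewall is not the culprit before looking at the switch or the bridge.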
 
So I have disabled br1, i.e. set br1_enabled=0 (but not disabled in the GUI).

Here are some results:
Code:
admin@GT-AX6000-BF08:/tmp/home/root# iptables -S FORWARD
-P FORWARD ACCEPT
-A FORWARD -j IPSEC_DROP_SUBNET_ICMP
-A FORWARD -j IPSEC_STRONGSWAN
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j WGSF
-A FORWARD -j OVPNSF
-A FORWARD -i br2 -j WGNPControls
-A FORWARD -i br2 -o eth0 -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br+ -p tcp -m tcp --dport 853 -j DNSFILTER_DOT
-A FORWARD -j WGCF
-A FORWARD -j OVPNCF
-A FORWARD -j VPNCF
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -j DROP


admin@GT-AX6000-BF08:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.58112251bf08       no              eth1
                                                        eth2
                                                        eth3
                                                        eth4
                                                        eth5
                                                        eth6
                                                        eth7
br1             8000.58112251bf09       yes             eth1.501
                                                        eth2.501
                                                        eth3.501
                                                        eth4.501
                                                        eth5.501
                                                        eth6.501
                                                        eth7.501
                                                        wl0.1
br2             8000.58112251bf0d       yes             eth1.502
                                                        eth2.502
                                                        eth3.502
                                                        eth4.502
                                                        eth5.502
                                                        eth6.502
                                                        eth7.502
                                                        wl1.1

When I look at Guest Network in the GUI, Guest Network 1 2.4 GHz still shows as enabled. However, when I plug a PC into the relevant ethernet port (VLAN 501) on my Netgear managed switch, the PC does not get an IP address.

Listing the client list shows a weird IP address at br1:

Code:
bridge name     interfaces      client IP address    client MAC address   client name
br1             ethernet        169.254.51.133       8C:73:6E:FF:B9:6C    169.254.51.133

Maybe when I have some time tomorrow or the day after, I will enable Guest Network 2, determine the bridge, reconfigure the Netgear managed switch so that a couple of ports are associated with the new VLAN and see whether one-way access works. Maybe there is something funky going on with the VLANs natively created by the router (VLAN 501 and VLAN 502) when Guest Network 1, 2.4 GHz and 5GHz, is enabled.

One other thing: the SSID of Guest Network 1, 2.4GHz still shows up on my scan of wifi networks, but attempts to connect are unsuccessful, with connection attempts terminating when the device is trying to obtain an IP address.
 
Yeah.. that's quite strange behavior. But remember that the bridge(br1) is created natively by asuswrt-merlin when you enable the wireless guest network 1, 2.4GHz with intranet access disabled.

I've never tested the usage of vlan 501 because I don't have managed switches. So I can't help you with that.

But what I can help you with is the mapping of ethernet ports to the bridges you want, like mapping eth1 to the bridge(br1) so that any device connected on that port will have access to network 192.168.101.0/24. For that you need to enable wireless guest network 1, 2.4GHz with intranet access disabled, enable the bridge(br1) configuration option on sbnMerlin and map the ethernet ports with the configuration option br1_ifnames="eth1", for example.

Before that I recommend restarting the router.
 
Thanks, I will try to do a bit more troubleshooting over the next couple of days and report back. I think I will first try to map eth5 port (which should be my 2.5G lan port, currently unused) to br1, connect some devices to it, bypassing the switches altogether and see whether one way access works. If it does, then I might not even bother with the managed switch.
 
Sorry @vlord but Ai Mesh only works with guest networks 1 (2.4 Ghz or 5 Ghz). This option is by design.

Asked differently, what happens if you try to run this on a normal Asus Merlin (non mesh) Access Point? I’m not looking for the guest networks to talk with each other, just isolation from the main network. They can be uniquely isolated from the main network and that would meet my needs.
 
OK, here is where I should get hit over the head. I forgot the first rule. When there are issues, reboot.

Anyways, when I woke up this morning and before anyone was awake to access the internet I rebooted the router. Turned on the Netgear managed switch and connected a couple of devices to it, confirmed that the devices were on VLAN 501. And as I am sure you would expect, I could ping them from my main network. No excuses and sorry for the trouble that I gave you and the help you provided @janico82. And hopefully this helps anyone who has issues - reboot. Even though you set a static IP4 address on the isolated VLAN (or other configs) and that works without rebooting, it does not mean that a router reboot is not necessary
 
@vlord, the sbnMerlin script should be executed in the main router. It is not meant to work in Access Point mode routers.
 
Hi @janico82, I wanted to ask if
Code:
br$_ipaddr
br$_netmask
br$_dhcp_start
br$_dhcp_end
options are supported for bsb bridges? I want to use this with AiMesh.
 
Sorry @xerox3500, but those options are asuswrt-merlin defaults, and I didn't find the right place to change them permanently.
That's why they aren't supported by the sbnMerlin script.
 
Just to report this when installing on GT-BE98:

Code:
/jffs/scripts/sbnMerlin: line 2894: can't create /jffs/addons/sbnMerlin.d/sbnMerlin.log: nonexistent directory
du: /jffs/addons/sbnMerlin.d/sbnMerlin.log: No such file or directory
[: bad number
Older Merlin firmware detected - service-event requires 384.5 or later. Please update to the latest version.

Requirements for script(sbnMerlin 1.2.6) not met, please check the device logs.

Fixed by manually adding the sbnMerlin.d folder before the installation.
 
Does sbnMerlin propagate its settings to AiMesh nodes as well (of course only if the bridge includes the wl* interface shared with AiMesh nodes)? Because for the GT-BE98 it does not seem to work this way.
 
Thanks a lot for the feedback @matthew_eli, I need to correct the output messages at the installation stage, and the version detection.

Please check the sbnMerlin instructions, because it has some issues with Asus' Guest Network Pro.

The sbnMerlin script must only be executed on router-mode devices, so the bridge settings are managed by this device. Which settings do you need to propagate?
 
Thanks Janico for your reply!

I'd like to manually assign IPs to clients and set the starting IP for the DHCP server on br53. The guest network is propagated to AiMesh nodes. I used the standard settings listed on Github (i.e.):

Code:
br53_staticlist=<ab:cd:ef:01:23:45>192.168.108.10>8.8.8.8>HOMEPC<ab:cd:ef:01:23:46>192.168.108.11>>Xbox<ab:cd:ef:01:23:47>192.168.168.108.12>>
br53_dhcp_start="192.168.108.2"

But it seems the settings are not "processed" by the script and the DHCP server still assigns addresses to the clients, not even starting from the dhcp_start address.
 