sbnMerlin 1.2.6 - Network Isolation Tool based on Guest Networks, June 26 2024

I just installed v1.2.1. Thank you for adding bridge DNS servers! I currently only have guest network 1 enabled with separate SSIDs, both isolated.
Code:
#### Settings for Bridge 1 ####
br1_enabled=0
br1_ifnames=""
br1_dns1_x="8.8.8.8"
br1_dns2_x="8.8.4.4"
br1_staticlist=""
br1_ap_isolate=1
br1_allow_internet=1
br1_allow_onewayaccess=0
br1_allow_routeraccess=0

#### Settings for Bridge 2 ####
br2_enabled=0
br2_ifnames=""
br2_dns1_x="8.8.8.8"
br2_dns2_x="8.8.4.4"
br2_staticlist=""
br2_ap_isolate=1
br2_allow_internet=1
br2_allow_onewayaccess=0
br2_allow_routeraccess=0

I believe that there are some issues with the client list generated by sbnMerlin:
  1. There are missing clients as compared to Network Map client list in router web UI.
  2. I don't understand why interfaces are listed as "ethernet" instead of "wl0.1" or "wl1.1" for some clients.
Code:
bridge name     interfaces      client IP address    client MAC address   client name       
br1             wl0.1           192.168.101.197      xx:xx:xx:xx:20:28    AWAIR-ELEM-xx2028 
br1             wl0.1           192.168.101.237      xx:xx:xx:xx:D8:01    WYZE_CAKP2JFUS-xxxxxxxxD801
br1             wl0.1           192.168.101.114      xx:xx:xx:xx:C0:C1    WYZE_CAKP2JFUS-xxxxxxxxC0C1
br1             wl0.1           192.168.101.138      xx:xx:xx:xx:61:D0    WYZE_CAM_OG       
br1             wl0.1           192.168.101.176      xx:xx:xx:xx:DA:32    ESP_xxDA32       
br1             wl0.1           192.168.101.187      xx:xx:xx:xx:F4:72    ESP_xxF472       
br1             wl0.1           192.168.101.93       xx:xx:xx:xx:D2:00    ESP_AxxD200       
br1             wl0.1           192.168.101.161      xx:xx:xx:xx:F1:0C    net_a1_F10C       
br1             wl0.1           192.168.101.86       xx:xx:xx:xx:D8:7A    DA16600_D87A     
br1             ethernet        192.168.101.215      xx:xx:xx:xx:F0:7C    Indoorcam         
br1             ethernet        192.168.101.84       xx:xx:xx:xx:8C:4C    espressif         
br1             ethernet        192.168.101.144      xx:xx:xx:xx:A8:E9    192.168.101.144   
br1             ethernet        192.168.101.52       xx:xx:xx:xx:56:D5    WYZE_CAKP2JFUS-xxxxxxxx56D5
br1             ethernet        192.168.101.13       xx:xx:xx:xx:4F:E2    HL_PAN3-xxxxxxxx4FE2
br1             ethernet        192.168.101.99       xx:xx:xx:xx:DE:8C    ESP_xxDE8C       
br1             ethernet        192.168.101.7        xx:xx:xx:xx:A5:0C    XL824-xxxxxx     
br1             ethernet        192.168.101.79       xx:xx:xx:xx:07:DA    192.168.101.79   
br1             ethernet        192.168.101.26       xx:xx:xx:xx:67:EB    192.168.101.26   
br1             ethernet        192.168.101.8        xx:xx:xx:xx:32:F5    192.168.101.8     
br1             ethernet        192.168.101.9        xx:xx:xx:xx:B3:AF    WYZE_CAKP2JFUS-xxxxxxxxB3AF
br1             ethernet        192.168.101.173      xx:xx:xx:xx:F6:53    MyQ-91E           
br1             ethernet        192.168.101.233      xx:xx:xx:xx:B8:28    WYZE_CAKP2JFUS-xxxxxxxxB828
br1             ethernet        192.168.101.10       xx:xx:xx:xx:46:F0    ChimePro-f0       
br1             ethernet        192.168.101.213      xx:xx:xx:xx:07:5E    192.168.101.213   
br1             ethernet        192.168.101.43       xx:xx:xx:xx:CD:85    WYZE_CAKP2JFUS-xxxxxxxxCD85
br1             ethernet        192.168.101.95       xx:xx:xx:xx:50:B6    WYZE_CAKP2JFUS-xxxxxxxx50B6
br1             ethernet        192.168.101.241      xx:xx:xx:xx:90:86    192.168.101.241   
br1             ethernet        192.168.101.71       xx:xx:xx:xx:42:05    ChimePro-05       
br2             wl1.1           192.168.102.110      xx:xx:xx:xx:F8:C2    192.168.102.110
Thanks @visortgw! The sbnMerlin client list is intended to extend the Network Map, because the Network Map doesn't show devices connected to bridges other than br0. So the function for listing clients is based on the MAC addresses in the ARP table; then, for each MAC address, the script checks which wireless interface it is connected to, and finally the list is completed with DNS information.

So for the list you've sent, the script didn't find the wireless interface the devices are connected to. Can you send me the ARP table privately? Does this device use AiMesh?
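The lookup described above, as an added example that is not sbnMerlin's own code: the ARP table supplies the MAC addresses on a bridge, each MAC is searched in the association list of every wireless interface, and the lease file supplies the hostname. The samples stand in for the output of `arp -a`, `wl -i <ifname> assoclist` and `/var/lib/misc/dnsmasq.leases` and are constructed for an offline run; a MAC that no local wireless interface reports falls through to "ethernet", which is what a wired client or a client associated to an AiMesh node looks like from the main router.

```shell
#!/bin/sh
# Added example (not sbnMerlin's own code): rebuild a bridge client list from
# the ARP table, per-interface association lists and the dnsmasq lease file.
# All three inputs are constructed samples standing in for "arp -a",
# "wl -i <ifname> assoclist" and /var/lib/misc/dnsmasq.leases.

ARP_SAMPLE='? (192.168.101.197) at AA:BB:CC:DD:20:28 [ether]  on br1
? (192.168.101.215) at AA:BB:CC:DD:F0:7C [ether]  on br1
? (192.168.101.5) at AA:BB:CC:DD:AA:AA [ether]  on br0'

# One line per wireless interface: "<ifname> <mac> <mac> ..."
ASSOC_SAMPLE='wl0.1 AA:BB:CC:DD:20:28
wl1.1 AA:BB:CC:DD:F8:C2'

# dnsmasq.leases format: <expiry> <mac> <ip> <hostname> <client-id>
LEASES_SAMPLE='1714000000 aa:bb:cc:dd:20:28 192.168.101.197 AWAIR-ELEM-2028 *
1714000000 aa:bb:cc:dd:f0:7c 192.168.101.215 Indoorcam *'

# Interface a MAC is associated on, or "ethernet" when no wireless interface
# on this router reports it (wired clients, and clients behind AiMesh nodes).
client_ifname() {
    mac="$1"
    found=$(printf '%s\n' "$ASSOC_SAMPLE" |
        awk -v m="$mac" '{ for (i = 2; i <= NF; i++) if (toupper($i) == toupper(m)) { print $1; exit } }')
    [ -n "$found" ] && echo "$found" || echo ethernet
}

# Hostname from the lease file, falling back to the IP when there is none.
client_name() {
    mac="$1"; ip="$2"
    name=$(printf '%s\n' "$LEASES_SAMPLE" |
        awk -v m="$mac" 'tolower($2) == tolower(m) { print $4; exit }')
    [ -n "$name" ] && [ "$name" != "*" ] && echo "$name" || echo "$ip"
}

# Table for one bridge: every ARP entry on that bridge, enriched as above.
bridge_clients() {
    br="$1"
    printf '%s\n' "$ARP_SAMPLE" |
        awk -v b="$br" '$NF == b { gsub(/[()]/, "", $2); print $2, $4 }' |
    while read -r ip mac; do
        printf '%-8s %-10s %-18s %-18s %s\n' "$br" "$(client_ifname "$mac")" "$ip" "$mac" "$(client_name "$mac" "$ip")"
    done
}

bridge_clients br1
```

Run on the samples, 192.168.101.197 is reported on wl0.1 and 192.168.101.215 as "ethernet" even though both sit on br1, which is the pattern in the list above.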
 
It is not often that I comment on scripts (unless I have an issue). I did not see this post until today. I've been busy with other projects and have not had a lot of time to browse these forums.

I am thrilled to see this script. I wrote my own YazFi replacement script last year, as I had a need to add a wired outdoor AP to the guest network. It has been working well thus far. I never published my script, as it is very much hands-on to configure over several files (script, dnsmasq.add, firewall, services-event, etc.). I never had the want or ambition to automate my script for the broader community (basically no time to do it or to provide support afterwards).

Very well done, and my hand reaches out to you for a hearty handshake.

Cheers!!
Thanks a lot for the feedback @Jeffrey Young
 
I can, but not until 4 May after I return home. Yes, I use AiMesh. Please send me the command(s) to display the ARP table.
 
Thanks @visortgw for the support! I think that the "ethernet" devices on your list are devices from AiMesh, but I must get more info on that.

The command is "arp -a"
 
That's easy enough to take care of remotely. Check for private message momentarily.
 
I have an issue with internet access on the bridge, possibly because of how my provider works; it's PPPoE split into vlans for TV, phone and internet. Had to set the VLAN for internet in the IPTV tab: wan0_ifname=vlan6. Just enabling internet in the script does not work. If I add a rule to -A FORWARD -i br8 -o ppp0 -j ACCEPT (and one to -A FORWARD -i ppp0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT ) I can retrieve some websites, but most (at least partially) time out (often for CDN content). A simple way to reproduce is (from a machine on the bridge):

Code:
wget https://www.google.com
[...]
‘index.html’ saved [19746]

wget https://www.reddit.com
--2024-04-25 21:51:38--  https://www.reddit.com/
Resolving www.reddit.com (www.reddit.com)... 199.232.149.140
Connecting to www.reddit.com (www.reddit.com)|199.232.149.140|:443... connected.
^C
What am I missing?
 
@arne123! First of all, thanks for the bugfix suggestions!

For the Internet access problem, I think there are some issues with the internet interface in the firewall rules. Can you send me privately the output of the following commands:

nvram show | grep wan
iptables -S FORWARD

Thanks for your feedback.
 
Hello @janico82. I am testing your sbnMerlin to isolate a dubious Windows corporate laptop on ethernet and so far your script is working very well at that.

Question: I use @Ranger802004 (honestly Asus-saving) Dual Wan Failover Script, but I notice when I test either wan failover or load balance, anything on a sbnMerlin bridge loses internet access if the primary wan is down. I am a complete amateur, but it looks like your script always uses "wan0" never "wan1," so anytime wan0 is down, nothing goes through it. Is there an easy way to fix that where it uses either?

In any case, sbnMerlin fills a big functionality hole and I will likely keep using it even if dual wan is not possible on a bridge. I hope they add this to AMTM. Thank you!
 

Thanks a lot @Mikey Dread for the feedback!

Yes, you're right, sbnMerlin only uses wan0 and never wan1, because the only use case I had was this one.

Can you help me understand the behavior of AsusMerlin with the Dual Wan Failover Script, in order to fix the sbnMerlin script, by sending me in private the output of the following commands with the primary wan and with the failover:

Code:
nvram show | grep wan
iptables -S FORWARD
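
Both of the reports above (the PPPoE setup where wan0_ifname is a VLAN while traffic actually leaves on a ppp interface, and the dual-WAN case where wan1 becomes primary) come down to which interface a bridge's FORWARD rules should name. The following is an added example, not sbnMerlin's own code, of deriving that interface from nvram before writing the rules. It assumes the Asuswrt keys wanN_primary, wanN_proto, wanN_ifname, wanN_pppoe_ifname and wanN_gw_ifname; the values are constructed for an offline run and replace the router's `nvram get`, and the rules are printed rather than applied so they can be reviewed against `iptables -S FORWARD`.

```shell
#!/bin/sh
# Added example (not sbnMerlin's own code): choose the WAN egress interface
# for a bridge's FORWARD rules. Assumes Asuswrt nvram keys wanN_primary,
# wanN_proto, wanN_ifname, wanN_pppoe_ifname, wanN_gw_ifname. The values
# below are constructed samples standing in for "nvram get": wan0 is a PPPoE
# link over vlan6 (as in the report above), wan1 is a DHCP link that is
# currently primary.
NVRAM_SAMPLE="wan0_primary=0
wan0_proto=pppoe
wan0_ifname=vlan6
wan0_pppoe_ifname=ppp0
wan0_gw_ifname=ppp0
wan1_primary=1
wan1_proto=dhcp
wan1_ifname=eth5
wan1_pppoe_ifname=
wan1_gw_ifname=eth5"

nvram_get() {
    printf '%s\n' "$NVRAM_SAMPLE" | sed -n "s/^$1=//p"
}

# WAN unit (0 or 1) currently marked primary; defaults to 0 when neither is.
wan_primary_unit() {
    for u in 0 1; do
        [ "$(nvram_get "wan${u}_primary")" = "1" ] && { echo "$u"; return 0; }
    done
    echo 0
}

# Egress interface for a unit. wanN_gw_ifname already names it (ppp0 for
# PPPoE, the raw WAN port otherwise); fall back to deriving it from the
# protocol when that key is empty.
wan_egress_ifname() {
    unit="$1"
    gw="$(nvram_get "wan${unit}_gw_ifname")"
    if [ -n "$gw" ]; then
        echo "$gw"
    elif [ "$(nvram_get "wan${unit}_proto")" = "pppoe" ]; then
        nvram_get "wan${unit}_pppoe_ifname"
    else
        nvram_get "wan${unit}_ifname"
    fi
}

# Print (never apply) the two FORWARD rules a bridge needs for internet
# access, using the active WAN. The return-path rule names the same bridge.
bridge_forward_rules() {
    br="$1"
    wan="$(wan_egress_ifname "$(wan_primary_unit)")"
    printf 'iptables -A FORWARD -i %s -o %s -j ACCEPT\n' "$br" "$wan"
    printf 'iptables -A FORWARD -i %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$wan" "$br"
}

bridge_forward_rules br8
```

With wan1 marked primary the rules name eth5; flipping wan0_primary to 1 in the sample yields ppp0 rather than vlan6, which is the difference the PPPoE report hinges on.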
 
@janico82, your solution and the new updated sbnMerlin version 1.2.4 now work perfectly with the Dual Wan Failover script; it doesn't miss anything switching between the two wans now. Thank you!!!

Will let you know if I run across anything else in further testing. Thanks again!
 
I am having trouble following the custom packet filtering rules example in the FAQ. I would like devices on wl0.2 to have access only to a single IP on my regular network. If I understand correctly, in sbnMerlin, if I set "allow_internet" and "onewayaccess" to 1, then I should make a file br3_iptables.filter with just one line like this?

INPUT -i wl0.2 -o br0 -d 192.168.1.6 -j ACCEPT

My iptables skills are poor at best, so I'm not sure I am even close on this one.
 
Mikey, with sbnMerlin script you can't for now. The onewayaccess enables the access from the lan network to all the bridge devices, and it’s independent from the internetaccess. So you can allow onewayaccess without internetaccess.

But if you need to allow access from a single IP address to the bridge devices, or from the lan network to a single device on the bridge, I have to make some changes on the custom packet filtering function.

I have to make some tests and plan the release with those options. Are you also available to test that?
 

Ah that would explain why what I tried wouldn’t work haha! I think sbnMerlin is almost perfect already, but would be happy to help test.
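
For reference, the rule quoted in the question above cannot load: iptables rejects `-o` in the INPUT chain (and `-i` in OUTPUT), and traffic crossing from a guest interface to br0 is routed through FORWARD, not delivered to the router itself. The following is an added example, not sbnMerlin's own code and not its custom-filter file format, showing a check for that chain mix-up and the plain iptables rules that confine a guest interface to one LAN host. Interface and address values are constructed for the example; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example (not sbnMerlin's own code or custom-filter format): check
# which chain a rule's interface options allow, and emit the plain iptables
# rules that let one guest interface reach a single LAN host and nothing
# else on the LAN. Values are constructed; rules are printed, not applied.

# iptables rejects -o in INPUT and -i in OUTPUT; a rule naming both an
# inbound and an outbound interface belongs in FORWARD. Returns 0 when the
# chain fits the interface options used, 1 otherwise.
rule_chain_ok() {
    chain="$1"; shift
    has_in=0; has_out=0
    for a in "$@"; do
        case "$a" in
            -i) has_in=1 ;;
            -o) has_out=1 ;;
        esac
    done
    case "$chain" in
        INPUT)   [ "$has_out" -eq 0 ] ;;
        OUTPUT)  [ "$has_in" -eq 0 ] ;;
        FORWARD) return 0 ;;
        *)       return 1 ;;
    esac
}

# Rules for "<guest ifname> may talk only to <host> on <lan bridge>".
# Each line uses -I (insert at the top), so the chain ends up in reverse
# order of printing: replies to the guest's own connections first, then the
# one allowed host, then a drop for everything else headed to the LAN.
# Inserting keeps them ahead of any broader accept rules already present.
restrict_bridge_to_host() {
    guest="$1"; lan="$2"; host="$3"
    printf 'iptables -I FORWARD -i %s -o %s -j DROP\n' "$guest" "$lan"
    printf 'iptables -I FORWARD -i %s -o %s -d %s -j ACCEPT\n' "$guest" "$lan" "$host"
    printf 'iptables -I FORWARD -i %s -o %s -m state --state RELATED,ESTABLISHED -j ACCEPT\n' "$lan" "$guest"
}

# The rule from the question, checked, then the working rule set.
if rule_chain_ok INPUT -i wl0.2 -o br0 -d 192.168.1.6 -j ACCEPT; then
    echo "INPUT rule accepted"
else
    echo "INPUT cannot take -o; use FORWARD instead"
fi
restrict_bridge_to_host wl0.2 br0 192.168.1.6
```

The drop rule only covers guest-to-LAN traffic; internet access for the guest interface is unaffected, which matches the "allow_internet" plus restricted LAN reach the question describes.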
 
Hello there. I have a second Asus router running in AP mode with the DHCP server turned off, and I would like to set up and isolate the guest network on it and just allow DNS requests to pass through to the main network (located at 192.168.1.0/24) to be filtered.

Is this possible with this script? If so, should it run on the main gateway router or on the second AP-mode router?
 
Hello thanks for working on this script. I may be a total noob but I am trying to just have 1 guest network for all my IoT devices, but allow my private main LAN one way access to it.

Your script automatically has br3 active with all others disabled. How would I be able to configure this? I am using an RT-AX86U, and the guest LAN is using the 192.168.101.0 subnet.
 
@Rajjco, you can't run the sbnMerlin script on AP-mode devices, and also, sbnMerlin can't, for now, allow only DNS requests.
I'm still developing a method to give more control to the custom firewall rules function, so stay tuned.

For your scenario, I would install the sbnMerlin script on the main device, activate Guest Network 1 or 2 with AiMesh enabled for the AP-mode device, and deny Internet access to that network.

Now I must ask you why you need to allow DNS requests to pass through to the main network?
 