I have an Asus AC3200, and was playing around with the "Guest" network functions of the asuswrt firmware today. In particular, the functionality for allowing or disallowing intranet access. In the course of that playing around, I found one thing that I completely expected, and two things that I didn't expect (and don't make any sense to me).
All these things are in the ebtables bridge tables. According to "brctl show", "br0" is a bridge between vlan1 (which I believe is a combination of the "LAN" ethernet jacks), "eth1" thru "eth3" (which represent the 2.4GHz radio and the two 5GHz radios in my router), and "wl0.1", which is the "guest" wireless network.
When I disallow intranet access, an entry appears in the "FILTER" table of ebtables:
Code:
-i wl0.1 -j DROP
-o wl0.1 -j DROP
This is completely expected, and tells the BRIDGE to drop any packets whatsoever that it would have normally FORWARDED from or to wl0.1 to/from other members of the bridge. In other words, no packets can travel across the bridge if they come from or go to the guest network (but packets can still route from/to wl0.1 to/from the WAN port, which is eth0).
What I didn't expect (and what doesn't make any sense to me) was the following additional entry I found in the 'BROUTING' chain of the broute table:
Code:
-p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
What this means is that the bridge, if it sees a packet from wl0.1 that is using IPv4, and is a tcp packet destined for the local network (which includes all the other members of the bridge), should NOT "bridge" the packet, but should instead treat it as if it originates from "wl0.1" (instead of br0).
That doesn't make any sense. Why only IPv4? Why only tcp packets and not udp or any other packet type? Why bother with this rule at all? Does this rule exclude wl0.1 packets from the FILTER rule (being that the packet would be excluded from the bridge)? If so, wouldn't that allow traffic to be forwarded from wl0.1 to/from the bridge members? (There's nothing in iptables that references the wl0.1 interface, so it seems that it'd get forwarded.)
(That broute table entry, along with the filter table entry, goes away if I ALLOW intranet access.)
If that wasn't confusing enough, I then found the following when examining the ebtables "nat" table:
Code:
Bridge chain: PREROUTING, entries: 6, policy: ACCEPT
-i eth2 -j mark --mark-or 0x6 --mark-target ACCEPT
-i eth1 -j mark --mark-or 0x6 --mark-target ACCEPT
-i eth3 -j mark --mark-or 0x6 --mark-target ACCEPT
-i wl0.1 -j mark --mark-or 0x6 --mark-target ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: POSTROUTING, entries: 6, policy: ACCEPT
-o eth2 -j mark --mark-or 0x6 --mark-target ACCEPT
-o eth1 -j mark --mark-or 0x6 --mark-target ACCEPT
-o eth3 -j mark --mark-or 0x6 --mark-target ACCEPT
-o wl0.1 -j mark --mark-or 0x6 --mark-target ACCEPT
These entries are always there regardless of whether the guest network is allowed intranet access or not...
All that does is to put a "mark" on every packet that passed through the bridge via wifi. It doesn't impact LAN (wired ethernet) traffic. Actually, because marks are usually done with bits, it puts TWO marks on each packet (bit 1 and bit 2: 0x6 is binary 0110). Why mark the packets? Nothing in ebtables or iptables makes use of the marks. Is anything else capable of using them?
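As an added illustration (not code from the post or from asuswrt), this Python model walks a frame through the quoted rules in ebtables' traversal order, which is what the question about the broute entry hinges on: a DROP in the BROUTING chain hands the frame to the IP stack instead of the bridge, so it never reaches the filter FORWARD drops and iptables decides its fate, while every other guest frame is bridged and dropped. The guest port name, LAN range and wifi port names are taken from the post; the model covers only frames forwarded between two bridge ports, and treats routed frames as skipping nat PREROUTING (a modelling assumption).

```python
"""Constructed model of the ebtables path for the rules quoted in the post.
Assumptions (not asuswrt code): guest port wl0.1, LAN 192.168.1.0/24, and only
frames forwarded between two bridge ports (not delivered to the router) are modelled."""
import ipaddress
from dataclasses import dataclass

GUEST_IF = "wl0.1"
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
WIFI_IFS = {"eth1", "eth2", "eth3", GUEST_IF}   # ports the nat table marks; vlan1 is not


@dataclass
class Frame:
    in_if: str            # bridge port the frame arrived on
    out_if: str           # bridge port it would be forwarded to
    ethertype: str        # "IPv4", "IPv6", "ARP", ...
    ip_proto: str = ""    # "tcp", "udp", "icmp"; "" for non-IP frames
    ip_dst: str = ""
    mark: int = 0


def brouting(f: Frame) -> str:
    """broute BROUTING: -p IPv4 -i wl0.1 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
    In this chain DROP means 'route, do not bridge': the frame goes to the IP stack
    as if it arrived on wl0.1 itself and never reaches the filter FORWARD chain."""
    if (f.in_if == GUEST_IF and f.ethertype == "IPv4" and f.ip_proto == "tcp"
            and f.ip_dst and ipaddress.ip_address(f.ip_dst) in LAN_NET):
        return "route"
    return "bridge"


def nat_prerouting(f: Frame) -> None:
    """nat PREROUTING: -i ethN / -i wl0.1 -j mark --mark-or 0x6 (sets bits 1 and 2)."""
    if f.in_if in WIFI_IFS:
        f.mark |= 0x6


def filter_forward(f: Frame) -> str:
    """filter FORWARD with intranet access disallowed: -i wl0.1 / -o wl0.1 -j DROP."""
    return "DROP" if GUEST_IF in (f.in_if, f.out_if) else "ACCEPT"


def process(f: Frame) -> str:
    """Walk a bridged frame through the three tables in ebtables traversal order."""
    if brouting(f) == "route":            # assumption: leaves the bridge code here
        return "routed: iptables decides"
    nat_prerouting(f)
    return "bridged: filter FORWARD " + filter_forward(f)
```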