Force LAN port 4 to use the Guest network for Asus/merlin RT-AC68U


hardtotell

Regular Contributor
I needed to restrict LAN port#4 for Internet only use, just like the Wireless Guest Network access. Then I plug an 8-port Ethernet switch into LAN port 4 of the RT-AC68U router, to expand the number of Internet-only wired connections. It is for attaching wired network devices that have no business on my local area network, but need to access the Internet.

After a couple of hours of research I got it working. Here it is. It should restrict LAN port#4 to the Internet only, exactly like the Wireless Guest Network access built into the router. Anyone see a hole? Suggestions? Thank you.


/jffs/scripts/services-start

Code:
#!/bin/sh

# force LAN port 4 to use the Guest network
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD  -i vlan10 -o ! vlan2 -j DROP
ebtables -t filter -I FORWARD  -i ! vlan2 -o vlan10 -j DROP
 
vlan2 works? The interface is named eth0, as opposed to the way Tomato does things.
 
Yes, the vlan2 works. Apparently it's not an interface because it's not listed by 'ifconfig'? I got it from 'robocfg show'. The eth0 works too. Here are the corrected scripts:

/jffs/scripts/services-start

Code:
#!/bin/sh

# force LAN port 4 to use the Guest network
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10


/jffs/scripts/firewall-start

Code:
#!/bin/sh

if [ "$1" = "eth0" ]; then

# force LAN port 4 to use the Guest network
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD  -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD  -i ! eth0 -o vlan10 -j DROP

fi
 
You might want to replace eth0 with `nvram get wan0_ifname` (including the backticks); this should change eth0 to ppp0 for PPPoE users and make the script more universal. Sorry, I should have thought of it earlier.

And replace the LAN IP/net with `nvram get lan_ipaddr`.
 
Since the firewall-start script gets passed the name of the WAN interface as $1, I put everything in the firewall-start script. Unfortunately I'm not on site to test, but it will probably work.


/jffs/scripts/firewall-start

Code:
#!/bin/sh

# RT-AC68U force LAN port 4 to use the Internet-only Guest network
# firewall-start is invoked with the WAN interface name as $1
# (no spaces around '=' in a shell assignment)
WAN0_IFNAME="$1"
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
# the 802.1Q sub-interface has to sit on the switch trunk (eth0 on this router);
# $1 is only usable here while the WAN interface is eth0, not a PPPoE ppp0
vconfig add "$WAN0_IFNAME" 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! "$WAN0_IFNAME" -j DROP
ebtables -t filter -I FORWARD -i ! "$WAN0_IFNAME" -o vlan10 -j DROP
 
I need some advice on something similar to port 4.
I have recently purchased an Asus AC router and, due to the ISP I subscribed to, I selected the profile with IPTV enabled on port 4, but I'm not using IPTV.
Is there a command to enable and disable it in NVRAM to make it work? Thanks.
 
Just updating this thread with the working version of my script. I've also had success with using the Virtual Server / Port Forwarding feature in the Asuswrt-Merlin GUI to port forward to a computer on my Ethernet/LAN Port#4 Guest Network. To test it locally, you must use the Tor Browser or a VPN to come in from the Internet. Otherwise, the router seems to recognize the local interface and block access, as designed.

/jffs/scripts/firewall-start
Code:
#!/bin/sh
# force LAN port 4 to use the Guest Network for RT-AC68U
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP
 
I added all my Smart TVs to the guest network since they have no business on my local area network. However, now the MiniDLNA cannot be seen by the Smart TVs. Here's the fix:

An extra Ethernet Bridge rule is needed for each Smart TV to discover and access the media server. The MAC address of each Smart TV must be specified to accept port 8200 (MiniDLNA), as follows.

/jffs/scripts/firewall-start
Code:
#!/bin/sh
# force LAN port 4 to use the Internet-only Guest Network
# AND allow wired Ethernet Smart TVs on the Guest Network to access the media server
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 14 ports "4 5t"
vconfig add eth0 14
ifconfig vlan14 up
brctl addif br0 vlan14
ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --src 00:aa:bb:cc:dd:ee --ip-dst 192.168.1.1 --ip-proto tcp --ip-dport 8200 -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --src 00:aa:bb:cc:dd:ef --ip-dst 192.168.1.1 --ip-proto tcp --ip-dport 8200 -j ACCEPT
ebtables -t filter -I FORWARD -i vlan14 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan14 -j DROP

I'm a bit unclear as to what those ACCEPT rules actually mean. However, it seems to work just fine.
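The two nvram substitutions suggested earlier in the thread (`wan0_ifname` in place of eth0, `lan_ipaddr` in place of the LAN address) and the per-MAC MiniDLNA rules above can be produced by one function so that the rule order is explicit. The script below is an added example, not code from the thread or from Asuswrt-Merlin: the function names (`nv`, `cidr_from`, `guest_rules`) and the two MAC addresses are made up for illustration, `lan_netmask` is the nvram variable holding the LAN netmask, and eth0 / 192.168.1.0/24 are only fallbacks for running it off the router. It also states what the ACCEPT rules do: in the broute table, ACCEPT means "keep bridging this frame" and DROP means "hand it to the IP stack on the VLAN interface instead of bridging it" (the ebtables man page's broute semantics). The catch-all DROP therefore diverts guest TCP aimed at the LAN subnet onto vlan14, where the router's iptables INPUT rules (which admit LAN traffic arriving on br0) do not admit it, while the per-MAC ACCEPTs let the TVs' port 8200 frames stay on the bridge and reach br0 as usual. Because `-A` appends, the printed order is the evaluation order; the thread's `-I` sequence ends up in the same order because each later insert lands above the earlier ones.

```shell
#!/bin/sh
# Added example: generate the ebtables rule set for an Internet-only VLAN
# interface, with the WAN interface and LAN subnet read from nvram.
# Plain POSIX sh (BusyBox ash on the router).

# nv <name> <fallback>: nvram value if the nvram tool exists and the value is set,
# otherwise <fallback> (so the script also runs on a workstation for a dry run)
nv() {
    v=""
    command -v nvram >/dev/null 2>&1 && v=$(nvram get "$1" 2>/dev/null)
    printf '%s' "${v:-$2}"
}

# cidr_from <ip> <netmask>: "192.168.1.1" "255.255.255.0" -> "192.168.1.0/24"
cidr_from() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, a, "."); split($2, m, "."); bits = 0; net = ""
        for (i = 1; i <= 4; i++) {
            o = int(a[i]); k = int(m[i])
            # o - o % (256 - k) equals (o AND k) for a valid netmask octet
            net = net (i > 1 ? "." : "") (o - o % (256 - k))
            while (k > 0) { bits += k % 2; k = int(k / 2) }
        }
        print net "/" bits
    }'
}

# guest_rules <guest_if> <wan_if> <lan_cidr> <router_ip> <tcp_port> [mac ...]
# Prints the rules in the order the kernel will evaluate them (-A appends).
# Per-MAC ACCEPTs come before the catch-all DROP, which is also what the
# thread's -I sequence produces.
guest_rules() {
    [ $# -ge 5 ] || { echo "usage: guest_rules gif wan lan_cidr router_ip port [mac ...]" >&2; return 1; }
    gif=$1; wan=$2; lan=$3; rtr=$4; port=$5; shift 5
    # broute table: ACCEPT = keep bridging the frame (it reaches br0 as normal
    # LAN traffic); DROP = "broute" it, i.e. deliver it to the IP stack on $gif.
    for mac in "$@"; do
        printf 'ebtables -t broute -A BROUTING -p IPv4 -i %s -s %s --ip-dst %s --ip-proto tcp --ip-dport %s -j ACCEPT\n' \
            "$gif" "$mac" "$rtr" "$port"
    done
    printf 'ebtables -t broute -A BROUTING -p IPv4 -i %s --ip-dst %s --ip-proto tcp -j DROP\n' "$gif" "$lan"
    # filter table: $wan is not a member of br0, so "-o ! $wan" matches every
    # bridge port; nothing is bridged between $gif and the rest of the LAN.
    # Internet traffic still works because it is addressed to the router's own
    # MAC and is handled by the IP stack, not bridged.
    printf 'ebtables -t filter -A FORWARD -i %s -o ! %s -j DROP\n' "$gif" "$wan"
    printf 'ebtables -t filter -A FORWARD -i ! %s -o %s -j DROP\n' "$wan" "$gif"
}

# Dry run: print the rules. From firewall-start on the router, pipe them to sh.
WAN=$(nv wan0_ifname eth0)
LAN_IP=$(nv lan_ipaddr 192.168.1.1)
LAN_NET=$(cidr_from "$LAN_IP" "$(nv lan_netmask 255.255.255.0)")
guest_rules vlan14 "$WAN" "$LAN_NET" "$LAN_IP" 8200 00:aa:bb:cc:dd:ee 00:aa:bb:cc:dd:ef
```

Run it once without piping to sh and read the output; only then append `| sh` to the last line in firewall-start. Since it appends rather than inserts, re-running it after a firewall restart duplicates the rules unless the chains are flushed first.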
 
I added all my Smart TVs to the guest network since they have no business on my local area network. However, now the MiniDLNA cannot be seen by the Smart TVs. Here's the fix: An extra Ethernet Bridge rule is needed for each Smart TV to discover and access the media server
First - A BIG thank you for figuring this out, and posting it. -- I've been using a Netgear HomePlug Powerline adapter, and only recently started playing with alternate firmwares. One port from the router plugs into the wall, and my SmartTV picks up the signal wired - instead of Wireless. By doing that the TV can act as a Wireless Access Point. Trouble is that AP is on the main LAN. - And there's no option to make it a Guest LAN. (At least w/ the TV).

Following your lead - I put my port2 on a Guest VLAN - so electrical outlets & spare HomePlugs are on Guest. Trouble is so is the SmartTV, and it can't see the WDMyCloud on the main LAN. -- What I'd like is to somehow let only select devices through to connect to the Printer, or WDMyCloud. -- From your description, I think the difference is you are using the Router as a DLNA server, while mine is on another device.
 
@hardtotell

If I read your config correctly, you create a new VLAN with id 14, untag it to port 4 and drop all traffic to your internal IP range. So this is not really the same VLAN as the Wireless Guest network?

How can I 'bridge' the Wireless Guest Network with a newly created VLAN and use the 'guest' function of the router without adding a rule to drop traffic? I'm asking this because I would like to connect two routers (one in AP mode) and make them share a guest SSID on the same VLAN.

I cannot seem to find any other VLANs. I do see wl0.1 when I configure a Guest SSID. So I guess we could bind it to a VLAN. Some info to get me started would be nice :)
 
It is not the same VLAN as the Wireless Guest Network. The idea was to isolate devices on the same subnet, when plugged into LAN port#4. The goal is to protect the computers on the network from the unknown intentions of multiple smart TVs and appliances also on the same subnet. Sorry, I am not the forum expert on VLANs and bridging.
 
This is exactly what I need but for AC56U.
Should this script run on AC56U or are there any changes needed?
 
These two (2) lines might be different. I think the RT-AC56U numbers the ports differently:
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 14 ports "4 5t"
...

Type 'robocfg show' to see the port numbers of your specific router.
 
Thanks for this write up... FYI

If you're using an AC66U, it uses port 8t instead of 5t.

/jffs/scripts/firewall-start
Code:
#!/bin/sh
# force LAN port 4 to use the Guest Network for RT-AC66U
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP
 
First of all, a big thank you! This is exactly what I was looking for.

I have a network of UniFi wireless APs (from Ubiquiti) that can handle guest networks.
So I intend to create a guest network on a VLAN; my switch (Cisco SG-300) handles this VLAN and can then connect this VLAN to my router. The reason for this is simple: concrete walls, and the router is located in the basement...

Now I have bought an AC87U and installed the Merlin version; after running "robocfg show", I get this list:
Code:
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: 54:75:d0:a6:3f:00
Port 1: 1000FD enabled stp: none vlan: 3 jumbo: on mac: 10:bd:18:82:63:53
Port 2:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 50:1a:c5:e5:4d:ed
Port 4:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 8:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
  1: vlan1: 2 3 5 7t
  2: vlan2: 0 7t
  3: vlan3: 1 7t
1045: vlan1045: 1 5t 7t 8t
1046: vlan1046: 2t 3t
1047: vlan1047: 0 1t 4t 5 7t
1099: vlan1099: 1t 2t 3
1100: vlan1100: 0t 1t 4
1101: vlan1101: 0t 3t 7t 8u
1102: vlan1102: 4t
1103: vlan1103: 0 1t 4t

And according to previous posts I guess that I need to change these lines in the script
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"

to something like this
robocfg vlan 1 ports "2 3 7t"
robocfg vlan 10 ports "4 7t"

Am I on the right track?


EDIT: vlan 3 is my second WAN.. so port 1 should not be there either.
 
Am I on the right track?

I'm not the forum expert on VLANs and bridging. That said, I would probably have to guess at it. For your RT-AC87U, will it work?

Type 'brctl show'
Pick a vlan in the list you want to modify. For you it's probably vlan1.
Type 'robocfg show' to see the ports for vlan1. For you these ports are "2 3 5 7t".
Pick a port in this list that you want to move to the new vlan. For you it is port number "5" that you will move to a new vlan?
So you will use robocfg to change vlan1 to "2 3 7t", and add a new vlan10 with the ports "5 7t".
Which actual Ethernet port# got affected by this change? It is trial and error.
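The procedure just described (read vlan1 from `robocfg show`, take one untagged port out of it, create a new VLAN with that port plus the tagged CPU port) can be scripted so that the numbers come from the router's own listing rather than from trial and error, and so that a typo cannot remove the wrong port or reuse a VLAN id that already exists. The script below is an added example, not code from the thread; it is plain POSIX sh as found on the router, the function names (`vlan_ports`, `remove_port`, `tagged_uplink`, `plan_guest_vlan`) are chosen here, and the embedded sample listing is the VLAN section of the RT-AC87U `robocfg show` output posted above, trimmed to the lines the script needs. It only prints the robocfg commands; nothing is applied until the output is piped to sh.

```shell
#!/bin/sh
# Added example: plan the robocfg VLAN change from a saved `robocfg show`
# listing instead of guessing port numbers. Plain POSIX sh (BusyBox ash).

# Constructed sample: the VLAN section of the RT-AC87U listing posted above.
SAMPLE_ROBOCFG='Switch: enabled
VLANs: BCM5301x enabled mac_check mac_hash
  1: vlan1: 2 3 5 7t
  2: vlan2: 0 7t
  3: vlan3: 1 7t
1045: vlan1045: 1 5t 7t 8t'

# vlan_ports <listing> <vid>: port list of VLAN <vid>, e.g. "2 3 5 7t"
# (prints nothing if that VLAN is not in the listing)
vlan_ports() {
    printf '%s\n' "$1" | awk -v vid="$2" '$1 == (vid ":") { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# remove_port <ports> <port>: <ports> with untagged member <port> taken out
remove_port() {
    out=""
    for p in $1; do
        [ "$p" = "$2" ] || out="${out:+$out }$p"
    done
    printf '%s\n' "$out"
}

# tagged_uplink <ports>: the tagged CPU port every VLAN must keep
# (5t on the RT-AC68U, 8t on the RT-AC66U, 7t on the RT-AC87U)
tagged_uplink() {
    for p in $1; do
        case "$p" in *t) printf '%s\n' "$p"; return 0 ;; esac
    done
    return 1
}

# plan_guest_vlan <listing> <port> <new_vid>: print the two robocfg commands
# that move untagged switch port <port> out of vlan1 into new VLAN <new_vid>.
# Fails (exit 1, nothing printed) if <port> is not an untagged vlan1 member,
# if <new_vid> is already in use, or if vlan1 has no tagged CPU port.
plan_guest_vlan() {
    listing=$1; port=$2; vid=$3
    lan=$(vlan_ports "$listing" 1)
    case " $lan " in
        *" $port "*) ;;
        *) echo "port $port is not an untagged member of vlan1 ($lan)" >&2; return 1 ;;
    esac
    if [ -n "$(vlan_ports "$listing" "$vid")" ]; then
        echo "vlan$vid already exists" >&2; return 1
    fi
    cpu=$(tagged_uplink "$lan") || { echo "no tagged CPU port in vlan1" >&2; return 1; }
    printf 'robocfg vlan 1 ports "%s"\n' "$(remove_port "$lan" "$port")"
    printf 'robocfg vlan %s ports "%s %s"\n' "$vid" "$port" "$cpu"
}

# Dry run against the sample: moves switch port 3 into vlan10.
# On the router: plan_guest_vlan "$(robocfg show)" 4 10   (then "| sh" once it looks right)
plan_guest_vlan "$SAMPLE_ROBOCFG" 3 10
```

For the sample listing the output is the same two robocfg lines that the RT-AC87U script later in the thread ends up using. Which physical socket a given switch port number corresponds to still has to be confirmed by plugging a cable in and checking the "Port N:" link state in `robocfg show`; the script only keeps the VLAN table consistent.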
 
I'm not the forum expert on VLANs and bridging. That said, I would probably have to guess at it. For your RT-AC87U, will it work?

Type 'brctl show'
Pick a vlan in the list you want to modify. For you it's probably vlan1.
Type 'robocfg show' to see the ports for vlan1. For you these ports are "2 3 5 7t".
Pick a port in this list that you want to move to the new vlan. For you it is port number "5" that you will move to a new vlan?
So you will use robocfg to change vlan1 to "2 3 7t", and add a new vlan10 with "5 7t".
Will it work? It is trial and error.

:) Yes I guess trial'n'error is the way forward
But you suggest port 5, this may be the port on the back named "1", and in the list from robocfg "4"?

I will test when I get home tonight.
 
How is DHCP handled in this scenario? Are you using the ASUS router for this?
And the network? Are the networks using the same network, i.e. 192.168.1.x?
 
At home, testing, I found out that I had a problem with port 4 (or 1 or 5, depending where I look), so I decided to use port 3 (and move my internal to port 2).
Network is now up. And I can see my router in the guest network. Now I understand that a DHCP server is needed.. (that part I will ask in a new thread)

Here are my settings that seem to work for an RT-AC87U router

Code:
#!/bin/sh
# force LAN port 3 to use the Guest Network for RT-AC87U
robocfg vlan 1 ports "2 5 7t"
robocfg vlan 10 ports "3 7t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP

The result is:
Code:
# robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: 54:75:d0:a6:3f:00
Port 1:    100FD enabled stp: none vlan: 3 jumbo: on mac: 00:12:f2:33:fb:60
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 00:0d:4b:04:2e:ae
Port 3: 1000FD enabled stp: none vlan: 10 jumbo: on mac: 90:94:e4:fc:7f:b5
Port 4:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
Port 8:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
  1: vlan1: 2 5t 7t
  2: vlan2: 0 7t
  3: vlan3: 1 7t
  10: vlan10: 3 7t
1045: vlan1045: 1 5t 7t 8t
1046: vlan1046: 2t 3t
1047: vlan1047: 0 1t 4t 5 7t
1099: vlan1099: 1t 2t 3
1100: vlan1100: 0t 1t 4
1101: vlan1101: 0t 3t 7t 8u
1102: vlan1102: 4t
1103: vlan1103: 0 1t 4t

# brctl show
bridge name  bridge id          STP enabled  interfaces
br0          8000.ac9e17961f18  yes          vlan1
                                             eth1
                                             vlan10


Again, thank you all for this!!
 
