What's new

How to isolate AP clients/guests from rest of network?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

BrashIntermediary

New Around Here
I've spent some time Googling this already, but I'm still unclear as how to best accomplish this. I have an older Asus RT-N16 I just flashed with Merlin, and I'd like to use it as a secondary AP on my existing home network.

That itself is simple enough, but I'd also like to use this AP to create a new, isolated guest network. In other words, I'd like all its connected clients (both WiFi and Ethernet) to be isolated from the rest of my network. Ideally these guest devices would have an Internet connection but wouldn't be able to access any other network resources.

Based on this thread (http://www.snbforums.com/threads/vlan-network.33216/), I'm not sure whether this is best accomplished via VLANs or DHCP/subnet magic.

I'm usually intermediate level when it comes to network stuff, but I haven't yet found a good resource to really clarify these core concepts for me. Figuring out how to accomplish this is obviously my first priority, but ideally I'd like to understand the solution as well.
 
If all you need from this AP is only an isolated guest network, then simply plug in a LAN cable from your main router to the WAN port and set it up as a Router (not an AP).

Use a secure password for the main WiFi ssid's and NEVER share them with anyone.

Setup the Guest WiFi with the 'isolate intranet' option checked and everyone that connects will only have access to internet and nothing else.
 
I was initially thinking of trying it this way, but I've also read elsewhere that one NAT router behind another can sometimes cause problems for certain devices/apps. Is that something to be worried about?

Hopefully this weekend I can get some time to test it out.
 
Setup the Guest WiFi with the 'isolate intranet' option checked and everyone that connects will only have access to internet and nothing else.

Gotta be careful here - misconfiguration can expose LAN resources to the guest network - depends on the vendor and how the Guest network is handled - some do VLAN's, some just do 802.11 AP isolation, but at the end of the day, understand how your Router/AP handles things like this, and test the heck out of it.
 
First of all, I just realized I probably posted this in the wrong forum. If so, my apologies, and hopefully this thread can be moved to its proper home.

Anyway, I'm still becoming familiar with Merlin, but I've now got guest WiFi setup with intranet isolation enabled. I haven’t had any time to really test things yet, but I'm guessing this isolation setting will only affect wireless clients on the guest network, right?

I’m also guessing the isolation setting will only stop these wireless clients from seeing each other. Anything on the WAN side will still be open game, no?

After looking at the routing tables, I’m wondering if it’s possible to make some additional static routing rules that would help me achieve the desired result. I’m not at home to access my router at the moment, but bear with me here.

Say I’ve got my primary router set up with a LAN IP of 192.168.1.1 and subnet of 192.168.1.0/24. I’ve connected my secondary Asus Merlin router (in router mode), with a LAN IP of 192.168.2.1 and a subnet of 192.168.2.0/24.

Based on the Asus routing tables it appears all packets on the second subnet are directed to the LAN, while all other packets go to the WAN interface. Could I add some additional routing rules that would drop all traffic to the WAN/primary subnet (192.168.1.*), except for the primary router/gateway itself?

I’m guessing multiple VLANs could accomplish what I want, but I don’t any see such options anywhere within Merlin. I’m not averse to adding some custom scripts within Merlin to achieve what I’m looking for, but I don’t really know where to start (or if I’m barking up the wrong tree).
 
With business grade hardware, we do this with VLANs...often tagging an SSID to a special VLAN which we sent to a different interface on the edge router, different DHCP service...thus different subnet. As well as have a "guest isolation" mode enabled on that guest wireless SSID.

With residential level hardware, unmanaged switches, etc...it becomes difficult due to lack of certain features. However, Merlin firmware does support a "client isolation" feature, which you can enable on this "guest" network. The client isolation feature basically walls off each wireless client that joins that SSID...so that the ONLY resource they can communicate with is the gateway IP address...thus, the internet. They're effectively VLAN'd off from the primary LAN and connected computers on the physical LAN.
 
Smth. like this works for me.
It might not work on all firmware - better said, I've had to make my own fork of latest Merlin to make it work...


# allow bootps/67 and bootpc/68
ebtables -A FORWARD -p IPv4 -i wl0.+ --ip-protocol UDP --ip-destination-port 67 -j ACCEPT
ebtables -A FORWARD -p IPv4 -i wl0.+ --ip-protocol UDP --ip-destination-port 68 -j ACCEPT

# allow TCP ssh/22 and domain/53 ports on <GW>
ebtables -A FORWARD -p IPv4 -i wl0.+ --ip-destination <GW> --ip-protocol TCP --ip-destination-port 22 -j ACCEPT
ebtables -A FORWARD -p IPv4 -i wl0.+ --ip-destination <GW> --ip-protocol TCP --ip-destination-port 53 -j ACCEPT
ebtables -A FORWARD -p IPv4 -i wl0.+ --ip-destination <GW> --ip-protocol UDP --ip-destination-port 53 -j ACCEPT

# protect private networks
ebtables -A FORWARD -p IPv4 -i wl0.+ --ip-dst 192.168.0.0/16 -j DROP
ebtables -A FORWARD -p IPv4 -i wl0.+ --ip-dst 172.16.0.0/16 -j DROP
ebtables -A FORWARD -p IPv4 -i wl0.+ --ip-dst 10.0.0.0/8 -j DROP

# avoid incoming broadcasts
ebtables -A FORWARD -p IPv4 -o wl0.+ --ip-dst 239.255.255.0/24 -j DROP
 

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top