RT-AC87U running Merlin
378.56_2 in Router Mode with DHCP server disabled because I already have one on the LAN and it ain't going nowhere. And let me tell you - this is not my first rodeo!
After MANY days of research and trial/error I came up with a working configuration. I finally stumbled across lots of good info when I googled "Asus" + "Merlin" + "br1" (br1 because I started to get the feeling I needed to create a new bridge). While you can incorporate a VLAN, I did find that it wasn't needed for my purposes, which was simply to deny access to the LAN for WiFi guests. In summary, you just need to enable the jffs stuff and then plug in the following script and config, then reboot.
Make sure you've already configured the guest network for 2.4GHz and make sure to give it access to the intranet. Rules in the script will deny access to the LAN. DO NOT configure a 5GHz network at this time. More on that later!
In /jffs/scripts/firewall-start (<-- that is the script file - with no extension, and do make sure you save the file in UNIX format). Make sure the permissions are 777 and it's executable. (I am not the creator of the following files - just modified them so they worked.)
Code:
#!/bin/sh
# DebugLogging
## exec 1>>/tmp/firewall-start.log 2>&1
# modified with help from https://github.com/the-darkvoid/AsusWRT-Merlin-AC87U/blob/master/library/isolate-guest-wifi
# modified with help from http://www.snbforums.com/threads/guest-network-with-dns-filtering.17740/
# get list of configured guest wireless networks (virtual interfaces such as wl0.1 for 2.4GHz)
Guest24=$(nvram get wl0_vifs)
Guest5=$(nvram get wl1_vifs)
# create new bridge for guests
brctl addbr br1
# Move all Guest wireless to br1
# attempt to move wireless guest fails (no security only works) until restart of eapd below
lan1names=""
for GuestWifiDevice in $Guest24 $Guest5
do
brctl delif br0 $GuestWifiDevice
brctl addif br1 $GuestWifiDevice
# add name to list with preceding blank
lan1names="$lan1names $GuestWifiDevice"
done
# Give the bridge an IP that is off LAN - will be used for guest gateway
/sbin/ifconfig br1 192.168.10.1 netmask 255.255.255.0 broadcast 192.168.10.255
# In the broute table "-j DROP" does not discard the frame: it means "route it"
# (hand it up to the IP stack) instead of bridging it, so iptables gets to see it.
# These rules live in the broute table, so a plain "ebtables -L" (filter table)
# will not list them; use "ebtables -t broute -L" to check them.
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i br1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i br1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i br1 -j DROP
# NOTE: every iptables rule below is inserted at the top with -I, so the LAST
# one inserted is evaluated FIRST; read this block bottom-up for the final order.
/usr/sbin/iptables -I FORWARD -i br1 -j ACCEPT
# lets guests reach the router itself (needed for DHCP/DNS on 192.168.10.1;
# note it also exposes the router's other services on that address)
/usr/sbin/iptables -I INPUT -i br1 -j ACCEPT
# keep guests from accessing the router interface on its LAN address
# (iptables reads 192.168.1.1/24 as the whole 192.168.1.0/24 prefix, not just the router)
/usr/sbin/iptables -I FORWARD -i br1 -d 192.168.1.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i br1 -d 192.168.1.1/24 -j DROP
# Set appropriate firewall rules for new br1:
# no NEW connections between br1 and br0 in either direction, everything else from br1 allowed
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
# if guest wifi moved, set some nvram variables and restart eapd to fix security
if [ "x$lan1names" != "x" ]
then
nvram set lan_ifnames="vlan1 eth1 wifi0"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="$lan1names"
nvram set lan1_ifname="br1"
# restart eapd (Broadcom's wireless EAP/WPA dispatcher) so the guest SSIDs keep their security on the new bridge
killall eapd
eapd
fi
I am not sure that all those rules are valid, but they seem to work for me. In particular the ebtables lines don't seem to get applied, as "ebtables -L" doesn't show any entries.
/sbin/service restart_dnsmasq
Add the dnsmasq mods to /jffs/configs/dnsmasq.config.add (<-- again, that is the filename)
Code:
# also listen on the guest bridge; dnsmasq tags requests from it with the interface name (br1)
interface=br1
# lease pool for guests on the br1 tag, 4 hour leases
dhcp-range=br1,192.168.10.50,192.168.10.65,255.255.255.0,4h
# default gateway (option 3) is the br1 address set in firewall-start
dhcp-option=br1,3,192.168.10.1
# DNS servers (option 6) are OpenDNS family friendly
dhcp-option=br1,6,208.67.222.123,208.67.220.123
Reboot and have a beer to your success.
Now, about the 5GHz... it is supposed to be on virtual interface wl1.1 according to all the documentation I can find. However ifconfig doesn't show the interface at all, so I don't know what is going on. I've left it in the script above and it doesn't break anything. At the same time it simply doesn't work! You can connect to the guest network SSID just fine, but you'll pull an IP from the LAN and will have all the access it's entitled to. wl1.1 did not exist in the factory firmwares either. So I just decided that guests don't get to use 5GHz. What do I care? They're just guests.
FWIW, the "Guest Networking" offered in the factory and Merlin builds is simply worthless and shouldn't even be advertised until the support for a "proper" guest network is incorporated. And I just don't understand why it's not!?! How hard would it be to add a few fields to the Guest network page for the dnsmasq stuff and create the rules to separate the networks, but in the actual base code and not jffs? I'm sure it could be done much more elegantly with minimal effort.
Merlin, thanks for all you've done for the community and I'd like for you to give a stab at an answer for that last question if you've got the time and inclination. If you actually do answer I'll probably fall down.
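Added example (editor's code, not the poster's firewall-start and not Merlin's own code): the same br1 isolation expressed with dedicated iptables chains and plain -A rules, so the evaluation order is the order you read rather than the reverse order of a stack of -I inserts. It also tightens the one soft spot in the posted script: the "-I INPUT -i br1 -j ACCEPT" rule lets guests reach every service the router listens on at 192.168.10.1, whereas here guests get DHCP and DNS to the gateway and nothing else. The chain names GUEST_ISOLATE and GUEST_ISOLATE_IN, the run() wrapper and the DRY_RUN switch are choices made for this example; the interface names and prefixes default to the ones used in the post. DRY_RUN=1 (or the "show" argument) prints the rules instead of applying them, so the set can be reviewed on a workstation before it goes on the router.

```shell
#!/bin/sh
# Example guest-bridge isolation rules (not the poster's script, not Merlin code).
# Assumed names: GUEST_ISOLATE/GUEST_ISOLATE_IN chains, run(), DRY_RUN.
GUEST_IF="${GUEST_IF:-br1}"
GUEST_GW="${GUEST_GW:-192.168.10.1}"
LAN_IF="${LAN_IF:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
CHAIN="GUEST_ISOLATE"

# Every rule goes through run(). With DRY_RUN=1 the command is printed instead
# of executed, so the whole rule set can be reviewed off the router.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

guest_rules() {
    # Chains are (re)created and flushed so a second run of firewall-start
    # does not stack a duplicate copy of every rule.
    for c in "$CHAIN" "${CHAIN}_IN"; do
        run iptables -N "$c" 2>/dev/null || true
        run iptables -F "$c"
    done

    # Hook the chains in at the top of FORWARD and INPUT, removing any
    # earlier jump first (the delete fails harmlessly when it is not there).
    run iptables -D FORWARD -i "$GUEST_IF" -j "$CHAIN" 2>/dev/null || true
    run iptables -D FORWARD -o "$GUEST_IF" -j "$CHAIN" 2>/dev/null || true
    run iptables -D INPUT -i "$GUEST_IF" -j "${CHAIN}_IN" 2>/dev/null || true
    run iptables -I FORWARD 1 -o "$GUEST_IF" -j "$CHAIN"
    run iptables -I FORWARD 1 -i "$GUEST_IF" -j "$CHAIN"
    run iptables -I INPUT 1 -i "$GUEST_IF" -j "${CHAIN}_IN"

    # Forwarded traffic. Replies to connections the guest side opened toward
    # the WAN come back through here, so accept those first.
    run iptables -A "$CHAIN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # No new connections between the guest bridge and the LAN bridge,
    # in either direction.
    run iptables -A "$CHAIN" -i "$GUEST_IF" -o "$LAN_IF" -j DROP
    run iptables -A "$CHAIN" -i "$LAN_IF" -o "$GUEST_IF" -j DROP
    # Also refuse guest packets addressed to the LAN prefix even if they would
    # leave by some other interface (a VPN tunnel, a second bridge, ...).
    run iptables -A "$CHAIN" -i "$GUEST_IF" -d "$LAN_NET" -j DROP
    # Guest-to-guest traffic that reaches the IP stack is dropped as well;
    # everything else from guests, i.e. toward the WAN, is allowed.
    run iptables -A "$CHAIN" -i "$GUEST_IF" -o "$GUEST_IF" -j DROP
    run iptables -A "$CHAIN" -i "$GUEST_IF" -j ACCEPT
    run iptables -A "$CHAIN" -j RETURN

    # Traffic to the router itself: guests may obtain a lease and resolve
    # names via the br1 gateway address, nothing else (no web UI, SSH, SMB).
    run iptables -A "${CHAIN}_IN" -p udp --dport 67 -j ACCEPT
    run iptables -A "${CHAIN}_IN" -d "$GUEST_GW" -p udp --dport 53 -j ACCEPT
    run iptables -A "${CHAIN}_IN" -d "$GUEST_GW" -p tcp --dport 53 -j ACCEPT
    run iptables -A "${CHAIN}_IN" -j DROP
}

# "show" prints the rules without touching the firewall; "apply" installs them.
case "${1:-}" in
    show)  DRY_RUN=1 guest_rules ;;
    apply) guest_rules ;;
esac
```

On the router this would be called from firewall-start with "apply" after br1 has been created and given its address; "show" on any machine with a POSIX shell prints the exact iptables commands, which is the quickest way to confirm the order (ESTABLISHED accept, then the two br1/br0 drops, then the WAN accept) before trusting it with real guests.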