Is it possible to tag requests from different wireless networks for different VLANs ?


Anonymouslemming
Hi all,

I have a RT-AC56U that I use simply as a wifi device on my home network. I would like to enable a guest network that has no access to my internal network, but can reach the firewall / router (pfsense) and access the internet through that.

At the moment, I have a number of VLANs in the house. 1 is the internal network and my 2.4 and 5Ghz wifi connections are on that. I also have a server VLAN separate to the main house LAN so that access to servers is via the firewall. I'd like to add a third as a guest network.

I can't see a way to tag VLANs on the wireless, but could I have a guest wireless network on the Asus (either running ASUSWRT or Merlin) only connect to the network via a specific ethernet port? That way, that port could be on its own VLAN?

Thanks in advance,
 
I have to chime in here too. I don't currently have VLANs configured but wouldn't be opposed to setting them up if possible/required. I've got the RT-AC87U and have a similar problem. If you disable the internal DHCP Server in the setup because you already have one configured (DC) then the Guest Network doesn't work if you disable "Access Intranet" - which is the whole point. The endpoint can authenticate to the AP but cannot access the DHCP server.

To the big brains... is there any way to make this work with this unit? DHCP relay? I can handle the CLI if required.
 
RT-AC87U running Merlin 378.56_2 in Router Mode with DHCP server disabled because I already have one on the LAN and it ain't going nowhere. And let me tell you - this is not my first Rodeo!

After MANY days of research and trial/error I came up with a working configuration. I finally stumbled across lots of good info when I googled "Asus" + "Merlin" + "br1" (br1 because I started to get the feeling I needed to create a new bridge). While you can incorporate a VLAN, I did find that it wasn't needed for my purposes, which was simply to deny access to the LAN for WiFi guests. In summary, you just need to enable the jffs stuff and then plug in the following script and config then reboot.

Make sure you've already configured the guest network for 2.4Ghz and make sure to give it access to the intranet. Rules in the script will deny access to the LAN. DO NOT configure a 5Ghz network at this time. More on that later!

In /jffs/scripts/firewall-start (<-- that is the script file - with no extension and do make sure you save the file in UNIX type). Make sure the permissions are 777 and it's executable. (I am not the creator of the following files - just modified them so they worked)

Code:
#!/bin/sh

# Debug logging (uncomment to capture the script's output)
## exec 1>>/tmp/firewall-start.log 2>&1

# modified with help from https://github.com/the-darkvoid/AsusWRT-Merlin-AC87U/blob/master/library/isolate-guest-wifi
# modified with help from http://www.snbforums.com/threads/guest-network-with-dns-filtering.17740/

# get list of configured guest wireless networks
Guest24=$(nvram get wl0_vifs)
Guest5=$(nvram get wl1_vifs)

# create new bridge for guests
brctl addbr br1

# Move all guest wireless interfaces to br1
# (the move only takes effect for secured networks after eapd is restarted below)
lan1names=""

for GuestWifiDevice in $Guest24 $Guest5; do
    brctl delif br0 $GuestWifiDevice
    brctl addif br1 $GuestWifiDevice
    # add name to list with preceding blank
    lan1names="$lan1names $GuestWifiDevice"
done

# Give the bridge an IP that is off the LAN - will be used as the guest gateway
/sbin/ifconfig br1 192.168.10.1 netmask 255.255.255.0 broadcast 192.168.10.255

# In the broute table a DROP means "route this frame instead of bridging it",
# so guest traffic never crosses to br0 at layer 2 and must pass the iptables rules
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i br1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i br1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i br1 -j DROP

# Allow guest traffic to be routed (to the internet) and to reach the router
/usr/sbin/iptables -I FORWARD -i br1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i br1 -j ACCEPT
# keep guests from accessing the LAN subnet and the router's LAN address
/usr/sbin/iptables -I FORWARD -i br1 -d 192.168.1.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i br1 -d 192.168.1.1/24 -j DROP
# Set appropriate firewall rules for new br1
# (-I inserts at the top, so these three end up ahead of the rules above)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

# if guest wifi moved, set some nvram variables and restart eapd to fix security
if [ "x$lan1names" != "x" ]; then
    nvram set lan_ifnames="vlan1 eth1 wifi0"
    nvram set lan_ifname="br0"

    nvram set lan1_ifnames="$lan1names"
    nvram set lan1_ifname="br1"

    # restart eapd
    killall eapd
    eapd
fi

I am not sure that all those rules are valid, but they seem to work for me. In particular the ebtables lines don't seem to get applied as "ebtables -L" doesn't show any entries.

/sbin/service restart_dnsmasq

Add dnsmasq mods to /jffs/configs/dnsmasq.config.add (<-- again, filename)
Code:
interface=br1
dhcp-range=br1,192.168.10.50,192.168.10.65,255.255.255.0,4h
dhcp-option=br1,3,192.168.10.1
# DNS servers are OpenDNS family friendly
dhcp-option=br1,6,208.67.222.123,208.67.220.123

Reboot and have a beer to your success.

Now, about the 5Ghz... it is supposed to be on virtual interface wl1.1 according to all the documentation I can find. However ifconfig doesn't show the interface at all so I don't know what is going on. I've left it in the script above and it doesn't break anything. At the same time it simply doesn't work! You can connect to the guest network SSID just fine, but you'll pull an IP from the LAN and will have all the access it's entitled to. wl1.1 did not exist in the factory firmwares either. So I just decided that Guests don't get to use 5Ghz. What do I care? They're just guests :)

FWIW, the "Guest Networking" offered in the factory and Merlin builds is simply worthless and shouldn't even be advertised until the support for a "proper" guest network is incorporated. And I just don't understand why it's not!?! How hard would it be to add a few fields to the Guest network page for the dnsmasq stuff and create the rules to separate the networks, but in the actual base code and not jffs? I'm sure it could be done much more elegantly with minimal effort.

Merlin, thanks for all you've done for the community and I'd like for you to give a stab at an answer for that last question if you've got the time and inclination. If you actually do answer I'll probably fall down.
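Because every rule in the post's script is added with iptables -I, the rule run last ends up first in the FORWARD chain, and that is what makes the guest-to-LAN DROP win over the blanket ACCEPT for br1. The script below is an added example, not code from this thread or from the Merlin firmware: it prints an equivalent guest ruleset in run order, simulates what -I does to the chain order, and audits an `iptables -S FORWARD` listing to confirm a DROP toward the LAN precedes any ACCEPT for guest traffic. The bridge names (br1, br0), the LAN subnet 192.168.1.0/24, the function names and the BAD_CHAIN sample are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: dry-run generator and order audit for a guest-bridge ruleset.
# Assumed (hypothetical) layout: guests on br1, LAN on br0 / 192.168.1.0/24.
GUEST_BR="${GUEST_BR:-br1}"
LAN_BR="${LAN_BR:-br0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the iptables commands in the order they must be RUN.  Each one uses -I,
# which prepends, so the command printed last becomes the first rule in the chain.
guest_rules() {
    cat <<EOF
iptables -I FORWARD -i $GUEST_BR -j ACCEPT
iptables -I FORWARD -i $GUEST_BR -d $LAN_NET -j DROP
iptables -I FORWARD -i $GUEST_BR -o $LAN_BR -m state --state NEW -j DROP
iptables -I FORWARD -i $LAN_BR -o $GUEST_BR -m state --state NEW -j DROP
EOF
}

# Simulate the effect of running those commands: reverse them and print the
# chain in the form `iptables -S FORWARD` would show it (one "-A FORWARD" per rule).
simulate_insert() {
    awk '/^iptables -I FORWARD / {
             sub(/^iptables -I FORWARD /, "-A FORWARD ")
             r[++n] = $0
         }
         END { for (i = n; i > 0; i--) print r[i] }'
}

# Audit a FORWARD listing (stdin, `iptables -S FORWARD` format).
# Returns 0 when the first rule matching traffic that enters from the guest
# bridge is a DROP toward the LAN (by output bridge or by LAN subnet), and 1 when
# an ACCEPT for guest traffic is reached first or no guest rule exists at all.
audit_forward() {
    awk -v g="$GUEST_BR" -v l="$LAN_BR" -v n="$LAN_NET" '
        # only chain rules (skip the -P policy line) that match -i <guest bridge>
        /^-A FORWARD / && $0 ~ ("-i " g "( |$)") {
            to_lan = ($0 ~ ("-o " l "( |$)")) || ($0 ~ ("-d " n "( |$)"))
            if (to_lan && $0 ~ /-j DROP$/)  { ok = 1; exit }
            if ($0 ~ /-j ACCEPT$/)          { ok = 0; exit }
        }
        END { exit (ok ? 0 : 1) }'
}

# Constructed sample of the failure mode: the same rules appended with -A instead
# of inserted with -I, so the blanket ACCEPT is evaluated before the DROP.
BAD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -i br1 -j ACCEPT
-A FORWARD -i br1 -d 192.168.1.0/24 -j DROP
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP'

# Demo: show the chain as it would look after the -I commands, then audit it.
echo "chain after running the -I commands:"
guest_rules | simulate_insert
if guest_rules | simulate_insert | audit_forward; then
    echo "OK: guest -> LAN is dropped before any ACCEPT"
fi
if printf '%s\n' "$BAD_CHAIN" | audit_forward; then
    echo "unexpected: appended chain passed"
else
    echo "BAD_CHAIN: ACCEPT reached before the guest -> LAN DROP"
fi
```

On the router itself, `iptables -S FORWARD | audit_forward` (after sourcing the file) gives the same verdict on the live chain; it checks rule order only, not the ebtables broute entries, which the post notes may not be applied.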
 
On my AC68U if I connect to the guest wifi I get an IP address in my LANs range, but I can't access any LAN devices.

Isn't that what you want?
 
On my AC68U if I connect to the guest wifi I get an IP address in my LANs range, but I can't access any LAN devices.

Isn't that what you want?
Guest network has the option to enable/disable access to the intranet.
 
Tom, it would work perfectly if you use the onboard DHCP server. However, if you already have one on the network that you must use then you have to disable the onboard DHCP. Which is where the problem is introduced and the solution above works for me.
 
Although I've got multiple devices on my LAN that can do DHCP I'm using the router for simplicity.
 
