AC66U as AP Merlin 380.70 Guest network restrict LAN access


Rogfitz

New Around Here
I have an Asus AC5300 as primary router, gateway and DHCP server and an AC66U as a secondary AP. On the AC66U I have created a Wifi Guest Network that I don't want to access my LAN. Only the AC5300 for internet access and a single Chromecast.

I get this to work when using stock firmware version 3.0.0.4.382_51641-g46d2311 and connecting with Telnet and writing following commands:

#!/bin/sh
#nvram commit
killall eapd
eapd
#enable wifi guest isolation (for wifi clients only, not lan)
wl -i wl0.1 ap_isolate 1
#block lan access to/from wifi guests
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s ##:##:##:##:##:01 -j ACCEPT
ebtables -I FORWARD 1 -d ##:##:##:##:##:01 -j ACCEPT
ebtables -I FORWARD 1 -s ##:##:##:##:##:02 -j ACCEPT
ebtables -I FORWARD 1 -d ##:##:##:##:##:02 -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 4 -o wl0.1 -j DROP

The ##:##:##:##:##:01 and ##:##:##:##:##:02 being the MAC-addresses to my AC5300 and Chromecast.

But since I haven't been able to run these commands automatically on the AC66U on startup (is it possible?) I tried the Merlin 380.70 firmware instead. I successfully made the commands run on startup in the "service-start" script, but it doesn't work! Instead the Guest Network can't connect at all. No IP from the DHCP on AC5300 is received. And even if I use Static IP allocation on my client I can't connect to the Internet.

Any ideas what I'm doing wrong?
 

ColinTaylor

Part of the Furniture
It would have been useful if you had quoted the original source for the script you're using. Or better still just added your question to the existing thread. It would have also given it more context and highlighted the fact that the author hadn't gotten the script to work properly.

https://www.snbforums.com/threads/guest-wireless-lan-blocking-in-access-point-mode.50071/

AFAICT this script would never achieve what the author intended (i.e. isolating the AP guests from the main router's LAN).
 

Rogfitz

New Around Here
FYI the script works just fine with the latest stock firmware 3.0.0.4.382_51641-g46d2311 as I wrote.
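
Added example (not part of any post in this thread): a small Python model of how the `-I FORWARD 1` / `-I FORWARD 4` insertions in the script from the first post order the chain, and which rule decides a few constructed frames. It assumes standard ebtables insert and first-match semantics, an empty chain with ACCEPT policy, placeholder MAC addresses, and `eth0` as the uplink bridge port; firmware-specific behaviour is not modelled.

```python
# Added example: model of ebtables "-I FORWARD <n>" ordering and first-match evaluation.
# MAC addresses are constructed placeholders standing in for the post's ##:..:01 / ##:..:02.
ROUTER, CAST = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
GUEST, LAN_PC = "aa:aa:aa:aa:aa:99", "aa:aa:aa:aa:aa:10"
BCAST = "ff:ff:ff:ff:ff:ff"          # what the ebtables keyword "Broadcast" matches

# (rule number given to -I, match field, match value, target), in the order the script runs them
SCRIPT = [
    (1, "dst", BCAST, "ACCEPT"),
    (1, "src", ROUTER, "ACCEPT"),
    (1, "dst", ROUTER, "ACCEPT"),
    (1, "src", CAST, "ACCEPT"),
    (1, "dst", CAST, "ACCEPT"),
    (4, "in", "wl0.1", "DROP"),
    (4, "out", "wl0.1", "DROP"),
]

def build_chain(script):
    """Apply each insert the way -I does: the new rule becomes rule number n."""
    chain = []
    for pos, field, value, target in script:
        chain.insert(pos - 1, (field, value, target))
    return chain

def verdict(chain, frame, policy="ACCEPT"):
    """First matching rule decides; otherwise the chain policy (assumed ACCEPT) applies."""
    for number, (field, value, target) in enumerate(chain, start=1):
        if frame.get(field) == value:
            return target, number
    return policy, None

# Constructed sample frames as seen in FORWARD on the AP's bridge ("in"/"out" are bridge ports;
# "eth0" is an assumed name for the wired uplink port).
FRAMES = {
    "guest DHCP discover": {"src": GUEST, "dst": BCAST, "in": "wl0.1", "out": "eth0"},
    "guest -> router": {"src": GUEST, "dst": ROUTER, "in": "wl0.1", "out": "eth0"},
    "router -> guest": {"src": ROUTER, "dst": GUEST, "in": "eth0", "out": "wl0.1"},
    "guest -> LAN host": {"src": GUEST, "dst": LAN_PC, "in": "wl0.1", "out": "eth0"},
    "chromecast -> guest": {"src": CAST, "dst": GUEST, "in": "eth0", "out": "wl0.1"},
}

if __name__ == "__main__":
    chain = build_chain(SCRIPT)
    for n, rule in enumerate(chain, 1):
        print(n, *rule)
    for name, frame in FRAMES.items():
        print(f"{name:22} -> {verdict(chain, frame)}")
```

Running it prints the resulting rule order followed by the deciding rule number for each sample frame, which can be compared against `ebtables -L FORWARD --Ln` on the device.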
 
