
AC66U as AP Merlin 380.70 Guest network restrict LAN access


Rogfitz

I have an Asus AC5300 as primary router, gateway and DHCP server and an AC66U as a secondary AP. On the AC66U I have created a Wifi Guest Network that I don't want to access my LAN. Only the AC5300 for internet access and a single Chromecast.

I get this to work when using stock firmware version 3.0.0.4.382_51641-g46d2311 and connecting with Telnet and writing the following commands:

#!/bin/sh
#nvram commit
killall eapd
eapd
#enable wifi guest isolation (for wifi clients only, not lan)
wl -i wl0.1 ap_isolate 1
#block lan access to/from wifi guests
ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
ebtables -I FORWARD 1 -s ##:##:##:##:##:01 -j ACCEPT
ebtables -I FORWARD 1 -d ##:##:##:##:##:01 -j ACCEPT
ebtables -I FORWARD 1 -s ##:##:##:##:##:02 -j ACCEPT
ebtables -I FORWARD 1 -d ##:##:##:##:##:02 -j ACCEPT
ebtables -I FORWARD 4 -i wl0.1 -j DROP
ebtables -I FORWARD 4 -o wl0.1 -j DROP

The ##:##:##:##:##:01 and ##:##:##:##:##:02 being the MAC-addresses to my AC5300 and Chromecast.

But since I haven't been able to run these commands automatically on the AC66U on startup (is it possible?) I tried the Merlin 380.70 firmware instead. I successfully made the commands run on startup in the "service-start" script, but it doesn't work! Instead the Guest Network can't connect at all. No IP from the DHCP on AC5300 is received. And even if I use Static IP allocation on my client I can't connect to the Internet.

Any ideas what I'm doing wrong?
 
It would have been useful if you had quoted the original source for the script you're using. Or better still just added your question to the existing thread. It would have also given it more context and highlighted the fact that the author hadn't gotten the script to work properly.

https://www.snbforums.com/threads/guest-wireless-lan-blocking-in-access-point-mode.50071/

AFAICT this script would never achieve what the author intended (i.e. isolating the AP guests from the main router's LAN).
 
FYI the script works just fine with the latest stock firmware 3.0.0.4.382_51641-g46d2311 as I wrote.
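
The rule order that the `-I FORWARD 1` and `-I FORWARD 4` positions in the script from the first post produce, as an added example that is not part of the thread or any poster's code: a shell model of positional insertion and first-match evaluation. It never calls ebtables and says nothing about how either firmware bridges frames; the `eth0` uplink name and the guest MAC are constructed, and `Broadcast` is treated as a plain label.

```shell
#!/bin/sh
# Added example: models `ebtables -I FORWARD N` ordering; never calls ebtables.
ROUTER='##:##:##:##:##:01'   # placeholder from the post (AC5300)
CAST='##:##:##:##:##:02'     # placeholder from the post (Chromecast)
GUEST='aa:bb:cc:00:00:10'    # constructed guest client MAC
CHAIN=""                     # one rule per line, rule 1 first

# insert_rule POS RULE: RULE becomes rule number POS, later rules shift down.
insert_rule() {
    CHAIN=$(printf '%s\n' "$CHAIN" | awk -v pos="$1" -v rule="$2" '
        NF == 0 { next }
        { n++; if (n == pos) print rule; print }
        END { if (pos > n) print rule }')
}

# build_chain: the seven inserts, in the order the script issues them.
build_chain() {
    CHAIN=""
    insert_rule 1 "-d Broadcast -j ACCEPT"
    insert_rule 1 "-s $ROUTER -j ACCEPT"
    insert_rule 1 "-d $ROUTER -j ACCEPT"
    insert_rule 1 "-s $CAST -j ACCEPT"
    insert_rule 1 "-d $CAST -j ACCEPT"
    insert_rule 4 "-i wl0.1 -j DROP"
    insert_rule 4 "-o wl0.1 -j DROP"
}

# rule_at N: print rule number N of the modelled chain.
rule_at() { printf '%s\n' "$CHAIN" | sed -n "${1}p"; }

# first_match IN OUT SRC DST: print "N: rule" for the first rule whose
# -i/-o/-s/-d conditions all match the frame (the rule that decides it).
first_match() {
    printf '%s\n' "$CHAIN" | awk -v i="$1" -v o="$2" -v s="$3" -v d="$4" '
        NF == 0 { next }
        { ok = 1
          for (k = 1; k < NF; k += 2) {
              if ($k == "-i" && $(k+1) != i) ok = 0
              if ($k == "-o" && $(k+1) != o) ok = 0
              if ($k == "-s" && $(k+1) != s) ok = 0
              if ($k == "-d" && $(k+1) != d) ok = 0
          }
          if (ok) { print NR ": " $0; exit } }'
}

build_chain
printf '%s\n' "$CHAIN" | awk '{ print NR ": " $0 }'   # resulting rule order
first_match wl0.1 eth0 "$GUEST" Broadcast   # guest broadcast frame
first_match eth0 wl0.1 "$ROUTER" "$GUEST"   # router frame towards the guest
```

In the modelled chain both DROP rules land at positions 4 and 5, ahead of the `-s` ACCEPT for the router and the Broadcast ACCEPT, so frames that match only those two rules reach a DROP first.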
 
