Access Intranet option for Wired clients


xman1

Occasional Visitor
Just wondering if the option for wireless clients to disable intranet access can also be applied to wired clients?

The idea is for wired IoT devices that I do not control and therefore do not trust to be limited from accessing my internal network. I don't see anything that may help facilitate this, but it is quite possible I missed it in a search.
 
There's no option to do that in the GUI. It might be possible to do it with custom scripts depending on which model of router you have.
 
Just wondering if the option for wireless clients to disable intranet access can also be applied to wired clients?

The idea is for wired IoT devices that I do not control and therefore do not trust to be limited from accessing my internal network. I don't see anything that may help facilitate this, but it is quite possible I missed it in a search.

I have one of my physical ports in the Guest VLAN 502, but this has to be done with a script and it is harder to do on the HND routers (like the 8x ones). Pretty simple on my RT-AC1900/RT-AC68U.
 
I have an RT-AC88U. I assume it would be the same as yours?

Nope, totally different, much more difficult unfortunately. Yours is an HND chipset. Though someone in here did do it recently, I believe. As long as you use Guest Wireless 1 you should have two VLANs, 501 and 502, then you just need to create a script to move one of the wired ports into that VLAN. I think it can be done using the "ip link" command but not positive. Sorry, not much experience with the HND routers, so hopefully someone else may be able to help. It shouldn't be too terrible if all you want to do is move a physical port into an existing VLAN.
 
I have an RT-AC88U. I assume it would be the same as yours?

Actually it seems like you should be able to do what you need with BRCTL

You'll need to do "brctl show" to see what bridge the VLAN you want (501 for 2.4ghz guest and 502 for 5ghz guest) is attached to, then move the port to that bridge.

Example:

brctl delif br0 eth4    # remove LAN port 1 from the native VLAN (make sure your LAN is br0, but it should be)
brctl addif xxx eth4    # add LAN port 1 to the guest bridge (replace xxx)

Note the ports on the 8x series routers are usually reversed, so LAN port 1 is eth4 and LAN port 4 is eth1, etc. Update the above for whatever port you want to use, and repeat if you want more than one port.

This can be scripted and put into services-start, but note if you change settings this can get overwritten so you have to remember to reboot the router or reapply the settings. Or you can use service-event script to have it reapply frequently whenever something changes.
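The brctl approach in the post above, written up as an added example (my own script, not code from the poster or from Asuswrt-Merlin). It parses `brctl show` to find which bridge carries the guest VLAN and which bridge the port is currently in, so it can be re-run from services-start or service-event without error: brctl addif refuses a port that is still a member of br0, and a settings change puts the port back there. The interface names (eth4 as the port, a guest sub-interface ending in .501 or .502 as in the eth2.501/eth2.502 ifconfig output posted later in the thread), the bridge layout in the sample output and the script path are assumptions, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the thread): put one LAN port into the Guest Wireless 1
# bridge on an HND-family Asuswrt-Merlin router with brctl, safe to run repeatedly
# from /jffs/scripts/services-start or service-event.
# Assumed, adjust for your unit: the port is eth4 (LAN 1 on the 8x series, where the
# numbering is reversed) and the guest VLAN shows up as a sub-interface ending in .501/.502.
PORT="${PORT:-eth4}"
GUEST_VLAN="${GUEST_VLAN:-502}"

# Constructed sample of `brctl show` output (the thread posted ifconfig and robocfg
# output, not brctl), so the parser can be exercised without a router.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.0011223344aa       no              eth1
                                                        eth2
                                                        eth3
                                                        eth4
br1             8000.0011223344bb       no              eth5.501
br2             8000.0011223344cc       no              eth5.502
br9             8000.0011223344dd       no'

# Print the bridge whose member interface matches the awk regex in $2, reading the
# `brctl show` text passed in $1. brctl prints the first member on the bridge's own
# line and every further member on a line of its own, so carry the bridge name along.
bridge_matching() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        NR == 1 { next }                                  # column header
        NF >= 3 { br = $1; ifc = (NF >= 4) ? $4 : "" }    # bridge line, maybe no member yet
        NF == 1 { ifc = $1 }                              # continuation line: another member
        ifc != "" && ifc ~ pat { print br; exit }
    '
}

# Move PORT into the bridge that carries GUEST_VLAN. Returns non-zero, touching nothing,
# if no bridge carries that VLAN (Guest Wireless 1 not enabled, or not up yet).
move_port_to_guest() {
    show=$(brctl show)
    guest=$(bridge_matching "$show" "[.]${GUEST_VLAN}\$")
    if [ -z "$guest" ]; then
        echo "no bridge carries VLAN ${GUEST_VLAN}; enable Guest Wireless 1 and reboot" >&2
        return 1
    fi
    current=$(bridge_matching "$show" "^${PORT}\$")
    if [ "$current" = "$guest" ]; then
        echo "${PORT} already in ${guest}"               # idempotent: nothing to do
        return 0
    fi
    # addif fails while the port still belongs to another bridge (normally br0): detach first.
    [ -n "$current" ] && brctl delif "$current" "$PORT"
    brctl addif "$guest" "$PORT"
}

# Offline check against the constructed sample, for reading the output format.
demo() {
    printf '%s is in %s; VLAN %s is carried by %s\n' "$PORT" \
        "$(bridge_matching "$SAMPLE_BRCTL" "^${PORT}\$")" \
        "$GUEST_VLAN" "$(bridge_matching "$SAMPLE_BRCTL" "[.]${GUEST_VLAN}\$")"
}

case "${1:-}" in
    apply) move_port_to_guest ;;   # sh /jffs/scripts/guestport.sh apply  (from services-start / service-event)
    demo)  demo ;;
esac
```

Run it once by hand with the `apply` argument and confirm with `brctl show` that the port moved; then call it from services-start and, because a settings change rebuilds the bridges and returns the port to br0, from service-event as well. It only ever issues the two brctl commands when the port is not already where it should be, so repeated invocations are harmless.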
 
I have an RT-AC88U. I assume it would be the same as yours?

Sorry based on what Colin said, makes sense to check.

SSH into the router

do "robocfg show" If you get an output, then you're golden, changing is very easy.

This is what I have in my script:

robocfg vlan 1 ports "1 2 3 5t"     # remove port 4 from VLAN 1
robocfg vlan 501 ports "1t 5t"      # trunk (tag) 2.4 GHz guest VLAN 501 out to my other access point on port 1 (and remove 501 from the other ports, since it isn't needed there)
robocfg vlan 502 ports "4 5t"       # put LAN port 4 into 5 GHz guest VLAN 502 (and remove 502 from the other ports, since it isn't needed there)

You always have to have "5t" as that is the CPU. You need to have 386 code (or newer) and Guest wireless 1 enabled for this to work (reboot after enabling guest wireless to ensure all the vlan configs get applied, on mine 502 didn't show up until after reboot).

Net result of the above: port 1 sends VLAN 1 untagged and VLAN 501 tagged to my other AP, which handles both regular and guest SSIDs.
Ports 2-3 are normal untagged LAN ports in VLAN 1.
Port 4 is an untagged guest port in VLAN 502.

I used 501 for other AP since it is 2.4ghz only and 502 since a wired gig port is "high performance" which seemed to go well with 5ghz guest. In reality, it doesn't matter, you can use one, the other, both, whatever you want. If you want two guest ports I'd put them in the same VLAN if you want them to be able to see each other and have good throughput (will bypass the router and just use the switch) or put them in separate VLANs if you don't want them to see each other. So two guest ports in 501 should be able to do a full gig between each other. One in 501 and one in 502 won't be able to see each other at all but will be able to access the internet.
 
Yep, they are there. How to redirect a port to them is now the question. Need to get out my Linux skillz.


eth2.501 Link encap:Ethernet HWaddr X
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:862320 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:56859788 (54.2 MiB)

eth2.502 Link encap:Ethernet HWaddr X
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:771106 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:43397238 (41.3 MiB)


robocfg show
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: x
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: x
Port 2: 1000FD enabled stp: none vlan: 1 jumbo: off mac: x
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: x
Port 4: 1000FD enabled stp: none vlan: 2 jumbo: off mac: x
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: x
Port 7: 1000FD enabled stp: none vlan: 1 jumbo: off mac: x
Port 8: 1000FD enabled stp: none vlan: 2 jumbo: off mac: x
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 5 7 8t
2: vlan2: 4 8u
501: vlan501: 0t 1t 2t 3t 5t 7t 8t
502: vlan502: 0t 1t 2t 3t 5t 7t 8t
 

Awesome! Thanks!
 
Awesome! Thanks!

Obviously if above doesn't work (no robocfg) then you need to look at the other post and use brctl and figure out which bridge interfaces to use. But you should be able to get it to work either way.

EDIT - OK I see it does work, so you're in good shape. Just modify what I put to reflect that you have 8 ports not 4 like mine.

Yours is a bit different in that the WAN Port is 4 instead of 0 too.

Basically just remove whatever port(s) you want to be guest from VLAN 1 and add them to 501 and/or 502. Note that the robocfg command overwrites what is there so you have to put all ports, not just the ones you want to change.

Another thing to note, Guest Wireless 1 (the one that uses VLANs and separate subnets) - LAN can access guest, but guest can't access LAN
Guest wireless 2 and 3 which share the LAN subnet but uses firewall rules to block communication - LAN can't access guest, and guest can't access LAN
 
I am assuming that 8t is my CPU on this one? See my robocfg output above.

Edit: If it looks confusing it is because I have LACP enabled for a NAS.

Edit2: Guess the best way to see is to experiment. Nothing is permanent until a script is made.
 
I am assuming that 8t is my CPU on this one? See my robocfg output above.

OK yours is an interesting setup, it has two switches. You can only control ports 0-3 (which map backwards to physical ports 1-4) and possibly 5 which is the second switch.

Port 5 feeds the second switch which you can't change individual ports on apparently, so anything you change on port 5 affects all 4 of those ports (which may be what you want, 4 guest ports).

4 should be WAN (don't touch it) and 8 should be CPU. No idea what port 7 is.

Have a look at this

 

Hm maybe 7 is related to LACP. Yeah you'll have to toy around with it. From what I can see you can control the first 4 ports individually, then the second 4 ports as a whole.

Between ifconfig, brctl show, and robocfg show you should be able to see what happens when you plug and unplug each port. If you can spare all 4 ports then maybe you can just set port 5 to guest which will give you 4 guest ports. However they will all be able to see each other (but not the LAN) so that may not be what you want.

Note that 8t just means port 8 and tag the VLAN (VLAN trunking). Every VLAN must be tagged to the CPU, except VLAN 2, which goes untagged. Also odd that yours has an "8u" for the WAN VLAN 2; the lack of "t" should mean untagged. Another mystery there, maybe u means to strip the tag off if it is there. On mine, the WAN VLAN 2 is
2: vlan2: 0 5

so no "t" or "u" specified. Dunno; as long as you don't touch the WAN port or VLAN you're fine there, whatever it has should stay.
 
To anyone following this thread... I ran into a problem. External switch... If I set the VLAN for one device over there, I have to set it for all devices connected to that switch.

The above will help for a device I have plugged directly into the router, but it doesn't work for my TV and my Cable box. Why? They are plugged into a switch that is connected via a single port via a single cable that runs under the house. The TV I want to give Intranet access to and the cable box I want just internet access. This presents a new problem.

The solution is to mod the firewall directly. I have determined iptables is installed on my device. This might even be easier, as now I can mod an individual device on the network without a script, though iptables is notorious for being hard to configure. I have made it output all the current rules.
 

Yeah if your external switch is not a smart switch, then everything connected to it will get the VLAN of whatever port it is plugged into. If it is a smart switch, then you can still make it work, just a bit of modification needed to the script and some configs on that switch via the GUI.

You should be able to look at the existing iptables rules, specifically the ones related to br1 and br2 (the two Guest interfaces), to get an idea of what is needed. It can be a bit daunting. Some rules will specify br1 and br2 and others will fall under default drop etc.

Note whatever rules you modify you'll still need to script it, I don't believe they'll survive a reboot, maybe mistaken though.

You can get a smart switch fairly cheap, that is an option too. In that case you would tag the guest VLAN facing that switch (leave VLAN 1 untagged), then on the switch assign VLAN 1 to the device you want on the main LAN and 501 (or 502) on the device you want on the guest.

Last option, if 100 meg is enough for those two devices, your single ethernet cable can carry two 100M links which you could then plug directly into the router ports.
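Putting the robocfg posts in this thread together, here is an added example (my own script, not code from any poster or from Asuswrt-Merlin) for the non-HND models where `robocfg show` works. It derives the new member lists from the live `robocfg show` output instead of hard-coding them, because, as noted above, `robocfg vlan N ports` replaces the whole list and the tagged CPU port has to stay in every VLAN; it refuses to touch a port that is in the WAN VLAN and refuses to run if the guest VLAN is not present yet. GUEST_PORTS become untagged members of the guest VLAN (a wired guest port); TRUNK_PORTS keep VLAN 1 untagged and carry the guest VLAN tagged, which is both the "port 1 to my other AP" case above and the smart-switch option. The constructed sample mirrors the RT-AC88U `robocfg show` output posted above; the switch-port numbers, the VLAN ids and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite robocfg VLAN membership from the live
# `robocfg show` output. `robocfg vlan N ports "..."` replaces the whole member list,
# so every list is rebuilt from the current state and the tagged CPU port is carried over.
# Assumed: robocfg switch-port numbers (not the labels on the case); VLAN 1 = LAN,
# VLAN 2 = WAN, 501/502 = Guest Wireless 1, as in the thread.
GUEST_VLAN="${GUEST_VLAN:-502}"
GUEST_PORTS="${GUEST_PORTS:-3}"   # untagged guest ports; 3 = physical LAN 1 in the RT-AC88U output
TRUNK_PORTS="${TRUNK_PORTS:-}"    # ports that keep VLAN 1 untagged and get GUEST_VLAN tagged

# Constructed sample, copied in shape from the RT-AC88U output posted in the thread.
SAMPLE_ROBOCFG='VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 0 1 2 3 5 7 8t
2: vlan2: 4 8u
501: vlan501: 0t 1t 2t 3t 5t 7t 8t
502: vlan502: 0t 1t 2t 3t 5t 7t 8t'

# Member list of VLAN $2 from robocfg show text $1, e.g. "0 1 2 3 5 7 8t".
vlan_members() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == (id ":") { $1 = ""; $2 = ""; sub(/^ +/, ""); print; exit }'
}

# The tagged member of VLAN 1 is the CPU port (5t on 4-port models, 8t on the RT-AC88U).
cpu_port() {
    for m in $1; do
        case "$m" in *t) printf '%s' "$m"; return 0 ;; esac
    done
    return 1
}

# Member list $1 with every port named in $2 removed; "4", "4t" and "4u" all count as port 4.
without_ports() {
    for m in $1; do
        keep=1
        for p in $2; do
            [ "${m%[tu]}" = "$p" ] && keep=0
        done
        [ "$keep" -eq 1 ] && printf '%s ' "$m"
    done | sed 's/ $//'
}

# Print (do not run) the robocfg commands for $1 = robocfg show text, $2 = guest VLAN,
# $3 = guest access ports, $4 = trunk ports.
plan() {
    lan=$(vlan_members "$1" 1)
    wan=$(vlan_members "$1" 2)
    cpu=$(cpu_port "$lan") || { echo "no tagged CPU port in VLAN 1" >&2; return 1; }
    [ -n "$(vlan_members "$1" "$2")" ] ||
        { echo "VLAN $2 not present: enable Guest Wireless 1 and reboot" >&2; return 1; }
    [ "$(without_ports "$wan" "$3 $4")" = "$wan" ] ||
        { echo "refusing: a listed port is in WAN VLAN 2 ($wan)" >&2; return 1; }
    tagged=""
    for p in $4; do tagged="$tagged ${p}t"; done
    guest="$3$tagged $cpu"
    printf 'robocfg vlan 1 ports "%s"\n' "$(without_ports "$lan" "$3")"
    printf 'robocfg vlan %s ports "%s"\n' "$2" "$(echo $guest)"   # unquoted echo squeezes spaces
}

# sh /jffs/scripts/guestvlan.sh apply   (from services-start; re-run after settings changes)
if [ "${1:-}" = "apply" ]; then
    plan "$(robocfg show)" "$GUEST_VLAN" "$GUEST_PORTS" "$TRUNK_PORTS" | sh -ex
fi
```

Run `plan` against your own `robocfg show` output first and read the two commands before letting `apply` execute them; on the RT-AC88U output above, port 5 is the uplink to the second switch, so listing it moves all four of those ports together, as the thread notes. Moving the port's VLAN is the only router-side way to cut a wired device off from the other wired ports: frames between two ports in the same VLAN are forwarded inside the switch chip and never pass through iptables on the CPU, which is why the same-port TV-plus-cable-box case needs a smart switch (the TRUNK_PORTS shape here, with VLAN 1 untagged and the guest VLAN tagged on the uplink) or separate cables.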
 