Access Point mode - Guest Network

MDunkleSr

New Around Here
I've got 2 RT-N66Us on my network. One in Wireless Router mode, the other in Access Point mode. I was setting up Guest Network on each of them (which might be overkill I admit), and I noticed that the setting for Access Intranet is not present on the AP.

Is this an oversight? Should a Guest Network config on a AP be allowed to exclude Intranet traffic? Or does it do so already?

Thanks in advance,

Mike
 
The router has no way of knowing what traffic coming from the access point should be excluded from the intranet or not. The router treats the clients as though they were attached by cable to the LAN ports (which they sort of are).
 
Yes, as ColinTaylor stated, when in AP mode, all clients have full access to the network.

You could set up the router in router mode and only give out the Guest ssid and password. If you need both (access to the LAN and isolated) the easiest way is with two AP's with one in router mode (for the Guest network) and one in AP mode to be able to communicate with the rest of the devices as needed.
 
The router has no way of knowing what traffic coming from the access point should be excluded from the intranet or not.
One might add that this is only true as long as the Access Point mode does not support e.g. VLAN tagging (in this case to distinguish guest WiFi vs other traffic), which could then be evaluated by the router.

These features are commonly available for professional devices. And even the not very expensive Gigaset N510 IP Pro allows to tag its VoIP traffic for QoS handling by the involved network components.

Sounds somewhat tempting to add this...

EDIT:

However, that would still require AP mode to support directing its traffic to a specific port, which would additionally require port group support.

And personally, I wouldn't want a second LAN cable, so VLAN tagging appears more attractive to me.

Looks like key ingredients are available, BUT...? Or can NVRAM manipulation do the trick?
 
Yes, as ColinTaylor stated, when in AP mode, all clients have full access to the network.
I'd assume that features built into the Access Point itself might need to be excluded from this statement -- I guess different guest WiFis on the same AP would still be isolated from each other, and whether or not the media server would be accessible is questionable -- at least the UPnP/DLNA packets shouldn't reach the guest WiFis on the same device -- but once you get hold of the local IP address it starts to depend on details of the AP mode implementation.
 
One might add that this is only true as long as...
The ASUS doesn't support any of those scenarios out of the box. It would require significant bespoke scripting on both routers for it to work, which is probably beyond the scope of the OP's question.
 
The ASUS doesn't support any of those scenarios out of the box. It would require significant bespoke scripting on both routers for it to work [...]
Do you have a pointer for me; where do I start to read? Because I'd want to have VLAN tagging for my guest network if it's possible (and can be assumed to perform reasonably well).
 
Sorry, no idea.

The existing router VLANs were only ever designed to be used internally by the router, not manipulated by the user. Their implementation varies between different router models. Also, RMerlin had to reverse engineer some of the code as it is closed source.

The link aggregation guides/discussions are probably your best bet.
 
The ASUS doesn't support any of those scenarios out of the box. It would require significant bespoke scripting on both routers for it to work, which is probably beyond the scope of the OP's question.
@MDunkleSr is already using asuswrt-merlin, so my impression was that he's open to running modified firmware. And while this forum is limited to asuswrt-merlin and it seems that asuswrt-merlin does not support the use case, it looks as if e.g. DD-WRT will, both by using a separate port or by VLAN tagging. Which, in my view, is worth a respective hint. Hope it's not against forum rules. (Note that both articles are pretty old.) (Disclaimer: I have no experience with DD-WRT so far.)
 
Thank you all! Lots of great information. I apologize if some of this has gone over my head & I begin asking questions that are a bit rudimentary, this type of config is new to me. Some extra background: I have been running modified firmware for some time, but I've never tried to use multiple routers before. My new house is big enough that I cannot get solid wi-fi coverage out of just one router. So, I've gone w/ 2 RT-N66Us primarily so that I could flash them both w/ asuswrt-merlin. The second router at the far end of the house was simply going to serve to provide additional wi-fi coverage to make up the shortfall of the primary. As such, I set it up as an AP vs a full router just to keep things simple. I do have a wired connection running from the primary to the AP, so it's not a bridge config.

This not being a bridge config is what prompted the original question. The AP is a member of the network via the wired connection, and it gets its IP from the main router (static DHCP). With that, I assumed that the guest setting would then allow hiding wired resources that are part of the network in the same way that the primary router can. Perhaps I have missed a setting? The AP is reporting all the network resources when I view the client list - including the ones that are directly connected to the primary router. This seemed a bit strange to me, I was expecting to only see a list of clients connected to the AP. Perhaps I've misunderstood what the purpose of the AP is, and I'm using that wrong?

Any additional suggestions are appreciated.
 
[...] I assumed that the guest setting would then allow hiding wired resources that are part of the network in the same way that the primary router can. Perhaps I have missed a setting? The AP is reporting all the network resources when I view the client list - including the ones that are direct connected to the primary router. This seemed a bit strange to me, I was expecting to only see a list of clients connected to the AP. [...]
When in AP mode, the AP device itself is completely invisible to network clients; you can think of it as a switch. Its IP address is only for its non-AP features like the config interface and media server.

Regarding guest WiFi, since it's not implemented by VLAN tagging or similar, it works only "inside the box" so different guest WiFis will probably not see each other, and also the UPnP/DLNA messages of the device will probably be hidden from them; but as I said before, if its IP address is known to a guest WiFi client then I'd make a test to be sure. And as soon as the data packets leave the device, they are treated equally to those of any other network client.

If you want a clean separation of guest access throughout the whole infrastructure then you'll have to think in the direction of VLANs as already mentioned.
 
You could also create some ebtables rules to isolate the guest devices. See also http://www.snbforums.com/threads/guest-network-in-access-point-mode.7021/
That's an interesting pointer, although the thread loses steam towards the end and leaves me a bit confused, as some posts seem to indicate that guest WiFi is meaningless in AP mode (no isolation), while others seem to suggest that it won't work without fixing ebtables, and you are saying that with ebtables, a real isolation can be established.

But to achieve the same level of isolation as if the ASUS were the only device and the router, one would have to forbid access to the primary router (e.g. its config UI, but also to other subnets). That's not going to be achieved by the example in the referenced thread, is it?
 
That's an interesting pointer, although the thread loses steam towards the end and leaves me a bit confused, as some posts seem to indicate that guest WiFi is meaningless in AP mode (no isolation), while others seem to suggest that it won't work without fixing ebtables, and you are saying that with ebtables, a real isolation can be established.

But to achieve the same level of isolation as if the ASUS were the only device and the router, one would have to forbid access to the primary router (e.g. its config UI, but also to other subnets). That's not going to be achieved by the example in the referenced thread, is it?

With additional ebtables/iptables rules you could block certain ports towards your router, I guess. Haven't tried the latter for myself yet. Will try out soon though, as I am currently also using a similar AP isolation.
 
Thank you all! Lots of great information. I apologize if some of this has gone over my head & I begin asking questions that are a bit rudimentary, this type of config is new to me. Some extra background: I have been running modified firmware for some time, but I've never tried to use multiple routers before. My new house is big enough that I cannot get solid wi-fi coverage out of just one router. So, I've gone w/ 2 RT-N66Us primarily so that I could flash them both w/ asuswrt-merlin. The second router at the far end of the house was simply going to serve to provide additional wi-fi coverage to make up the shortfall of the primary. As such, I set it up as an AP vs a full router just to keep things simple. I do have a wired connection running from the primary to the AP, so it's not a bridge config.

This not being a bridge config is what prompted the original question. The AP is a member of the network via the wired connection, and it gets its IP from the main router (static DHCP). With that, I assumed that the guest setting would then allow hiding wired resources that are part of the network in the same way that the primary router can. Perhaps I have missed a setting? The AP is reporting all the network resources when I view the client list - including the ones that are directly connected to the primary router. This seemed a bit strange to me, I was expecting to only see a list of clients connected to the AP. Perhaps I've misunderstood what the purpose of the AP is, and I'm using that wrong?

Any additional suggestions are appreciated.

See my reply in post 3.

Use the router in Router mode and only give out the Guest ssid and password for that router. Then guests will stay isolated.
 
See my reply in post 3. Use the router in Router mode and only give out the Guest ssid and password for that router. Then guests will stay isolated.
Could you help me understand this approach better please.

If the secondary device, intended as an access point, is operated in router mode, then it cannot be used as a media server for the whole network, unless the ASUS exposes its internal features on the WAN interface in router mode (and I do hope that's not the case).

This means that if one wants media server functionality, it must be deployed on the primary router, which implies that it would be visible to clients of the guest network without further measures. The same applies for any other functionality at the primary router, such as additional subnets, a connected VoIP box, the config pages of the WAN modem(s)/router(s) etc.

If the above is not wrong, then in the absence of VLAN tagging, I think there's still hope regarding operating the second device as an AP along the lines of the following (which would also help balancing load -- let the primary device handle WAN and the secondary be a media server).
With additional ebtables/iptables rules you could block certain ports towards your router, I guess.
After a first look, it might e.g. be possible to use the ebtables MAC NAT mechanism to present all guest WiFi traffic to the outside with a unique (otherwise nonexisting) MAC address (if there's a per-SSID ebtable or any other filtering available to distinguish guest WLAN traffic from the rest). Additionally, packets must be restricted to target the primary router. Then, in the primary router, all traffic with the guest WiFi's MAC address must be restricted to target the WAN port.

Just a thought at this point in time. Will look into this fancy stuff but can't name an ETA now.
 
To give you a heads-up on the ebtables approach: isolation works perfectly fine towards other devices on the same subnet. But, full access to AP and Router is available. Combined with strong passwords and/or ssh key-only access, proved to work fine.
The only thing that bothers me is the performance impact. Each and every packet from guest goes through bridge filters hence no hardware acceleration. On my R7000 cpu load goes up to 50% with a 500/500 Mbps connection.
 
Thanks for the update!

Regarding the ebtables approach suggested here to isolate an AP's guest WiFi:
isolation works perfectly fine towards other devices on the same subnet. But, full access to AP and Router is available. Combined with strong passwords and/or ssh key-only access, proved to work fine.
I figured myself yesterday that in AP mode, the AP and its services aren't hidden from the guest WiFi networks, so that's the starting point and the ebtables rules suggested in that post don't prevent that -- it's too late in FORWARD. Of course it would be possible; for an overview of the ebtables mechanism see here.

What I don't like about that approach is that everything at and past the router isn't isolated, including services and other subnets there. I'm thinking of two approaches for that but haven't finished my experiments yet.
The only thing that bothers me is the performance impact. Each and every packet from guest goes through bridge filters hence no hardware acceleration. On my R7000 cpu load goes up to 50% with a 500/500 Mbps connection.
Are you sure your router offers HW acceleration on the WiFi <-> LAN path? If so, for which operations exactly? I believe the biggest impact is caused by encryption/decryption and packet resizing, not by filtering. Have you compared the CPU load to the same setup without the ebtables rules?
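The ebtables approach discussed in the last few posts (isolating guest clients from the rest of the subnet, hiding the AP's own services, and blocking certain ports towards the primary router) can be put together into one rule set. The script below is an added example for this thread; it is not code posted by anyone here and not part of Asuswrt-Merlin. The interface names (`wl0.1` for the guest SSID, `eth0` for the port cabled to the primary router), the router MAC `00:11:22:33:44:55` and the router IP `192.168.1.1` are placeholders you would replace with your own device's values.

```shell
#!/bin/sh
# Added example for this thread, not code posted in it and not part of
# Asuswrt-Merlin. Builds the ebtables rule set for isolating one guest SSID on
# a device running in AP mode. Assumed (placeholder) names:
#   GUEST_IF   guest SSID interface that is a member of the LAN bridge (wl0.1)
#   UPLINK_IF  bridge port cabled to the primary router (eth0)
#   ROUTER_MAC / ROUTER_IP  the primary router's LAN MAC and IP address

rule() { echo "ebtables $*"; }

# Emit the rules for one guest interface, one command per line, in the order
# in which they must be applied.
guest_isolation_rules() {
    guest_if=$1; uplink_if=$2; router_mac=$3; router_ip=$4

    # 1. Hide the AP's own services (web UI, ssh, media server) from guests.
    #    FORWARD is too late for this: locally delivered frames pass INPUT.
    rule -A INPUT -i "$guest_if" -j DROP

    # 2. Guest frames may leave the bridge only through the uplink port, so
    #    other SSIDs and the AP's LAN ports are unreachable. Flooded frames
    #    traverse FORWARD once per output port, so broadcasts are covered too.
    rule -A FORWARD -i "$guest_if" -o ! "$uplink_if" -j DROP
    # 3. ...and only the uplink port may send frames towards guests.
    rule -A FORWARD -o "$guest_if" -i ! "$uplink_if" -j DROP

    # 4. Block the primary router's management ports (ssh, http, https).
    for port in 22 80 443; do
        rule -A FORWARD -i "$guest_if" -p IPv4 --ip-dst "$router_ip" \
             --ip-proto tcp --ip-dport "$port" -j DROP
    done

    # 5. What is left may go to the router (to be routed to the WAN) or be
    #    broadcast (ARP requests, DHCP discover). Every other unicast or
    #    multicast frame crossing the uplink, e.g. to a wired client behind
    #    the primary router, is dropped. Guest IPv6 is not handled here.
    rule -A FORWARD -i "$guest_if" -d "$router_mac" -j ACCEPT
    rule -A FORWARD -i "$guest_if" -d Broadcast -j ACCEPT
    rule -A FORWARD -i "$guest_if" -j DROP
}

# Number of rules the set contains (used as a sanity check).
guest_rule_count() { guest_isolation_rules "$@" | grep -c .; }

# Execute the rules on the device (needs root and the ebtables binary).
apply_guest_isolation() {
    guest_isolation_rules "$@" | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

case "${1:-}" in
    --print) guest_isolation_rules "${GUEST_IF:-wl0.1}" "${UPLINK_IF:-eth0}" \
                 "${ROUTER_MAC:-00:11:22:33:44:55}" "${ROUTER_IP:-192.168.1.1}" ;;
    --apply) apply_guest_isolation "${GUEST_IF:-wl0.1}" "${UPLINK_IF:-eth0}" \
                 "${ROUTER_MAC:?set ROUTER_MAC}" "${ROUTER_IP:?set ROUTER_IP}" ;;
esac
```

`sh guest.sh --print` only lists the commands, so the set can be reviewed before `ROUTER_MAC=... ROUTER_IP=... sh guest.sh --apply` is run on the AP. The rules live in kernel memory only and are gone after a reboot, so on a real device they belong in whatever startup script mechanism the firmware offers. As the earlier posts note, this covers the AP and the ports listed for the router, but anything else reachable past the router (other subnets, services on other wired clients behind the router's own LAN ports) is only blocked as far as rule 5's MAC restriction reaches; a second set of rules on the primary router, or VLAN tagging, is needed for a complete separation.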
 