Allow guest network access to single IP for printer

Discussion in 'Asuswrt-Merlin' started by bobley, Oct 6, 2017.

  1. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    I have a printer with a static IP. Can I allow the guest network access to the printer on an IP basis? Does that open a vulnerability? The guest network is password protected.

    Alternatively, I could put the printer on the guest network and push my own print jobs over to that.

    Ideally, this would be bidirectional as there's a Macbook that likes to sometimes connect to the guest network.

    Does it matter if the printer is hard wired or on WiFi?
     
  2. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK
    Does this help?
    https://www.snbforums.com/threads/guest-network-question.36500/#post-298242
     
  3. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    How do I test that? First I went down the path of putting Entware on a USB drive, but then got stuck. Then I used WinSCP to copy a text file I named GuestPrinter.sh, which I placed in the /jffs/scripts folder (just pasted the text into Notepad++).

    After making it executable: chmod a+rx /jffs/scripts/*
    And running: dos2unix /jffs/scripts/*
    I managed to get the script to run in telnet to the point of outputting " **ERROR** Missing arg e.g. wl0.2 or SSID"

    What do I do next? Do I edit the file for my IPs and SSID or will the script ask me?
     
    Last edited: Oct 6, 2017
  4. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK
    Unless otherwise stated, scripts don't normally require Entware installed.
    If you issue
    Code:
    ./GuestPrinter.sh   -h
    you should see examples of the type of arguments you must supply to the script.

    i.e. the first argument; the name of the SSID (or physical Guest interface) is mandatory, and if you haven't hard-coded a list of your printer IPs in the code by altering the statement:
    Code:
    PRINTERS="10.88.8.131 10.88.8.132"        # <<=== Set DEFAULT!!!!!!
    then the second argument must be the IP of the printer you wish to share.
     
    Last edited: Oct 7, 2017
  5. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    Code:
    ./GuestPrinter.sh SSID printerIP1
    run in telnet gives an output
    Code:
    -sh: A: not found
    [email protected]:/jffs/scripts# (GuestPrinter.sh): 14774 Martnueau Guest WiFi Printer configuration Starting. [L]
    [: wl1.2_ssid=ASUS_guest2: unknown operand
    
    (GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: (wl0.2) Printer 10.88.8.131 access allowed...
    
    (GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: (wl0.2) Printer 10.88.8.131 access allowed...
    
    (GuestPrinter.sh): 14774 Martnueau Guest WiFi printer configuration Complete.
    Am I sending the arguments incorrectly? I have one guest SSID and one printer IP to share.

    I also tried
    Code:
    ./GuestPrinter.sh wl0.1 printerIP1
    That seems to work saying
    Code:
    (GuestPrinter.sh): 14774 Martnueau Guest WiFi SSID: SSIDname (wl0.1) Printer IP1 access allowed...
    
    Do I have to do more than just run this once in telnet to get the router to keep this setting?
    I tried adding /GuestPrinter.sh wl0.1 printerIP1 to wan-start, but when executing wan-start, I get ERROR wl0.1 not found. My wan-start has only
    Code:
    #!/bin/sh
    /jffs/scripts/GuestPrinter.sh wlo.1 printerIP
    Does the SSID argument have to be in the wl0.1 form or can it be the SSID name? I tried the name like the help shows and it didn't work.
     
    Last edited: Oct 7, 2017
  6. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK
    As per the help...the first argument may be:

    either the actual SSID (not the literal text string 'SSID')
    or
    may be specified as wl0.1 etc.

    and the second argument must be the actual IP address of the printer in the form xxx.xxx.xxx.xxx not a printer name.
     
  7. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    Thanks for your help.

    How do I find the actual SSID?

    I've got this opening the correct printer IP for the guest SSID after a router reboot. Is wan-start the place for this or should I put it somewhere else?

    I still can't print or ping the printer IP from the guest WiFi. I'm not sure what might be getting in the way. Does the GuestPrinter script open the printer IP to being pinged?
     
  8. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,713
    Location:
    UK
    It's the one you specified on the Guest Network page called "Network Name(SSID)". :rolleyes:
     
  9. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    Yes, I used my SSID name and not merely SSID. Using SSID name as an argument doesn't work, but wl0.1 works.

    I still can't print or ping. If I ping, my own computer IP (and not the printer IP) replies back Destination host unreachable.
     
  10. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,713
    Location:
    UK
    Perhaps your SSID had some non-alphanumeric characters that confused the script.

    I could be wrong but the script appears to only allow TCP traffic to the printer, so pings won't work because they are ICMP. Try accessing the printer's webUI from a browser.
     
  11. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    That could be it.
    Can't access webUI.
     
  12. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    3,713
    Location:
    UK
    I've just tried it here and have the same problem. The script appears to be functioning correctly, in the sense that it is creating the ebtables rules, but there is still no LAN access.

    I'm guessing something has changed in the firmware since the script was written. I'll do some more investigating.
     
  13. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK
    If you are willing to be a beta tester, I will PM you a link to a different script.

    GuestSubnet.sh v1.0x

    This script uses a different method in order to provide advanced Guest WiFi VPN/VLAN/IoT isolation, but it fortunately also addresses your LAN printer access requirement.

    You will need to edit line 177 to change the IP addresses to your printer device(s)
    Code:
    PRINTERS="10.88.8.131 10.88.8.132"                      # LAN printer(s)
    Then run the script for the appropriate SSID/interface you wish to grant access to the printer(s)
    e.g. for WiFi 2.4GHz Guest #1
    Code:
    ./GuestSubnet.sh   wl0.1   autodnsmasq
    or you may find it easier to specify the SSID ;)

    Hopefully you should now be able to successfully PING the printer(s) ?

    NOTE: For a Win10 laptop, whilst connected to the new WiFi Guest (wl0.1) subnet I had to re-install the appropriate printer/driver by creating a separate icon, even though the original Laser printer icon existed - weird o_O
     
    Last edited: Oct 7, 2017
  14. steelskinz

    steelskinz Regular Contributor

    Joined:
    Mar 9, 2015
    Messages:
    124
    Location:
    France
    Can we do the same with a wired printer? How could I add it to the guest VLAN (if it exists)? Thanks.
     
  15. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK
    The access is via IP address, so as long as the printer is connected to the LAN with a reserved DHCP IP then it doesn't matter - wired or Wireless.

    e.g. I have two LAN wired Laser printers and can share them with any of the 6 WiFi Guests.
     
  16. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    Tried the beta guestsubnet.sh
    Code:
    /jffs/scripts/guestsubnet.sh wl0.1  autodnsmasq
    and get
    Code:
    grep: /etc/dnsmasq.conf: No such file or directory
    grep: /etc/dnsmasq.conf: No such file or directory
    cat: can't open '/etc/dnsmasq.conf': No such file or directory
    
    (guestsubnet.sh): 4000 ***ERROR*** Guest WiFi 2.4GHz Client 1 SSID='myGuestSSID' WIFI_IF='wl0.1' WIFI_IP='' WIFI_MASK='' WIFI_SUBNET_PREFIX='.0/24'
    Both /jffs/config/dnsmasq.conf.add and dnsmasq.conf.add-DATE files were created.

    I'll have to test this again when at another router.

    Didn't realize this, but Asus doesn't support restricting intranet access when in AP mode.
     
    Last edited: Oct 9, 2017
  17. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK


    EDIT: Ahhh I see you have now edited your original post and declared that the router is in AP mode!!!:mad::mad::mad::mad:

     
    Last edited: Oct 10, 2017
  18. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    I'll test this further in a day or so. I thought I could test this in AP mode, but see that I can't. I'll have to wait until I have access to the router in Router mode where I need this implementation.

    Thanks for all the help.
     
  19. bobley

    bobley Occasional Visitor

    Joined:
    Oct 31, 2016
    Messages:
    17
    Back in Router mode. Script seems to work, but I have some glitches of my own doing.

    The script opens the ports and I can ping, but it sometimes makes it so that devices can't connect to the SSID on which the script acts. I noticed this in AP mode, but it happens in Router mode too. It seems that wan-start is running too early, as after I rerun wan-start from telnet, I can again connect to the SSID. Not sure this is the best way to resolve this, but in wan-start, before the GuestSubnet script, I added
    Code:
     sleep 10 
    Sleep 10 is perhaps a tad too short, but it avoids the script messing up the SSID.

    Do I need to include autodnsmasq in wan-start? It seemed to work without it after running GuestSubnet.sh once with autodnsmasq from telnet. Not sure what the best practice is?

    What is the proper way to convert from wan-start.sh to wan-start? I'm just duplicating it in WinSCP and removing the .sh extension.
     
    Last edited: Oct 12, 2017
  20. Martineau

    Martineau Very Senior Member

    Joined:
    Jul 8, 2012
    Messages:
    1,211
    Location:
    UK
    Not sure what you mean by 'seems to' o_O...either the script allows access/printing from the isolated (Internet only) Guest Wifi or it doesn't?

    i.e. not much point investigating your other issues if the basic script functionality doesn't achieve your objective.

    Again not sure what you mean by this as clearly the Guest WiFi will require the WAN to be UP and available ASAP?

    Script execution - wan-start/firewall-start/nat-start - are event driven, and in some environments, these scripts may run twice each during boot.

    As you have found, 'sleep nn' statements are notoriously difficult to get consistently precisely right - without unnecessary overkill.

    Consequently I prefer to use nat-start as it is usually the last to run, although nat-start illogically also still runs during the controlled shutdown request. :eek:

    The help provided by the script regarding the usage of the 'autodnsmasq' directive is slightly ambiguous, but essentially the directive has no effect if the script correctly detects appropriate directives in the active 'dnsmasq.conf'.
    Whilst '/jffs/configs' should persist over reboots, it doesn't hurt to always specify 'autodnsmasq' should the file be found to be AWOL during the boot.;)
    This works for me:
    Code:
    mv wan-start.sh wan-start
    However, thanks to this 'feedback' and prior information, I have made two tweaks to the GuestSubnet.sh Beta:

    1. If the script detects that the router is in 'AP mode', it will alert the user that 'AP mode' is NOT Supported and terminate.
    2. Slight rewording of the help regarding the use of the 'autodnsmasq' directive.

    Code:
    ./GuestSubnet.sh -h
    #======================================================================================================= © 2016-2017 Martineau, v1.02
    #
    # Configure Guest WiFi with new DHCP subnet and DNS using '/etc/dnsmasq.conf'
    #
    #
    # Usage:    GuestSubnet  ['help' | '-h']
    #                        [wifi_interface | ssid ] | ['del'] ['autodnsmasq'] [ 'ssid='name]
    #
    #           GuestSubnet  wl0.1
    #                        Guest WiFI interface wl0.1 will have the DHCP subnet and DNS applied as pre-defined in /jffs/configs/dnsmasq.conf.add
    #           GuestSubnet  del
    #                        Guest WiFI interface wl0.1 will be reset to default.
    #           GuestSubnet  wl0.2 autodnsmasq
    #                        Guest WiFi interface wl0.2 will have new DHCP and DNS directives inserted into /jffs/configs/dnsmasq.conf.add
    #                              if they don't already exist.
    #                        NOTE: dnsmasq will be bounced.
    #           GuestSubnet  Guest242
    #                        Guest WiFI SSID 'Guest242' (possibly wl0.2?) will have the new DHCP subnet and DNS applied
    
     
    Last edited: Oct 13, 2017
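
Added example, not part of the thread and not code from GuestPrinter.sh or GuestSubnet.sh: a pre-flight wrapper for the boot-time call discussed above, which rejects a mistyped interface name or a non-IP second argument and replaces the fixed `sleep 10` with a bounded wait. It assumes that the guest interface appearing under `/sys/class/net` is an adequate readiness signal; the function names and the `SYSNET` and `WAIT_SECS` variables are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight checks before calling a guest-access script at boot.
# SYSNET is an assumption for illustration; override it to test offline.
SYSNET="${SYSNET:-/sys/class/net}"

# Accept only guest interface names of the form wlN.M (rejects typos such as "wlo.1").
valid_guest_if() {
    case "$1" in
        wl[0-9].[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Poll once per second until the interface exists or the budget ($2, default 30) is spent.
wait_for_if() {
    tries=${2:-30}
    while [ "$tries" -gt 0 ]; do
        [ -e "$SYSNET/$1" ] && return 0
        sleep 1
        tries=$((tries - 1))
    done
    [ -e "$SYSNET/$1" ]
}

# Validate both arguments, wait for the interface, then run the given command with them.
# Returns 2 on a bad argument and 3 if the interface never appears.
run_when_ready() {
    ifname=$1; ip=$2; shift 2
    valid_guest_if "$ifname" || { echo "bad interface: $ifname" >&2; return 2; }
    valid_ipv4 "$ip" || { echo "bad printer IP: $ip" >&2; return 2; }
    wait_for_if "$ifname" "${WAIT_SECS:-30}" || { echo "$ifname did not appear" >&2; return 3; }
    "$@" "$ifname" "$ip"
}
```

From a boot script this would be called as `run_when_ready wl0.1 10.88.8.131 /jffs/scripts/GuestPrinter.sh`, so a bad argument fails loudly instead of leaving the guest rules unapplied.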
