Hi,
I have an ASUS RT-AC88U.
I want to isolate port 2 and Guest WiFi 2 into a separate network (br1) that can't access br0.
This is my Config:
"/jffs/scripts/services-start"
"/jffs/scripts/nat-start"
"/jffs/scripts/firewall-start"
"/jffs/scripts/dnsmasq.conf.add"
The problem is that I have neither working DHCP nor an Internet connection.
What am I missing?
Thanks
I have an ASUS RT-AC88U.
I want to isolate port 2 and Guest WiFi 2 into a separate network (br1) that can't access br0.
This is my Config:
"/jffs/scripts/services-start"
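#!/bin/sh
# services-start: build the isolated bridge br1 (switch port 2 + Guest WiFi 2)
# and give it its own IPv4 subnet. br0 stays the main LAN.
#
# Runs once at boot. Everything here is a side effect on the switch, the
# bridges and nvram; nothing is returned. Kept POSIX sh (busybox ash).

# Make sure the script is indeed invoked
touch /tmp/000-services-start

# log MESSAGE... : tag every syslog line the same way so they can be grepped
log() {
  logger -t "isolate_port" "services-start: $*"
}

# Switch VLAN layout:
#   vlan1   ports 1 3 5 7  -> main LAN (br0)
#   vlan3   port 2         -> isolated LAN (br1)
#   vlan100 port 4 tagged  -> WAN side
#   vlan105 port 0 <-> 4t  -> switch-only pass-through, never reaches the CPU
# Port 8 is tagged in every VLAN the CPU must see — presumably the CPU port;
# verify against the switch map for this board.
robocfg vlan 1 ports "1 3 5 7 8t"
robocfg vlan 3 ports "2 8t"
robocfg vlan 100 ports "4t 8t"
robocfg vlan 105 ports "0 4t"

# Add vlan3 to eth0 so the isolated switch port is visible to the kernel
vconfig add eth0 3
ifconfig vlan3 up

# Delete those interfaces that we want to isolate from br0
log "deleting Guest WIFI from br0"
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# Create a new bridge br1 for the isolated interfaces (vlan3 = switch port 2)
log "creating br1 with LAN port 2 (vlan3) and Guest WiFi 2"
brctl addbr br1
brctl stp br1 on # STP to prevent bridge loops
brctl addif br1 vlan3
brctl addif br1 wl0.2
brctl addif br1 wl1.2

# Fix WPA2 on guest wifi: the eapd restart below appears to rely on the
# lan*_ifnames / lan*_ifname values — TODO confirm. Only write nvram when a
# value actually differs, so a normal boot does not commit to flash for nothing.
nvram_dirty=0
# nvram_set_if_changed NAME VALUE : set NAME=VALUE only if it is not already VALUE
nvram_set_if_changed() {
  if [ "$(nvram get "$1")" != "$2" ]; then
    nvram set "$1=$2"
    nvram_dirty=1
  fi
}
nvram_set_if_changed lan_ifnames "vlan1 eth1 eth2"
nvram_set_if_changed lan_ifname "br0"
nvram_set_if_changed lan1_ifnames "vlan3 wl0.2 wl1.2"
nvram_set_if_changed lan1_ifname "br1"
if [ "$nvram_dirty" -eq 1 ]; then
  nvram commit
fi
killall eapd
eapd

# Set up the IPv4 address for br1
# Here we set the subnet to be 192.168.2.0/24
# IPv6 link local address will be assigned automatically
log "setting up IPv4 address for br1"
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig br1 allmulti up

# NOTE(review): dnsmasq is already running by the time this script executes,
# and the interface=br1 line in dnsmasq.conf.add referred to a bridge that did
# not exist yet. Restart it now that br1 is up so the br1 DHCP range is served
# (and the main LAN's DNS is not left down by a failed dnsmasq start).
service restart_dnsmasq

log "all done"
date >> /tmp/000-services-start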
"/jffs/scripts/nat-start"
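#!/bin/sh
# nat-start: source NAT for the isolated br1 subnet (192.168.2.0/24).
# The firmware may invoke this more than once (each time NAT is rebuilt), so
# every rule is deleted before it is appended: re-running never stacks
# duplicate POSTROUTING entries.

# Make sure the script is indeed invoked
touch /tmp/000-nat-start

# add_nat_rule RULE... : append RULE to nat/POSTROUTING exactly once.
# The -D is expected to fail (and is silenced) when the rule is not there yet.
add_nat_rule() {
  iptables -t nat -D POSTROUTING "$@" 2>/dev/null
  iptables -t nat -A POSTROUTING "$@"
}

logger -t "isolate_port" "nat-start: applying POSTROUTING rules for br1"
# NAT inside 192.168.2.0/24 on br1
# (presumably NAT loopback for br1 clients reaching br1 via the router — verify)
add_nat_rule -s 192.168.2.0/24 -d 192.168.2.0/24 -o br1 -j MASQUERADE
# NAT br1 towards the Internet. vlan100 is assumed to be the interface the WAN
# connection is bound to (compare with nvram get wan0_ifname) — TODO confirm.
add_nat_rule -o vlan100 -s 192.168.2.0/24 -j MASQUERADE
logger -t "isolate_port" "nat-start: all done"
date >> /tmp/000-nat-start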
"/jffs/scripts/firewall-start"
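#!/bin/sh
# firewall-start: isolate br1 from the router's own services and from br0.
#
# Rules are inserted with -I, so the LAST insert ends up on top: within each
# group the most general rule (DROP) is inserted first and the exceptions
# afterwards. The firmware may invoke this script more than once, so every
# rule is deleted before insertion and a re-run cannot stack duplicates.

# Make sure the script is indeed invoked
touch /tmp/000-firewall-start

# insert_rule CHAIN RULE... : put RULE at the top of CHAIN exactly once.
# The -D is expected to fail (and is silenced) when the rule is not there yet.
insert_rule() {
  chain=$1
  shift
  iptables -D "$chain" "$@" 2>/dev/null
  iptables -I "$chain" "$@"
}

logger -t "isolate_port" "firewall-start: applying INPUT rules for br1"
# Allow-list what br1 clients may ask of the router itself: replies to
# traffic the router initiated, DHCP, DNS and ping. Everything else from br1
# (web UI, SSH and any other service, whatever its port) is dropped, instead
# of forbidding only ports 80 and 22 and leaving the rest reachable.
insert_rule INPUT -i br1 -j DROP
insert_rule INPUT -i br1 -m state --state RELATED,ESTABLISHED -j ACCEPT
insert_rule INPUT -i br1 -p udp --dport 67 -j ACCEPT
insert_rule INPUT -i br1 -p udp --dport 53 -j ACCEPT
insert_rule INPUT -i br1 -p tcp --dport 53 -j ACCEPT
insert_rule INPUT -i br1 -p icmp --icmp-type echo-request -j ACCEPT

logger -t "isolate_port" "firewall-start: applying FORWARD rules for br1"
# Forbid packets from br1 to be forwarded to other interfaces
# (inserted first, so it is evaluated after the exceptions below)
insert_rule FORWARD -i br1 -j DROP
# Allow packet forwarding inside br1
insert_rule FORWARD -i br1 -o br1 -j ACCEPT
# Allow packet forwarding between br1 and vlan100 (WAN). vlan100 is assumed to
# be the interface the WAN connection is bound to — TODO confirm. Return
# traffic WAN -> br1 is not matched here; it relies on the firmware's own
# RELATED,ESTABLISHED rule in FORWARD — verify it is present.
insert_rule FORWARD -i br1 -o vlan100 -j ACCEPT
# Allow one-way traffic from br0 to br1: br0 may open connections into br1,
# br1 may only answer them.
insert_rule FORWARD -i br0 -o br1 -j ACCEPT
insert_rule FORWARD -i br1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
logger -t "isolate_port" "firewall-start: all done"
date >> /tmp/000-firewall-start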
"/jffs/scripts/dnsmasq.conf.add"
# dnsmasq.conf.add: serve DHCPv4 (and DNS) on the isolated bridge br1.
# NOTE(review): br1 is created by services-start, which runs after dnsmasq has
# already been started; an interface= line naming an interface that does not
# exist at start-up may stop dnsmasq from coming up at all, taking the main
# LAN's DHCP/DNS with it. Either restart dnsmasq once br1 is up or add
# bind-dynamic here — TODO confirm which this firmware needs.
interface=br1
# DHCPv4 range: 192.168.2.100 - 192.168.2.254, netmask: 255.255.255.0
# DHCPv4 lease time: 86400s (1 day)
dhcp-range=br1,192.168.2.100,192.168.2.254,255.255.255.0,86400s
# DHCPv4 router (option 3): 192.168.2.1
dhcp-option=br1,3,192.168.2.1
The problem is that I have neither working DHCP nor an Internet connection.
What am I missing?
Thanks