ASUS RT-AC88U LAN Port 2 + Guest 2 Isolation

Ricardo Carreira

New Around Here
Hi,

I have an ASUS RT-AC88U.

I want to isolate port 2 and Guest WiFi 2 into a separate network (br1) that can't access br0.

This is my config:


"/jffs/scripts/services-start"
Code:
#!/bin/sh

# Make sure the script is indeed invoked
touch /tmp/000-services-start

robocfg vlan 1 ports "1 3 5 7 8t"
robocfg vlan 3 ports "2 8t"
robocfg vlan 100 ports "4t 8t"
robocfg vlan 105 ports "0 4t"

# Add vlan3 to eth0
vconfig add eth0 3
ifconfig vlan3 up

# Delete those interfaces that we want to isolate from br0
logger -t "isolate_port" "services-start: deleting Guest WIFI from br0"
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# Create a new bridge br1 for isolated interfaces
logger -t "isolate_port" "services-start: creating br1 with LAN port 2 (vlan3)"
brctl addbr br1
brctl stp br1 on # STP to prevent bridge loops
brctl addif br1 vlan3
brctl addif br1 wl0.2
brctl addif br1 wl1.2

# Tell eapd which bridge each interface belongs to; without this, WPA2 on the
# guest SSIDs stops working once they are moved out of br0
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan3 wl0.2 wl1.2"
nvram set lan1_ifname="br1"

nvram commit
killall eapd
eapd

# Set up the IPv4 address for br1
# Here we set the subnet to be 192.168.2.0/24
# IPv6 link local address will be assigned automatically
logger -t "isolate_port" "services-start: setting up IPv4 address for br1"
ifconfig br1 192.168.2.1 netmask 255.255.255.0
ifconfig br1 allmulti up

logger -t "isolate_port" "services-start: all done"
date >> /tmp/000-services-start

"/jffs/scripts/nat-start"

Code:
#!/bin/sh

# Make sure the script is indeed invoked
touch /tmp/000-nat-start
logger -t "isolate_port" "nat-start: applying POSTROUTING rules for br1"

# NAT loopback (hairpin) for traffic that stays inside 192.168.2.0/24 on br1
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -d 192.168.2.0/24 \
  -o br1 -j MASQUERADE

iptables -t nat -A POSTROUTING -o vlan100 -s 192.168.2.0/24 -j MASQUERADE

logger -t "isolate_port" "nat-start: all done"
date >> /tmp/000-nat-start

"/jffs/scripts/firewall-start"

Code:
#!/bin/sh

# Make sure the script is indeed invoked
touch /tmp/000-firewall-start
logger -t "isolate_port" "firewall-start: applying INPUT rules for br1"

# Allow new incoming connections from br1
iptables -I INPUT -i br1 -m state --state NEW -j ACCEPT

# Only forbid br1 access the web UI and SSH of the main router
iptables -I INPUT -i br1 -p tcp --dport 80 -j DROP
iptables -I INPUT -i br1 -p tcp --dport 22 -j DROP

logger -t "isolate_port" "firewall-start: applying FORWARD rules for br1"

# Forbid packets from br1 to be forwarded to other interfaces.
# Every rule below is also inserted with -I, so the ACCEPTs that follow end up
# above this DROP in the chain, which is the order that makes them effective.
iptables -I FORWARD -i br1 -j DROP

# Allow packet forwarding inside br1
iptables -I FORWARD -i br1 -o br1 -j ACCEPT

# Allow packet forwarding between br1 and vlan100 (WAN)
iptables -I FORWARD -i br1 -o vlan100 -j ACCEPT

# Allow one-way traffic from br0 to br1
iptables -I FORWARD -i br0 -o br1 -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state \
  --state RELATED,ESTABLISHED -j ACCEPT

logger -t "isolate_port" "firewall-start: all done"
date >> /tmp/000-firewall-start

"/jffs/scripts/dnsmasq.conf.add"

Code:
interface=br1
# DHCPv4 range: 192.168.2.100 - 192.168.2.254, netmask: 255.255.255.0
# DHCPv4 lease time: 86400s (1 day)
dhcp-range=br1,192.168.2.100,192.168.2.254,255.255.255.0,86400s
# DHCPv4 router (option 3): 192.168.2.1
dhcp-option=br1,3,192.168.2.1

The problem is that I have no working DHCP and no Internet connection.

What am I missing?

Thanks
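As an added example (not code from the thread or from Asuswrt-Merlin), two shell functions that check the two things most likely to be wrong with a setup like the one above: whether the guest interfaces really left br0 for br1, and what the FORWARD chain does with a new connection from br1 once the `-I` rules have landed in reverse script order. Both read command output on stdin; the samples are constructed, with the bridge, VLAN and interface names taken from the scripts above.

```sh
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin: two checks for
# the isolation built by services-start and firewall-start. Each function reads
# command output on stdin, so it runs on the constructed samples below and then
# on the live router:
#   brctl show          | check_bridge_members br1 vlan3 wl0.2 wl1.2
#   iptables -S FORWARD | first_forward_match br1 br0       # expect DROP
#   iptables -S FORWARD | first_forward_match br1 vlan100   # expect ACCEPT

# Constructed `brctl show` output for a healthy setup (bridge ids taken from the
# showstp output later in the thread).
SAMPLE_BRCTL_OK=$(cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.3c7c3f09cb98       no              vlan1
                                                        eth1
                                                        eth2
br1             8000.3c7c3f09cb9a       yes             vlan3
                                                        wl0.2
                                                        wl1.2
EOF
)
# Constructed failure: wl1.2 never left br0, so 5 GHz guest clients are still
# on the main LAN whatever the iptables rules say.
SAMPLE_BRCTL_BAD=$(cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.3c7c3f09cb98       no              vlan1
                                                        eth1
                                                        wl1.2
br1             8000.3c7c3f09cb9a       yes             vlan3
                                                        wl0.2
EOF
)
# Constructed `iptables -S FORWARD` after firewall-start ran: every rule was
# added with -I, so they sit in reverse script order with the blanket DROP
# last. The two rules after it stand in for the firmware's own defaults.
SAMPLE_FORWARD=$(cat <<'EOF'
-P FORWARD DROP
-A FORWARD -i br1 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o br1 -j ACCEPT
-A FORWARD -i br1 -o vlan100 -j ACCEPT
-A FORWARD -i br1 -o br1 -j ACCEPT
-A FORWARD -i br1 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br0 -o vlan100 -j ACCEPT
EOF
)
# The same script with -A instead of -I: the DROP now precedes the ACCEPTs and
# shadows them, so br1 cannot reach the WAN at all.
SAMPLE_FORWARD_APPENDED=$(cat <<'EOF'
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -j DROP
-A FORWARD -i br1 -o br1 -j ACCEPT
-A FORWARD -i br1 -o vlan100 -j ACCEPT
-A FORWARD -i br0 -o br1 -j ACCEPT
EOF
)

# Exit 0 only if every listed interface is attached to bridge $1 and to no
# other bridge. Input: `brctl show`.
check_bridge_members() {
    bridge=$1
    shift
    awk -v want="$bridge" -v ifs="$*" '
        BEGIN { n = split(ifs, need, " "); for (i = 1; i <= n; i++) want_if[need[i]] = 1 }
        NR == 1 || NF == 0 { next }                        # header / blank lines
        NF >= 3 { cur = $1; iface = (NF == 4) ? $4 : "" }  # "br1 8000.x yes vlan3"
        NF == 1 { iface = $1 }                             # further members, one per line
        iface != "" && (iface in want_if) {
            if (cur == want) found[iface] = 1
            else { printf("%s is attached to %s, not %s\n", iface, cur, want); bad = 1 }
        }
        END {
            for (i in want_if) if (!(i in found)) { printf("%s is not attached to %s\n", i, want); bad = 1 }
            exit bad
        }'
}

# Print the target a NEW packet entering on $1 and leaving on $2 hits first in
# FORWARD (or the chain policy if nothing matches). Input: `iptables -S FORWARD`.
# Rules matching only RELATED,ESTABLISHED are skipped because a fresh connection
# from the guest side is exactly what isolation must stop; negated matches
# ("! -i") are not modelled.
first_forward_match() {
    awk -v in_if="$1" -v out_if="$2" '
        $1 == "-P" { policy = $3 }
        $1 == "-A" {
            i = ""; o = ""; st = ""; tgt = ""
            for (f = 3; f <= NF; f++) {
                if ($f == "-i") i = $(f + 1)
                else if ($f == "-o") o = $(f + 1)
                else if ($f == "--state" || $f == "--ctstate") st = $(f + 1)
                else if ($f == "-j") tgt = $(f + 1)
            }
            if (st != "" && st !~ /NEW/) next
            if ((i == "" || i == in_if) && (o == "" || o == out_if)) { print tgt; found = 1; exit }
        }
        END { if (!found) print policy }'
}

# Demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_BRCTL_OK" | check_bridge_members br1 vlan3 wl0.2 wl1.2; then echo "bridge membership OK"; fi
echo "with -I: br1->br0 $(printf '%s\n' "$SAMPLE_FORWARD" | first_forward_match br1 br0), br1->vlan100 $(printf '%s\n' "$SAMPLE_FORWARD" | first_forward_match br1 vlan100)"
echo "with -A: br1->vlan100 $(printf '%s\n' "$SAMPLE_FORWARD_APPENDED" | first_forward_match br1 vlan100)"
```

On the router, a DROP for br1 to br0 together with an ACCEPT for br1 to vlan100 is what the firewall-start script is meant to produce; if both come back DROP, the rules were appended rather than inserted, and if `check_bridge_members` reports an interface still attached to br0, the `brctl delif` calls ran before the guest network existed.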
 

eibgrad

Part of the Furniture
If you configure the client *manually* instead of relying on DHCP, does it work?

IOW, you need to determine if indeed it's DHCP or something else that's the culprit.

And make sure you ping an explicit IP (e.g., 8.8.8.8) initially to eliminate DNS as an issue.
 

Jeffrey Young

Very Senior Member
Check your current firewall settings as well to see if traffic on ports 67/68 is only being allowed on br0 (or its CIDR address). I think the current rules don't care where port 67 or 68 come from, but check anyway.

Also, you are missing DHCP option 6 (DNS servers) in your dnsmasq.conf.add file. I got stung on this one a little while ago while setting up an Ubuntu router. Took me an hour to figure out I was not instructing the DHCP server to send DNS info.

dhcp-option=br1,6,8.8.8.8,4.4.1.1 or whatever you want (or your router if you want your clients to use the router DNS)
 

Ricardo Carreira

New Around Here
If you configure the client *manually* instead of relying on DHCP, does it work?

IOW, you need to determine if indeed it's DHCP or something else that's the culprit.

And make sure you ping an explicit IP (e.g., 8.8.8.8) initially to eliminate DNS as an issue.
I think it's both: configured manually with 192.168.2.10, and pinging 8.8.8.8 got no luck.
 

Ricardo Carreira

New Around Here
Check your current firewall settings as well to see if traffic on ports 67/68 is only being allowed on br0 (or its CIDR address). I think the current rules don't care where port 67 or 68 come from, but check anyway.

Also, you are missing DHCP option 6 (DNS servers) in your dnsmasq.conf.add file. I got stung on this one a little while ago while setting up an Ubuntu router. Took me an hour to figure out I was not instructing the DHCP server to send DNS info.

dhcp-option=br1,6,8.8.8.8,4.4.1.1 or whatever you want (or your router if you want your clients to use the router DNS)
Added that to dnsmasq.conf.add and nothing.
 

Jeffrey Young

Very Senior Member
Added that to dnsmasq.conf.add and nothing.

Yeah, I see you can't even ping a DNS server by its address as @eibgrad suggested, so something else is going on. You will still need that DNS option in dnsmasq to inform your clients of which DNS servers to use, but we have to figure out why you are not getting any traffic through to the WAN first. I am not familiar with the internal port mapping of the AC88U, so I am of no help. Your iptables rules look OK, though.

Only other comment, and it is unrelated to your DNS issue, is that the forward delay on any new bridge defaults to 15 seconds. You may want to add brctl setfd br1 2 to match the delay of br0.
 

Ricardo Carreira

New Around Here
Yeah, I see you can't even ping a DNS server by its address as @eibgrad suggested, so something else is going on. You will still need that DNS option in dnsmasq to inform your clients of which DNS servers to use, but we have to figure out why you are not getting any traffic through to the WAN first. I am not familiar with the internal port mapping of the AC88U, so I am of no help. Your iptables rules look OK, though.

Only other comment, and it is unrelated to your DNS issue, is that the forward delay on any new bridge defaults to 15 seconds. You may want to add brctl setfd br1 2 to match the delay of br0.
The internal port mapping is correct.

I found the problem: the file /jffs/scripts/dnsmasq.conf.add was not working. I copied /tmp/etc/dnsmasq.conf to /jffs/configs/dnsmasq.conf and made my changes.
Why is this happening?


Thank you for the hint about forward delay...

Code:
/tmp/home/root# brctl showstp br0
br0
 bridge id              8000.3c7c3f09cb98
 designated root        8000.2cfda13da4c0
 root port                 1                    path cost                100
 max age                  20.00                 bridge max age            20.00
 hello time                2.00                 bridge hello time          2.00
 forward delay             0.00                 bridge forward delay       0.00
 ageing time             300.00
 hello timer               0.00                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   8.85
 flags


vlan1 (1)
 port id                8001                    state                forwarding
 designated root        8000.2cfda13da4c0       path cost                100
 designated bridge      8000.2cfda13da4c0       message age timer         20.01
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

eth1 (2)
 port id                8002                    state                forwarding
 designated root        8000.2cfda13da4c0       path cost                100
 designated bridge      8000.3c7c3f09cb98       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost         100                    hold timer                 0.00
 flags

/tmp/home/root# brctl showstp br1
br1
 bridge id              8000.3c7c3f09cb9a
 designated root        8000.3c7c3f09cb9a
 root port                 0                    path cost                  0
 max age                  20.00                 bridge max age            20.00
 hello time                2.00                 bridge hello time          2.00
 forward delay            15.00                 bridge forward delay      15.00
 ageing time             300.00
 hello timer               1.52                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                  67.67
 flags


wl0.2 (1)
 port id                8001                    state                forwarding
 designated root        8000.3c7c3f09cb9a       path cost                100
 designated bridge      8000.3c7c3f09cb9a       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.52
 flags

wl1.2 (2)
 port id                8002                    state                forwarding
 designated root        8000.3c7c3f09cb9a       path cost                100
 designated bridge      8000.3c7c3f09cb9a       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.52
 flags

... but is there a problem if I put:

Code:
brctl setfd br1 0

There are some other values that differ: gc timer, hold timer, hello timer.

Thanks
 

Jeffrey Young

Very Senior Member
I found the problem, the file /jffs/scripts/dnsmasq.conf.add was not working, copied the /tmp/etc/dnsmasq.conf to /jffs/configs/dnsmasq.conf and made my changes.
why is this happening?

Missed that one altogether; you need to put the postconf dnsmasq.conf.add script in /jffs/configs.

If I remember correctly, the minimum value for the forward delay is 2 seconds. The delay only occurs when the bridge/port is first added or brought up. I believe it is meant to not overwhelm a busy network. It's a minor issue, but when testing, boy, that 15- or 30-second initial delay (I forget the default; some say 15s, other sources say 30s) before the bridge will forward traffic is like an eternity.

EDIT: From what I am reading on an old WRT site, the forward delay setting inside STP is a different delay. The basic guidance is not to play with the specific settings for STP.
 