Block Guest Wifi(RT-N56U) from all LAN(RT-AC68U) clients [Solved]

[Sir_Luddite]

Hello SNB,

I’ve just signed up after reading through many threads but still couldn’t find my specific situation. Hopefully I provide all the required information for someone to help!

My scenario is hopefully straightforward. I want a Guest Wifi on the second router that has no access to anything apart from the internet.

I activated the Guest wifi on RT-N56U and selected the “No access to intranet” and it successfully blocked access to its 192.168.1.X network but failed to limit access to the RT-AC68U network 192.168.0.X. This may require EBTABLES editing?

Internet -> RT-AC68U -> RT-N56U

RT-AC68U:

• Location: Ground Floor
• Firmware: Merlin 380.62_1
• PPPoE Internet in WAN Port
• Mode: Router Mode
• IP: 192.168.0.1
• LAN Ports 1 and 2 have NAS(192.168.0.6) and NUC(192.168.0.7) servers
• LAN Port 3(192.168.0.5) has Siemens Gigaset Voip on it
• LAN Port 4 runs up to the 4th floor and connects to the RT-N56U
• 2.4/5 Ghz Private wifi

RT-N56U:

• Location: 4th Floor
• Firmware: Currently stock ASUS firmware 3.0.0.4.378.4850 but happy to upgrade to
  • https://wiki.openwrt.org/toh/asus/rt-n56u#download or
  • https://bitbucket.org/padavan/rt-n56u/downloads
• Internet via Ethernet from the RT-AC68U into WAN Port (192.168.0.230 via DHCP from RT-AC68U)
• Mode: Router Mode
• IP: 192.168.1.1
• 2.4 Ghz Guest wifi <- Block all 192.168.0.x and 192.168.1.x access
• 5 Ghz Private wifi

Thanks,
Sir_Luddite

 

[L&LD]

Try using a 10.x.x.x subnet for the RT-N56U instead.

 

[RMerlin]

The only way to achieve this is to modify the firewall on the first router. Have it only allow WAN and the first router's own IP to the IP subnet of your second router.

It might be configurable through the Network Services Firewall, otherwise you will need a third party firmware and to implement it through iptables (no need for ebtables, since you're dealing with two different subnets).

 

[Sir_Luddite]

Try using a 10.x.x.x subnet for the RT-N56U instead.

That is a great suggestion. I'll try that tonight and let you know how I go!

The only way to achieve this is to modify the firewall on the first router. Have it only allow WAN and the first router's own IP to the IP subnet of your second router.

It might be configurable through the Network Services Firewall, otherwise you will need a third party firmware and to implement it through iptables (no need for ebtables, since you're dealing with two different subnets).

Good suggestion. I'll try L&LD's suggestion first and then failing that I'll try your suggestion. Can I please clarify what you mean by third party firmware? I have Merlin installed already so is that considered third party?

Iptables will be much easier as there are likely to be tons of examples on the net to help me solve that part of the equation I hope!

 

[RMerlin]

I have Merlin installed already so is that considered third party?

Yes.

 

[L&LD]

Sir_Luddite, another thing you can try is having the 'secure' network be higher than the unsecured network.

For example, if you use the 192.168.1.xxx IP range for the RT-AC68U and use the 192.168.0.xxx IP range for the RT-N56U, the latter won't be able to see the 192.168.1.xxx IP range.

You don't need to stick with xxx.xxx.1.xxx and xxx.xxx.0.xxx though; as long as the IP range is higher for the router/subnet you want more secure, it will block the lower subnet from accessing it. Note that the 192.168.1.xxx devices can see the 192.168.0.xxx devices (but that is okay in most of my setups).

This is something I've discovered works mostly (only) with Asus routers. Let us know if it continues to work like this.

 

[Sir_Luddite]

Thank-you all so much. My question has now been solved and I put it down to several factors. Third party firmware has now been installed on my routers and I had some human error involved also ;-) where I plugged the Master LAN into the Slave WAN instead of the Slave LAN port...

Solution below:
RT-AC68U (Master):

• Location: Ground Floor
• Firmware: Merlin 380.62_1
• PPPoE Internet in WAN Port
• Mode: Router Mode
• IP: 192.168.0.1
• LAN Ports 1 and 2 have NAS(192.168.0.6) and NUC(192.168.0.7) servers
• LAN Port 3(192.168.0.5) has Siemens Gigaset Voip on it
• LAN Port 4 runs up to the 4th floor and connects to the RT-N56U
• 2.4/5 Ghz Private wifi

RT-N56U (Slave):

• Location: 4th Floor
• Firmware: https://wiki.openwrt.org/toh/asus/rt-n56u#download
• Internet via Ethernet from the RT-AC68U into ̶W̶A̶N̶ LAN Port (192.168.0.230 via DHCP from RT-AC68U)
• Mode: Router Mode, DHCP turned OFF.
• IP: 192.168.0.2
• 2.4 Ghz Guest wifi <- Block all 192.168.0.x access via simply selecting the "Itranet Off" drop down which actually worked after applying the DD-WRT firmware
• 5 Ghz Private wifi
  

I now have some issues with NAT which is resulting in wifi clients on the RT-N56U Slave having perfect download speed but no upload speed via speedtest.net.

I googled this and basically I have a NAT issue that Im trying to work out. Ill reset the Slave and start again as it won't take long. Hopefully this solves it for me.

Thank-you everyone, I was provided sound advice and I felt very welcomed.
Sir_Luddite