Force LAN port 4 to use the Guest network for Asus/merlin RT-AC68U

Discussion in 'Asuswrt-Merlin' started by hardtotell, Aug 18, 2014.

  1. hardtotell

    hardtotell Regular Contributor

    Joined:
    Aug 17, 2014
    Messages:
    58
    I needed to restrict LAN port#4 for Internet only use, just like the Wireless Guest Network access. Then I plug an 8-port Ethernet switch into LAN port 4 of the RT-AC68U router, to expand the number of Internet-only wired connections. It is for attaching wired network devices that have no business on my local area network, but need to access the Internet.

    After a couple hours of research I got it working. Here it is. It should restrict LAN port#4 to the Internet only, exactly like the Wireless Guest Network access built into the router. Anyone see a hole? Suggestions? Thank you.


    /jffs/scripts/services-start

    Code:
    #!/bin/sh
    
    # force LAN port 4 to use the Guest network
    robocfg vlan 1 ports "1 2 3 5t"
    robocfg vlan 10 ports "4 5t"
    vconfig add eth0 10
    ifconfig vlan10 up
    brctl addif br0 vlan10
    ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
    ebtables -t filter -I FORWARD  -i vlan10 -o ! vlan2 -j DROP
    ebtables -t filter -I FORWARD  -i ! vlan2 -o vlan10 -j DROP
    
    
     
  2. sinshiva

    sinshiva Very Senior Member

    Joined:
    Nov 8, 2013
    Messages:
    1,030
    Location:
    FL
    vlan2 works? The interface is named eth0, as opposed to the way Tomato does things.
     
  3. hardtotell

    hardtotell Regular Contributor

    Joined:
    Aug 17, 2014
    Messages:
    58
    Yes, the vlan2 works. Apparently it's not an interface because it's not listed by 'ifconfig'? I got it from 'robocfg show'. The eth0 works too. Here are the corrected scripts:

    /jffs/scripts/services-start

    Code:
    #!/bin/sh
    
    # force LAN port 4 to use the Guest network
    robocfg vlan 1 ports "1 2 3 5t"
    robocfg vlan 10 ports "4 5t"
    vconfig add eth0 10
    ifconfig vlan10 up
    brctl addif br0 vlan10
    

    /jffs/scripts/firewall-start

    Code:
    #!/bin/sh
    
    if [ "$1" = "eth0" ]; then
    
    # force LAN port 4 to use the Guest network
    ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
    ebtables -t filter -I FORWARD  -i vlan10 -o ! eth0 -j DROP
    ebtables -t filter -I FORWARD  -i ! eth0 -o vlan10 -j DROP
    
    fi
    
     
  4. sinshiva

    sinshiva Very Senior Member

    Joined:
    Nov 8, 2013
    Messages:
    1,030
    Location:
    FL
    You might want to replace eth0 with `nvram get wan0_ifname` (including backticks); this should change eth0 to ppp0 for PPPoE users and make the script more universal. Sorry, should have thought of it earlier.

    And replace the LAN IP/net with `nvram get lan_ipaddr`.
     
    Last edited: Aug 18, 2014
  5. hardtotell

    hardtotell Regular Contributor

    Joined:
    Aug 17, 2014
    Messages:
    58
    Since the firewall-start script gets passed the name of the WAN interface as $1, I put everything in the firewall-start script. Unfortunately I'm not on site to test, but it should probably work.


    /jffs/scripts/firewall-start

    Code:
    #!/bin/sh
    
    # RT-AC68U force LAN port 4 to use the Internet-only Guest network
    # firewall-start receives the WAN interface name as $1
    WAN0_IFNAME=$1
    robocfg vlan 1 ports "1 2 3 5t"
    robocfg vlan 10 ports "4 5t"
    # the 802.1Q sub-interface hangs off the switch-facing interface (eth0 on this
    # router), not off $1, which is ppp0 for PPPoE users
    vconfig add eth0 10
    ifconfig vlan10 up
    brctl addif br0 vlan10
    ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
    ebtables -t filter -I FORWARD -i vlan10 -o ! $WAN0_IFNAME -j DROP
    ebtables -t filter -I FORWARD -i ! $WAN0_IFNAME -o vlan10 -j DROP
    
     
  6. cyliyu

    cyliyu New Around Here

    Joined:
    Sep 27, 2014
    Messages:
    2
    I need some advice, similar to port 4.
    I have recently purchased an Asus AC router and, due to the ISP subscribed, I selected the profile with IPTV enabled on port 4, but I'm not using IPTV.
    Is there a command to enable and disable the NVRAM setting to make it work? Thanks.
     
    Last edited: Sep 27, 2014
  7. hardtotell

    hardtotell Regular Contributor

    Joined:
    Aug 17, 2014
    Messages:
    58
    Just updating this thread with the working version of my script. I've also had success using the Virtual Server / Port Forwarding feature in the Asuswrt-Merlin GUI to forward a port to a computer on my Ethernet/LAN Port#4 Guest Network. To test it locally, you must use the Tor Browser or a VPN to come in from the Internet. Otherwise, the router seems to recognize the local interface and block access, as designed.

    /jffs/scripts/firewall-start
    Code:
    #!/bin/sh
    # force LAN port 4 to use the Guest Network for RT-AC68U
    robocfg vlan 1 ports "1 2 3 5t"
    robocfg vlan 10 ports "4 5t"
    vconfig add eth0 10
    ifconfig vlan10 up
    brctl addif br0 vlan10
    ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
    ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
    ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP
    
     
  8. hardtotell

    hardtotell Regular Contributor

    Joined:
    Aug 17, 2014
    Messages:
    58
    I added all my Smart TVs to the guest network since they have no business on my local area network. However, now the MiniDLNA cannot be seen by the Smart TVs. Here's the fix:

    An extra Ethernet Bridge rule is needed for each Smart TV to discover and access the media server. The MAC address of each Smart TV must be specified to accept port 8200 (Minidlna), as follows.

    /jffs/scripts/firewall-start
    Code:
    #!/bin/sh
    # force LAN port 4 to use the Internet-only Guest Network
    # AND allow wired Ethernet Smart TVs on the Guest Network to access the media server
    robocfg vlan 1 ports "1 2 3 5t"
    robocfg vlan 14 ports "4 5t"
    vconfig add eth0 14
    ifconfig vlan14 up
    brctl addif br0 vlan14
    # in the broute table DROP means "route this frame instead of bridging it" and
    # ACCEPT means "bridge it normally"; every -I goes in front of the rules already
    # there, so the two ACCEPT exceptions below end up ahead of this DROP
    ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
    # one rule per Smart TV MAC: bridge its TCP traffic to the router's minidlna port 8200
    ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --src 00:aa:bb:cc:dd:ee --ip-dst 192.168.1.1 --ip-proto tcp --ip-dport 8200 -j ACCEPT
    ebtables -t broute -I BROUTING -p IPv4 -i vlan14 --src 00:aa:bb:cc:dd:ef --ip-dst 192.168.1.1 --ip-proto tcp --ip-dport 8200 -j ACCEPT
    ebtables -t filter -I FORWARD -i vlan14 -o ! eth0 -j DROP
    ebtables -t filter -I FORWARD -i ! eth0 -o vlan14 -j DROP
    
    I'm a bit unclear as to what those ACCEPT rules actually mean. However, it seems to work just fine.
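Added example (this is not hardtotell's script and not Asus/Merlin code): the LAN-port-4 setup from the posts above as an idempotent /jffs/scripts/firewall-start, with two changes a reviewer would want. First, the thread's broute rule only diverts TCP, so UDP and ICMP from the guest port to the router's own LAN address (SSDP, NetBIOS, anything else the router listens on) still get through; this version diverts every IPv4 protocol aimed at the LAN subnet and re-admits only DHCP, DNS to the router and, optionally, the per-MAC minidlna exception from the post just above. Second, firewall-start runs again at every firewall restart, and repeated -I calls stack duplicate rules, so each rule is deleted before it is inserted and the switch/VLAN programming is skipped once the vlan interface exists. It assumes an RT-AC68U layout (eth0 facing the switch, robocfg port 4 as the rear LAN 4 jack, 5t as the CPU port, LAN 192.168.1.0/24 with the router at 192.168.1.1, guest VLAN id 10), all overridable through the variables at the top, and it relies on the stock iptables INPUT chain accepting only br0 and lo, which is what makes a routed (broute DROP) frame arriving on vlan10 die; check that with iptables -S INPUT before trusting it. IPv6 is not handled. The run, rule, setup_vlan, setup_ebtables and apply_guest_port function names and the DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: idempotent firewall-start that puts one
# LAN port of an RT-AC68U on an Internet-only VLAN. Assumptions (override via env):
#   SWITCH_IF=eth0 faces the switch, GUEST_PORT=4 is the rear "LAN 4" jack,
#   CPU_PORT=5t is the tagged CPU port, LAN is 192.168.1.0/24, router is 192.168.1.1.
# DRY_RUN=1 prints the commands instead of executing them.

GUEST_VID=${GUEST_VID:-10}
GUEST_IF="vlan$GUEST_VID"
GUEST_PORT=${GUEST_PORT:-4}
LAN_PORTS=${LAN_PORTS:-"1 2 3"}       # untagged ports that stay on the LAN VLAN
CPU_PORT=${CPU_PORT:-5t}
SWITCH_IF=${SWITCH_IF:-eth0}
LAN_IP=${LAN_IP:-192.168.1.1}         # on the router: $(nvram get lan_ipaddr)
LAN_NET=${LAN_NET:-192.168.1.0/24}
DLNA_MACS=${DLNA_MACS:-}              # space-separated MACs allowed to reach minidlna

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# rule TABLE CHAIN RULESPEC...: delete any existing copy, then insert at the top.
# Re-running the script therefore never stacks duplicates, and because -I prepends,
# a rule issued later takes precedence over one issued earlier (as in the thread).
rule() {
    t=$1; c=$2; shift 2
    [ "${DRY_RUN:-0}" = 1 ] || ebtables -t "$t" -D "$c" "$@" 2>/dev/null || true
    run ebtables -t "$t" -I "$c" "$@"
}

setup_vlan() {
    # Skip once the sub-interface exists (firewall-start runs on every firewall restart).
    # The 802.1Q sub-interface hangs off the switch-facing interface, never off $1,
    # which Merlin sets to the WAN interface (ppp0 for PPPoE users).
    if [ ! -d "/sys/class/net/$GUEST_IF" ]; then
        run robocfg vlan 1 ports "$LAN_PORTS $CPU_PORT"
        run robocfg vlan "$GUEST_VID" ports "$GUEST_PORT $CPU_PORT"
        run vconfig add "$SWITCH_IF" "$GUEST_VID"
        run ifconfig "$GUEST_IF" up
        run brctl addif br0 "$GUEST_IF"
    fi
}

setup_ebtables() {
    # broute table: ACCEPT = bridge the frame normally, DROP = hand it to the IP stack
    # on $GUEST_IF instead, where the stock iptables INPUT chain discards it (assumed:
    # that chain only accepts from br0 and lo; verify with iptables -S INPUT).
    # Divert every IPv4 protocol to the LAN subnet, not only TCP, then re-admit the
    # few things a guest needs from the router.
    rule broute BROUTING -i "$GUEST_IF" -p IPv4 --ip-dst "$LAN_NET" -j DROP
    rule broute BROUTING -i "$GUEST_IF" -p IPv4 --ip-proto udp --ip-dport 67 -j ACCEPT
    rule broute BROUTING -i "$GUEST_IF" -p IPv4 --ip-dst "$LAN_IP" --ip-proto udp --ip-dport 53 -j ACCEPT
    rule broute BROUTING -i "$GUEST_IF" -p IPv4 --ip-dst "$LAN_IP" --ip-proto tcp --ip-dport 53 -j ACCEPT
    for mac in $DLNA_MACS; do   # optional: let listed Smart TVs reach minidlna on 8200
        rule broute BROUTING -i "$GUEST_IF" -s "$mac" -p IPv4 --ip-dst "$LAN_IP" --ip-proto tcp --ip-dport 8200 -j ACCEPT
    done
    # filter FORWARD: no bridged frame crosses between the guest port and any other
    # br0 member (vlan1, the wireless interfaces). eth0 is not a br0 member, so this
    # is what the thread's "-o ! eth0" / "-i ! eth0" pair amounts to.
    rule filter FORWARD -i "$GUEST_IF" -j DROP
    rule filter FORWARD -o "$GUEST_IF" -j DROP
}

apply_guest_port() {
    setup_vlan
    setup_ebtables
}

# Apply for real only where the router tools exist; elsewhere the functions are
# available for a DRY_RUN=1 review.
if [ "${DRY_RUN:-0}" != 1 ] && command -v robocfg >/dev/null 2>&1; then
    apply_guest_port
fi
```

Put it in /jffs/scripts/firewall-start, chmod +x it, and run DRY_RUN=1 sh /jffs/scripts/firewall-start first to review the commands it would issue. Afterwards ebtables -t broute -L and ebtables -L FORWARD should show exactly one copy of each rule no matter how many times the firewall restarts.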
     
  9. Jonas Green

    Jonas Green New Around Here

    Joined:
    Mar 22, 2015
    Messages:
    1
    I added all my Smart TVs to the guest network since they have no business on my local area network. However, now the MiniDLNA cannot be seen by the Smart TVs. Here's the fix: An extra Ethernet Bridge rule is needed for each Smart TV to discover and access the media server
    First - A BIG thank you for figuring this out and posting it. -- I've been using a Netgear HomePlug Powerline adapter, and only recently started playing with alternate firmwares. One port from the router plugs into the wall, and my SmartTV picks up the signal wired, instead of wireless. By doing that the TV can act as a Wireless Access Point. Trouble is that AP is on the main LAN, and there's no option to make it a Guest LAN (at least w/ the TV).

    Following your lead - I put my port2 on a Guest VLAN - so electrical outlets & spare HomePlugs are on Guest. Trouble is so is the SmartTV, and it can't see the WDMyCloud on the main LAN. -- What I'd like is to somehow let only select devices through to connect to the Printer, or WDMyCloud. -- From your description, I think the difference is you are using the Router as a DLNA server, while mine is on another device.
     
  10. @hardtotell

    If I read your config correctly, you create a new VLAN with id 14, untag it to port 4 and drop all traffic to your internal IP range. So this is not really the same VLAN as the Wireless Guest network?

    How can I 'bridge' the Wireless Guest Network with a newly created VLAN and use the 'guest' function of the router without adding a rule to drop traffic? I'm asking this because I would like to connect two routers (one in AP mode) and make them share a guest SSID on the same VLAN.

    I cannot seem to find any other VLAN's. I do see wl0.1 when I configure a Guest SSID. So I guess we could bind it to a vlan. Some info to get me started would be nice :)
     
  11. hardtotell

    hardtotell Regular Contributor

    Joined:
    Aug 17, 2014
    Messages:
    58
    It is not the same VLAN as the Wireless Guest Network. The idea was to isolate devices on the same subnet, when plugged into LAN port#4. The goal is to protect the computers on the network from the unknown intentions of multiple smart TVs and appliances also on the same subnet. Sorry, I am not the forum expert on VLANs and bridging.
     
  12. RoutNew36

    RoutNew36 Occasional Visitor

    Joined:
    Jan 22, 2015
    Messages:
    22
    This is exactly what I need but for AC56U.
    Should this script run on AC56U or are there any changes needed?
     
  13. hardtotell

    hardtotell Regular Contributor

    Joined:
    Aug 17, 2014
    Messages:
    58
    These two (2) lines might be different. I think the RT-AC56U numbers the ports differently:
    robocfg vlan 1 ports "1 2 3 5t"
    robocfg vlan 14 ports "4 5t"
    ...

    Type 'robocfg show' to see the port numbers of your specific router.
     
  14. RoutNew36

    RoutNew36 Occasional Visitor

    Joined:
    Jan 22, 2015
    Messages:
    22
    Great, thanks for the information.
     
  15. TravisV

    TravisV New Around Here

    Joined:
    May 24, 2015
    Messages:
    1
    Thanks for this write up... FYI

    If you're using an AC66U, it uses port 8t instead of 5t.

    /jffs/scripts/firewall-start
    Code:
    #!/bin/sh
    # force LAN port 4 to use the Guest Network for RT-AC66U
    robocfg vlan 1 ports "1 2 3 8t"
    robocfg vlan 10 ports "4 8t"
    vconfig add eth0 10
    ifconfig vlan10 up
    brctl addif br0 vlan10
    ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
    ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
    ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP
    
     
  16. Znitz

    Znitz New Around Here

    Joined:
    Jun 2, 2015
    Messages:
    6
    First of all, a big thank you! This is exactly what I was looking for.

    I have a network of UniFi wireless APs (from Ubiquiti) that can handle guest networks.
    So I intend to create a guest network on a VLAN; my switch (Cisco SG-300) handles this VLAN and can then connect this VLAN to my router. The reason for this is simple: concrete walls, and the router is located in the basement...

    Now I have bought an AC87U and installed the Merlin version. After running "robocfg show", I get this list:
    Code:
    Switch: enabled
    Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: 54:75:d0:a6:3f:00
    Port 1: 1000FD enabled stp: none vlan: 3 jumbo: on mac: 10:bd:18:82:63:53
    Port 2:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
    Port 3: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 50:1a:c5:e5:4d:ed
    Port 4:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
    Port 8:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
    VLANs: BCM5301x enabled mac_check mac_hash
      1: vlan1: 2 3 5 7t
      2: vlan2: 0 7t
      3: vlan3: 1 7t
    1045: vlan1045: 1 5t 7t 8t
    1046: vlan1046: 2t 3t
    1047: vlan1047: 0 1t 4t 5 7t
    1099: vlan1099: 1t 2t 3
    1100: vlan1100: 0t 1t 4
    1101: vlan1101: 0t 3t 7t 8u
    1102: vlan1102: 4t
    1103: vlan1103: 0 1t 4t
    
    And according to previous posts I guess that I need to change these lines in the script
    robocfg vlan 1 ports "1 2 3 8t"
    robocfg vlan 10 ports "4 8t"

    to something like this
    robocfg vlan 1 ports "2 3 7t"
    robocfg vlan 10 ports "4 7t"

    Am I on the right track?


    EDIT: vlan 3 is my second WAN.. so port 1 should not be there either.
     
    Last edited: Jun 2, 2015
  17. hardtotell

    hardtotell Regular Contributor

    Joined:
    Aug 17, 2014
    Messages:
    58
    I'm not the forum expert on VLANs and bridging. That said, I would probably have to guess at it. For your RT-AC87U, will it work?

    Type 'brctl show'
    Pick a vlan in the list you want to modify. For you it's probably vlan1.
    Type 'robocfg show' to see the ports for vlan1. For you these ports are "2 3 5 7t".
    Pick a port in this list that you want to move to the new vlan. For you it is the port number "5" that you will move to a new vlan?
    So you will use robocfg to change the vlan1 to "2 3 7t", and add a new vlan10 with the ports "5 7t".
    Which actual Ethernet port# got affected by this change? It is trial and error.
     
    Last edited: Jun 2, 2015
  18. Znitz

    Znitz New Around Here

    Joined:
    Jun 2, 2015
    Messages:
    6
    :) Yes I guess trial'n'error is the way forward
    But you suggest port 5, this may be the port on the back named "1", and in the list from robocfg "4"?

    I will test when I get home tonight.
     
    Last edited: Jun 2, 2015
  19. Znitz

    Znitz New Around Here

    Joined:
    Jun 2, 2015
    Messages:
    6
    How is DHCP handled in this scenario? Are you using the ASUS router for this?
    And the network? Are the networks using the same network, i.e. 192.168.1.x?
     
  20. Znitz

    Znitz New Around Here

    Joined:
    Jun 2, 2015
    Messages:
    6
    At home, testing, and found out that I had a problem with port 4 (or 1 or 5 depending where I look), so I decided to use port 3 (and move my internal to port 2).
    Network is now up. And I can see my router in the guest network. Now I understand that a DHCP server is needed.. (that part I will ask in a new thread)

    Here are my settings that seem to work for an RT-AC87U router

    Code:
    #!/bin/sh
    # force LAN port 3 to use the Guest Network for RT-AC87U
    robocfg vlan 1 ports "2 5 7t"
    robocfg vlan 10 ports "3 7t"
    vconfig add eth0 10
    ifconfig vlan10 up
    brctl addif br0 vlan10
    ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
    ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
    ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP
    The result is:
    Code:
    # robocfg show
    Switch: enabled
    Port 0: 1000FD enabled stp: none vlan: 2 jumbo: on mac: 54:75:d0:a6:3f:00
    Port 1:    100FD enabled stp: none vlan: 3 jumbo: on mac: 00:12:f2:33:fb:60
    Port 2: 1000FD enabled stp: none vlan: 1 jumbo: on mac: 00:0d:4b:04:2e:ae
    Port 3: 1000FD enabled stp: none vlan: 10 jumbo: on mac: 90:94:e4:fc:7f:b5
    Port 4:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
    Port 8:  DOWN enabled stp: none vlan: 1 jumbo: on mac: 00:00:00:00:00:00
    VLANs: BCM5301x enabled mac_check mac_hash
      1: vlan1: 2 5t 7t
      2: vlan2: 0 7t
      3: vlan3: 1 7t
      10: vlan10: 3 7t
    1045: vlan1045: 1 5t 7t 8t
    1046: vlan1046: 2t 3t
    1047: vlan1047: 0 1t 4t 5 7t
    1099: vlan1099: 1t 2t 3
    1100: vlan1100: 0t 1t 4
    1101: vlan1101: 0t 3t 7t 8u
    1102: vlan1102: 4t
    1103: vlan1103: 0 1t 4t
    
    # brctl show
    bridge name     bridge id               STP enabled     interfaces
    br0             8000.ac9e17961f18       yes             vlan1
                                                            eth1
                                                            vlan10
    

    Again, thank you all for this!!
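The port numbers in the last several posts (5t on the RT-AC68U, 8t on the RT-AC66U, 7t on the RT-AC87U, and the question of which robocfg port number is which rear jack) can all be read off robocfg show, which limits the trial and error to the jack-to-port mapping. What follows is an added example and not code from any post in this thread: small POSIX sh functions that pull the LAN VLAN's port list out of robocfg show, find its tagged CPU port, and print the two robocfg lines that move one untagged port to a guest VLAN, refusing a port that is not actually an untagged member of the LAN VLAN (a WAN port, for instance). The sample input is the VLAN section of Znitz's RT-AC87U robocfg show output above, embedded as a constructed string; the function names vlan_ports, cpu_port and guest_vlan_lines are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: read the LAN VLAN's port list out of
# 'robocfg show' and print the two robocfg lines that move one port to a guest VLAN,
# so the CPU port (5t/8t/7t depending on model) is taken from the switch, not guessed.

# Constructed sample: the VLAN section of the RT-AC87U 'robocfg show' output posted above.
SAMPLE_ROBOCFG='VLANs: BCM5301x enabled mac_check mac_hash
  1: vlan1: 2 3 5 7t
  2: vlan2: 0 7t
  3: vlan3: 1 7t
1045: vlan1045: 1 5t 7t 8t'

# vlan_ports "<robocfg show output>" VID -> that VLAN's port list, e.g. "2 3 5 7t"
vlan_ports() {
    printf '%s\n' "$1" | sed -n "s/^ *$2: vlan$2: //p"
}

# cpu_port "<port list>" -> the tagged (trailing t) CPU port every VLAN must keep
cpu_port() {
    for p in $1; do
        case $p in *t) echo "$p"; return 0 ;; esac
    done
    return 1
}

# guest_vlan_lines "<robocfg show output>" LAN_VID PORT GUEST_VID
# Prints: LAN VLAN without PORT, then GUEST_VID with PORT; both keep the CPU port.
# Fails if PORT is not an untagged member of the LAN VLAN (e.g. a WAN port).
guest_vlan_lines() {
    ports=$(vlan_ports "$1" "$2")
    cpu=$(cpu_port "$ports") || { echo "no tagged CPU port found in vlan$2" >&2; return 1; }
    keep=""
    found=0
    for p in $ports; do
        if [ "$p" = "$3" ]; then
            found=1
        elif [ "$p" != "$cpu" ]; then
            keep="$keep${keep:+ }$p"
        fi
    done
    [ "$found" = 1 ] || { echo "port $3 is not an untagged member of vlan$2" >&2; return 1; }
    echo "robocfg vlan $2 ports \"$keep $cpu\""
    echo "robocfg vlan $4 ports \"$3 $cpu\""
}

# On the router: guest_vlan_lines "$(robocfg show)" 1 4 10
# Against the sample, moving port 3 (Znitz's final layout):
guest_vlan_lines "$SAMPLE_ROBOCFG" 1 3 10
```

On the router, guest_vlan_lines "$(robocfg show)" 1 4 10 prints the two lines to paste into the script; the rest of the script (vconfig, brctl, ebtables) does not change between models, only these two lines and the vlan interface name do. Which rear jack a robocfg port number corresponds to still has to be checked by plugging something in and watching the link state in robocfg show.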
     
