
Force LAN port 4 to use the Guest network for Asus/merlin RT-AC68U


Hi,

I've been using the script in this thread for my AC66U for quite a while now but upgraded to 380.65 this morning and it quit working. I was using the script below:

Code:
#!/bin/sh
# force LAN port 4 to use the Guest Network for RT-AC66U
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.2.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP

It seems once that script executes, I lose connectivity on my wired clients (desktop PC). I see the following error messages in the system log (from a wireless client):

Code:
kernel: vlan10 adding interface with same address as a received packet

I checked, and it looks like LAN port 4 is on the vlan10, which should be correct, but I can't access the router/internet from my desktop PC, which is still on vlan1, LAN port 1.

I'm also getting a bunch of messages flooding the system log:

Code:
kernel: printk: 10 messages suppressed.

and so on.

I'm kind of stumped here. It used to work and now it doesn't. My router IP is 192.168.2.1.

Any ideas? Tried disabling CTF, nothing. I can't ping the router from my wired PC nor can the router ping the PC. Yet for some reason I can see it's getting an IP, though I'm not sure how true that is. Right now, the only way I get connectivity is omitting the script entirely, leaving each port on the same vlan1.
 
Reala, I know it has been a while, and you probably have it sorted. I'm also far from being the expert on these matters... have you tried erasing NVRAM (save settings first) and rebooting?

Here's an example of my patched Ebtables BROUTING chain to block all IPv4 protocols between devices on the 2.4GHz Guest Network.

Fitz, I am interested in doing the same 'complete guest isolation' on my n66u. Did it work as expected (no issues with wifi auth)?

Kev
 
Fitz, I am interested in doing the same 'complete guest isolation' on my n66u. Did it work as expected (no issues with wifi auth)?
My Wi-Fi guest network authentication works as expected. I still need to dig into it, to find out exactly which protocols I would not want blocked. I found that Ethertype 0x886c (ETHER_TYPE_BRCM) must stay bridged (br0) or else the Guest Wi-Fi does not authenticate.
https://en.wikipedia.org/wiki/EtherType#Examples AND https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

Here's what I use at the moment, and it seems to work well. It's nice because the managed switch enforces device isolation for my wired guest network. I can turn off my Asus router and everything runs just fine. :)

/jffs/scripts/configure-guest-network.sh
Code:
#!/bin/sh
WANIF="$1"
IPADDR=$(/usr/sbin/nvram get lan_ipaddr)
HWADDR="$(nvram get lan_hwaddr)"

#########################################################################################################
# LAN port 4 on the RT-AC68U is a trunk port for a 24-port managed gigabit Ethernet switch
# that has 12 guest Ethernet ports (vlan14), 11 full access Ethernet ports (vlan1),
# and 1 uplink Ethernet port (vlan1 + vlan14)

/usr/sbin/robocfg show | /bin/grep -qF "vlan14:"
if [ $? -ne 0 ]; then
  /usr/sbin/robocfg vlan 1 ports "1 2 3 4 5t" # port 4 is tagged vlan1 by the switch
  /usr/sbin/robocfg vlan 14 ports "4t 5t"      # port 4 is tagged vlan14 by the switch
#  /usr/sbin/robocfg vlan 1 ports "1 2 3 5t"    # Asus router leaves ports 1-3 untagged
#  /usr/sbin/robocfg vlan 14 ports "4t 5t"       # Asus router tags port 4 with vlan14
  /sbin/vconfig add eth0 14
  /sbin/ifconfig vlan14 up
  /usr/sbin/brctl addif br0 vlan14
fi

#########################################################################################################
# Re-implementation of device isolation for AsusWRT Guest Network

# ebtables with feature to remove duplicates
ebtables() {
  local cmdline="$@"
  local deleteline="$(/bin/echo $cmdline | /bin/sed -r 's/(\s*-)(I|A)(\s+[a-zA-Z]\w*)(\s+[0-9]*\s+|\s+)(.*)/\1D\3 \5/')"
  # if the rule is Insert or Add, then remove all duplicates
  if [ "$deleteline" != "$cmdline" ]; then
    local N=10
    /usr/sbin/ebtables $deleteline > /dev/null 2>&1
    while [ $? -eq 0 ] && [ $N -gt 0 ]; do
      N=$((N - 1))   # plain POSIX decrement; "let local N--" is not valid
      /usr/sbin/ebtables $deleteline > /dev/null 2>&1
    done
  fi
  # apply the rule
  /usr/sbin/ebtables $cmdline
}

# converts IPv4 address and Subnet mask to CIDR
ip2cidr() {
  awk '
  BEGIN {
    len = ARGC - 1;
    if (len != 2) {
      print "ip2cidr {ip} {netmask}";
      exit 1;
    }
    ipaddr = ARGV[1];
    netmask = ARGV[2];

    ipaddr_num = ip2num(ipaddr);
    netmask_num = ip2num(netmask);
    netaddr = num2ip(and(ipaddr_num, netmask_num));
    numhosts = xor(0xffffffff, netmask_num);
    hostbits = 0;
    while (numhosts > 0) {
      hostbits++;
      numhosts = int(numhosts / 2);
    }
    maskbits = 32 - hostbits;

    printf("%s/%d\n", netaddr, maskbits);
  }
  function ip2num( ip,
                   num, len, array, i ) {
    num = 0;
    len = split(ip, array, ".");
    for (i = 1; i <= 4; i++) {
      num *= 256;
      if (i <= len) {
        num += array[i];
      }
    }
    return num;
  }
  function num2ip( n,
                   ip, m, i ) {   # i declared local so it cannot leak to the caller
    ip = "";
    for (i = 1; i <= 4; i++) {
      m = n % 256;
      n = int(n / 256);
      ip = (ip == "") ? m : m "." ip;
    }
    return ip;
  }
  ' "$@"
}

NETADDR=$(ip2cidr $(nvram get lan_ipaddr) $(nvram get lan_netmask))

for IF_GUEST in wl0.1 wl1.1 vlan14 ; do

  # Remove the AsusWRT guest network rules, if any
  ebtables -t broute -D BROUTING -p IPv4 -i $IF_GUEST --ip-dst $NETADDR --ip-proto tcp -j DROP

  # For each guest network physical interface, un-bridge all frames entering the
  # bridge interface (br0) that are destined for the local network,
  # for protocols IPv4 and ARP
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-dst $NETADDR -j DROP
  ebtables -t broute -I BROUTING -p ARP  -i $IF_GUEST --arp-ip-dst $NETADDR -j DROP
  #ebtables -t broute -I BROUTING -p IPv6 -i $IF_GUEST --ip6-dst $NETADDR -j DROP

  # Stay bridged (br0): ARP broadcasts
  ebtables -t broute -I BROUTING -p ARP -i $IF_GUEST -d ff:ff:ff:ff:ff:ff -j ACCEPT

  # Stay bridged (br0): ARP reply from/to router
  ebtables -t broute -I BROUTING -p ARP -i $IF_GUEST --arp-ip-src $IPADDR -j ACCEPT
  ebtables -t broute -I BROUTING -p ARP -i $IF_GUEST --arp-ip-dst $IPADDR -j ACCEPT

  # Stay bridged (br0): DHCP client: Discover, Request
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src 0.0.0.0 --ip-dst 255.255.255.255 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT

  # Stay bridged (br0): DHCP client: Release
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src $NETADDR --ip-dst $IPADDR --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT

  # Stay bridged (br0): DHCP server: Offer, ACK
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src $IPADDR --ip-dst $NETADDR --ip-proto udp --ip-sport 67 --ip-dport 68 -j ACCEPT

  # Stay bridged (br0): DNS
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src $NETADDR --ip-dst $IPADDR --ip-proto udp --ip-dport 53 -j ACCEPT

  # Stay bridged (br0): NTP
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-src $NETADDR --ip-dst $IPADDR --ip-proto udp --ip-dport 123 -j ACCEPT

  # Stay bridged (br0): MiniDLNA
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST --ip-dst $IPADDR --ip-proto tcp --ip-dport 8200 -j ACCEPT

  # Stay bridged (br0): HP printer
  ebtables -t broute -I BROUTING -p IPv4 -i $IF_GUEST -s xx:xx:xx:xx:xx:xx --ip-proto tcp --ip-sport 9100 -j ACCEPT

  # Drop all un-bridged frames for this physical interface (device isolation happens here)
  ebtables -I FORWARD -o $IF_GUEST -j DROP
  ebtables -I FORWARD -i $IF_GUEST -j DROP

  # Allow SSDP multicast to discover MiniDLNA
  ebtables -I FORWARD -i $IF_GUEST -p IPv4 --ip-proto udp -d 01:00:5e:7f:ff:fa --ip-dport 1900 -j ACCEPT

done
 
Quick question, looking through this to improve my guest wifi script.
Code:
NETADDR=$(/usr/sbin/ip route|/bin/grep br0|/usr/bin/cut -d' ' -f1)
returns 2 entries

Code:
169.254.39.0/24
10.14.16.0/24

Is that right?
 
It's nice because the managed switch enforces device isolation for my wired guest network.
Interesting... are you using your asus as a router (w/ dhcp, dns, etc), or do you have something else going on?

I was also planning on trunking to a managed switch (hp 1910) from my n66u (router mode). I thought with this topology if the asus was off, the gateway & essential services (dhcp, dns, ntp...) would be lost. I know my particular switch has some L3 features (handful of static routes, dhcp, dns relay, etc), but even with that I figured with the asus off, the asus's internal switch would be dead.

I wish I could help you with your routing question, but I lack the skills. Just looks like link local and LAN subnets to me.

Kev
 
Quick question, looking through this to improve my guest wifi script.
Code:
NETADDR=$(/usr/sbin/ip route|/bin/grep br0|/usr/bin/cut -d' ' -f1)
returns 2 entries

Code:
169.254.39.0/24
10.14.16.0/24

Is that right?
I updated the script to fix that. Now the network address gets calculated properly.
 
Interesting... are you using your asus as a router (w/ dhcp, dns, etc)?
Yes, it's just a router with DHCP, DNS, NTP. The managed switch is an Enterasys 24-port.
 
Thanks for the feedback... I still don't understand how this works though:
I can turn off my Asus router and everything runs just fine.

Also, I am interpreting this:
/usr/sbin/robocfg vlan 1 ports "1 2 3 4 5t" # port 4 is tagged vlan1 by the switch
/usr/sbin/robocfg vlan 14 ports "4t 5t"      # port 4 is tagged vlan14 by the switch
...to mean "ports 1-4 untagged vlan1" and "port 4 tagged vlan14", which makes port 4 a trunk port and ports 1-3 vlan1 access ports. The comments say "port 4 is tagged vlan1". How so? If it is just a typo, is the untagged vlan1 on port 4 acting as a native vlan? What would happen if it was like this?
Code:
robocfg vlan 1 ports "1 2 3 4t 5t"

Thanks in advance,
Kev
 
Thanks for the feedback... I still don't understand how this works though
Sorry, I meant to say that my wired network is not interrupted when I turn off my Asus router because of the switch.

According to the robocfg usage, the CPU port default is "t" and the other ports default is "u". Robocfg uses the default letter when the port number is specified without the suffix "t" or "u". In my example, port 5 is the CPU and ports 1,2,3,4 are the "other ports". I recommend buying a managed switch. You have to play with it to know, then you will understand. I got my Enterasys 24-port switch in a "used" condition on eBay for $50.
Code:
Usage: robocfg <op> ... <op>
Operations are as below:
        show -- show current config
        showmacs -- show known MAC addresses
        showports -- show only port config
        switch <enable|disable>
        port <port_number> [state <enabled|rx_disabled|tx_disabled|disabled>]
                [stp none|disable|block|listen|learn|forward] [tag <vlan_tag>]
                [media auto|10HD|10FD|100HD|100FD|1000HD|1000FD]
                [mdi-x auto|on|off] [jumbo off|on]
        vlan <vlan_number> [ports <ports_list>]
        vlans <enable|disable|reset>

        ports_list should be one argument, space separated, quoted if needed,
        port number could be followed by 't' to leave packet vlan tagged (CPU
        port default) or by 'u' to untag packet (other ports default) before
        bringing it to the port, '*' is ignored
 
I think my post led to some confusion; I understand the basics when it comes to vlans. My questions were regarding your comment about vlan1 being tagged. In your script vlan1 appears to be untagged (perhaps what is referred to in Cisco land as a 'native vlan', where all untagged packets will end up). I am trying to wrap my head around the specific usage with respect to asus routers (specifically roboconfig), and your example doesn't fit my concept of it all I guess.

On a side note, I paid a bunch more for a managed poe switch ($135 used 24 port), but I needed poe for my setup. I was going to get an unmanaged poe switch until I learned a little about how vlans work, and that they can be done in merlin.

Kev
 
Could someone in the know explain what these other commands do?

vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10

I understand robocfg defines the vlan and tagged/untagged status. What if another bridge needs to be established on a different subnet?

Thanks
 
Sorry guys, newbie question. I'm trying to set up a vlan for my CCTV network and this post seems to be very similar to what I'm trying to achieve.

I'm trying to get the following:
# Force LAN port 4 to use the CCTV vlan for RT-AC68U - (Connected to unmanaged poe switch)
# Set firewall rule(s) that blocks CCTV vlan from accessing the home lan and blocks it connecting to the internet
# Set firewall rule that allows homeLan (ports 1, 2, 3 and wireless) to access Cam lan (and internet) allows people on the home lan to access the cams.
# Setup openVPN that enables you to connect into homelan from the internet so you can access the cams as if you were at home.

So far I've written up this script:
Code:
#!/bin/sh
# Force LAN port 4 to use the CCTV vlan for RT-AC68U - (Connected to unmanaged poe switch)
# Set firewall rule(s) that blocks CCTV vlan from accessing the home lan and blocks it connecting to the internet
# Set firewall rule that allows homeLan (ports 1, 2, 3 and wireless) to access Cam lan (and internet) allows people on the home lan to access the cams.
# Setup openVPN that enables you to connect into homelan from the internet so you can access the cams as if you were at home.

#Get router's LAN IP Address
IPADDR=$(/usr/sbin/nvram get lan_ipaddr)   # "local" is only valid inside a function

#vlan1 is standard ASUS network
#vlan10 is network for CCTV cameras

#Make vlan10 and bring it up - No internet access on this vlan
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up

#No connections to router
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst ${IPADDR} --ip-proto tcp -j DROP

#Drop all connections for vlan10
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP
ebtables -t filter -I FORWARD -i ! br0 -o vlan10 -j DROP

#Allow packets from wireless and homelan to vlan10
ebtables -t filter -I FORWARD -i wl0.1 -o vlan10 -j ACCEPT
ebtables -t filter -I FORWARD -i vlan1 -o vlan10 -j ACCEPT

Does this look right or am I missing some fundamental bits in it?
 
I needed to restrict LAN port#4 for Internet only use, just like the Wireless Guest Network access. Then I plug an 8-port Ethernet switch into LAN port 4 of the RT-AC68U router, to expand the number of Internet-only wired connections. It is for attaching wired network devices that have no business on my local area network, but need to access the Internet.

It is also true that you could buy a $20 U.S. dollar Tenda F3 N300 bridge (unless you need throughput of more than 100 megabits per second to the internet), and configure that bridge to latch onto one of your existing guest wifi networks, and plug your wired-guest users into the new bridge.

This of course would have the added advantage of letting you attach more than one ethernet cable to the bridge for more than one wired-guest network user. And the bridge need not be exactly where the Merlin router is, it could be closer to the wired-guest users for example. A 5 gigahertz bridge might set you back $40 dollars.
 
Sorry guys, newbie question. I'm trying to set up a vlan for my CCTV network and this post seems to be very similar to what I'm trying to achieve.
...
#Drop all connections for vlan10
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP
ebtables -t filter -I FORWARD -i ! br0 -o vlan10 -j DROP

@Arnie Singh,

Isn't "ebtables -t filter -I FORWARD -i ! br0 -o vlan10 -j DROP" redundant due to the second rule?
 
And again, the first time I run this manually, it works fine. Reboot and run the script again and the router gets stuck.

I was having this problem but I think that what fixed it was taking it from nat-start and putting it in firewall-start. I noticed yours is in services-start. You might try changing that.

This is sort of an old thread, but just wanted to share a solution to those who wanted to tie in the guest wireless with a new wired vlan. There are only a few lines added to the original script.

Thanks for this, this was helpful!
 
Sorry guys, newbie question. I'm trying to set up a vlan for my CCTV network and this post seems to be very similar to what I'm trying to achieve.


Does this look right or am I missing some fundamental bits in it?

Hello There!
I'm trying to reproduce what you are doing here, but on an AC87U.
Only things I changed from an original robocfg looking like this:
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 2 3 5 7t
2: vlan2: 0 1 7
on which I wanted to pick port 3 (LAN2 on AC87U) in vlan101.
Running your script already changed the port 5 settings:
VLANs: BCM5301x enabled mac_check mac_hash
1: vlan1: 2 5t 7t
2: vlan2: 0 1 7
101: vlan101: 3 7t

Even adding a "robocfg vlans reset" before the assignment does not resolve the issue.

Bottomline: my LAN & wifi devices cannot connect to vlan 101 or vice versa, but my vlan 101 can connect to the internet.
Did it work on your setup or not?
Thanks!

Full script:
Code:
#Make vlan101 and bring it up - No internet access on this vlan
robocfg vlans reset
robocfg vlan 1 ports "2 5 7t"
robocfg vlan 2 ports "0 1 7"
robocfg vlan 101 ports "3 7t"
vconfig add eth0 101
ifconfig vlan101 up

#No connections to router
ebtables -t broute -I BROUTING -p IPv4 -i vlan101 --ip-dst 192.168.222.1 --ip-proto tcp -j DROP

#Drop all connections for vlan101
ebtables -t filter -I FORWARD -i vlan101 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan101 -j DROP
ebtables -t filter -I FORWARD -i ! br0 -o vlan101 -j DROP

#Allow packets from wireless and homelan to vlan101
ebtables -t filter -I FORWARD -i wl0.1 -o vlan101 -j ACCEPT
ebtables -t filter -I FORWARD -i wl1.1 -o vlan101 -j ACCEPT
ebtables -t filter -I FORWARD -i vlan1 -o vlan101 -j ACCEPT
 
Ran into some issues with the original script on my AC3100. After changing the ports on vlan1, 2.4GHz clients stopped working, while 2.4GHz guests and 5GHz clients are fine. Took me about an hour to notice that the vlan command also somehow changed port 5 (I assume it's the 2.4GHz WiFi) to 5t, which caused this issue.
Code:
#robocfg show
Switch: enabled
...
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 5t 7 8t
   2: vlan2: 4 8u
   9: vlan9: 0 8t

The resolution is to explicitly define port 5 as untagged - and I actually did it for all ports: why not ¯\_(ツ)_/¯
Now everything works using the following script:
Code:
#!/bin/sh
# force LAN port 4 to use its own vlan

# in firewall-start, WAN interface name is passed as an argument
WAN0_IFNAME="$1"   # no spaces around "=" in a shell assignment

robocfg vlan 1 ports "1u 2u 3u 5u 7u 8t"
robocfg vlan 9 ports "0u 8t"
vconfig add $WAN0_IFNAME 9
ifconfig vlan9 up
brctl addif br0 vlan9
ebtables -t broute -I BROUTING -p IPv4 -i vlan9 --ip-dst 192.168.1.1/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD  -i vlan9 -o ! $WAN0_IFNAME -j DROP
ebtables -t filter -I FORWARD  -i ! $WAN0_IFNAME -o vlan9 -j DROP

Note that instead of using "1 2 3 5 7 8t", I used "1u 2u 3u 5u 7u 8t".
Hope it helps if someone ran into the same issue.
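Added example, not code from any post in this thread: a small POSIX sh checker that parses "robocfg show" output and reports per-port VLAN membership, access ports that have come back tagged (the "5t" drift described above), and whether a guest port is untagged in exactly one VLAN. The sample input is constructed in the shape of the AC3100 post, with port 8 assumed to be that switch's CPU port.

```shell
#!/bin/sh
# Added example, not code from this thread: sanity-check "robocfg show" output
# before applying ebtables isolation rules. Every function reads robocfg output
# on stdin, so on the router you would run e.g.  robocfg show | unexpected_tagged 8

# Constructed sample in the shape of the AC3100 post: port 5 has silently become
# tagged ("5t") in vlan1. Port 8 is assumed to be the CPU port of that switch.
SAMPLE='Switch: enabled
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 5t 7 8t
   2: vlan2: 4 8u
   9: vlan9: 0 8t'

# port_membership PORT: print "vlanN:t" or "vlanN:u" for each VLAN containing
# PORT. In "robocfg show" output a bare port number is an untagged member.
port_membership() {
  awk -v want="$1" '
    /^ *[0-9]+: vlan[0-9]+:/ {
      vlan = $2; sub(/:$/, "", vlan)
      for (i = 3; i <= NF; i++) {
        p = $i; mode = "u"
        if (p ~ /t$/) { mode = "t"; sub(/t$/, "", p) }
        else if (p ~ /u$/) { sub(/u$/, "", p) }
        if (p == want) out = (out == "") ? vlan ":" mode : out " " vlan ":" mode
      }
    }
    END { print out }'
}

# unexpected_tagged CPU_PORT: list tagged ports other than the CPU/trunk port.
# An access port that comes back tagged (the "5t" above) means a robocfg vlan
# command rewrote a port you did not mean to touch, which is what broke the
# AC3100 poster's 2.4GHz clients.
unexpected_tagged() {
  awk -v cpu="$1" '
    /^ *[0-9]+: vlan[0-9]+:/ {
      for (i = 3; i <= NF; i++) {
        p = $i
        if (p ~ /t$/) {
          sub(/t$/, "", p)
          if (p != cpu && !(p in seen)) { seen[p] = 1; out = (out == "") ? p : out " " p }
        }
      }
    }
    END { print out }'
}

# guest_port_ok PORT VLAN: succeed only if PORT is an untagged member of exactly
# one VLAN, the guest one. Otherwise guest frames still reach the main LAN at
# layer 2 no matter what the ebtables rules say.
guest_port_ok() {
  [ "$(port_membership "$1")" = "vlan$2:u" ]
}

# Stand-alone run on the constructed sample
printf '%s\n' "$SAMPLE" | port_membership 8     # vlan1:t vlan2:u vlan9:t
printf '%s\n' "$SAMPLE" | unexpected_tagged 8   # 5
```

Run the checks after every robocfg command in the script and bail out if guest_port_ok fails, so the ebtables rules are never applied on top of a port layout other than the one you intended.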
 
Hi, I am going to be trying to add a VLAN to port 4 on my RT-AC68 with Merlin firmware and am a COMPLETE noob.
I think I understand how to putty into the router (converted it from a T-Mobile version) but a few questions about the instructions in this thread.

1. Is there any specific naming convention/specific names for the scripts I will be adding to the jffs/scripts directory? (I assume I will be adding a new script and not modifying an existing one.)
2. If I use notepad++ as an editor, how do I make the script executable?
3. Could I use something like WinSCP and drag/drop a file I created with Notepad++ into the jffs/scripts directory? If so, how do I make it executable?
4. Lastly, there seems to be a lot of "evolution" on the original script. All I want to do is make LAN4 a VLAN. I do not need to access any specific IP addresses on the VLAN side and the VLAN clients only need access to the Internet through the WAN port. Having said that, which script(s) should I be using?

As I said, I am a noob, and need a lot of help!
Thanks in advance.

Tim
 