Force LAN port 4 to use the Guest network for Asus/merlin RT-AC68U

[M@rco]

Hi, I am going to be trying to add a VLAN to port 4 on my RT-AC68 with Merlin firmware and am a COMPLETE noob.

1. Is there any specific naming convention/specific names for the scripts I will be adding to the jffs/scripts directory? (I assume I will be adding a new script and not modifying an existing one.)
2. If I use notepad++ as an editor, how do I make the script executable?
3. Could I use something like WinSCP and drag/drop a file I created with Notepad++ into the jffs/scripts directory? If so, how do I make it executable?

I can't help you in regards to your VLAN questions, as I don't have enough knowledge of it, but will do an attempt to answer your other questions:

1. You can find all you need about the user scripts here: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
2. If you use Notepad++, make sure you set the file format to Unix (LF) before saving it. You can right click the file format the status bar at the bottom, which by default says Windows (CR LF). Just right click and select Unix (LF).

Your file is now ready for upload. If you edit an existing script, for example by opening it in WinSCP, it'll automatically switch to the correct mode. It's usefull (at least, I think so) to set Notepad++ as default editor in WinSCP.
3. WinSCP can be used perfectly to edit, download and upload files. You can also change permissions using WinSCP, to make a script executable for example. Just right click the file, choose Properties and tick the box(es) under 'X' (for executable).

The same thing can be easily achieved by starting an SSH session and executing

chmod u+x /pathtofile/script.sh

One last remark: placing your router on such short distance of your television will most likely cause a lot of interference. If you have any issues with WiFi or issues with the TV, I'd suggest you try placing your router elsewhere.

Edit: The screenshots above are in Dutch, sorry for that, but I couldn't figure out quickly how to change the language in Notepad++. The layout in English is exactly the same though.

 

[pendetim]

I can't help you in regards to your VLAN questions, as I don't have enough knowledge of it, but will do an attempt to answer your other questions:

1. You can find all you need about the user scripts here: https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
2. If you use Notepad++, make sure you set the file format to Unix (LF) before saving it. You can right click the file format the status bar at the bottom, which by default says Windows (CR LF). Just right click and select Unix (LF).

Your file is now ready for upload. If you edit an existing script, for example by opening it in WinSCP, it'll automatically switch to the correct mode. It's usefull (at least, I think so) to set Notepad++ as default editor in WinSCP.
3. WinSCP can be used perfectly to edit, download and upload files. You can also change permissions using WinSCP, to make a script executable for example. Just right click the file, choose Properties and tick the box(es) under 'X' (for executable).

The same thing can be easily achieved by starting an SSH session and executing

chmod u+x /pathtofile/script.sh

One last remark: placing your router on such short distance of your television will most likely cause a lot of interference. If you have any issues with WiFi or issues with the TV, I'd suggest you try placing your router elsewhere.

Edit: The screenshots above are in Dutch, sorry for that, but I couldn't figure out quickly how to change the language in Notepad++. The layout in English is exactly the same though.

Thanks. I am getting my confidence up!

Can I name the new script anything that makes sense to me or are only certain file names permitted?

 

[M@rco]

Can I name the new script anything that makes sense to me or are only certain file names permitted?

You can name the script anything that makes sense to you, but you'll have to launch it from the appropriate user script (see the previous link to the wiki). These script have their own 'launch' triggers, explained in the wiki. And make sure the script is in /jffs/scripts, otherwise it'll be gone after a reboot. Start the script with a shebang and make sure it's executable. More pointers in the wiki, for example how to check whether it actually ran during boot.

 

[Srecko]

#!/bin/sh
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP

I use above code from first post in topic inside wan-start script. It works fine.
How would ebtables command to add exception for specific device on guest port switch look like?
I would like to give access to specific mac to have access to 192.168.1.0/24.

 

[B1ack_Mi16]

Got this working perfectly on my ASUS RT-AC66U.

However I would also like to set a bandwidth limit on this port. Can someone provide me with a codeline that will do this?
I'm using it for a rental apartment in my basement and I suppose they can connect port 4 to the WAN port on their own router. At least that's my plan, but the internet bandwidth must be limited.

Any help appreciated.

 

[mc88]

I am a complete noob, and would like physical Port4 to be tied to guess network. I am trying to get this to work on a ASUS RT-N66U.

--------------------------
--robocfg show info --
--------------------------
Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 1c:xx:xx:xx:xx:xx
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 78:xx:xx:xx:xx:xx
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8u

--------------------------
I have tried to follow the code and this what I have so far ...
--------------------------
#!/bin/sh

robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-prebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP


--------------------------
Final concern??
--------------------------
I am putting in /jffs/script/ as services-start and chmod it as a+rx.
For the script to run, only a reboot is required?


Any help will be greatly appreciated. And thanks in advance

 

[mattmcquiff]

Hi Did you have any further success?

I followed it but I'm not sure its a guest network?

I was expecting the guest network not to be able to access the router page,

How can I test the guest network to be separate from the network?

I am a complete noob, and would like physical Port4 to be tied to guess network. I am trying to get this to work on a ASUS RT-N66U.

--------------------------
--robocfg show info --
--------------------------
Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 1c:xx:xx:xx:xx:xx
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 78:xx:xx:xx:xx:xx
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8u

--------------------------
I have tried to follow the code and this what I have so far ...
--------------------------
#!/bin/sh

robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-prebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP


--------------------------
Final concern??
--------------------------
I am putting in /jffs/script/ as services-start and chmod it as a+rx.
For the script to run, only a reboot is required?


Any help will be greatly appreciated. And thanks in advance

I am a complete noob, and would like physical Port4 to be tied to guess network. I am trying to get this to work on a ASUS RT-N66U.

--------------------------
--robocfg show info --
--------------------------
Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 1c:xx:xx:xx:xx:xx
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 78:xx:xx:xx:xx:xx
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1 2 3 4 8t
2: vlan2: 0 8u

--------------------------
I have tried to follow the code and this what I have so far ...
--------------------------
#!/bin/sh

robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 10 ports "4 8t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-prebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP


--------------------------
Final concern??
--------------------------
I am putting in /jffs/script/ as services-start and chmod it as a+rx.
For the script to run, only a reboot is required?


Any help will be greatly appreciated. And thanks in advance

 

[thekfeeeeee]

Since the new release 384.13 now officially added AiMesh functionality, I was wondering what exactly would happen if we use this script to isolate a specific LAN-Port.
E.g., when two routers are in the mesh (say ac68u) and I want to isolate LAN-Port 4 using your method, will this actually cause the isolation of LAN-Port 4 on both routers?

 

[Nedyalko]

Just updating this thread with the working version of my script. I've also had success with using the Virtual Server / Port Forwarding feature, in the Asuswrt-Merlin GUI, to port forward to a computer on my Ethernet/LAN Port#4 Guest Network. To test it locally, you must use a Tor Browser or VPN, to come in from the Internet. Otherwise, the router seems to recognize the local interface and block access, as designed.

/jffs/scripts/firewall-start

# force LAN port 4 to use the Guest Network for RT-AC68U
robocfg vlan 1 ports "1 2 3 5t"
robocfg vlan 10 ports "4 5t"
vconfig add eth0 10
ifconfig vlan10 up
brctl addif br0 vlan10
ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP
ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP
ebtables -t filter -I FORWARD -i ! eth0 -o vlan10 -j DROP

Thank you very much for the script. It works fine. The device which is on LAN4 does not see the other PCs, MiniDLNA and Samba on the router.

Unfortunately, I noticed that I do not see the device on LAN4 anywhere in the ASUS webpage - it is missing in the clients list, Bandwidth Monitor, etc.

Can someone help me to adjust the script - I want the devices on LAN4 not to see only MiniDLNA, Samba on the router(192.168.10.1) and other PCs in the network. But I want to have access Devices on LAN4 from the devices on Wireless, LAN 1-3. Is it possible ?

In DDWRT I achieved this result with the following script:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i vlan3 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i vlan3 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i vlan3 -m state --state NEW -j DROP
iptables -I INPUT -i vlan3 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i vlan3 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i vlan3 -p tcp --dport 53 -j ACCEPT

 

[amplatfus]

Hi,

Please share, did you solve it?
I do not know if it is a current problem but I think you have to comment first this line:

ebtables -t filter -I FORWARD -i vlan10 -o ! eth0 -j DROP

Thank you,
amplatfus

 

[amplatfus]

Hi all,

I am trying for days to block SAMBA connections, but only initiated from one port to all IP's from entire network.
Could you please provide some help?

Thanks,
amplatfus

 

[amplatfus]

Hi all,

Please, how can I permit only one IIP to de a valid destination from VLAN10?
I think it is something like this, but ths is not working

ebtables -t filter -I FORWARD -i vlan10 -o 192.168.0.240 -j ACCEPT

only this is working, but I do not want to link vlan10 to entire network

ebtables -t filter -I FORWARD -i vlan10 -o vlan1 -j ACCEPT

Thank you very much. Any Idea is welcomed.
amplatfus

 

[TetterkeT]

ebtables -t broute -I BROUTING -p IPv4 -i vlan10 --ip-dst 192.168.1.0/24 --ip-proto tcp -j DROP

I am curious as to what this IP address (192.168.1.0/24) refers to. Is the internal network IP address of your router or just an arbitrary value?

My set up is slightly more complicated as I have 2 guest networks (one for guests and one for IoT devices). How do I identify which is which in my robocfg show? Is there any clear way to determine which vlan is associated with which network?

 

[amplatfus]

Hi,

In my case 192.168.1.0/24 is the internal network IP of my router.
I ended by doing somehow different, without custom vlan (because RT-AC88U is loosing connecteion to some LAN because have two switches and one of them doesn't allow edit vlan.

#for blocking port 21
ebtables -D INPUT -p ip4 --ip-protocol tcp --ip-source 192.168.1.240 --ip-destination 192.168.1.0/24 --ip-destination-port 21 -j DROP

But in my case is not working 100% because I have RT-AC88U with GMAC3 and because of it this rule is not working for some eth.

Good luck,
amplatfus

 

[amplatfus]

How do I identify which is which in my robocfg show? Is there any clear way to determine which vlan is associated with which network?

I think in this case you have search for something related to wl interface. Or I would connect to guest networks one by one and I would check the IP.
As far as I know in robocfg show you would obtain only LAN ports, not wlan. For interfaces you could do brctl show but you should see only wifi guest interface name, not the IP:

rootAC88U-9900:/tmp/home/root# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.3497f6229900    yes        vlan1
                            eth1

rootAC88U-9900:/tmp/home/root# robocfg show
Switch: enabled 
...
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 5 7 8t
   2: vlan2: 4 8u

Good luck!

 

[maghuro]

@Jack Yaz ~suggestion:

On YazFi, you can give an option to redirect one or many ethernet ports to be used as one of the guest networks (1-6).

let's say i'd want to use eth 1 and 2 with guest 1, and eth 3 with guest 4, for example.

 

[Lord Lovaduck]

I second the motion. If anybody has a hack script for this purpose, please share...
I have downloaded Yazfi's code and started looking at the output from ifconfig, iptables -S and -L to see how are things configured but haven't made much progress so far...

@Jack Yaz ~suggestion:

On YazFi, you can give an option to redirect one or many ethernet ports to be used as one of the guest networks (1-6).

let's say i'd want to use eth 1 and 2 with guest 1, and eth 3 with guest 4, for example.

 

[dbqandersons]

I realize this is an old thread, but I wanted to thank everyone who has contributed (especially @hardtotell who first opened it); I learned a lot about how to adapt what others have done to my own network needs This is what I put together for my firewall scripts to isolate my IoT devices that are on two netgear APs.

Cheers!

Bill Anderson

#!/bin/sh

# Isolate physical ports 1 and 2 (Negear 6120s configured as APs) to their own vlan (vlan12)
robocfg vlan 1 ports "3 4 5t"
robocfg vlan 12 ports "1 2 5t"
vconfig add eth0 12
ifconfig vlan12 up
brctl addif br0 vlan12

# Disallow anything from IoT vlan to main vlan
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-dst 10.xx.xx.0/24 -j DROP

# Poke holes for DHCP and DNS
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-proto udp --ip-dport 67:68 --ip-sport 67:68 -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 -i vlan12 --ip-proto udp --ip-dport 53 -j ACCEPT

# Allow anything from wawanakwa (windows PC that happens to live on the IoT network)
ebtables -t broute -I BROUTING -p IPv4 --ip-src 10.xx.xx.12 -j ACCEPT

# Poke holes for Passive FTP and RTSP from camera to my web server for my webcam site
ebtables -t broute -I BROUTING -p IPv4 --ip-proto tcp --ip-dst 10.xx.xx.10 --ip-src 10.xx.xx.107 --ip-dport 21  -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 --ip-proto tcp --ip-dst 10.xx.xx.10 --ip-src 10.xx.xx.107 --ip-dport 6666  -j ACCEPT
ebtables -t broute -I BROUTING -p IPv4 --ip-proto tcp --ip-dst 10.xx.xx.10 --ip-src 10.xx.xx.107 --ip-sport 554  -j ACCEPT

 

[silicon101]

Big Thank You to everyone from this old thread, especially hardtotell. On my AC66u, I was able to create private and guest vlan which work exactly as intended. Is there anyway for this to survive a router reboot or do you need to do anything to save the settings after you issue cmds in Putty?

 

[drinkingbird]

Big Thank You to everyone from this old thread, especially hardtotell. On my AC66u, I was able to create private and guest vlan which work exactly as intended. Is there anyway for this to survive a router reboot or do you need to do anything to save the settings after you issue cmds in Putty?

You will need to add your commands to a startup script or they will not survive a reboot.

Note this is a very old thread, since this time the newer firmware (386.x) actually creates separate VLANs and subnets for you if you use Guest Wireless 1, so it is pretty easy to just add a LAN port into one of the ones it creates (501, 502, and on some routers, 503). Personally I'm using 501 (2.4ghz guest) trunked out along with VLAN 1 to my outdoor 2.4ghz access point to extend both out to that (it supports VLANs by default). And using 502 for a wired guest port off the router for fixing peoples PCs or plugging in a box that I want to tinker with but block from my LAN.

On your router you should just be able to do something like (after enabling GW1 and rebooting):
robocfg vlan 1 ports "1 2 3 5t" - remove VLAN 1 from port 4
robocfg vlan 501 ports "4 5t" - add it to port 4 (note by default it is on all ports tagged, I think related to aimesh wired backhaul, if you aren't using that, removing it from the other ports, which this command will do, won't hurt anything). This also removes it from the WAN port 0 which causes issues with some ISPs.
killall eapd
eapd

Not sure if those last 2 lines are needed but have seen it in other configs. It seems to work without it but left it to be safe.
You can substitute 502 for 501 if you want to use the 5ghz guest range, doesn't matter. Or use both on two different ports to have two isolated networks.
The only catch with these VLANs is you can't pick the subnet that it uses, that seems to be hardcoded in. Well you could change it, but via script, not via GUI. I'm also not sure if these two subnets work with DHCP reservations as I have none on mine. Haven't tried it.

The above will move port 4 into the guest network and use the already configured subnet and DHCP for VLAN 501, already has ebtables/iptables rules in place, etc. The "access intranet" setting should apply automatically to your wired port too.

This is my setup on AC1900 (Same as AC68U and similar to 66U)
robocfg vlan 1 ports "1 2 3 5t" - Remove VLAN 1 from port 4
robocfg vlan 501 ports "1t 5t" - Trunk 2.4ghz guest to my AP via port 1 (along with untagged VLAN 1 above) and remove it from other ports. Actually I could skip this line since it is already tagged on all ports, but nice to not have it on the ports where it isn't needed. And I need to remove it from the WAN port 0 as my ISP is one of the ones that has a problem with this, so this accomplishes that too.
robocfg vlan 502 ports "4 5t" - Put 5ghz guest on port 4 for wired guest
killall eapd
eapd

Note port 5 is the CPU and all VLANs have to be tagged to that except WAN VLAN 2