

Guest Network in Access Point Mode

Discussion in 'ASUS N Routers & Adapters' started by WJKramer, Apr 8, 2012.

  1. WJKramer

    WJKramer Occasional Visitor

    Joined:
    Apr 8, 2012
    Messages:
    15
    n00b! Hi all...love the site. Learning so much!

    Questions for the experts...I am not a forum n00b though....I did search first!

    I just purchased the ASUS RT-N66U "Dark Knight" but let me tell you about my set up first. I have 35/35Mbs Verizon FiOS fiber to the door. It runs Coaxial through my home to the crap Verizon Actiontech M1424WR Modem/WiFi Router. I have disabled the wireless G function. I then bridge, up a floor in my home, via Belkin Powerline AV500s to my new ASUS Dark Knight (stupid name) router. I run a 2.4 and 5.0GHz network simultaneously. I need the FiOS modem on the bottom floor so I can hardwire my desktop computer but I wanted the WiFi access point on the middle floor for best penetration (that's what she said) after much testing.

    Question 1: When I run a 2.4GHz Guest network with no INTRANET access I can connect to it but get no INTERNET access. Does this have something to do with me running it as an access point and not in router mode?

    Question 2: Under advanced wireless settings and the professional tab is the Tx Power adjustment. The help says between 0-100mW but the note below says 500mW max. Also I can't seem to get the 5.0GHz up past 250mW. What are some recommended settings?

    I am running firmware version 3.0.0.3.108. Thanks in advance!
     
  2. overdrive31

    overdrive31 Senior Member

    Joined:
    Aug 21, 2008
    Messages:
    351
    In AP mode you lose all the bells and whistles that router mode provides; all you get is a single SSID per radio that functions correctly.
     
  3. WJKramer

    WJKramer Occasional Visitor

    Joined:
    Apr 8, 2012
    Messages:
    15
    So....is there any way to change my setup to allow this to work? Problem is it comes into my home via coax and the Verizon modem has to do the conversion work. Any ideas appreciated.
     
  4. overdrive31

    overdrive31 Senior Member

    Joined:
    Aug 21, 2008
    Messages:
    351
    Why is it so critical to have a guest SSID?

    1. You can use another old router as an AP to make another SSID available.

    2. You could move the Verizon router upstairs, bridge it (will lose FiOS TV media guide and other features if you have it) or deal with double NAT when using the ASUS as a router and plug in the desktop downstairs over the powerline network. That's if all devices need to be on the same subnet.

    3. You can use the ASUS as a router upstairs, it will be double NAT though. This will also put everything using the ASUS on a separate subnet, however.

    4. I don't normally recommend it, but since the router features you're wanting get disabled by simply turning off DHCP and you can feasibly run two DHCP servers on one network, I guess it can be an option. You will need to have each router serve a different pool of IP addresses within the subnet. For example:

    Verizon:
    LAN IP: 192.168.1.1
    DHCP pool: 192.168.1.155-192.168.1.254

    ASUS:
    LAN IP: 192.168.1.2
    DHCP pool: 192.168.1.55-192.168.1.154

    This setup would make use of the current wiring configuration (the connection to the ASUS should stay on a LAN port), all that should need changing is probably just settings on the ASUS, mainly turning DHCP back on and changing the DHCP pool to not overlap the Verizon DHCP pool.
     
    Last edited: Apr 9, 2012
  5. starfall

    starfall Occasional Visitor

    Joined:
    Nov 4, 2014
    Messages:
    19
    Actually you can make it work with Asuswrt-Merlin (I tested this on a RT-AC68U and RT-AC56U). As the guest access separation is handled by ebtables, you need to put the following ebtables config into your secondary AP -

    ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
    ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
    ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT

    Where xx:xx:xx:xx:xx:xx is the MAC address of the primary router's LAN interface (br0).

    In short, this will allow the secondary AP guest networks to send broadcast traffic to your LAN for ARP and DHCP, and it will allow your router's LAN interface to communicate with guest users on your AP. By inserting the rules at the front of the FORWARD chain, the traffic will be allowed before it hits the DROP rules that do the guest separation -

    -i wl0.1 -j DROP
    -o wl0.1 -j DROP
    -i wl1.1 -j DROP
    -o wl1.1 -j DROP
     
    Last edited: Nov 4, 2014
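As an added illustration (not code from the thread, nor from Asuswrt-Merlin), the following Python model walks an ebtables-style FORWARD chain with first-match semantics to show why the three ACCEPT rules above have to be inserted at position 1: build the same chain with the ACCEPTs appended instead, and every guest frame, including the ARP/DHCP broadcasts and the frames to and from the upstream router, lands on a DROP rule first. The MAC addresses, the vlan1 uplink interface name and the sample frames are constructed, and the chain policy is assumed to be ACCEPT. It models only frames that the Linux bridge actually forwards; traffic between two clients of the same guest SSID is relayed inside the wireless driver and never reaches this chain, which is consistent with post #10 needing `wl ap_isolate` on top of these rules.

```python
# Added example (not from the thread): a first-match model of an ebtables
# FORWARD chain, used to show what "ebtables -I FORWARD 1" does to rule order.
# MAC addresses, interface names and frames below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    in_if: str    # bridge port the frame arrived on
    out_if: str   # bridge port it would be forwarded to
    src: str      # source MAC
    dst: str      # destination MAC


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    in_if: Optional[str] = None   # -i
    out_if: Optional[str] = None  # -o
    src: Optional[str] = None     # -s
    dst: Optional[str] = None     # -d ("Broadcast" is ebtables shorthand)

    def matches(self, f: Frame) -> bool:
        dst = BROADCAST if self.dst == "Broadcast" else self.dst
        checks = ((self.in_if, f.in_if), (self.out_if, f.out_if),
                  (self.src, f.src), (dst, f.dst))
        return all(cond is None or cond == value for cond, value in checks)


class ForwardChain:
    """Rules are tried top to bottom; the first match decides. A frame that
    matches nothing gets the chain policy (assumed ACCEPT here)."""

    def __init__(self, policy: str = "ACCEPT"):
        self.rules: List[Rule] = []
        self.policy = policy

    def insert(self, position: int, rule: Rule) -> None:
        # ebtables -I FORWARD <n>: the new rule becomes rule number n (1-based)
        # and pushes the existing rules down, so -I FORWARD 1 always prepends.
        self.rules.insert(position - 1, rule)

    def append(self, rule: Rule) -> None:
        # ebtables -A FORWARD: rule goes to the end of the chain.
        self.rules.append(rule)

    def verdict(self, f: Frame) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.target
        return self.policy


def build_chain(upstream_mac: str, guest_ifs=("wl0.1", "wl1.1"),
                insert_front: bool = True) -> ForwardChain:
    """Start from the firmware's guest-separation DROP rules, then add the
    three ACCEPT rules from post #5 either with -I FORWARD 1 (insert_front)
    or with -A, in the order the post lists them."""
    chain = ForwardChain()
    for ifname in guest_ifs:
        chain.append(Rule("DROP", in_if=ifname))
        chain.append(Rule("DROP", out_if=ifname))
    accepts = [Rule("ACCEPT", dst="Broadcast"),
               Rule("ACCEPT", src=upstream_mac),
               Rule("ACCEPT", dst=upstream_mac)]
    for r in accepts:
        if insert_front:
            chain.insert(1, r)
        else:
            chain.append(r)
    return chain


ROUTER = "02:00:00:00:00:01"   # constructed: upstream router's br0 MAC
LAN_PC = "02:00:00:00:00:10"   # constructed: a wired LAN client
GUEST = "02:00:00:00:00:20"    # constructed: a client on the guest SSID
SAMPLE_FRAMES: Dict[str, Frame] = {
    "guest->router":    Frame("wl0.1", "vlan1", GUEST, ROUTER),   # DHCP reply path, gateway
    "router->guest":    Frame("vlan1", "wl0.1", ROUTER, GUEST),
    "guest->broadcast": Frame("wl0.1", "vlan1", GUEST, BROADCAST),  # ARP/DHCP discover
    "guest->lan_pc":    Frame("wl0.1", "vlan1", GUEST, LAN_PC),
    "lan_pc->guest":    Frame("vlan1", "wl0.1", LAN_PC, GUEST),
}


def verdicts(chain: ForwardChain) -> Dict[str, str]:
    """Verdict of the chain for each constructed sample frame."""
    return {name: chain.verdict(f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for front in (True, False):
        chain = build_chain(ROUTER, insert_front=front)
        print("ACCEPT rules", "inserted at 1:" if front else "appended:")
        for n, r in enumerate(chain.rules, 1):
            print(f"  {n}: {r}")
        for name, v in verdicts(chain).items():
            print(f"  {name:18} {v}")
```

Run it and the first listing shows the three ACCEPT rules in reverse of the order the commands were typed (each `-I FORWARD 1` lands in front of the previous one), with guest-to-LAN-host traffic dropped in both directions while broadcasts and the upstream router's frames pass; the second listing shows that the same rules appended after the DROPs never get a chance to match.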
  6. DashonB

    DashonB New Around Here

    Joined:
    Apr 18, 2015
    Messages:
    1
    Location:
    Maryland
    I am trying to do the same thing. I have Verizon FiOS modem and 2 RT-N66U devices. I would like the FiOS Modem to handle DHCP yet have guest access on both RT-N66U devices. This is because I am in a large building and need to extend wireless to the lower level and still have access to the resources on the top level.

    Would I enter the commands by SSH? I am not a networking guy so any help is great!!!
     
  7. P_R

    P_R New Around Here

    Joined:
    Dec 13, 2015
    Messages:
    4
    Hi,

    Was the secondary AP running in Router mode or AP mode out of interest? Reason I ask is that in AP mode, you seem to lose the separation functionality.

    P.

     
  8. argeri

    argeri Occasional Visitor

    Joined:
    Jan 17, 2017
    Messages:
    26
    Can anyone explain how to do this? Thanks in advance

     
  9. gpz1100

    gpz1100 Regular Contributor

    Joined:
    Aug 31, 2015
    Messages:
    81
    A bit late to this party but I too am having difficulty isolating the guest network hosts (wl0.1) from each other when used as an access point. From the instructions in post #5 and a few other threads I came up with the following:

    *Note* guest lan is on vlan4, not vlan1. Bridge br1 couples wl0.1 and vlan4.

    Code:
    ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
    ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
    ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT
    ebtables -I FORWARD 4 -i wl0.1 -j DROP
    ebtables -I FORWARD 5 -o wl0.1 -j DROP
    The xxx is replaced with the lan mac of the upstream firewall/router. It seems no blocking is taking place. Able to ping and view network shares of wireless guests on the wl0.1 network.

    When used by themselves, the last 2 lines above do block all traffic on wl0.1, including traffic destined to the upstream firewall/router.

    I'm open to suggestions.
     
  10. gpz1100

    gpz1100 Regular Contributor

    Joined:
    Aug 31, 2015
    Messages:
    81
    I think I made some progress.

    Using the entries below, I now have guest isolation between wifi guests as well as lan clients who are on the guest vlan. Why would a wired client be on the guest vlan? So that they too could be isolated from the rest of the network.

    Code:
    #enable wifi guest isolation (for wifi clients only, not lan)
    wl -i wl0.1 ap_isolate 1
    
    #block lan access too
    ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
    ebtables -I FORWARD 1 -s xx:xx:xx:xx:xx:xx -j ACCEPT
    ebtables -I FORWARD 1 -d xx:xx:xx:xx:xx:xx -j ACCEPT
    ebtables -I FORWARD 4 -i wl0.1 -j DROP
    ebtables -I FORWARD 4 -o wl0.1 -j DROP
    
    The key is the wl command. Found it in this post - https://www.snbforums.com/threads/guest-network-working.10913/#post-68570 . It seems setting nvram variables to do the same didn't work. This does. The 2nd set of entries blocks the lan access.

    I've tested this with several different wired and wireless clients as well as a combination. It would be great if someone else could confirm my results. Again keep in mind, the RT is only acting as an AP for an upstream firewall (utm). AND, the guest network is on vlan4. Something else I discovered, if there's multiple AP's (I have 2), this has to be run on each one otherwise isolation is broken.

    My goal in setting this was for several reasons - guest wifi access without any access to the local lan, IoT devices that should just have limited internet access (specific ports and/or destinations, nothing more, controlled by the firewall).
     
  11. burntoc

    burntoc Occasional Visitor

    Joined:
    Sep 20, 2015
    Messages:
    12
    This is great. I want to do something very similar on my 2 AC68Us. A few questions if you have a moment:

    • If I don't care about isolating the wireless clients from each other, just keep them from my intranet on the unit in AP mode, I just remove that wl line and use the rest?
    • How do I specify the guest wifi should use vlan4? My robocfg show indicates no vlan4 so I guess I need to define it but I'm unsure how and which ports to include and which if any are tagged
    • Do I just put this on the AP mode unit or do I use it on the router mode unit as well? I'm guessing doing it on both wouldn't hurt anything, but unsure.
    Thanks much!


     
  12. gpz1100

    gpz1100 Regular Contributor

    Joined:
    Aug 31, 2015
    Messages:
    81
    1) That is correct

    2) I posted this script in one of the vlan threads, but here's my services-start script again. Vlan definition occurs in the lines prior to nvram definitions. I have parts of vlan 5 defined but haven't started using it yet. Tagged or untagged is a topic for another thread. It really depends on what your goals are. It took lots of time to get my head wrapped around proper format of the robocfg lines. Of the 3 routers, 2 are in AP mode while the third has its wifi turned off entirely. All 3 are used to carry various vlan traffic. My network is not a star configuration, but rather serial/daisy chained APs used as smart switches.

    Eventually I'll refine the robocfg lines to consolidate vlan traffic to fewer ports.

    3) Probably both if you want the isolations to remain regardless of which router the guest is connected to. Or you could just define the guest network on one AP only. In my case all are in AP mode because another piece of hardware handles the routing/firewall/dhcp/dns/etc functions.

    Code:
    /jffs/scripts# cat services-start
    #!/bin/sh
    
    #create vlan 1,3,4
    
    /usr/sbin/robocfg vlan 3 ports "0t 1t 2t 3t 4t 5t"
    /usr/sbin/robocfg vlan 1 ports "0 1 2 3 4 5t"
    /usr/sbin/robocfg vlan 4 ports "0t 1t 2t 3t 4t 5t"
    /usr/sbin/robocfg vlan 5 ports "0t 1t 2t 3t 4t 5t"
    
    #add vlan 3, 4,5 to eth0
    /sbin/vconfig add eth0 3
    /sbin/vconfig add eth0 4
    /sbin/vconfig add eth0 5
    
    #bring vlan 3 and 4 up
    /sbin/ifconfig vlan3 up
    /sbin/ifconfig vlan4 up
    /sbin/ifconfig vlan5 up
    
    brctl addbr br1
    brctl delif br0 wl0.1
    brctl addif br1 wl0.1
    #brctl delif br0 wl1.1
    #brctl addif br1 wl1.1
    brctl addif br1 vlan4
    ifconfig br1 up
    
    
    nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
    nvram set lan_ifname="br0"
    
    nvram set lan1_ifnames="vlan4 wl0.1"
    nvram set lan1_ifname="br1"
    nvram set wl0.1_closed=1
    
    
    #nvram commit
    killall eapd
    eapd
    
    
    #enable wifi guest isolation (for wifi clients only, not lan)
    wl -i wl0.1 ap_isolate 1
    
    #block lan access to/from wifi guests
    ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
    ebtables -I FORWARD 1 -s 00:50:56:2e:33:02 -j ACCEPT
    ebtables -I FORWARD 1 -d 00:50:56:2e:33:02 -j ACCEPT
    ebtables -I FORWARD 4 -i wl0.1 -j DROP
    ebtables -I FORWARD 4 -o wl0.1 -j DROP
    
    
    #start of entware loading
    RC='/opt/etc/init.d/rc.unslung'
    
    i=30
    until [ -x "$RC" ] ; do
      i=$(($i-1))
      if [ "$i" -lt 1 ] ; then
        logger "Could not start Entware"
        exit
      fi
      sleep 1
    done
    $RC start
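burntoc's question about which ports to include and which are tagged is easier to answer from a per-port view than from the per-VLAN robocfg lines. The following Python script is an added example, not part of the thread or of Asuswrt-Merlin: it parses `robocfg vlan N ports "..."` lines into a table of which VLANs each switch port carries tagged and untagged, and flags any port that is listed untagged in more than one VLAN (untagged ingress frames can only be assigned to one VLAN, so that is almost always a mistake). It understands only the two port forms the script above uses, a bare port number for untagged and a trailing `t` for tagged, and rejects anything else rather than guessing at it; the four vlan lines embedded in it are a constructed copy of the ones in the post.

```python
# Added example (not from the thread): parse robocfg "vlan N ports" lines into
# a per-port tagged/untagged membership table. Only the two port forms used in
# the services-start script above are accepted: "3" (untagged) and "3t" (tagged).
import re
from typing import Dict, List, Tuple

ROBOCFG_LINE = re.compile(r'robocfg\s+vlan\s+(\d+)\s+ports\s+"([^"]*)"')
PORT_SPEC = re.compile(r"^(\d+)(t?)$")

# Constructed copy of the four robocfg lines from the script above.
SAMPLE_SCRIPT = """\
/usr/sbin/robocfg vlan 3 ports "0t 1t 2t 3t 4t 5t"
/usr/sbin/robocfg vlan 1 ports "0 1 2 3 4 5t"
/usr/sbin/robocfg vlan 4 ports "0t 1t 2t 3t 4t 5t"
/usr/sbin/robocfg vlan 5 ports "0t 1t 2t 3t 4t 5t"
"""


def parse_robocfg(script: str) -> Dict[int, List[Tuple[int, bool]]]:
    """Return {vlan: [(port, tagged), ...]} for every robocfg vlan line found.
    Any port spec other than <number> or <number>t raises ValueError."""
    vlans: Dict[int, List[Tuple[int, bool]]] = {}
    for m in ROBOCFG_LINE.finditer(script):
        vlan = int(m.group(1))
        members = []
        for spec in m.group(2).split():
            pm = PORT_SPEC.match(spec)
            if not pm:
                raise ValueError(f"vlan {vlan}: unsupported port spec {spec!r}")
            members.append((int(pm.group(1)), pm.group(2) == "t"))
        vlans[vlan] = members
    return vlans


def port_table(vlans: Dict[int, List[Tuple[int, bool]]]) -> Dict[int, Dict[str, List[int]]]:
    """Invert the per-VLAN view into {port: {"untagged": [...], "tagged": [...]}}."""
    table: Dict[int, Dict[str, List[int]]] = {}
    for vlan, members in vlans.items():
        for port, tagged in members:
            entry = table.setdefault(port, {"untagged": [], "tagged": []})
            entry["tagged" if tagged else "untagged"].append(vlan)
    for entry in table.values():
        entry["untagged"].sort()
        entry["tagged"].sort()
    return table


def check_untagged(table: Dict[int, Dict[str, List[int]]]) -> List[str]:
    """Flag ports that are untagged members of more than one VLAN: untagged
    frames arriving on a port can only be placed in a single VLAN."""
    problems = []
    for port, entry in sorted(table.items()):
        if len(entry["untagged"]) > 1:
            problems.append(f"port {port}: untagged in VLANs {entry['untagged']}")
    return problems


if __name__ == "__main__":
    table = port_table(parse_robocfg(SAMPLE_SCRIPT))
    for port, entry in sorted(table.items()):
        print(f"port {port}: untagged {entry['untagged']}  tagged {entry['tagged']}")
    for line in check_untagged(table) or ["no port is untagged in more than one VLAN"]:
        print(line)
```

On the script above it reports ports 0 to 4 as untagged in vlan1 and tagged in vlan3, vlan4 and vlan5, and port 5 as tagged in all four, which lines up with the `vconfig add eth0 3/4/5` lines that stack the tagged VLAN interfaces on eth0. Feed it a different services-start (for example one where a port was accidentally left untagged in two VLANs) and `check_untagged` names the port.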
    
     
  13. burntoc

    burntoc Occasional Visitor

    Joined:
    Sep 20, 2015
    Messages:
    12
    Thank you very much!
     
  14. VinnieT

    VinnieT New Around Here

    Joined:
    Dec 11, 2017
    Messages:
    5
    GPZ and others, thanks for the code! If I only had 2 routers in total (one router set up as an AP connected through its WAN port to the main router) and I wanted to just use guest isolation would my services-start look like this?

    Code:
    #enable wifi guest isolation (for wifi clients only, not lan)
    wl -i wl0.1 ap_isolate 1
    
    #block lan access to/from wifi guests
    ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
    ebtables -I FORWARD 1 -s 00:50:56:2e:33:02 -j ACCEPT
    ebtables -I FORWARD 1 -d 00:50:56:2e:33:02 -j ACCEPT
    ebtables -I FORWARD 4 -i wl0.1 -j DROP
    ebtables -I FORWARD 4 -o wl0.1 -j DROP
    
    I know your services-start file does more but I'm just looking to utilize the guest network isolation on the AP and I wanted to make sure I understood it correctly.

    Thanks!
     
  15. gpz1100

    gpz1100 Regular Contributor

    Joined:
    Aug 31, 2015
    Messages:
    81
    ^^You would need to update the mac addresses to reflect the lan mac of the upstream router. Aside from that I think that's all you'd need.

    I think you may need to restart the wifi security too. I can't remember if that was necessary because I moved wl0.1 from br0 to br1 (different vlan).

    Code:
    killall eapd
    eapd
    
    Keep in mind, with the code you posted, wl0.1 clients will be isolated from each other and from accessing the lan, but lan (wired) clients will still be able to see/access the guest clients. So it's not a total isolation from the wired perspective. That's why I think putting the guest network on a separate vlan results in complete isolation from wired clients [on default vlan (vlan1)].
     
  16. VinnieT

    VinnieT New Around Here

    Joined:
    Dec 11, 2017
    Messages:
    5
    Thanks for the quick response GPZ! All the IoT devices I'm trying to isolate are wireless so I can't think of a case where I'd need to protect wired lan clients from seeing/accessing wireless guest network clients but if I did how would the code change?

    I'm trying to learn this as I haven't done much cli with routers. Should I create the guest network (GUI) on the AP before submitting the code?
     
  17. gpz1100

    gpz1100 Regular Contributor

    Joined:
    Aug 31, 2015
    Messages:
    81
    It might be possible to block access to wireless guests from wired using ebtables or iptables. Neither of which I'm versed in. Setting up vlans was the next best alternative. This was already a necessity for several wired IOT devices anyway. Sophos utm allows for really granular firewall control over much of the network. Implementing this on a vlan basis is much easier than specifying client specific rules. For example, the 2 obi devices are on their own vlan (vlan 3). That vlan only has internet access to ports needed for voip/google voice access, nothing else. Adding a future ata will just require placing it in the proper vlan.

    The guest wifi vlan only has access to http/https, nothing else.

    Post exactly what you're trying to accomplish. We can try to make suggestions. I chose using a separate firewall/router device because it allows much greater control over the network, better reporting, increased vpn speed, etc.

    Yes, guest network(s) are created within the GUI.
     
  18. Empassant18

    Empassant18 New Around Here

    Joined:
    Nov 13, 2018
    Messages:
    8
    Hello, All. I have been doing research and following this thread. Thanks for getting me most of the way to where I am trying to go:

    Block wireless guest access on my access point (I have two Asus routers - one in router mode and one in AP mode). I have guest access on each but the AP was allowing access to the LAN. I fixed that by implementing the following in my "services-start" script.

    However, I can still access the IP addresses of the router and the AP from the guest, but everything else on the LAN is blocked. Here is the code I am using in the script. Please tell me what I should add to block access to the router and access point:

    Code:
    #!/bin/sh
    #nvram commit
    killall eapd
    eapd
    #enable wifi guest isolation (for wifi clients only, not lan)
    wl -i wl0.1 ap_isolate 1
    #block lan access to/from wifi guests
    ebtables -I FORWARD 1 -d Broadcast -j ACCEPT
    ebtables -I FORWARD 1 -s XX:XX:XX:XX:XX:XX -j ACCEPT
    ebtables -I FORWARD 1 -d XX:XX:XX:XX:XX:XX -j ACCEPT
    ebtables -I FORWARD 4 -i wl0.1 -j DROP
    ebtables -I FORWARD 4 -o wl0.1 -j DROP
    #start of entware loading
    RC='/opt/etc/init.d/rc.unslung'
    i=30
    until [ -x "$RC" ] ; do
      i=$(($i-1))
      if [ "$i" -lt 1 ] ; then
        logger "Could not start Entware"
        exit
      fi
      sleep 1
    done
    $RC start

    Where XX:XX:XX:XX:XX:XX is the MAC of the main router's LAN br0.

    Please assist and thanks in advance.