Guest Network Pro using the same subnet - Replicating behavior from previous firmware

FernandoF

Regular Contributor
With the introduction of firmware 3006.102.x, many of us have been trying to understand what Guest Network Pro can and cannot do. In my particular case, the requirements for visitors using the guest network are the following:
  • Devices must use the same subnet as the main network
  • Devices must be able to access the internet
  • Devices must not be able to access the intranet
The above was easily achievable with previous versions of the firmware (3004.388.x, 386.x, etc.), by configuring Guest Networks #2 or #3 with Access Intranet disabled. With 3006.102.x, however, that doesn’t seem to be possible.

Despite my inexperience, after lots of reading and experimentation, I believe I’ve finally succeeded in replicating that behavior with 3006.102.4, which I’d like to share in case anybody has a similar use case. The starting point is a Customized Guest Network Pro with Use same subnet as main network enabled. I also have Set AP isolated enabled, although I suspect that setting is not doing anything. Then I had to manually (or using a script) set 4 "ebtables" firewall rules:

Code:
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.50.1 --ip-proto udp --ip-dport 53 -j ACCEPT     # Allows connections with udp protocol from the guest network to the router, via port 53, for DNS queries
ebtables -t broute -A BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.50.0/24 -j DROP                                 # Blocks connections with all other protocols from the guest network to the local network (intranet)
ebtables -A FORWARD -i wl0.1 -j DROP                                                                             # Blocks outgoing packets from the guest network
ebtables -A FORWARD -o wl0.1 -j DROP                                                                             # Blocks incoming packets to the guest network

service restart_firewall                                                                                         # Restarts the firewall

I hope this may help others (please adjust the subnet and guest network ID appropriately). I realize this approach may not be as tight as fully segregating the guest network with a different VLAN, but I still feel it's probably good enough.

Any comments or results will be greatly appreciated. Thanks in advance!
 
In my particular case, the requirements for visitors using the guest network are the following:
  • Devices must use the same subnet as the main network
  • Devices must be able to access the internet
  • Devices must not be able to access the intranet
Guess I'll ask the question. What is the use case where Guest Network Pro clients "must" use same subnet as main network but not have access to that main network's subnet intranet?

The use of a firewall-start scripting file in the /jffs/scripts/ directory to hold the four ebtables rules (rebooting the router after creating the firewall-start file) is the common method to have the rules load each time the router is booted or rebooted/restarted. There may be a similar way using "iptables" to accomplish the same as is being done with ebtables. There are a number of discussions on using firewall-start iptables scripting to accomplish certain actions that used to be possible using YazFi on the non Asus-Merlin 3006 firmware. A few prior discussions (there are more) to help people out if they're interested.

Edit to add: There have been other complaints about the 3006 firmware's Guest Network Pro Profile Access Intranet option not working as expected in certain use cases, both on stock Asus 3006 firmware and now Asus-Merlin firmware. It's one of the reasons why some view the Guest Network Pro feature as Beta and a work in progress that the end user is testing out for Asus.
 
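The four rules from the opening post, wrapped in the firewall-start script that the reply above suggests for persistence, as an added example (not the OP's or bennor's own script). It assumes the post's values (guest interface wl0.1, LAN 192.168.50.0/24, router 192.168.50.1) and adds one thing the manual commands lack: each rule is deleted before being appended, so the script can be re-run on every firewall restart without stacking duplicates.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start  (added example, not the OP's own script)
# Installs the four ebtables rules from the post so they survive reboots and
# "service restart_firewall", which re-runs firewall-start on Asuswrt-Merlin.
# Assumed values (adjust to your router): guest SSID interface wl0.1,
# LAN subnet 192.168.50.0/24, router address 192.168.50.1.
GUEST_IF="${GUEST_IF:-wl0.1}"
LAN_NET="${LAN_NET:-192.168.50.0/24}"
ROUTER_IP="${ROUTER_IP:-192.168.50.1}"
EBT="${EBT:-ebtables}"   # command to run; a test can point this at a stub

# One rule per line: "<table> <chain> <rule spec>", in the order they apply.
guest_rules() {
  printf '%s\n' \
    "broute BROUTING -p IPv4 -i $GUEST_IF --ip-dst $ROUTER_IP --ip-proto udp --ip-dport 53 -j ACCEPT" \
    "broute BROUTING -p IPv4 -i $GUEST_IF --ip-dst $LAN_NET -j DROP" \
    "filter FORWARD -i $GUEST_IF -j DROP" \
    "filter FORWARD -o $GUEST_IF -j DROP"
}

# Delete any identical rule first, then append: re-running the script on
# every firewall restart therefore never stacks duplicate rules. (-D is used
# rather than -C because older ebtables builds lack the -C check option.)
ensure_rule() {
  table=$1; chain=$2; shift 2
  "$EBT" -t "$table" -D "$chain" "$@" 2>/dev/null
  "$EBT" -t "$table" -A "$chain" "$@"
}

# Applies every rule and prints how many were installed (4 on success).
apply_guest_rules() {
  n=0
  while read -r table chain spec; do
    # $spec is intentionally unquoted so it splits into separate arguments
    ensure_rule "$table" "$chain" $spec && n=$((n + 1))
  done <<EOF
$(guest_rules)
EOF
  echo "$n"
}

# Only run automatically when invoked as the firewall-start hook itself.
case "$(basename -- "$0")" in
  firewall-start) apply_guest_rules >/dev/null ;;
esac
```

Because firewall-start is executed by the firmware on each firewall restart, the separate `service restart_firewall` step from the post is no longer needed after the file is in place and marked executable.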
Thanks for your feedback, @bennor. Let me try and provide responses to your questions and comments:

What is the use case where Guest Network Pro clients "must" use same subnet as main network but not have access to that main network's subnet intranet?
It's actually quite simple. Over the years, I've developed personal scripts to monitor my network usage, check and ensure full connectivity when one of the Dual WAN ISPs is down, etc. All of those assume the whole network is on the same subnet, with the guest network properly isolated from the main network, which was the standard behavior of all previous versions of the firmware (for non-AiMesh guest networks). I just don't have the time now to adjust all those scripts to consider different subnets.

There may be a similar way using "iptables" to accomplish the same as is being done with ebtables.
I did try, but could not achieve my goals with "iptables", maybe because of my inexperience. Is there any disadvantage to using "ebtables" instead?

There are a number of discussions on using firewall-start iptables scripting to accomplish certain actions that used to be possible using YazFi on the non Asus-Merlin 3006 firmware.
Thank you very much for listing those threads, which I did check during my investigation - all of them seem to indicate deficiencies of the Guest Network Pro. I couldn't find anyone with my particular use case though, so I decided to try and learn how to work around that myself. And as I seem to have succeeded, I thought I would share that with the community to potentially benefit others and also to get additional feedback.

There have been other complaints about the 3006 firmware's Guest Network Pro Profile Access Intranet option not working as expected in certain use cases, both on stock Asus 3006 firmware and now Asus-Merlin firmware.
I've checked several times, and I can't see the Access Intranet option with my Customized Guest Network Pro. I wonder if that setting is not available when Use same subnet as main network is enabled, which may reflect Asus' new approach to guest networks after the introduction of VLANs.

Thanks again for your comments.
 
Interesting approach. I've been toying with making a special gnp for just my wireless printer and then using scripts to add one way access from both main and the guest network. I might try this technique. Thanks.
 
I've checked several times, and I can't see the Access Intranet option with my Customized Guest Network Pro. I wonder if that setting is not available when Use same subnet as main network is enabled, which may reflect Asus' new approach to guest networks after the introduction of VLANs.
Very possible. Attached is an example of the IoT Guest Network Pro Profile with Access Intranet option. When this profile was initially created Use same subnet as main network was disabled.
 

Attachments
  • IoT_SDN.jpg
