Guest Network Question

bisk

I have an RT-AC66U and I would like to setup two separate Guest Networks. One will be for my kids and their friends and it will not have access to the local intranet so that anything malicious that may be on one of their devices won't be able to infect my stuff. The second will be for my wireless printer (HP Color LaserJet Pro MFP M277dw). I would like to be able to print from both my kids' guest network as well as the local intranet. Is there a way that I can setup the guest network for the printer to allow this?
 
If wishes were fishes, we'd all cast nets, eh?

Perhaps you want too much from a consumer BHR - can be done, but it's complicated, and you won't remember 6 months from now how you did it.

Perhaps reconsider your needs - is your printer so private/security concern? If so, find another printer...
 
The issue is not security with my printer, but keeping my kids' stuff separate in the event that they get a virus, malware or ransomware on one of their devices. Perhaps there's another way to accomplish what I'm looking to do?

I've been looking at other printers in the same price range and it seems that all will disable their WiFi as soon as an Ethernet cable is plugged in. So my plan to use Ethernet for the Intranet and WiFi to connect to their Guest Network doesn't appear to be an option. Is there another way that I can make the printer available to the Intranet as well as a Guest Network with no access to the Intranet?
 
My Epson printer is connected to a desktop via USB and the WIFI. Both work. So, in theory, you may be able to connect the printer to a desktop via USB and share the printer through the desktop on the main LAN and then connect the printer WIFI to the guest WIFI. However, this could be moot if the guest network isolates the clients. Some routers do this but not sure about Asus.
If you are worried about your kids getting malware switch their PCs to Linux. You do have the right to control where they surf.
 
With the Kids - set up the secondary (Guest) SSID with a good passphrase and AP Isolation - between the VLAN that is created by the guest network and isolating the clients - access to the internet is there, and even if one of their friends is on the Guest WLAN, they're sandboxed because of the AP isolation - so that takes care of that...

What printer (vendor/model) - you might have some options there using Cloud options (HP ePrint or Google Cloud Print as an example) - AirPrint wouldn't be an option likely, as the printer would have to be on the same subnet and AP isolation would also break things there...

(simpler option maybe is pick up a cheap printer for them and connect it via USB when they need to print)
 
I use a GuestPrinter.sh script to add/remove printers to be shared by Guest WiFi clients.

Code:
#!/bin/sh

#====================================================================================================
#
# Add / remove LAN printer access to Guest WiFi
#
#   e.g.    GuestPrinter.sh     [help| wifi_interface | ssid ] [printer IP1 [printer IP2] | remove ] [ remove ]
#
#           GuestPrinter.sh     wl1.1 10.88.8.131
#                               Add printer 10.88.8.131 to 5GHz Wifi Guest #1
#           GuestPrinter.sh     br2g24 10.88.8.131
#                               Add printer 10.88.8.131 to SSID BR2G24 (could be 2.4GHz Wifi Guest #2! )
#           GuestPrinter.sh     wl1.1 10.88.8.131 remove
#                               Remove printer 10.88.8.131 from 5GHz Wifi Guest #1
#           GuestPrinter.sh     wl0.3 10.88.8.131 10.88.8.132
#                               Add printers 10.88.8.131 and 10.88.8.132 to 2.4GHz Wifi Guest #3

#
# Print from the line beginning with '#==' to the first blank line inclusive
ShowHelp() {
    awk '/^#==/{f=1} f{print; if (!NF) exit}' "$0"
}

# Log a tagged message to syslog and to the terminal
Say() {
    logger -st "($(basename "$0"))" $$ "$@"
}

Say "Martineau Guest WiFi Printer configuration Starting." "[$*]"

# Help request ?
if [ "$1" = "help" ] || [ "$1" = "-h" ]; then        # Show help
    ShowHelp
    exit 0
fi

if [ -z "$1" ]; then
    Say " **ERROR** Missing arg e.g. wl0.2 or SSID"
    echo -e "\a "
    exit 99
fi

# Resolve the Guest WiFi interface from arg 1 (either the interface name or its SSID)
case "$1" in
    wl0.*|wl1.*)
        WIFI_IF=$1
        ;;
    *)
        # A Guest WiFi SSID was specified (rather than the actual Guest WiFi interface);
        # nvram lists it as e.g. 'wl0.1_ssid=BR2G24', so the interface is the text before '_ssid'
        WIFI_VAR=$(nvram show 2> /dev/null | grep "_ssid=" | grep -e "^wl[0-1]\." | grep -i "_ssid=$1\$" | head -n 1)
        if [ -z "$WIFI_VAR" ]; then
            echo -e "\a"
            Say "**ERROR** Guest WiFi SSID" "$1" "not found"
            echo -e " "
            exit 95
        fi
        WIFI_IF=${WIFI_VAR%%_ssid*}
        ;;
esac
shift

# Everything after arg 1 is a printer IP, except the keyword 'remove' which selects the action
ACTION=add
PRINTERS=
for ARG in "$@"; do
    if [ "$ARG" = "remove" ]; then
        ACTION=remove
    else
        PRINTERS="$PRINTERS $ARG"
    fi
done
PRINTERS=${PRINTERS# }
# Set default LAN printer list
[ -z "$PRINTERS" ] && PRINTERS="10.88.8.131 10.88.8.132"        # <<=== Set DEFAULT!!!!!!

SSID=$(nvram get "${WIFI_IF}_ssid")
if [ -z "$SSID" ]; then
    echo -e " "
    Say " **ERROR** Guest WiFi" "$WIFI_IF" "interface doesn't have a SSID?"
    echo -e "\a"
    exit 99
fi

# ifconfig only lists interfaces that are up, so a disabled Guest WiFi won't appear
if ! ifconfig | grep -q "^$WIFI_IF[[:space:]]"; then
    echo -e "\a "
    Say "**ERROR** Guest WiFi SSID:" "$SSID" "($WIFI_IF) not ENABLED!!"
    echo -e " "
    exit 98
fi

# Check if 'Access Intranet' is currently blocked i.e. there are usually 2 rules (-i and -o) if LAN (intranet) is blocked!
RULE_CNT=$(ebtables -t filter -L FORWARD | grep -c "$WIFI_IF -j DROP")
#Say "**DEBUG** intranet ebtables rule count:" "$RULE_CNT"
if [ "$RULE_CNT" != 2 ]; then
    echo -e "\a"
    Say "**ERROR** Guest WiFi SSID:" "$SSID" "($WIFI_IF) already has intranet access!"
    exit 97
fi

# Allow the Guest WiFi to access the LAN printers...
#
# e.g. 2.4GHz Wifi Guest #2 is given access to the printer on 10.88.8.131
#
#        ebtables -I FORWARD -p IPv4 -i wl0.2 --ip-dst 10.88.8.131 --ip-proto tcp -j ACCEPT
#        ebtables -I FORWARD -p IPv4 -o wl0.2 --ip-src 10.88.8.131 --ip-proto tcp -j ACCEPT
#
# '-I' inserts at the top of the chain so the ACCEPT rules are evaluated before the firmware's DROP rules.
# Note: the rules match IPv4 TCP only; ARP and ICMP (ping) between the Guest WiFi and the printer
# are not covered by them and stay subject to the interface DROP rules.

for PRINTER in $PRINTERS; do
    # Delete any existing pair first so repeated runs do not stack duplicate rules
    ebtables -D FORWARD -p IPv4 -o "$WIFI_IF" --ip-src "$PRINTER" --ip-proto tcp -j ACCEPT 2> /dev/null > /dev/null
    ebtables -D FORWARD -p IPv4 -i "$WIFI_IF" --ip-dst "$PRINTER" --ip-proto tcp -j ACCEPT 2> /dev/null > /dev/null
    if [ "$ACTION" = "remove" ]; then
        echo -e " "
        Say "Martineau Guest WiFi SSID:" "$SSID" "($WIFI_IF) Printer" "$PRINTER" "access removed..."
    else
        ebtables -I FORWARD -p IPv4 -o "$WIFI_IF" --ip-src "$PRINTER" --ip-proto tcp -j ACCEPT
        ebtables -I FORWARD -p IPv4 -i "$WIFI_IF" --ip-dst "$PRINTER" --ip-proto tcp -j ACCEPT
        echo -e "  "
        Say "Martineau Guest WiFi SSID:" "$SSID" "($WIFI_IF) Printer" "$PRINTER" "access allowed..."
    fi
done

echo -e " "
Say "Martineau Guest WiFi Printer configuration Complete."
 
While my kids are grown, I have considerable HA/IoT in the house along with a NAS. I put guests, our phones, tablets and my kids devices on the guest vlan. The house PCs, NAS, IoT and my tablet have access to the internal LAN.

To support shared printing on HP, I use their cloud print.
http://support.hp.com/us-en/document/c02817255

My HP Printer is plugged in to a router port.

Paul
 
@Martineau Thank you for sharing this script! Is this posted script the most recent version? I'm receiving a
Code:
./GuestPrinter.sh: line 65: syntax error: unexpected word (expecting "fi")
error when I run
Code:
 ./GuestPrinter.sh wl0.1 10.0.24.200
Any guidance would be greatly appreciated!
 
Did you create/save the script with the correct End of Line (EOL) characters i.e. Unix LF rather than the Windows CRLF?

Try
Code:
dos2unix /jffs/scripts/GuestPrinter.sh

P.S. I think I did tweak v1.02 to add a 'status' command...but never published it.
 
@Martineau Thank you for the reply! I ssh-ed into the router and created the script using nano. A copy and paste of your posted script above is all that was done. That resulted in the error posted above. For future readers, I had success creating the file locally and copying it to the router.
Code:
scp GuestPrinter.sh danofun@10.0.24.1:/jffs/scripts/
login via ssh then:
Code:
dos2unix /jffs/scripts/GuestPrinter.sh
chmod +x /jffs/scripts/*
Thanks again for the script! If you wouldn't mind updating the above to v1.02 to include the 'status' code that would be appreciated.
 
@Martineau I fear this script is obsolete. I've successfully run the script with guest lan wl0.1 and IP 10.0.24.200 and the ebtables seem to be added correctly
Code:
danofun@RT-AC56U-DA08:/tmp/home/root# ebtables --list
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 10.0.24.200 --ip-proto tcp -j ACCEPT
-p IPv4 -o wl0.1 --ip-src 10.0.24.200 --ip-proto tcp -j ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP
However, 10.0.24.200 remains unreachable from the guest network. Do these entries appear to be correct? If successful access from a single Guest Network to a single IP simply requires a few table entries I don't require a script. I'm just not sure what those entries are in the current firmware. In October 2017, @ColinTaylor seemed to have similar results with GuestPrinter.sh and you suggested using your GuestSubnet.sh script. Is this still a working script and if so is there any chance you can share your latest version? I appreciate the guidance!
 
If you have a router which supports VLANs then just create a network VLAN and call it guest. Then control the routing between the VLANs.
 
By unreachable do you mean because PING fails?

GuestSubnet.sh v1.02 - similarly uses ebtables to unbridge the Guest interface from br0, to allow iptables to implement the appropriate ACL rules from the unbridged Guest interface to the LAN resource, but has now been superseded by my script WiFiVPN.sh v1.09 (which creates new Guest VLAN bridges which are easier to manage and can be concurrently mapped to router switch ports).
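Martineau's posts above mention a 'status' command that was never published, and ask whether "unreachable" means ping fails. The following is an added example, not Martineau's script or any published version of it: a POSIX sh status check that reads an `ebtables -t filter -L FORWARD` listing and reports whether the guest interface is still isolated (both firmware DROP rules present), which printer IPs have both TCP ACCEPT rules, and whether those ACCEPTs are ordered ahead of the DROPs. The function names and SAMPLE_LISTING (a constructed copy of the listing posted earlier in the thread) are mine.

```shell
#!/bin/sh
# Added example, not Martineau's script: a 'status' check for a Guest WiFi interface.
# It parses 'ebtables -t filter -L FORWARD' output and reports whether the interface is
# still isolated from the LAN (the firmware's two DROP rules are present), which printer
# IPs have BOTH TCP ACCEPT rules, and whether those ACCEPTs sit above the DROPs.
# SAMPLE_LISTING is a constructed copy of the listing posted in the thread so the script
# runs offline; on the router use:  guest_status wl0.1 "$(ebtables -t filter -L FORWARD)"
SAMPLE_LISTING='Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-p IPv4 -i wl0.1 --ip-dst 10.0.24.200 --ip-proto tcp -j ACCEPT
-p IPv4 -o wl0.1 --ip-src 10.0.24.200 --ip-proto tcp -j ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP'

# drop_count IFACE LISTING -> number of interface-level DROP rules (2 = intranet blocked)
drop_count() {
    printf '%s\n' "$2" | grep -c -e "-i $1 -j DROP" -e "-o $1 -j DROP" || true
}
# allowed_printers IFACE LISTING -> IPs that have both the inbound (--ip-dst) and
# outbound (--ip-src) TCP ACCEPT rules; a printer with only one direction is not usable
allowed_printers() {
    printf '%s\n' "$2" | awk -v i="$1" '
        $3=="-i" && $4==i && $5=="--ip-dst" && $10=="ACCEPT" { in_[$6]=1 }
        $3=="-o" && $4==i && $5=="--ip-src" && $10=="ACCEPT" { out[$6]=1 }
        END { for (ip in in_) if (ip in out) print ip }' | sort
}
# accept_before_drop IFACE LISTING -> 0 if every ACCEPT for IFACE precedes its DROP rules
# (ebtables evaluates top-down, so an ACCEPT listed after the DROP never matches)
accept_before_drop() {
    printf '%s\n' "$2" | awk -v i="$1" '
        $0 ~ ("-[io] " i " -j DROP$") { if (!d) d = NR }
        $4 == i && $10 == "ACCEPT" { if (d) bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}
# guest_status IFACE LISTING -> prints a summary; returns 0 = isolated with printers shared,
# 1 = intranet access is open, 2 = isolated but no printer rules, 3 = rules are misordered
guest_status() {
    drops=$(drop_count "$1" "$2")
    printers=$(allowed_printers "$1" "$2")
    if [ "$drops" -ne 2 ]; then
        echo "$1: intranet access is NOT blocked ($drops DROP rules present)"; return 1
    elif [ -z "$printers" ]; then
        echo "$1: isolated from LAN, no printers shared"; return 2
    elif ! accept_before_drop "$1" "$2"; then
        echo "$1: printer ACCEPT rules are listed after the DROP rules and will not match"; return 3
    fi
    echo "$1: isolated from LAN; TCP to printer(s): $(echo $printers)"
    echo "$1: ACCEPT rules match IPv4 TCP only, so ARP and ICMP (ping) are still dropped"
    return 0
}

guest_status wl0.1 "$SAMPLE_LISTING"
```

Because the ACCEPT rules only match IPv4 TCP, a failed ping from the guest network does not by itself show the printer rules are wrong; test with a TCP connection to the printer's port instead.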
 
