Guest network with access to Chromecast?

@Martineau can you share the script you have made?
... there isn't much documentation on this script as you haven't posted it officially?
I write scripts for personal use - the amount of time and effort to 'publish it officially' and adapt it to accommodate every weird user environment :rolleyes: isn't something I need to expend, given the script provides ample help and examples for its intended original design usage.

The script probably won't fully address your non-standard requirements, but should show what commands are required to achieve your unique goal.
So I created the file "BlockWiFiClient.sh" in /jffs/scripts/ and did the chmod a+rx on it.
You should then be able to test the script interactively and also display its helpful syntax and examples.
From what I understand I should create another script in the same folder called "firewall-start".

And in this I should include:
"/jffs/scripts/BlockWiFiClient.sh 192.168.1.51 192.168.1.23 accept"

Is that correct?
Once you are satisfied with the interactive script testing, and have identified the appropriate parameters then yes you will need to use firewall-start to ensure your custom rules are applied during the boot process.
How do I block a range of IP addresses (192.168.1.51-192.168.1.254) from accessing a range of other IPs? 192.168.1.1-192.168.1.50
The script defaults to the following three pseudo rules (assuming .22 and .33 are the two LAN resources you wish to grant access to from the nominated client IP range)
Code:
Rule1 - ALLOW access from 192.168.1.51-192.168.1.254 to 192.168.1.22   -j ACCEPT
Rule2 - ALLOW access from 192.168.1.51-192.168.1.254 to 192.168.1.33   -j ACCEPT
Rule3 - BLOCK access from 192.168.1.51-192.168.1.254 to 192.168.1.0/24 -j DROP
so clearly Rule3 will need to be altered to
Code:
Rule3 - BLOCK access from 192.168.1.51-192.168.1.254 to 192.168.1.1-192.168.1.50 -j DROP
which unfortunately the script doesn't do.

Furthermore, as you require two non-contiguous CIDR IP ranges, Rules 1-3 will each need to be expanded into multiple CIDR rules.

EDIT: Having reviewed your unusual requirements, I suspect that a simplified bespoke BlockWiFiClient.sh script will be required.
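The three pseudo rules above, together with the firewall-start question earlier in the thread, as an added example that is not Martineau's BlockWiFiClient.sh and not code from this thread: a POSIX sh snippet that prints (rather than executes) the iptables commands for one source CIDR. It places the two ACCEPT rules ahead of the LAN-wide DROP in a dedicated chain, so the order that makes Rule1 and Rule2 effective is explicit, and it flushes that chain first so firewall-start can re-run it at every firewall restart without piling up duplicate rules. The bridge name br0, the chain name WIFI_BLOCK and the use of the FORWARD chain are assumptions of mine; whether bridged LAN-to-LAN traffic is seen by iptables at all depends on net.bridge.bridge-nf-call-iptables being enabled, which the thread does not cover.

```shell
#!/bin/sh
# Added example for this thread; it is NOT Martineau's BlockWiFiClient.sh.
# Prints the iptables commands that realise Rule1/Rule2/Rule3 for ONE source
# CIDR.  Nothing is applied to a live firewall: review the output first, then
# pipe it into sh (e.g. from /jffs/scripts/firewall-start).
#
# Assumptions (labelled): LAN bridge br0, chain name WIFI_BLOCK (hypothetical),
# traffic seen in FORWARD (bridged LAN traffic only reaches iptables when
# net.bridge.bridge-nf-call-iptables=1), allowed hosts given comma-separated.

LAN_IF="${LAN_IF:-br0}"        # assumed LAN bridge interface
CHAIN="${CHAIN:-WIFI_BLOCK}"   # assumed (hypothetical) chain name

# gen_rules SRC_CIDR ALLOWED_LIST LAN_CIDR
#   SRC_CIDR      client range, e.g. 192.168.1.128/25
#   ALLOWED_LIST  comma-separated LAN hosts the clients may still reach
#   LAN_CIDR      the LAN that is blocked otherwise, e.g. 192.168.1.0/24
gen_rules() {
    src="$1"; allowed="$2"; lan="$3"
    # (1) create the chain if it does not exist, then empty it: idempotent on re-run
    printf 'iptables -N %s 2>/dev/null\n' "$CHAIN"
    printf 'iptables -F %s\n' "$CHAIN"
    # (2) one ACCEPT per nominated LAN resource (Rule1, Rule2) - these MUST precede the DROP
    echo "$allowed" | tr ',' '\n' | while read -r dst; do
        [ -n "$dst" ] || continue
        printf 'iptables -A %s -s %s -d %s -j ACCEPT\n' "$CHAIN" "$src" "$dst"
    done
    # (3) the catch-all DROP for the rest of the LAN (Rule3), appended last
    printf 'iptables -A %s -s %s -d %s -j DROP\n' "$CHAIN" "$src" "$lan"
    # (4) hook the chain at the top of FORWARD exactly once (-C checks for an existing hook)
    printf 'iptables -C FORWARD -i %s -o %s -j %s 2>/dev/null || iptables -I FORWARD -i %s -o %s -j %s\n' \
        "$LAN_IF" "$LAN_IF" "$CHAIN" "$LAN_IF" "$LAN_IF" "$CHAIN"
}

# count_rules SRC_CIDR ALLOWED_LIST LAN_CIDR -> number of ACCEPT/DROP rules emitted
# (three for a single source CIDR with two resources, as the thread states)
count_rules() {
    gen_rules "$1" "$2" "$3" | grep -E -c ' -j (ACCEPT|DROP)$'
}

# Stand-alone use: sh thisfile.sh 192.168.1.128/25 192.168.1.22,192.168.1.33 192.168.1.0/24
if [ "$#" -ge 3 ]; then
    gen_rules "$1" "$2" "$3"
fi
```

Run it with the three arguments to review the commands it would issue; only once the chain reads ACCEPT, ACCEPT, DROP in that order should the output be executed on the router. Because the FORWARD hook is inserted at position 1, it is evaluated before the firmware's own LAN rules; if your router already carries a blanket LAN ACCEPT in FORWARD, appending instead of inserting would silently make the DROP unreachable.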
But if I understand correctly:
Code:
Rule1 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.22   -j ACCEPT
Rule2 - ALLOW access from 192.168.1.51-192.168.1-254 to 192.168.1.33   -j ACCEPT
Rule3 - BLOCK access from 192.168.1.51-192.168.1-254 to 192.168.1.0/24 -j DROP
Using this would mean that all devices in the range 192.168.1.51-192.168.1.254 will have access to the two IPs 192.168.1.22 and 192.168.1.33.
And it will also block access to everything else in the LAN? This is what I am looking for, I may not have been clear. Why I said to block access to 192.168.1.1-192.168.1.50 is because in this range the important devices are. But it doesn't matter if everything is blocked instead.
So you need to test the script to see if a single IP in your nominated range can access one of the two LAN resources yet is completely BLOCKED from the rest of the LAN

e.g. Allow a nominated WiFi device access to only the (wired) NAS on the LAN
Code:
cd /jffs/scripts/

./BlockWiFiClient.sh   Nexus-7   DS-416   accept

(BlockWiFiClient.sh): 10644 v1.04 WiFi Client LAN/WAN blocking.... [Nexus-7 DS-416 accept]

  hh:mm:ss  WiFi Client 10.88.8.155 (Nexus-7.Martineau.home) access to 10.88.8.197 (DS-416.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
 
Using this would mean that all devices in the range 192.168.1.51-192.168.1.254 will have access to the two IPs 192.168.1.22 and 192.168.1.33... And it will also block access to everything else in the LAN?

This is what I am looking for
If it is now deemed acceptable to block the source IP range from ALL of the LAN (except for the two nominated LAN resources), then you will need to retrieve v1.05 of the script. (v1.04 doesn't support CIDR ranges)

i.e. IP Range 192.168.1.51-192.168.1.254 requires eleven discrete CIDR ranges
Code:
CIDR_RANGE=".51/32,.52/30,.56/29,.64/26,.128/26,.192/27,.224/28,.240/29,.248/30,.252/31,.254/32"
So instead of having three rules, you will need thirty-three rules.
However, rather than enter the CIDR ranges explicitly on each command invocation, the script already supports a config file.

Issue the following to create a persistent IP Group lookup config file
Code:
echo "RANGE51_254  192.168.1.51/32,192.168.1.52/30,192.168.1.56/29,192.168.1.64/26,192.168.1.128/26,192.168.1.192/27,192.168.1.224/28,192.168.1.240/29,192.168.1.248/30,192.168.1.252/31,192.168.1.254/32" >>/jffs/configs/IPGroups
Now if you run
Code:
./BlockWiFiClient.sh   RANGE51_254   192.168.1.22,192.168.1.33   accept
the CIDR rules will be created for the two LAN resources....

Code:
./BlockWiFiClient.sh   range51_254   10.88.8.131,10.88.8.132   accept

(BlockWiFiClient.sh): 8884 v1.05 WiFi Client LAN/WAN blocking.... [range51_254 10.88.8.131,10.88.8.132 accept]

  hh:mm:ss  WiFi Client 192.168.1.51 () access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.51 () access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.52/30 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.52/30 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.56/29 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.56/29 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.64/26 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.64/26 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.128/26 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.128/26 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.192/27 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.192/27 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.224/28 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.224/28 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.240/29 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.240/29 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.248/30 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.248/30 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.252/31 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.252/31 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.254 () access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.254 () access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED

NOTE: If you can isolate the nominated source IP range to a single CIDR
e.g.
Code:
# IP Range 192.168.1.128-192.168.1.255
CIDR_RANGE="192.168.1.128/25"
or
Code:
# IP Range 192.168.1.64-192.168.1.127
CIDR_RANGE="192.168.1.64/26"
then you reduce the number of physical rules back to three.
e.g. 2 explicit LAN resource rules and the (hidden) default LAN BLOCK rule for the CIDR.
Code:
./BlockWiFiClient.sh   192.168.1.128/25   10.88.8.131,10.88.8.132   accept

(BlockWiFiClient.sh): 7797 v1.05 WiFi Client LAN/WAN blocking.... [192.168.1.128/25 10.88.8.131,10.88.8.132 accept]

  hh:mm:ss  WiFi Client 192.168.1.128/25 (CIDR) access to 10.88.8.131 (CLP-680ND.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
  hh:mm:ss  WiFi Client 192.168.1.128/25 (CIDR) access to 10.88.8.132 (ML-3710N.Martineau.home) is now ALLOWED, all other LAN access is BLOCKED
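How the eleven CIDR blocks in the IPGroups line above are derived, and why a range such as 192.168.1.128-192.168.1.255 collapses to the single /25 in the NOTE, as an added example that is not part of the thread and not Martineau's script: a POSIX sh function that greedily splits any first..last address range into the minimal list of aligned CIDR blocks, plus a helper that formats the result as a "NAME  cidr,cidr,..." line in the format the thread writes to /jffs/configs/IPGroups. The group name is whatever you pass in; the file path and the two-space separator are taken from the thread, everything else is mine.

```shell
#!/bin/sh
# Added example (not from this thread, not Martineau's BlockWiFiClient.sh).
# Splits an inclusive IPv4 range into the smallest set of CIDR blocks that
# covers it exactly, using only POSIX sh arithmetic (busybox ash, dash, bash).

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int2ip N -> A.B.C.D
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# range2cidr FIRST LAST -> comma-separated CIDR list covering exactly FIRST..LAST
# Greedy: at each position take the largest block that is aligned on the current
# address AND does not run past LAST, emit it, then continue after it.
range2cidr() {
    cur=$(ip2int "$1"); last=$(ip2int "$2"); out=""
    while [ "$cur" -le "$last" ]; do
        bits=0
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            # stop growing when the next size is misaligned or overshoots the range
            if [ $(( cur & (size - 1) )) -ne 0 ] || [ $(( cur + size - 1 )) -gt "$last" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        out="${out:+$out,}$(int2ip "$cur")/$(( 32 - bits ))"
        cur=$(( cur + (1 << bits) ))
    done
    echo "$out"
}

# ipgroup_line NAME FIRST LAST -> one line in the IPGroups format used in the thread
# (name, two spaces, comma-separated CIDRs), ready to append to /jffs/configs/IPGroups
ipgroup_line() {
    printf '%s  %s\n' "$1" "$(range2cidr "$2" "$3")"
}

# count_cidrs FIRST LAST -> how many discrete CIDR blocks the range needs
count_cidrs() {
    range2cidr "$1" "$2" | tr ',' '\n' | wc -l | tr -d ' '
}

# Stand-alone use: sh thisfile.sh 192.168.1.51 192.168.1.254
if [ "$#" -eq 2 ]; then
    range2cidr "$1" "$2"
fi
```

The greedy choice is optimal here because CIDR blocks are aligned power-of-two intervals: a larger block that fits at the current address always strictly contains any smaller one, so taking the biggest that fits never forces extra blocks later. Running it on 192.168.1.51-192.168.1.254 reproduces the eleven-entry RANGE51_254 line exactly, which is a quick way to double-check a hand-written IPGroups entry before the script turns it into thirty-three rules.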