Guest Network working?

Yeah I should have said that the values for the nvram variable

Code:
wl0.1_closed

is either 1 or 0.

When I set it to 1, I have to manually enter the SSID in order to connect to the wireless network. 0 makes it visible.
 
When I set it to 1, I have to manually enter the SSID in order to connect to the wireless network. 0 makes it visible.

That makes sense in accordance with what I read. This would be the same as hiding the SSID in the user interface. :)

For what it's worth, I went looking for a screenshot of the user interface where this setting is located, but got distracted and ended up with a related article instead. You might enjoy reading the first few paragraphs.

http://www.smallnetbuilder.com/wire...6-it-takes-a-neighborhood-to-fix-bad-wireless


Here's what I think is different between what I've been working with and what you are working with.

You are hiding the SSID which means that a generic user needs to know both the SSID and passkey to get connected.
(Someone else might end up telling you how insecure this is and that it's a waste of time, etc. but you've brought to light an nvram setting that I was unaware of so I'm glad.)

I'm working "further down the line" as I've already set up clients for my network, and will allow other clients as needed, but want to keep device A from directly interacting with device B, etc.
With the isolation setting "on", each client should have WAN (internet) access, but not be able to interact with other devices on that SSID. (intranet)

Part two seems to be that I also need to isolate one SSID from the other SSIDs. That's where ebtables seems to come in. (I haven't had time to really focus on it for a few days so I haven't gotten anywhere.)

Thanks jobongo!
 
Oh. I am sorry. I was under the impression, from glancing over the previous posts, that you had actually isolated them. I thought you only wanted the variable to hide the SSID.

Yes. You do need to configure ebtables. I use Merlin's firmware and I wouldn't say that ebtables is a very secure way to block intranet access, but it works. The commands to allow access only to the WAN interface and to no other device on the same guest network are these:

Code:
ebtables -I FORWARD -i wl0.1 -o ! [wan interface] -j DROP
ebtables -I FORWARD ! -i [wan interface] -o wl0.1 -j DROP

Just replace the interfaces with those that correspond to your router. This says to drop layer 2 frames entering the wl0.1 interface that are not destined for the WAN interface, and the same vice versa. I hope this helps and works. Good luck.
 
Yes. You do need to configure ebtables. I use Merlin's firmware and I wouldn't say that ebtables is a very secure way to block intranet access, but it works. The commands to allow access only to the WAN interface and to no other device on the same guest network are these:

Code:
ebtables -I FORWARD -i wl0.1 -o ! [wan interface] -j DROP
ebtables -I FORWARD ! -i [wan interface] -o wl0.1 -j DROP

Just replace the interfaces with those that correspond to your router. This says to drop layer 2 frames entering the wl0.1 interface that are not destined for the WAN interface, and the same vice versa. I hope this helps and works. Good luck.

Thanks for your reply!
Maybe you can help me understand this better!

So, I have a guest interface on wl0.3 that I want to isolate from wl0.2, wl0.1, eth1 and eth2.
I have already activated isolation on wl0.3 via "wl -i wl0.3 ap_isolate 1".

Now I want to make sure that wl0.3 only transfers data to WAN so I add these ebtables entries. Right? (vlan1 is my WAN interface. It used to be vlan2, but I swapped them.)
Code:
ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP

What I've been trying to figure out (because I'm running Tomato now and I have only the one RT-N66u and it's in use and I've been busy with other stuff) is how the ASUS firmware changes everything in the background as the guest isolation mode is enabled.
In other words, when I had previously chosen [Intranet Access] {off} in the GUI (while running ASUS firmware),
I believe that the "wl -i wl0.3 ap_isolate 1" command was made in some form, and then a couple of ebtables rules were set. Is there anything else?

What I'm really trying to do is replicate ASUS's isolation method in Tomato. The best of both worlds.
I finally settled on Tomato for my RT-N66u because it allows more options and seems to handle my 26+ devices a bit better. I'm getting faster speeds on some devices than I could with stock firmware.
It allows more control over bandwidth (individual limits) and seems to be more reliable in the "parental control" functionality.
(I think there's a complete shutoff of data to a child's device at the end of a day if that's what you want. Or you can filter out certain websites during those hours, etc.)

One thing it's missing right now is device isolation. It works on the main interfaces as long as all the devices are on that interface, but doesn't work across interfaces.
With ap_isolation active on both eth1 and eth2 for example, eth2 can't see other eth2 devices but can still interact with eth1's devices or wl0.2's devices, etc.

Any advice or guidance is greatly appreciated!
 
Those commands should work to limit the talking between the guest network and the other networks. I think I have a better understanding of what it is you are trying to do. When you set

Code:
wl0.3_ap_isolated

to 1, you are making it so that the devices are not able to see each other on the same wireless network. This is different from the Access Intranet option. The variable that I found in nvram for that is

Code:
wl0.3_lanaccess

This is set to 0 when it is disabled and 1 when it is enabled. I am not sure if the code for the variable is in the Tomato firmware. I know that Tomato's and ASUS's firmwares are very similar, so you can try.

The ebtables commands that I gave you are the ones that are set up when you set the Access Intranet option to off. Using both of these (the ap_isolated and the Access Intranet settings) should limit device-to-device communication on the same interface and across different interfaces. I did a quick test and was not able to ping any devices on separate radios or the physical switch itself.
 
Okay, that new (to me) variable of wl0.3_lanaccess is something I'll have to try as well.

I have also been testing, and this is what I've put in my firewall script. It gets run every time an interface is modified in some way (as I understand it).

Code:
wl -i wl0.1 ap_isolate 1
wl -i wl0.2 ap_isolate 0
wl -i wl0.3 ap_isolate 1

ebtables -I FORWARD -i wl0.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.1 -j DROP

ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP

This works really well it seems. I can't ping, access a webpage or see a network share on wl0.2 or eth1 from either wl0.1 or wl0.3.

If I'm understanding you correctly, ASUS firmware might write this script (for wl0.3) as:
Code:
wl -i wl0.3_lanaccess 1

ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP

Does that look right?

It's too bad that there doesn't seem to be a way to "comment" within the firewall script or ebtables. I've seen that it can be done in iptables, but the option doesn't seem to be in the man page for ebtables.

I'll have to try out the "wl0.3_lanaccess" variable next!
 
Actually, wl0.3_lanaccess is an nvram variable, not a driver setting like ap_isolate, so

Code:
wl -i wl0.3_lanaccess 1

would not work, as "lanaccess" is not a driver setting.

Try running this and see if the variable exists in nvram.

Code:
nvram show | grep lanaccess

If it is there, you should see all of the wireless interfaces with this variable. Even without this you can do the same thing by adding these rules

Code:
ebtables -I FORWARD -i wl0.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.1 -j DROP

to ebtables, as that is what is done when the nvram variable is set to 1. The code just tells it to add the lines to ebtables.

So. Your setup should look like your first code block in your previous post.

Code:
wl -i wl0.1 ap_isolate 1
wl -i wl0.2 ap_isolate 0
wl -i wl0.3 ap_isolate 1

ebtables -I FORWARD -i wl0.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.1 -j DROP

ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP

This works really well it seems. I can't ping, access a webpage or see a network share on wl0.2 or eth1 from either wl0.1 or wl0.3.

This is exactly what I was saying in my previous post and I apologize if it was hard to understand me. This setup should work to block clients from communicating with other clients and traffic from crossing wireless networks. I hope this helps. Good luck.
 
Try running this and see if the variable exists in nvram.

Code:
nvram show | grep lanaccess

It does not return anything.


This is exactly what I was saying in my previous post and I apologize if it was hard to understand me. This setup should work to block clients from communicating with other clients and traffic from crossing wireless networks. I hope this helps. Good luck.

I have revised my script after noticing that I had 25 entries in ebtables instead of 5. I needed to "flush" first. This is what I've settled on for the moment:

Code:
wl -i wl0.1 ap_isolate 1
wl -i wl0.2 ap_isolate 0
wl -i wl0.3 ap_isolate 1

wl -i wl1.1 ap_isolate 1
wl -i wl1.2 ap_isolate 1
wl -i wl1.3 ap_isolate 1

ebtables -F

ebtables -I FORWARD -i wl0.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.1 -j DROP


ebtables -I FORWARD -i wl0.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl0.3 -j DROP


ebtables -I FORWARD -i wl1.1 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl1.1 -j DROP

ebtables -I FORWARD -i wl1.2 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl1.2 -j DROP

ebtables -I FORWARD -i wl1.3 -o ! vlan1 -j DROP
ebtables -I FORWARD ! -i vlan1 -o wl1.3 -j DROP

It seems to work well. Now I can have all my Guest SSIDs on the same class C network and the same bridge!

Thanks a bunch to you jobongo as well as everyone else here for the helpful discussion!
If anyone has any further comments or suggestions, I'm all ears!
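The script above works but repeats the same two rules by hand for every guest SSID, and the reason for the ebtables -F (the firewall script is re-run on every interface change, so rules pile up) is easy to forget. The following POSIX sh script is an added example, not code from the thread or from the ASUS, Merlin or Tomato firmware: it generates the WAN-only rule pair from the earlier post (jobongo's two ebtables lines) for any list of guest interfaces, flushes only the FORWARD chain first, and sets ap_isolate on each interface. It assumes vlan1 is the WAN bridge port and that wl and ebtables exist on the router; both binaries can be overridden with the EBTABLES and WL variables (for example EBTABLES=echo WL=echo) to print the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the thread): generate and apply the guest-network
# isolation rules for any number of guest SSIDs.
# Assumptions: vlan1 is the WAN bridge port (override with WAN_IF), and the
# "wl" and "ebtables" binaries are present (override with WL / EBTABLES, e.g.
# EBTABLES=echo WL=echo for a dry run that only prints the commands).

# Print the two FORWARD rules that confine one guest interface to WAN-only
# traffic: frames arriving on the guest port that are not leaving via the WAN
# port are dropped, and frames leaving via the guest port that did not arrive
# on the WAN port are dropped.
isolation_rules() {
    guest_if="$1"
    wan_if="${WAN_IF:-vlan1}"
    printf '%s\n' "-I FORWARD -i $guest_if -o ! $wan_if -j DROP"
    printf '%s\n' "-I FORWARD ! -i $wan_if -o $guest_if -j DROP"
}

# Print the full rule set for a list of guest interfaces. It starts with a
# flush of the FORWARD chain so that re-running the script (the firewall
# script runs on every interface change) does not accumulate duplicates.
guest_ruleset() {
    echo "-F FORWARD"
    for g in "$@"; do
        isolation_rules "$g"
    done
}

# Number of ebtables invocations the rule set will make (1 flush + 2 per SSID).
count_rules() {
    guest_ruleset "$@" | wc -l | tr -d ' '
}

# Turn on client isolation on each guest interface, then install the rules.
apply_guest_isolation() {
    wl_bin="${WL:-wl}"
    ebt_bin="${EBTABLES:-ebtables}"
    for g in "$@"; do
        "$wl_bin" -i "$g" ap_isolate 1
    done
    guest_ruleset "$@" | while read -r rule; do
        # Word-splitting of $rule into separate arguments is intended here.
        "$ebt_bin" $rule
    done
}

# Usage on the router (same interfaces as the post above):
#   sh guest_isolation.sh wl0.1 wl0.3 wl1.1 wl1.2 wl1.3
# Dry run on any machine:
#   EBTABLES=echo WL=echo sh guest_isolation.sh wl0.1 wl0.3
if [ "$#" -gt 0 ]; then
    apply_guest_isolation "$@"
fi
```

Because each guest SSID in the thread is pinned to the WAN port only, this also covers the cross-SSID case (wl0.1 to wl0.3, or wl1.2 to eth1): frames between two guest ports fail both the "out via WAN" and "in from WAN" tests and are dropped.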
 
I use Merlin's firmware and I wouldn't say that ebtables is a very secure way to block intranet access, but it works.

Now that I've gotten this far and can relax a little and contemplate new things, can any of you tell me more about the potential insecurity of these methods I've chosen to employ?

How would one attack with these ebtables and SSID isolation set? Is there more that can be done?
 
Now that I've gotten this far and can relax a little and contemplate new things, can any of you tell me more about the potential insecurity of these methods I've chosen to employ?

How would one attack with these ebtables and SSID isolation set? Is there more that can be done?

The only thing I can think of is to have a good password on your router. Do those ebtables rules keep clients from accessing the router? If not, you might want to create rules that block that but still allow what is necessary for internet access.

EDIT: Keep in mind I never really use ebtables; however, you will probably need some INPUT rules to block access to the router.
 
You can use ebtables to block access by MAC address. It could go something like this:

Code:
ebtables -I FORWARD -i wl0.1 -o br0 -s ! AA:BB:CC:DD:EE:FF -j DROP

This says that anything connecting on the wl0.1 network that doesn't have a MAC address of AA:BB:CC... is dropped if it is destined for the br0 interface.

And if you are really paranoid, you can set up anti-spoofing rules so that someone can't spoof the MAC. It should look something like this:

Code:
ebtables -I FORWARD -i wl0.2 -s ! AA:BB:CC:DD:EE:FF -p ipv4 --ip-source 10.1.1.1 -j DROP

This pairs a MAC to an IP so that if the MAC for an IP is not what you have in your rules, the traffic is not forwarded. The only thing with this is that you will need to set DHCP reservations or static IPs so that the IPs for the devices don't change.

Hope this helps.
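Since the anti-spoofing rule needs one line per reserved address and a typo in a MAC or IP silently produces a rule that never matches, here is an added example (not code from the thread) that builds those rules from a reservation list. It reads "MAC IP" pairs from standard input, rejects malformed entries with a message on stderr, and prints one ebtables rule per valid pair in the form shown above: an IPv4 frame arriving on the guest interface that claims a reserved source IP but comes from any other MAC is dropped. The interface name, the reservation list and the MAC/IP values below are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): generate MAC-to-IP pinning rules for a
# guest interface from a list of DHCP reservations.
# Assumption: ebtables is available on the router; EBTABLES=echo prints the
# rules instead of installing them.

# Constructed sample reservation list ("MAC IP" per line, '#' starts a comment).
# The third entry is deliberately malformed to show the validation path.
RESERVATIONS='# constructed sample reservations for the guest SSID
AA:BB:CC:00:00:01 10.1.1.11
AA:BB:CC:00:00:02 10.1.1.12
not-a-mac 10.1.1.13'

# Return 0 if $1 looks like a colon-separated 48-bit MAC address.
valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Return 0 if $1 looks like a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        if [ "$octet" -gt 255 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# Print the single pinning rule for one reservation on interface $1:
# drop IPv4 frames on $1 whose source IP is $3 but whose source MAC is not $2.
pin_rule() {
    printf '%s\n' "-I FORWARD -i $1 -s ! $2 -p IPv4 --ip-source $3 -j DROP"
}

# Read "MAC IP" lines from stdin and print one rule per valid pair on $1.
# Malformed lines are reported on stderr and skipped, so a typo cannot turn
# into a rule that never matches anything.
pin_ruleset() {
    iface="$1"
    while read -r mac ip _; do
        case "$mac" in ''|\#*) continue ;; esac
        if ! valid_mac "$mac"; then
            echo "skipping reservation with bad MAC: $mac" >&2
            continue
        fi
        if ! valid_ipv4 "$ip"; then
            echo "skipping reservation with bad IP: $ip" >&2
            continue
        fi
        pin_rule "$iface" "$mac" "$ip"
    done
}

# Count the rules that would be installed from the sample list for $1.
count_pins() {
    printf '%s\n' "$RESERVATIONS" | pin_ruleset "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Install the rules for interface $1 from the list on stdin.
apply_pins() {
    ebt_bin="${EBTABLES:-ebtables}"
    pin_ruleset "$1" | while read -r rule; do
        # Word-splitting of $rule into separate arguments is intended here.
        "$ebt_bin" $rule
    done
}

# Usage on the router, with the real reservations in /tmp/guest_reservations:
#   apply_pins wl0.2 < /tmp/guest_reservations
# Dry run with the constructed sample above:
#   printf '%s\n' "$RESERVATIONS" | EBTABLES=echo sh pin_macs.sh wl0.2
if [ "$#" -gt 0 ]; then
    apply_pins "$@"
fi
```

Note what this rule does and does not cover: it stops a client from using a reserved IP with a different MAC, which is the case the post describes. It does not bind the reserved MAC to its IP in the other direction, so pairing it with the DHCP reservations the post mentions (and, if the router should not be reachable from the guest SSID, with INPUT rules as suggested earlier) is what makes the set complete.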
 