Guest SSIDs and VLAN tagging


mooky1977

New Around Here
I have this router: RT-AC66U_B1 (base model: RT-AC68U)
BCM470x - Cortex A7 ARMv7 revision 0 - Rev. c0 (Cores: 2)
Currently running: Merlin firmware 386.10

In AP mode, all SSIDs seem to share my default LAN subnet as doled out by my pfSense router's DHCP server, 192.168.3.100+, and there seems to be no way to isolate the guest SSIDs from my trusted WiFi SSID. Simply, I want cell phones, tablets, TVs, and other IoT devices to have no access to my network but still have internet access.

Right now in AP mode, when they are on the Guest SSIDs they can still access the network resources (SMB shares, etc.) and there doesn't seem to be any way to change this. I read that if I change the Asus router back to Router mode, there are more functions available, and that is true. For guest SSIDs in Router mode there is an option to "Allow Intranet Access" with enable and disable as the choices. Great! If I "enable" it, then devices on the Guest SSID continue to share the "192.168.3.x" domain as DHCP-assigned by my pfSense box. Works as expected.

But if I set "Allow Intranet access" to disable, the guest SSIDs start assigning devices as follows:

  • First guest SSID: 192.168.101.x
  • Second guest SSID: 192.168.102.x
  • etc.

Now, I haven't set that anywhere, the DHCP server on the Asus router is off, and I have no record of these IPs or settings on my pfSense router to accomplish this numbering currently. Is this some internal coding in the Asus Merlin firmware? How is it accomplished, and is it already VLAN tagged? It is half-way to accomplishing what I want, sort of. Currently these "Intranet disabled" Guest SSIDs can't access the rest of my network, but they also can't see the Internet via my pfSense gateway at 192.168.3.1. That's the problem; currently they are black-holed to nowhere.

Hopefully someone can help, I'd really appreciate it, and hopefully I don't have to buy a higher priced device. I'd love to re-use my existing hardware as it's more than what I really need for wireless connections at the moment.

Let me know if you need any more details. Thanks in advance.
 
You need to run it in router mode to get guest isolation, or use scripts to extend your pfsense vlans to the AP and segment the SSIDs. Been discussed here a number of times.
 
Any chance you could point me in the right direction? I already said I put the router in router mode and I'm half-way there, but I'm trying to understand why it assigns the IPs it does when I isolate the guest SSIDs from my intranet. Like what is going on behind the scenes on the Asus router? Currently when I disable intranet access to the guest SSIDs it assigns (seemingly randomly) 192.168.101.x / 192.168.102.x IPs when I have the Asus DHCP server turned off. That's fine and all, but is that just internal logic of the Asus Merlin firmware? Is it VLAN tagged? How is it segregated? Internal iproute tables? Right now I can't get it out via my gateway and I'm trying to figure out why.
 

Nothing to do with Merlin, that is how Asus has designed Guest Wireless 1 starting with the 386 code base - it uses VLANs and separate subnets when you have guest isolation enabled (VLAN 501 and 192.168.101.x for 2.4GHz and 502/192.168.102.x for 5GHz) so that they can be extended out to nodes when running AIMesh. If you don't want that behavior, use Guest Wireless 2 and/or 3; it will use the main LAN subnet but firewall rules will block traffic between them.

It is also possible to just extend your PFSENSE vlans out to the asus running in AP mode but it requires scripting and robocfg/brctl etc.

If you have NAT disabled on the Asus, your PFSENSE will need a static route for 192.168.101 and 192.168.102 pointing to the WAN IP of the Asus, plus a route for your main LAN network too. Asus needs a default route pointing to PFSENSE.
 

Option 1 seems easier to accomplish, but option 2 seems more elegant and correct in the long run.

For option 1, are you able to tell me how it decides on the IPs it hands out to devices that connect to them?

EDIT: (i.e., the last part of the 192.168.x.x) I assume the 101 and 102 are hardcoded. Is there an internal DHCP that works regardless on guest networks in 'Router mode'?

I might still go the option 2 route, just not sure yet. I also have a managed switch (Dell PowerConnect 5424), but I don't think that plays into it unless I'm able to turn the LAN ports on the Asus router into separate VLANs as well, because currently, running one cable to the Asus router from the switch, the network cable and switch would have to pass on all data packets anyway. But if it's possible to get the LAN ports on the Asus router assigned certain VLAN traffic then I could do that with multiple cables to the Asus router, right?

If you have NAT disabled on the Asus, your PFSENSE will need a static route for 192.168.101 and 192.168.102 pointing to the WAN IP of the Asus, plus a route for your main LAN network too. Asus needs a default route pointing to PFSENSE.

Pardon? I'm pretty sure I have NAT turned off. I think. Should I have the Cat5e plugged into the WAN port? Currently it's plugged into LAN #1.

This is good. I'm a VLAN newbie, but at least I now know it does handle VLANs. That's a starting point. :)
 

The asus has hardcoded those two subnets. 2.4GHz Guest Wireless 1 uses 192.168.101.0/24 and 5GHz Guest Wireless 1 uses 192.168.102.0/24. IP assignment is random within those ranges (that's the way DNSMasq works). You can't change those settings without a script.

Main LAN and Guest Wireless 2 and 3 use whatever subnet/DHCP range you've assigned in the GUI.

Assigning VLANs to switch ports on the asus is relatively easy via scripts, and you can use trunking/tagging so you can send several VLANs over a single cable. That's the preferable approach as if you mis-configure something and have multiple cables you will cause a spanning tree loop and crash your network.

One option you have is to just run it in router mode, but use it like an AP. That will create the VLANs for you then you can use a pretty simple script to assign the VLAN 501 and 502 (plus the default VLAN 1 for non-guests) to a port which trunks back to your pfsense. In that case you'd just connect a cable to the LAN and leave the WAN empty. The only reason I say to do this in router mode is that in AP mode it won't create those VLANs and do most of the work for you, though with a bit of extra work you can do it yourself in AP mode and that is a cleaner setup.


If you're running it in router mode, you need the WAN connected to the PFSENSE LAN. If you have NAT enabled on the Asus, routing should work automatically. If you disable it, you'll need to add some static routes.

Just to be clear, in AP mode there is NO segmentation of guest VLANs - the setting to isolate guests from the main LAN does not function in AP mode unless it is part of an AIMesh setup with a master router in front of it. The only way to segment using AP is to have your own VLAN aware router and scripts on the Asus to segment the traffic.

Check and see if your model supports FreshTomato - that has VLAN support built in and may be the simplest solution for you.
 
Thank you for the answers @drinkingbird. I really appreciate the help. I should be able to figure it out knowing those things, but I do have two last questions.

1) Is there a tutorial guide on ASUS router scripting, or some basic templates, to get started if I go this route?

2) It looks like FreshTomato does support my router, which is great (I used an earlier version of TomatoUSB on an old Linksys WRT54G router way, way back), but my question is this: is FreshTomato generally considered safe by the members of this community? You look to have been around these parts for a spell, so I'll trust your answer as a good starting point. I mean, the point of this whole endeavor is to make my network more secure, not less, by introducing potentially unchecked malicious code onto my network via my Asus AP ;)
 

I used regular Tomato on I believe an Asus N router many years ago. I do not have experience with FT but I do see it recommended here a lot. Since it will be sitting behind your firewall, not a ton of risk, and definitely no reports of it being malicious etc that I've ever seen.

Guide on scripting is at https://github.com/RMerl/asuswrt-merlin.ng/wiki/User-scripts - that's just general stuff; as far as setting up VLANs etc., a lot of the info can be found in here. On my AC68U I'm using scripts just to send the built-in 501 and 502 out to certain physical ports, which is very easy. Prior to that I had played around with creating the VLANs and bridges and that was relatively straightforward too; I have some notes but I don't remember if they're complete. FT is probably the way to go if it works well for you; it should (as far as I know) be able to assign VLANs to each WiFi then trunk/tag those VLANs back to your PFSense, using the Asus as strictly an AP.

I use the services-start script just because it was easiest. In reality it would be better to use service-event start and trigger on certain events, so if you make a change in the GUI that overwrites your configs, they get reapplied. But honestly it hasn't been an issue for me, the only thing that would seem to overwrite it is making changes to guest wireless, LAN, etc and even some of that stuff doesn't seem to affect it, and if it does, just reboot.
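To make the two posts above concrete (sending the built-in 501/502 VLANs out a physical port from a services-start script, and re-applying from service-event when a GUI change rebuilds the switch table), here is an added example script. It is not drinkingbird's script and not from the Merlin wiki; it is written against the robocfg command the thread mentions. The port numbers (TRUNK_PORT, CPU_PORT), the services-start/service-event filenames and the service-event arguments it reacts to are assumptions that you must confirm against `robocfg show` and the Merlin user-scripts wiki for your model. The pfSense side (VLAN interfaces on 501/502, DHCP and firewall rules, and the static routes mentioned earlier if NAT is off) is not shown.

```shell
#!/bin/sh
# Added example, not a script from this thread: an asuswrt-merlin user script
# that puts the built-in Guest Wireless 1 VLANs (501 = 2.4 GHz, 502 = 5 GHz)
# tagged onto one LAN switch port that trunks back to pfSense, leaving that
# port's untagged VLAN 1 membership (the main LAN) as the firmware set it.
#
# Assumptions, all hypothetical until checked with `robocfg show` on the router:
#   TRUNK_PORT  switch port number behind the LAN jack used as the trunk
#   CPU_PORT    switch port facing the SoC (5 on many BCM470x-based models)
#   the firmware has already created vlan501/vlan502 and their bridges, which
#   happens on the 386 code base in router mode with intranet access disabled.

TRUNK_PORT="${TRUNK_PORT:-4}"
CPU_PORT="${CPU_PORT:-5}"
GUEST_VLANS="501 502"

# validate_port accepts a single switch port number that is not the CPU port.
# A typo here is how you tag the wrong jack and build the spanning-tree loop
# warned about earlier in the thread, so refuse anything else.
validate_port() {
    case "$1" in
        [0-8]) [ "$1" != "$CPU_PORT" ] ;;
        *) return 1 ;;
    esac
}

# vlan_ports_for prints the robocfg port list used for each guest VLAN: the
# trunk port tagged ("Nt") plus the CPU port tagged, so the vlan50x interface
# on the SoC keeps receiving the traffic.
vlan_ports_for() {
    printf '%st %st\n' "$TRUNK_PORT" "$CPU_PORT"
}

# plan_vlan_commands prints, one per line, the exact robocfg commands that
# apply_plan would run, so the plan can be reviewed before touching the switch.
plan_vlan_commands() {
    validate_port "$TRUNK_PORT" || { echo "bad TRUNK_PORT: $TRUNK_PORT" >&2; return 1; }
    for vid in $GUEST_VLANS; do
        printf 'robocfg vlan %s ports "%s"\n' "$vid" "$(vlan_ports_for)"
    done
}

# apply_plan runs the same commands for real. It only does anything when
# robocfg exists, i.e. when it is actually executing on the router.
apply_plan() {
    command -v robocfg >/dev/null 2>&1 || { echo "robocfg not found; run this on the router" >&2; return 1; }
    validate_port "$TRUNK_PORT" || return 1
    for vid in $GUEST_VLANS; do
        robocfg vlan "$vid" ports "$(vlan_ports_for)"
    done
}

# should_reapply decides, from the two arguments Merlin passes to
# /jffs/scripts/service-event (action and target), whether a GUI change is
# likely to have rebuilt the switch VLAN table so the tagging must be redone.
# The action/target pairs listed are assumptions; extend them as you observe
# which GUI saves undo your tagging.
should_reapply() {
    case "$1:$2" in
        restart:wireless|restart:net) return 0 ;;
        *) return 1 ;;
    esac
}

# Dispatch on how the script was installed: as services-start it applies once
# at boot; as service-event it reapplies only after relevant restarts; run by
# hand under any other name it just shows the plan.
main() {
    case "$(basename "$0")" in
        services-start) apply_plan ;;
        service-event)  if should_reapply "$1" "$2"; then apply_plan; fi ;;
        *)              plan_vlan_commands ;;
    esac
}

main "$@"
```

Install it as /jffs/scripts/services-start (executable, with JFFS custom scripts enabled in the GUI) and, if you want the re-apply behaviour, also as /jffs/scripts/service-event; run it under any other name first to see the plan, and confirm the result with `robocfg show` after boot. The switch-side trunk on the Dell PowerConnect then needs VLAN 1 untagged plus 501 and 502 tagged on the port facing the Asus.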
 
Cool! Thanks again. Your AC68U is basically the same as my AC66U_B1, the only difference is apparently the Wireless Chipset.

Mine: AC1750
Yours: AC1900

Other than that update, I believe the hardware is identical, right down to USB (1xUSB2, 1xUSB3) the dual-core ARM processor chip, etc. If I have any questions in the future, the script should be (almost) identical, but I'm going to try FreshTomato first, just to make my life easier :)

Thanks again!
 

Yeah, mine is an RT-AC1900 but it is identical to the AC68U (rev C and up I believe) with the exception of the model number. As long as the 66 isn't an HND chipset, which I don't believe it is, the VLAN scripts are relatively easy, depending on how much you want to accomplish.

In my case the asus is my main router and I'm trunking guest wifi to an AP (which is vlan aware so easy on that side) as well as assigning the guest VLAN to a physical port for repairing people's PCs which I wouldn't want to plug into my main LAN.
 
