
GUI and SSH access from tagged VLAN / Guest network.


Klavaro

New Around Here
Hello everyone!

I have an RT-AX68U router, and I'd like to set up VLANs and subnets to have a proper DMZ and internal network to build a homelab.
I followed this guide https://wu.renjie.im/blog/network/ax88u-vlan/ which helped me set up the basic stuff.
The problem is I can't access the GUI or SSH from the newly created VLAN. I disabled the firewall to check if that could be the reason after hours of playing around with iptables, but it didn't help.
So I came up with the idea to try it with my phone on one of the built-in guest networks. Same thing.

Do the built-in web server and SSH server only listen on the default LAN subnet/interface?

Or is there something else I'm missing?

Thanks in advance!
 

Guest networks cannot access the router GUI by default (unless you have access intranet enabled, even then I'm not sure if they can).

If you want them to be able to (not sure why) you may have to look at ebtables and make sure it is not blocked there (since you've already looked at iptables).

Setting up VLANs on your HND based router is far more complex than the ones that support robocfg, but sounds like you have most of it working.
 
Guest networks cannot access the router GUI by default (unless you have access intranet enabled, even then I'm not sure if they can).

The guest network is a different VLAN and a different subnet by default, but if I enable the intranet access it doesn't create the VLAN at all. (not even a subnet iirc)


If you want them to be able to (not sure why) you may have to look at ebtables and make sure it is not blocked there (since you've already looked at iptables).

I'll check out ebtables now, I dumped the INPUT and FORWARD tables before, but those were empty. The goal is not to allow guest users to access the router, but to create a VLAN that can. Maybe I should just try to do it with br0, but I'm afraid that would cause even more problems to solve.
edit:
All I could find was the BROUTING chain in the broute table, all the other ones were empty with the accept policy. These are the rules for the guest networks:
Code:
-p IPv4 -i wl0.1 --ip-dst 192.168.101.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 10.66.0.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl0.1 --ip-dst 192.168.101.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl0.1 --ip-dst 10.66.0.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.1 --ip-proto icmp -j ACCEPT
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 10.66.0.0/24 --ip-proto icmp -j DROP
-p IPv4 -i wl1.1 --ip-dst 192.168.102.0/24 --ip-proto tcp -j DROP
-p IPv4 -i wl1.1 --ip-dst 10.66.0.0/24 --ip-proto tcp -j DROP
I removed them to see if that would help but it didn't.


Setting up VLANs on your HND based router is far more complex than the ones that support robocfg, but sounds like you have most of it working.

Yeah, I spent days searching for information before I could start comfortably. I'm still not sure if I should be changing nvram or not.

These are my current scripts if anyone is wondering.
services-start:
Bash:
#!/bin/sh

# Make sure the script is indeed invoked
touch /tmp/000-services-start-2

# Physical port to interface map:
# eth0   WAN
# eth1   LAN 4
# eth2   LAN 3
# eth3   LAN 2
# eth4   LAN 1
# eth5   2.4 GHz Radio
# eth6   5 GHz Radio


# Delete those interfaces that we want to isolate from br0
logger -t "isolate_port" "services-start-2: deleting LAN 1 (eth4) from br0"
brctl delif br0 eth4
logger -t "isolate_port" "services-start-2: deleting LAN 2 (eth3) from br0"
brctl delif br0 eth3

#Adding VLAN 0 and 101 interfaces
logger -t "isolate_port" "services-start-2: creating vlan interfaces (0 and 101) for LAN 1 (eth4) and LAN 2 (eth3)"
vconfig set_name_type DEV_PLUS_VID_NO_PAD

vconfig add eth4 0
ifconfig eth4.0 up

vconfig add eth4 101
ifconfig eth4.101 up

vconfig add eth3 0
ifconfig eth3.0 up

vconfig add eth3 101
ifconfig eth3.101 up

# Create a new bridge br4 for our isolated interfaces
logger -t "isolate_port" "services-start-2: creating br4 for LAN 1 (eth4) and LAN 2 (eth3)"
brctl addbr br4

brctl stp br4 on # STP to prevent bridge loops

brctl addif br4 eth4.101
brctl addif br4 eth3.101

# Set up the IPv4 address for br4 and bring it up
# Here we set the subnet to be 10.66.10.0/24
# IPv6 link local address will be assigned automatically
ifconfig br4 10.66.10.1 netmask 255.255.255.0
ifconfig br4 allmulti up

# So we have internet
brctl addif br4 eth4.0
brctl addif br4 eth3.0

logger -t "isolate_port" "services-start-2: all done"
date >> /tmp/000-services-start-2
firewall-start:
Bash:
#!/bin/sh

# Make sure the script is indeed invoked
touch /tmp/000-firewall-start-2
logger -t "isolate_port" "firewall-start-2: applying INPUT rules for br4"

# Insert our rules in front of the OVPNSI jump (first match only). If that
# rule is missing, $count would be empty and every iptables call below would
# fail, so fall back to the top of the chain.
count=$(iptables -nL INPUT --line-numbers | grep "OVPNSI" | head -n 1 | cut -d' ' -f1)
count=${count:-1}

#iptables -I INPUT $count -i br4 -j DROP
iptables -I INPUT $count -i br4 -p udp -m udp --dport 68 -j ACCEPT
iptables -I INPUT $count -i br4 -p udp -m udp --dport 67 -j ACCEPT
iptables -I INPUT $count -i br4 -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT $count -i br4 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -I INPUT $count -i br4 -p tcp -m tcp --dport 22 -j ACCEPT

logger -t "isolate_port" "firewall-start-2: applying FORWARD rules for br4"

# Same idea for FORWARD: insert in front of the other2wan jump
count=$(iptables -nL FORWARD --line-numbers | grep "other2wan" | head -n 1 | cut -d' ' -f1)
count=${count:-1}

# Forbid packets from br4 to be forwarded to other interfaces
# no need for this because:
# 18       0     0 logdrop    all  --  *      *       0.0.0.0/0            0.0.0.0/0
#iptables -I FORWARD $count -i br4 -j DROP

# But allow packet forwarding inside br4
iptables -I FORWARD $count -i br4 -o br4 -j ACCEPT

# Allow packet forwarding between br4 and eth0 (WAN)
iptables -I FORWARD $count -i br4 -o eth0 -j ACCEPT

# Allow one-way traffic from br0 to br4
# no need for this because:
# 17     320 45243 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
#iptables -I FORWARD $count -i br0 -o br4 -j ACCEPT

# no need for this because:
# 1      387 56676 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
#iptables -I FORWARD $count -i br4 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT

logger -t "isolate_port" "firewall-start-2: all done for br4"
date >> /tmp/000-firewall-start-2
edit2:
dnsmasq.conf.add:
Bash:
interface=br4
# DHCPv4 range: 10.66.10.2 - 10.66.10.254, netmask: 255.255.255.0
# DHCPv4 lease time: 86400s (1 day)
dhcp-range=br4,10.66.10.2,10.66.10.254,255.255.255.0,86400s
# DHCPv4 router (option 3): 10.66.10.1
dhcp-option=br4,3,10.66.10.1
dhcp-host=D0:50:99:36:E3:80,set:D0:50:99:36:E3:80,Klavaro,10.66.10.21
 
After a couple of hours of suffering I restored the config where I gave up previously.
Out of curiosity I entered the link http://router.asus.com/ into my browser to see what was the error I saw originally. Lo and behold it loaded the GUI, but the DNS resolves to the default LAN subnet's router IP. That made me try SSH on that IP and that worked too. Now the thing is, from my understanding this should not work. I didn't set up routes between the default LAN subnet and the newly created VLAN's subnet. Not even mentioning the VLAN tags.
Anyways, here are some screenshots of my settings:
[three screenshots of the settings]

This is what happens if I try to access the router from the proper IP:
[screenshot]

And this magic happens if I use the default LAN IP:
[screenshot]

Same with the UI.

Does anyone have any idea what the hell is happening?
 

Guest Wireless 1 is the only one that sets up a separate VLAN and subnet, the other two use your main VLAN/subnet but add filters to block access from clients on the guest interface to your LAN and the router. If this wasn't the case, DHCP, DNS, etc. would not work for guests (well DHCP probably would since it uses broadcast and helper addresses, but DNS wouldn't).
 

Every interface on the router is directly connected, thus it has a route to it and the router GUI would be accessible from every interface. The only way to filter out access is using iptables/ebtables which is what Asus does by default at least on my non-HND router. Perhaps when you restored it you somehow lost that filtering.
 
Guest Wireless 1 is the only one that sets up a separate VLAN and subnet, the other two use your main VLAN/subnet but add filters to block access from clients on the guest interface to your LAN and the router. If this wasn't the case, DHCP, dns, etc would not work for guests (well DHCP probably would since it uses broadcast and helper addresses, but DNS wouldn't).

As you can see the Guest Network index is 1 (for both 2.4GHz and 5GHz), I hope that's the one you mentioned.
[screenshot of the Guest Network settings]



Every interface on the router is directly connected, thus it has a route to it and the router GUI would be accessible from every interface. The only way to filter out access is using iptables/ebtables which is what Asus does by default at least on my non-HND router. Perhaps when you restored it you somehow lost that filtering.

Quite the opposite, right now I have the default rules the router created plus my own ones that I posted previously. You would think adding the right ones would allow me to access the router on the proper IP (10.66.10.1), that's why I played around with unplugging the WAN cable and disabling the firewall altogether, but that did nothing.

Any ideas what I should try?
I tried to look up what nvram and eapd are for.
Someone asked it years before, but sadly no one answered: https://www.snbforums.com/threads/asuswrt-persistence-of-vlan-settings-role-of-eapd.56239/
According to this guy's comments: https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4 eapd reads values from the nvram, that's why everyone's using it.
So I googled eapd to find out what that is, with little to no result. All I could find was this: https://www.linksysinfo.org/index.p...pen-your-own-thread.74117/page-66#post-300961 where this guy says it's for Wi-Fi authentication.
Besides that I found some source code: https://github.com/gygy/asuswrt/blob/master/release/src/router/eapd_arm_7/eapd.c and quickly scrolling and searching through it I believe it is indeed for Wi-Fi authentication.
So if I'm not mistaken the wired part should be working without touching nvram and eapd.

Can someone elaborate please?
 

Yes, Guest Wireless 1 is the one that creates separate VLANs and subnets (192.168.x.x subnet, you can't customize that). VLAN 501 for 2.4 GHz, VLAN 502 for 5 GHz, and if you have a router with a second 5 GHz band, that's 503. With AiMesh backhaul those VLANs (along with VLAN 1 for your main traffic) are trunked to the nodes.

I notice you aren't propagating your Guest to the nodes (router only). Not sure if that is intentional, I guess it doesn't really have any bearing on what we're discussing here, other than the fact that it probably won't create those VLANs on the nodes if you aren't propagating the guest wireless to them.

With everything defaulted and a guest wireless 1 network set up, you can verify in the CLI that the router knows a route to every client connected, whether it is wired or wireless, guest or regular LAN, etc. The only thing preventing access to the router from guest networks should be some sort of filtering (MAC/ebtables or IP/IPtables, or both). I guess they could be hiding the filter for the GUI somewhere but at least on my router it is clearly in the normal rulesets.

I'm not sure on the eapd, I know in some VLAN threads it is mentioned to bounce it in your script after changing VLANs but when I was toying with it, it wasn't necessary.

I'm not sure what you mean about wired part should be working, if you toss a wired port into the guest VLAN, update ebtables/iptables as needed to allow that client to hit the router GUI, it should work. There may be a process you need to bounce to get the new ruleset loaded, not sure on that one, someone who does more with the firewall customization can hopefully confirm that.
 
Yes Guest Wireless 1 is the one that creates separate VLANs and subnets (192.168.x.x subnet, you can't customize that). VLAN 501 for 2.4ghz, VLAN 502 for 5Ghz, and if you have a router with a second 5Ghz band, that's 503. With AIMESH backhaul those VLANs (along with VLAN 1 for your main traffic) are trunked to the nodes.

Thank you for the information (everything helps since this is my first time ever configuring something like this on a network device; I had only played around with an OpenWRT router, but that was easy since I could just tick some checkboxes and put the VLAN IDs in the GUI). Regarding customization, I believe YazFi exists for that exact reason. I even tried that, to no avail, but there was an option to change the subnet.


I notice you aren't propagating your Guest to the nodes (router only). Not sure if that is intentional, I guess it doesn't really have any bearing on what we're discussing here, other than the fact that it probably won't create those VLANs on the nodes if you aren't propagating the guest wireless to them.

Well, this is my single device besides the ISP's modem, so I don't use AiMesh. I bought this to see if I could use it as if it were an enterprise-level Wi-Fi router, mainly focusing on the DMZ part. Comparing the price range with MikroTik/Ubiquiti alternatives, it seemed like the AX68U's Wi-Fi parts are stronger/faster/better. (The goal was not to buy a router and an access point, to keep the costs down.)
Hopefully if I pay someone a couple of bucks I'll have this problem figured out and I can continue configuring my hypervisor, and the firewall and NAS running on it.


With everything defaulted and a guest wireless 1 network set up, you can verify in the CLI that the router knows a route to every client connected, whether it is wired or wireless, guest or regular LAN, etc. The only thing preventing access to the router from guest networks should be some sort of filtering (MAC/ebtables or IP/IPtables, or both). I guess they could be hiding the filter for the GUI somewhere but at least on my router it is clearly in the normal rulesets.

Thank you for verifying that my concept of how networking works is still somewhat correct. (It was back in high school, like 4 years ago, when I learned about it in a really basic CCNA course using Packet Tracer. My problem was that they didn't really teach debugging different kinds of problems; you had to memorize what step comes after what without really understanding how the system behaves. That's eastern Europe for you. Sorry for going off topic, I'd like people to understand that I'm not really familiar with this part of IT. I might be missing something very obvious.)

I used iptables-save to see all the tables, chains and rules the router uses.

Code:
-A POSTROUTING -s 10.66.0.0/24 -d 10.66.0.0/24 -o br0 -j MASQUERADE
-I PREROUTING 1 ! -d 10.66.0.0/24 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.66.0.1:18017
These were the only rules that got me wondering; the INPUT and FORWARD chains are simple to understand. I might play with these two tonight.

Regarding ebtables, the router doesn't have the ebtables-save on it, (Should I try to install it from somewhere?) so I googled what kind of tables could it have, and only found the BROUTING chain non-empty.


I'm not sure on the eapd, I know in some VLAN threads it is mentioned to bounce it in your script after changing VLANs but when I was toying with it, it wasn't necessary.

What is your VLAN setup? Do you use it for wired or wireless stuff? To me it seems like only wireless-related things require it.


I'm not sure what you mean about wired part should be working, if you toss a wired port into the guest VLAN, update ebtables/iptables as needed to allow that client to hit the router GUI, it should work. There may be a process you need to bounce to get the new ruleset loaded, not sure on that one, someone who does more with the firewall customization can hopefully confirm that.

I meant that nvram and eapd is for wireless. Right now my goal is to have VLAN work properly on wired LAN.


TL;DR: I need ideas on how to debug, or what info I should post to let experienced people suggest what I should do. I'm literally willing to pay someone.
 
Seems like I was right from the beginning, according to netstat both of the services are listening on the br0 interface's subnet only:

Code:
adminuser@asusrouter:/tmp/home/root# netstat -lntup | grep ":22"
tcp        0      0 10.66.0.1:22            0.0.0.0:*               LISTEN      1361/dropbear
adminuser@asusrouter:/tmp/home/root# netstat -lntup | grep ":80"
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1251/httpd
tcp        0      0 10.66.0.1:80            0.0.0.0:*               LISTEN      1251/httpd

I came across this before even opening this thread, but it seems like I should have just googled how to see what IP/port combos the router is listening on: https://www.snbforums.com/threads/asus-web-gui-conf-files.17597/ No configuration options are available for httpd, it gets values from the nvram. Httpd uses the 'lan_ipaddr=10.66.0.1' nvram variable; I searched for it in Notepad++ and it found 84 hits in the httpd source code, so changing that would be a possible solution. One possible ghetto way is using DNAT and SNAT with these commands:

Code:
iptables -t nat -I PREROUTING -d 10.66.10.1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.66.0.1:80
iptables -t nat -I POSTROUTING -p tcp -d 10.66.0.1 --dport 80 -j SNAT --to-source 10.66.10.21

I also looked through the source code; if I'm not mistaken I could launch another daemon specifying the interface name, maybe that would help.

[screenshot]
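The redirect idea above, as an added example that is not part of the original post or of the Asuswrt code: a small sh script with (1) a check that confirms, from netstat output, which address a daemon is bound to, and (2) the DNAT workaround narrowed to packets arriving on br4, from br4's own subnet, addressed to br4's own IP, so the rewritten path cannot be reached from the WAN or the guest Wi-Fi interfaces. The addresses (br4 = 10.66.10.1 in 10.66.10.0/24, lan_ipaddr = 10.66.0.1) and the ports 80 and 22 are taken from the thread; the script name gui_redirect.sh, the function names and the embedded netstat sample are constructed for this example. It prints the rules for review and only applies them when invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that httpd/dropbear are bound to
# lan_ipaddr only, then print a br4-scoped NAT redirect for the GUI and SSH.
# Assumed values, taken from the thread: br4 = 10.66.10.1 (10.66.10.0/24),
# lan_ipaddr = 10.66.0.1, ports 80 (httpd) and 22 (dropbear).
VLAN_IF="${VLAN_IF:-br4}"
VLAN_IP="${VLAN_IP:-10.66.10.1}"
VLAN_NET="${VLAN_NET:-10.66.10.0/24}"
LAN_IP="${LAN_IP:-10.66.0.1}"

# Constructed sample of 'netstat -lntup' output, using the values the thread
# shows, so the check can be exercised offline.
NETSTAT_SAMPLE='tcp        0      0 10.66.0.1:22            0.0.0.0:*               LISTEN      1361/dropbear
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1251/httpd
tcp        0      0 10.66.0.1:80            0.0.0.0:*               LISTEN      1251/httpd'

# listens_on ADDR PORT [NETSTAT_OUTPUT]: succeed if a TCP listener is bound to
# exactly ADDR:PORT. Without a third argument the live netstat output is used.
listens_on() {
    if [ $# -ge 3 ]; then printf '%s\n' "$3"; else netstat -lntup 2>/dev/null; fi |
    awk -v want="$1:$2" '$1 == "tcp" && $4 == want && $6 == "LISTEN" { found = 1 }
                         END { exit !found }'
}

# gui_redirect_rules: print (do not apply) the iptables commands that let br4
# clients reach the GUI and SSH at br4's own address. The DNAT matches only
# packets that arrive on br4, from br4's subnet, addressed to br4's IP, so no
# other interface is affected. No SNAT is needed: a DNATed packet whose new
# destination is local goes to INPUT and never traverses nat POSTROUTING, and
# conntrack rewrites the reply's source back to VLAN_IP.
gui_redirect_rules() {
    for port in 80 22; do
        printf 'iptables -t nat -I PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$VLAN_IF" "$VLAN_NET" "$VLAN_IP" "$port" "$LAN_IP" "$port"
        # After DNAT the packet is delivered locally, so accept it in INPUT,
        # again restricted to br4 and br4's subnet.
        printf 'iptables -I INPUT -i %s -s %s -d %s -p tcp --dport %s -j ACCEPT\n' \
            "$VLAN_IF" "$VLAN_NET" "$LAN_IP" "$port"
    done
}

# Usage: ./gui_redirect.sh        -> report bindings and print the rules
#        ./gui_redirect.sh apply  -> apply them (run on the router as root)
main() {
    for port in 80 22; do
        if listens_on "$LAN_IP" "$port" && ! listens_on "$VLAN_IP" "$port"; then
            echo "port $port: bound to $LAN_IP but not to $VLAN_IP, redirect needed"
        fi
    done
    if [ "${1:-}" = apply ]; then
        gui_redirect_rules | while IFS= read -r cmd; do $cmd; done
    else
        gui_redirect_rules
    fi
}
case "${0##*/}" in gui_redirect.sh) main "$@" ;; esac
```

The `-s`/`-d`/`-i` triple on the DNAT is the part that matters from a security standpoint: an unscoped `-d 10.66.10.1 --dport 80` rule would also rewrite packets that reach that address from any other interface the router happens to accept them on. On Asuswrt-Merlin the nat-table rules would normally be placed in nat-start rather than firewall-start, since the firewall restart rebuilds the nat chains separately.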
 

Honestly I would go with a Ubiquiti Edgerouter and AP over the Asus any day, especially if you're looking for enterprise level (which it isn't, but far closer than Asus).

It looked like you had AiMesh enabled or I thought you had mentioned it, disregard that part then.

I use VLANs to trunk from my Asus to my outdoor Ubiquiti Access point (so I can have both regular and guest outside) as well as to put a wired port into the guest network so that I can use that when I am either fixing someone's PC or doing something on a spare desktop that I want isolated.

Originally I was using my own VLAN 999 but found it far easier to just take advantage of the VLAN 501 and 502 that are now built in when you enable GW1 since they already have everything you need set up including DHCP etc.

I moved to this Asus when I decided to downsize my home network (had a Cisco router, Juniper firewall, HP ProCurve switch, 3 Ubiquiti APs, a couple of servers, etc). I've tried to maintain some of the flexibility and isolation I had with that setup, but knew I would be sacrificing a lot of it. Especially since I know Cisco like the back of my hand whereas BusyBox/Linux definitely aren't my forte.

I was tempted to do EdgeRouter and keep my APs but I wanted to really downsize; once I got rid of my servers and the like, there just wasn't anything to really justify the extra cost. I got my RT-AC1900 for $25 on clearance at Walmart and it still serves me perfectly well.

However VLAN stuff on my router is a lot easier than yours since it supports robocfg. It is doable on yours just more complex and makes less sense (though it is more powerful, being able to pop/strip tags etc).
 

Yeah, I was just speaking from a purely routing perspective. Didn't realize they would be binding the listener to specific interfaces. So even though there is a route, it is not listening on the interface the traffic is coming in from (for SSH at least). There should be a config file or maybe an NVRAM variable somewhere that you can modify, unless they've buried it in the actual code.

However, the HTTP listening on the loopback 127.0.0.1 should mean it is accessible from any interface in theory.

You should be able to play with routing and maybe get it so traffic from other interfaces can hit br0 to access the GUI; not sure how flexible the static routing in these is, or if you can do source routing etc. You also need to make sure that when you do add that route you aren't opening your WAN or other parts of your network up that you don't want; double-check the firewall rules etc.

However, it is not uncommon to only have a single management VLAN, even on enterprise-class hardware. So it would make more sense to just associate whatever VLAN you want as your LAN VLAN to br0 and make the rest not able to hit the management stuff.

In my case I'm just using the default VLAN 1 for LAN/Trusted and 501 and 502 from the guest networks for untrusted stuff. 501 and 502 can't hit the GUI or SSH and that's how I want it. The more default code you can use and the less tweaking/workarounds, the better, less risk of unintended consequences.
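Added example, not from the thread or from Asuswrt: a small POSIX shell helper that reads `netstat -lntup` output of the kind posted above and classifies each listener by what it is bound to, which is the quickest way to tell whether a service can answer on a new VLAN or guest bridge at all before touching routes or iptables. The sample output is constructed to mirror the posted lines; 10.66.0.1 as the br0/lan_ipaddr address, the 10.66.10.0/24 VLAN and the dnsmasq lines are assumptions. Two facts it makes visible: a socket bound to 127.0.0.1 only takes connections from processes on the router itself, and a socket bound to 10.66.0.1 will still accept a connection arriving on another bridge as long as the client addresses 10.66.0.1 (Linux is a weak-host system), so for that case the firewall INPUT chain on the ingress interface is the gate, not the bind address.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies each listening socket in
# `netstat -lntup` output so you can see which services can never answer on a
# new VLAN or guest bridge no matter what routes or firewall rules you add.
# The sample below is constructed to match the output posted in the thread;
# 10.66.0.1 (br0 / lan_ipaddr) and the dnsmasq lines are assumptions.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.66.0.1:22            0.0.0.0:*               LISTEN      1361/dropbear
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      1251/httpd
tcp        0      0 10.66.0.1:80            0.0.0.0:*               LISTEN      1251/httpd
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1100/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1100/dnsmasq'

# bind_scope ADDR:PORT -> prints one of: any-address, loopback-only, single-address
bind_scope() {
    case "${1%:*}" in
        0.0.0.0|::)    echo any-address ;;    # every interface, WAN included if INPUT lets it through
        127.0.0.1|::1) echo loopback-only ;;  # only processes running on the router itself
        *)             echo single-address ;; # only when the client connects to exactly that IP
    esac
}

# answers LISTENER_ADDR:PORT DST_IP -> exit 0 if a packet the router receives for
# DST_IP:PORT lands on that socket. A socket bound to 10.66.0.1 accepts a
# connection that came in on br1 as long as the client addressed 10.66.0.1;
# what then decides is the firewall INPUT chain for the ingress interface.
answers() {
    bind_ip=${1%:*}
    case "$(bind_scope "$1")" in
        any-address)    return 0 ;;
        loopback-only)  [ "$2" = 127.0.0.1 ] ;;
        single-address) [ "$2" = "$bind_ip" ] ;;
    esac
}

# report NETSTAT_TEXT -> one line "proto addr:port program scope" per listener
report() {
    printf '%s\n' "$1" |
    awk 'NR > 2 && ($1 == "tcp" || $1 == "udp") { print $1, $4, $NF }' |
    while read -r proto addr prog; do
        echo "$proto $addr $prog $(bind_scope "$addr")"
    done
}

# On the router itself you would run:  report "$(netstat -lntup 2>/dev/null)"
report "$SAMPLE_NETSTAT"
# dropbear is single-address: from a 10.66.10.0/24 client, connect to 10.66.0.1,
# not to the router's VLAN address, and open INPUT on that bridge for port 22 only.
answers 10.66.0.1:22 10.66.10.1 || echo "22 on 10.66.10.1: no socket bound there"
answers 10.66.0.1:22 10.66.0.1  && echo "22 on 10.66.0.1: socket answers if INPUT allows it"
```

The script only needs BusyBox sh and awk, so it runs unchanged on the router. If you do open INPUT for a management port from a second VLAN, restrict the rule to that bridge, that destination address and that port, so the same rule cannot be matched by traffic arriving on the WAN interface.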
 
Honestly, I would go with a Ubiquiti EdgeRouter and AP over the Asus any day, especially if you're looking for enterprise level (which it isn't, but far closer than Asus).

It looked like you had AiMesh enabled or I thought you had mentioned it, disregard that part then.

I use VLANs to trunk from my Asus to my outdoor Ubiquiti access point (so I can have both regular and guest outside), as well as to put a wired port into the guest network so that I can use that when I am either fixing someone's PC or doing something on a spare desktop that I want isolated.

Originally I was using my own VLAN 999 but found it far easier to just take advantage of the VLAN 501 and 502 that are now built in when you enable GW1 since they already have everything you need set up including DHCP etc.


Thank you for taking the time to answer me, I appreciate it.

My buddy works for a small company (5-15 people) which does IT networking/system administration related work. They use MikroTik devices most of the time for their customers rather than Ciscos; according to my buddy's knowledge those are about ~3 times cheaper. And he said basically they could do the same thing as they could with the Cisco ones. Are there any alternatives to Cisco that you would consider enterprise level? (Once again, sorry everyone for going off topic)



Yeah my goal is to have a proper strict configuration, since my server will be accessible from the internet.

I'm just not 100 percent sure how I will do it, since I'd prefer to be able to use file sharing between my PC and one other computer, but without letting that computer access any management-related stuff.
Also I'd like to use my laptop via Wi-Fi for management in case my PC is down.
I already broadcast 4 SSIDs; adding a 5th management one wouldn't be really good if the router doesn't support / can't work properly with virtual access points. I'll have to do some more research on that. According to this comment: https://www.snbforums.com/threads/ssid-to-vlan.24791/page-3#post-548097 the guy was able to get it to work on his router. (10 minutes of Googling 'asus router "virtual access point" site:snbforums.com' and 'asus router "virtual access point" site:reddit.com' didn't really yield enough results.)
And the last thing would be setting up the most strict part, which is for the server.

Also, a VPN server running on the server and on the router separately would be nice. (I'm thinking about using the VPN all the time for managing the server, even from the management VLAN, so I wouldn't have to set up routing between the management VLAN and the DMZ VLAN.)
 

I don't have a lot of experience with MikroTik, but I know they are on par with Ubiquiti, which I have used. Nothing will be on par with Cisco (your friend probably doesn't need to use a lot of the real advanced stuff they can do for smaller companies), and neither brand is going to be "enterprise". The closest you might come to Cisco at a lower cost is Juniper, but that is still going to cost a lot more than the small-business-oriented stuff.

Unless you're running servers or other stuff that needs a lot of segmentation and protection etc, it's probably not necessary to run enterprise-level stuff at home. The power cost alone adds up quickly. But if you wanted to, you can get end-of-sale Cisco/Juniper/etc equipment off eBay for reasonable prices, but you're still going to be in the hundreds if not thousands depending on what kind of performance you want. Unless you have accounts with those companies you'll be stuck with whatever software comes on them (their software is not free or publicly available, though sometimes you can get lucky and find a site with the specific one you need). Both Ubiquiti and MikroTik should give you the flexibility and features you want, and they update their software for free for the life of the unit. Again, I don't have experience with MikroTik, but Ubiquiti all operates through a single management station and all interoperates quite well. They have routers, firewalls, switches, and APs that will all be managed from one place.