1. Post filters have been ramped up due to high spam activity. If your post is marked for moderation, be patient. A moderator will review and release it as soon as possible.
    Dismiss Notice
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

[help] guest wifi with LAN port 1 under same VLAN

Discussion in 'Asuswrt-Merlin' started by jeorainc, Aug 13, 2017.

  1. jeorainc

    jeorainc New Around Here

    Aug 13, 2017
    Hi All,

    I have a NVR with LAN interface, and 2 IP Cameras which uses WiFi. I don't want them to access my private network, so I used to create a VLAN with guest WiFi and a single LAN port under openwrt routers.
    Sadly the old router was dead so I bought a R7000 and flashed it with merlin.

    Can someone teach me how to do so? I tried it for a long time but no luck.. maybe I am too new to networking.

    Port 1 and wl0.1 under VLAN 10
    This VLAN 10 has its own DHCP server, gateway
    VLAN10's members can see each other but cannot access VLAN1 (my home LAN)

    I tried the below, can someone help to modify it..

    Do the below at startup
    WAN0_IFNAME=`nvram get wan0_ifname`
    # Add vlan 10 to WAN0
    vconfig add $WAN0_IFNAME 10
    # Assign port 1,8 to vlan10, with port 8 tagged
    robocfg vlan 1 ports "2 3 4 8t"
    robocfg vlan 10 ports "1 8t"
    ifconfig vlan10 up
    # Remove guest wlan from br0 and assign it to br1, assign gateway IP
    brctl delif br0 wl0.1
    brctl addbr br1
    brctl addif br1 vlan10 wl0.1
    ifconfig br1 netmask broadcast
    # Drop any new connections from guest wifi to the router
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    # Allow guest wifi to access DHCP
    iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    # Allow guest wifi to access DNS
    iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
    # Set appropriate firewall rules for new br1
    iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
    iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
    nvram set lan_ifname="br0"
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan1_ifname="br1"
    nvram set lan_ifnames="wl0.1"
    killall eapd
    And use
    /jffs/scripts/dnsmasq.postconf to do the DHCP part..
    source /usr/sbin/helper.sh
    logger "dnsmasq-dhcp: Configure br1 to have special DHCP"
    #iptables -D INPUT -i br1 -j ACCEPT
    #iptables -I INPUT -i br1 -j ACCEPT
    ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP
    ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
    pc_append "
    " /tmp/etc/dnsmasq.conf
  2. Jack Yaz

    Jack Yaz Very Senior Member

    Apr 20, 2017
    Isn't R7000 a Netgear router? Merlin is AsusWRT based...
  3. jeorainc

    jeorainc New Around Here

    Aug 13, 2017
    an R7000 with xwrt-vortex flashed.. based on asuswrt-merlin
  4. netwrks

    netwrks Senior Member

    Apr 2, 2015
  5. jeorainc

    jeorainc New Around Here

    Aug 13, 2017
    I saw lots of discussion here about scripting to do the trick but I didn't see a lot over the official xwrt-vortex forum.. so I tried to ask here.
    Can someone try to answer assuming I am running merlin on Asus router.. as I go through the commands it seems they're the same
  6. ColinTaylor

    ColinTaylor Part of the Furniture

    Mar 31, 2014
    It's impossible to properly debug issues with XVortex's firmware because he refuses to release the source code so we don't know what changes he has made. This is particularly true when manipulating low level hardware settings as you are. So people here (an Asus hardware forum) are reluctant to waste their time with it.

Share This Page