How to restrict guest network intranet to SSH & http only?

BaronVonchesto

Occasional Visitor
So some background first on what I'm doing. I have an Asus AC66U running ASUSWRT-merlin (380.70).

My main home network is running on 192.168.1.xxx/24

I'm planning to engage a freelance dev on Fiverr to do some dev work for me, to interface with an industrial device using my Raspberry Pi. To that end I need to give WAN SSH access to my Pi so the dev can work remotely. However, I'm concerned about the security of giving access to my home network to some unknown guy on the internet, so I want to restrict access as much as possible.

So what I had in mind was to put the Raspberry Pi onto a guest wifi network where I can assign a "static" DHCP IP to the Raspberry Pi (say 192.168.2.2). I will port forward ports 80, 443 and (some other port translated to 22) to the Raspberry Pi so that the dev can SSH to the Pi and the web server is accessible from WAN.

However, I also want to be able to SSH/SFTP to the Pi from my main LAN, and also access the web server, while blocking all access to my LAN from the Pi (so allow initiation of traffic from 192.168.1.x -> 192.168.2.x but not the other way round). Other than that, I need the Pi to have access to the internet as usual. I also want to make sure the Pi cannot SSH to the router or access the web admin interface of the router.

Is this doable with Merlin? I have a basic idea of how iptables works, but not enough knowledge to create the rules myself.
Or else I'm not averse to switching from Merlin to FreshTomato, though I'd like to avoid this if I can, since it would mean downtime of internet access for my family, who are online 24/7.

Here's an image of my proposed network topology and what I'd like to achieve:
[attached image: network map.jpg]

PS: once the dev is done with his work I will revoke the SSH key I give him and remove the port forwarding set in the router.
 

ColinTaylor

Part of the Furniture
Don't bump. Your original post was less than 24 hours old.
 

Jack Yaz

Part of the Furniture
YazFi will do the bulk of this. The cross network communication of SSH and HTTPS can be achieved using a YazFi user script to add pinhole iptables rules for those ports
 
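As an added example (not code from the thread, from YazFi or from Merlin), here is an iptables script that implements the policy described in the original post: LAN may open connections to the Pi, the Pi may reach the internet but not the LAN or the router's SSH/web UI, and WAN ports 80, 443 and an alternate SSH port are forwarded to the Pi. It assumes the guest SSID is on its own routed interface and subnet (as YazFi sets up), and the interface names, router-side ports and the external SSH port 2222 are assumptions to be checked on your router.

```bash
#!/bin/sh
# Added example: guest-network isolation for the topology in the thread.
# Interface names and the external SSH port are assumptions; verify with
# `ifconfig` and `nvram get lan_ifname` on your own router.
IPT=${IPT:-iptables}      # set IPT=echo to print the rules instead of applying
LAN_IF=br0                # main LAN bridge, 192.168.1.0/24 (assumed)
GUEST_IF=wl0.1            # guest SSID interface, 192.168.2.0/24 (assumed)
WAN_IF=eth0               # WAN interface (assumed; may be vlan2 or ppp0)
PI=192.168.2.2            # the Pi's reserved DHCP address from the post
SSH_EXT=2222              # external port that maps to the Pi's port 22 (assumed)

guest_rules() {
    # Own chain so the rules can be flushed and re-applied idempotently.
    $IPT -N GUEST_FW 2>/dev/null
    $IPT -F GUEST_FW
    # Replies to connections opened by the LAN are allowed; this is what lets
    # LAN -> Pi SSH/HTTPS work while the Pi cannot initiate anything to the LAN.
    $IPT -A GUEST_FW -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A GUEST_FW -i "$GUEST_IF" -o "$LAN_IF" -j DROP      # guest -> LAN blocked
    $IPT -A GUEST_FW -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT    # guest -> internet ok
    $IPT -A GUEST_FW -i "$LAN_IF" -o "$GUEST_IF" -j ACCEPT    # LAN -> guest ok
    # WAN -> Pi only on the forwarded services (port 22 is the post-DNAT port).
    $IPT -A GUEST_FW -i "$WAN_IF" -o "$GUEST_IF" -d "$PI" -p tcp \
        -m multiport --dports 22,80,443 -m state --state NEW -j ACCEPT
    # Evaluate GUEST_FW before the firmware's own FORWARD rules.
    $IPT -D FORWARD -j GUEST_FW 2>/dev/null
    $IPT -I FORWARD 1 -j GUEST_FW
    # Router itself: guest clients get DHCP and DNS only, never SSH or the web UI.
    $IPT -I INPUT 1 -i "$GUEST_IF" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -I INPUT 2 -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    $IPT -I INPUT 3 -i "$GUEST_IF" -j DROP
    # Port forwards from WAN: 80 and 443 straight through, SSH_EXT -> 22.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp -m multiport --dports 80,443 \
        -j DNAT --to-destination "$PI"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$SSH_EXT" \
        -j DNAT --to-destination "$PI:22"
}

# Invoke as `sh guest-fw.sh apply` (e.g. from /jffs/scripts/firewall-start).
case "${1:-}" in
    apply) guest_rules ;;
esac
```

Run it once with `IPT=echo sh guest-fw.sh apply` to review the generated rules before applying them.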

BaronVonchesto

Occasional Visitor
Yeah, YazFi was the first thing I looked into. Unfortunately the AC66U is not supported by YazFi, even though it is in the supported list, as the final Merlin firmware available is older than the minimum firmware needed for YazFi.
 

Jack Yaz

Part of the Furniture
Are you not able to install John's fork? 380.70 is riddled with security flaws.
 

BaronVonchesto

Occasional Visitor
But why would I want to do that? I'm not familiar with John's fork, but I know it is based on an older 374 release. What possible reason would I want to go through the hassle of going back to an older firmware base?

Surely at this point I'd be better off moving to something like Tomato instead?
 

ColinTaylor

Part of the Furniture
374 was the release that it was originally forked from. Since then it has been continuously updated with security fixes and features, a lot of which are back ported from the current Merlin release. So just because it says "374" in the name doesn't mean it's old or out of date.
 

BaronVonchesto

Occasional Visitor
Okay, I guess it couldn't hurt to try installing the latest John's fork.
Though from what I've read I have to do a factory reset and won't be able to restore settings from a saved config file, but rather reconfigure everything, right? As I'm coming from 380 Merlin.
 

L&LD

Part of the Furniture
Correct. Full reset to factory defaults. Minimal and Manual configuration to secure the router and connect to your ISP.
 

BaronVonchesto

Occasional Visitor
Well, I switched my router firmware to the latest John's fork, did a full factory reset before and after the flash, then reformatted the jffs2 partition and reconfigured the bare minimum.

However, I notice that the 5GHz wifi stays on 20MHz channel width no matter what I change the setting to. This is reported by inSSIDer, whereas previously I had it fixed to 40MHz width. The wifi performance is also worse than what it used to be when I was running Merlin 380.

My laptop shows the link rate as 242Mbps on 802.11ac, and running jPerf the best I can get is around 110Mbps after multiple tests. Previously I could push around 180-200Mbps on wireless.

I know there are a lot of things that affect wifi performance, so should I open a separate thread for this? For the record, there are 0 other 5GHz wifi networks detected in the vicinity as shown by inSSIDer, so I should have the best possible SNR when I'm just 30 feet away from the router within line of sight.
 

ColinTaylor

Part of the Furniture
Report the problem in the dedicated thread for the release of John's fork that you're using. That way John and other users of the fork will see it.

Bear in mind that transmit power will vary on the 5GHz band depending on which channels you are using. So for example, my UK router has significantly less power on channels 36-64 compared to 100-144. YMMV
 

BaronVonchesto

Occasional Visitor
Thanks, I shall do just that.

What matters more in wireless communication is not the transmit power but rather the signal-to-noise ratio. As I said, I was some 30 feet away from the router in line of sight, and there are no 5GHz networks on or adjacent to the channel my SSID is on. So unless there is some non-wifi noise in the spectrum, I should have the best theoretically possible SNR, and the detected RF strength was around -60dB, which is pretty strong.
 
