Iptables functionality on 3006.102.4

RandomUser777

Regular Contributor
Dirty upgrade from 3004 to 3006.102.4 on my AX88u-Pro a couple days ago.

All looked good so far, except I have some iptables rules in firewall-start that do not seem to work anymore.

One set of rules DNAT'd any DNS other than those in the CleanBrowsing ranges. I.e., if a device used any CleanBrowsing DNS, it went through fine. Try to use 8.8.8.8, or 9.9.9.9 or anything else, and the requests were directed to CleanBrowsing Family.

This does not seem to work on 3006.

Any thoughts?
 
All looked good so far, except I have some iptables rules in firewall-start that do not seem to work anymore.
Might help others if you post the full firewall-start file contents so people can review and see if there are any issues.

If you are referencing Guest Network Pro clients then things are slightly different than the 3004.388.x firmware. There is some discussion on using IPTables in several other recent posts in reference to the 3006.102.4 Asus-Merlin firmware. Here is one of those discussions:
In particular my post here with some example scripting for Guest Network Pro clients:
https://www.snbforums.com/threads/t...st-network-pro-limitations.94438/#post-952345
 
I'm following other threads that talk about this topic to see if I can solve my problem, but so far I haven't found a solution.
In my case, the Intranet access from Guest Network Pro doesn't work and I have tried to solve it with iptables, but on my router it does not work either.
I have tried @bennor's suggestions without success.
I have seen that in other router models it works, so I suspect that not all firmware are equally well implemented.
 
In my case, the Intranet access from Guest Network Pro doesn't work and I have tried to solve it with Iptable, but in my router it does not work either.
You may, if you haven't done so already, have to dump the entire iptables (iptables-save -c or iptables-save) from the router and review it line by line to see if or where Intranet access is being blocked. One can also review such an iptables dump to see if their firewall-start script is being properly added to iptables.
 
Code:
#!/bin/sh

REJECT="REJECT --reject-with icmp-host-prohibited"
REJECT_TCP="REJECT --reject-with tcp-reset"

#block dhcp allocated devices 224-255
iptables -I FORWARD        -s 192.168.50.224/27 -j $REJECT
iptables -I FORWARD -p tcp -s 192.168.50.224/27 -j $REJECT_TCP

#allow Nintendo Bedrock Server for Switch
iptables -t nat -A PREROUTING -p udp -s 192.168.50.191 -d 104.238.130.180 --dport 53 -j DNAT --to 104.238.130.180
iptables -t nat -A PREROUTING -p tcp -s 192.168.50.191 -d 104.238.130.180 --dport 53 -j DNAT --to 104.238.130.180

#Redirect all other DNS to Kids DNS if not 168 or 169 CBDNS Ranges
iptables -t nat -A PREROUTING -p udp ! -d 185.228.168.0/23 --dport 53 -j DNAT --to 185.228.168.53
iptables -t nat -A PREROUTING -p tcp ! -d 185.228.168.0/23 --dport 53 -j DNAT --to 185.228.168.53
 
The nat table rules are safer in nat-start than in firewall-start.
NB: I am intending on this to be either global or applied to the main bridge/network, so this should not be a SDN issue.
 
Thanks for your help once again, but my knowledge of iptables is very limited.
Inside the dump I can't find any REJECT, only ACCEPT and DROP.
My LAN IP is in the range 192.168.0.x and the Guest Network Pro is in VLAN 53 and range 192.168.53.x.
The only thing I have found in the dump that refers to those IPs are the following lines

-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -o br0 -j MASQUERADE
-A POSTROUTING -s 192.168.53.0/24 -d 192.168.53.0/24 -o br53 -j MASQUERADE

-A FORWARD -s 192.168.53.0/24 -d 192.168.0.0/24 -i br53 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.53.0/24 -i br0 -j ACCEPT

-A SDN_FI -d 192.168.0.1/32 -i br53 -j DROP

I don't know if that will be enough.
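The review bennor suggests (dump iptables-save and read it line by line) and the DNS DNAT logic of the firewall-start script posted earlier in the thread can both be checked offline. What follows is an added example, my own code and not from the thread, the poster, or the Asuswrt-Merlin firmware. It parses a constructed iptables-save dump built from the rule lines quoted in this post plus the DNS DNAT rules of the posted script; the `-A FORWARD -i br53 -j SDN_FI` jump and its position ahead of the ACCEPT rules are my assumption, since the post only quotes the lines that mention those subnets. It then walks the nat PREROUTING chain the way the kernel does (first matching terminating rule wins) to show where a DNS query to 8.8.8.8 versus a CleanBrowsing address actually ends up, walks filter FORWARD for a guest-to-LAN packet, and lists filter rules that could drop guest-to-LAN traffic.

```python
"""Offline audit of an iptables-save dump: added example, my own code, not the
thread's or the firmware's.  Assumptions are marked in comments."""
import ipaddress
import shlex

# Constructed sample in iptables-save format.  Rule lines come from this thread
# (the quoted POSTROUTING/FORWARD/SDN_FI lines and the DNS DNAT rules of the
# posted firewall-start script).  The "-A FORWARD -i br53 -j SDN_FI" jump and
# its position before the ACCEPT rules are my assumption; the post does not show it.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -s 192.168.50.191/32 -d 104.238.130.180/32 -p udp -m udp --dport 53 -j DNAT --to-destination 104.238.130.180
-A PREROUTING ! -d 185.228.168.0/23 -p udp -m udp --dport 53 -j DNAT --to-destination 185.228.168.53
-A PREROUTING ! -d 185.228.168.0/23 -p tcp -m tcp --dport 53 -j DNAT --to-destination 185.228.168.53
-A POSTROUTING -s 192.168.0.0/24 -d 192.168.0.0/24 -o br0 -j MASQUERADE
-A POSTROUTING -s 192.168.53.0/24 -d 192.168.53.0/24 -o br53 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
:SDN_FI - [0:0]
-A FORWARD -i br53 -j SDN_FI
-A FORWARD -s 192.168.53.0/24 -d 192.168.0.0/24 -i br53 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 192.168.53.0/24 -i br0 -j ACCEPT
-A SDN_FI -d 192.168.0.1/32 -i br53 -j DROP
COMMIT
"""

MATCH_OPTS = ("-s", "-d", "-p", "-i", "-o", "--dport")
TERMINAL = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}


def parse_dump(text):
    """Parse iptables-save text into rule dicts; matches map option -> (negated, value)."""
    rules, table = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                    # table header such as *nat
            table = line[1:]
        elif line.startswith("-A "):                # ':' chain lines and COMMIT are skipped
            toks = shlex.split(line)
            rule = {"table": table, "chain": toks[1], "matches": {}, "target": None, "to": None}
            negate, i = False, 2
            while i < len(toks):
                t = toks[i]
                if t == "!":                        # iptables-save writes '!' before the option
                    negate, i = True, i + 1
                elif t in MATCH_OPTS:
                    rule["matches"][t] = (negate, toks[i + 1])
                    negate, i = False, i + 2
                elif t == "-j":
                    rule["target"], i = toks[i + 1], i + 2
                elif t in ("--to", "--to-destination"):
                    rule["to"], i = toks[i + 1], i + 2
                else:                               # -m <module> and anything else we ignore
                    i += 2 if t == "-m" else 1
            rules.append(rule)
    return rules


def rule_matches(rule, pkt):
    """pkt: dict with src, dst, proto, dport and optionally iif/oif."""
    for opt, (neg, val) in rule["matches"].items():
        if opt in ("-s", "-d"):
            addr = ipaddress.ip_address(pkt["src" if opt == "-s" else "dst"])
            hit = addr in ipaddress.ip_network(val, strict=False)
        elif opt == "-p":
            hit = pkt["proto"] == val
        elif opt in ("-i", "-o"):
            hit = pkt.get("iif" if opt == "-i" else "oif") == val
        else:                                       # --dport
            hit = pkt.get("dport") == int(val)
        if hit == neg:                              # plain option needs a hit, '!' needs a miss
            return False
    return True


def walk(rules, table, chain, pkt, policy="ACCEPT"):
    """First matching terminating rule wins, as in the kernel.  Returns (verdict, rule);
    a user-defined chain that falls through hands (None, None) back to its caller."""
    for r in rules:
        if r["table"] != table or r["chain"] != chain or not rule_matches(r, pkt):
            continue
        if r["target"] in TERMINAL:
            return r["target"], r
        if r["target"] == "RETURN":
            return policy, None
        verdict, hit = walk(rules, table, r["target"], pkt, policy=None)
        if verdict is not None:
            return verdict, hit
    return policy, None


def dns_destination(rules, pkt):
    """Address a DNS packet really goes to after nat PREROUTING."""
    verdict, rule = walk(rules, "nat", "PREROUTING", pkt)
    return rule["to"] if verdict == "DNAT" else pkt["dst"]


def intranet_blockers(rules, guest_if, lan_net):
    """Filter-table DROP/REJECT rules that can hit traffic from guest_if toward lan_net."""
    lan, found = ipaddress.ip_network(lan_net), []
    for r in rules:
        if r["table"] != "filter" or r["target"] not in ("DROP", "REJECT"):
            continue
        iif, dst = r["matches"].get("-i"), r["matches"].get("-d")
        if iif and not iif[0] and iif[1] != guest_if:       # bound to another interface
            continue
        if dst and not dst[0] and not ipaddress.ip_network(dst[1], strict=False).overlaps(lan):
            continue                                        # aimed at something outside the LAN
        found.append(r)
    return found
```

To use it on a real router, save `iptables-save > /tmp/dump.txt` over SSH, copy the file off, and call `parse_dump(open("dump.txt").read())`; `dns_destination` on a query to 8.8.8.8 should return the CleanBrowsing address if the firewall-start DNAT is loaded and is the first PREROUTING rule that matches, and `walk(rules, "filter", "FORWARD", pkt)` returns the rule that produced the verdict, which is the line to look at when a guest-to-LAN packet is dropped.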
 
@madre, did you ever post how you set up your Guest Network Pro profiles? Which Profile(s) are you using and how did you configure it/them? Is "Use same subnet as main network" enabled or disabled? You mentioned wanting or using VPN with Guest Network Pro in one of your posts; using VPN may potentially cause an issue with trying to have intranet access at the same time the VPN tunnel for the Guest Network Pro profile is active. How one sets up the Guest Network Pro Profile may be impacting the ability to properly use iptables or the Guest Network Pro Access Intranet option.
 
@bennor, as I already commented in another post, the VPN is not configured (for the moment) in the Guest Network Pro profile (to prevent it from interfering).
My configuration is very simple:
I have only one Guest Network Pro profile on VLAN 53 (I have tried first with VLAN 52 without success). This profile was created with the Customized Network option, the “Use same subnet as main network” option is disabled and “Access Intranet” is enabled (even though it doesn't work and the option does not appear when creating the profile, only once created).
I don't know if it can have an effect, but in LAN-IPTV I have configured an ISP profile that is necessary for my Internet and TV connection.
 

Attachments: 1.png, 2.png, 3.png
I have only one Guest Network Pro profile on VLAN 53 (I have tried first with VLAN 52 without success).
Run the following via SSH and see what it returns.
brctl show

Could be something specific to the GT-AXE16000. Do you have any other features or options enabled like AP Isolation, gaming, AiProtection, Dual WAN, addon scripts, any changes to the Firewall settings in the GUI, etc.?
 

@bennor, I attach an image of the brctl show result.
I don't have any other features or scripts enabled. I am testing on a version installed with a factory reset and I only have configured, as I mentioned, a profile in LAN-IPTV without which I cannot connect to the Internet, all other features are configured by default.
Since it works for you, I would ask you to check if when you create a Customized Network profile the Access Intranet option appears, since it does not appear for me, only when the profile is created.
This is the first firmware version of the 3006 branch for this router and I can't determine if in any other previous version that option appeared.
Thanks for your help.
 

Attachments: 1.png, 2.png
The brctl show results look OK (similar to what I see on a RT-AX86U Pro).

Attached are two examples showing a Customized Network profile with the Access Intranet option. In the past some of us have found that Guest Network Pro gets a bit wonky if we've added and removed a number of Profiles. Like the firmware gets confused and incorrectly displays the options for a Profile. What you may have to do is delete all existing Guest Network Profiles, then reboot the router. Give the router 5 to 10 minutes to settle down after reboot, then try adding in a new Guest Network Pro Profile and see if the missing options show up.

My current setup uses the IoT Guest Network Profile. I also have the WiFi Bands option set to a single WiFi band, not to 2.4 GHz/5 GHz.
 

Attachments: Customized_Network 2.jpg, Customized_Network.jpg
Thank you very much for your interest and help.
I have done everything you said before without success (deleting profiles, turning off the router, etc.)
I sincerely believe that Guest Network Pro is poorly implemented, at least in some models.
This update hasn't been good for my router. I've detected other failures lately. For example, today the WAN port dropped from 1 Gbps to 100 Mbps for no apparent reason, and Wi-Fi devices frequently fail in the 6 GHz band, even though they worked well before.
I will wait a little longer to see if the bugs are fixed. If not, I will revert to the previous version on the 3004 branch.
Thank you again for your help. I will try again with a new update and let you know.
 
I sincerely believe that Guest Network Pro is poorly implemented, at least in some models.
Yes, the Guest Network Pro feature feels like it's still beta. Quite a few have reported issues with it on this forum, and/or people are finding it not operating as expected. Like with the IoT profile having the "Use same subnet as main LAN" option defaulting to enabled and causing the IoT profile not to be isolated from the main LAN. The Access Intranet option seems to be one that quite a few have reported not working properly as well. Which is why some have had to resort to trying to use iptables to solve the issue.
 
One problem I have noticed with Guest Network Pro is cross compatibility with nodes. Nodes are better off being newer, more supported models than older ones; otherwise the already limited band steering support seems more broken, ergo Guest Network Pro seems more beta/alpha in such an environment. Note: this is from testing on the original Asus Beta firmware, and not the new RMerlin release.
 
