Last feature I find missing in Asuswrt-Merlin

xman1

Occasional Visitor
This firmware is near perfect but it is missing one critical thing... The ability to block a 'wired' client from viewing the Intranet.

Example, I want my Dish DVR to be able to have wired internet access, but I really don't want that device to also have Intranet access. It doesn't need to see what is on my network. I want to limit it to a few internal IPs, such as the wireless Joeys. I would take it where a hard switch to stop all intranet traffic and only allow internet traffic, so maybe adding internal IPs is asking a bit much.

I can do these types of things with the Guest Wifi but I cannot do it with a wired client.

Thoughts?
 
You should be able to use a custom firewall rule. Something like:

Code:
iptables -A INPUT -m mac --mac-source FF:FF:FF:FF:FF:FF -d 192.168.1.0/24 -j DROP

I'm not an iptables expert, so take that with a grain of salt.
 
LAN to LAN traffic should never reach iptables rules since the traffic would not need to be routed.
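
The point made in the reply above, modelled as an added example that is not part of any post in this thread: a simplified classifier for which iptables chain, if any, sees a packet from a wired LAN client, and whether the rule suggested earlier would drop it. The router address and the client and destination addresses are constructed assumptions; only the 192.168.1.0/24 subnet comes from the thread, and broadcast traffic is ignored.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")   # subnet used in the thread's rule
ROUTER = ipaddress.ip_address("192.168.1.1")   # assumed router LAN address


def netfilter_path(src, dst, lan=LAN, router=ROUTER):
    """Return the iptables chain that sees a packet sent by a LAN host, or None."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in lan:
        raise ValueError("source is not a LAN host")
    if dst == router:
        return "INPUT"    # addressed to the router itself (DNS, web UI, ...)
    if dst in lan:
        return None       # same subnet: switched at layer 2, never routed
    return "FORWARD"      # off-subnet: routed by the router towards the WAN


def rule_matches(chain, dst, rule_chain="INPUT", rule_dst=LAN):
    """Would '-A INPUT -m mac ... -d 192.168.1.0/24 -j DROP' drop this packet?

    Assumes the source MAC already matches the rule's --mac-source.
    """
    return chain == rule_chain and ipaddress.ip_address(dst) in rule_dst


# Constructed sample flows from a wired client at 192.168.1.50
FLOWS = {
    "client -> LAN peer": ("192.168.1.50", "192.168.1.60"),
    "client -> router": ("192.168.1.50", "192.168.1.1"),
    "client -> internet": ("192.168.1.50", "203.0.113.10"),
}


def evaluate(flows=FLOWS):
    """Map each flow name to (chain seen, dropped by the thread's rule)."""
    result = {}
    for name, (src, dst) in flows.items():
        chain = netfilter_path(src, dst)
        result[name] = (chain, rule_matches(chain, dst))
    return result


if __name__ == "__main__":
    for name, (chain, dropped) in evaluate().items():
        print(f"{name:20} chain={chain!s:8} dropped={dropped}")
```

In this model the rule never touches client-to-peer traffic, and the only packets it drops are those addressed to the router itself.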
 
100% agree. Looking for a GUI add-on really though so anyone can do this. Even just a no/yes item even. If I go messing with IPTables, now I am going to have to redo that every time I do an upgrade, and this is beside the point that IPTables is a pain in the butt from my past experiences.
 
This too. Local traffic.
 
Interesting. How does the router implement wireless MAC filtering?
 
It's a feature of the WiFi chipset that the clients are connecting to. This is physically separate to the CPU/switch chip that the LAN devices are connected to.
 
And the same for bandwidth limiting I assume?
 
Huh. I'm surprised to learn there are multiple codebases that cover scanning and identification of packets. So a packet has to go through whatever wireless stuff scans for, then through whatever QoS scans for, and then finally through iptables (if it's to/from WAN)?
 
Surplus router with a static IP on a different address and plug the Dish TV cable into it. Point the router to your gateway IP.
 
What you call "scanning" is just basic routing, switching, bridging and packet filtering. These are the most basic functions of a router that are happening at a hardware or kernel level. Optimising throughput is what the Broadcom engineers and Linux kernel developers have spent years working on. If you think you can improve on it I'm sure they'd be interested in hearing from you. :)
 
Basically you are looking for a VLAN. The good news is the Asus routers support VLAN, but it is not easy to configure it.

At least I understand, no one in this forum really understands the use of Broadcom VLAN. However, you can still buy a router with VLANs for isolation.
 