Merlin AP Mode, WiFi on Guest Network w/ Tagged VLAN not working


Soulcage

Occasional Visitor
Hi All -

Apologies if duplicate post, I have come across many similar configs, but nothing identical with a solution.

I have two Asus RT-AC66U, one in router mode, one in AP mode, both running Merlin 380.65_2. Guest network (VLAN 100, 172.16.34.0/24) on the router is isolated to a dedicated VLAN / Bridge with separate DNSMasq for DHCP. All works great!

Port 1 on the router is connected to port 0 on the AP via a tagged link (VLAN 1 and VLAN 100). Ports 1,2,3 and eth1 and eth2 are in VLAN 1 (br0) on the AP. Devices plugged into these ports or connected to the AP Wifi work properly and can access all appropriate resources. Port 4 and WL0.1 and WL1.1 are in VLAN 100 (br1). Devices plugged into port 4 on the AP get an IP address in the appropriate range (172.16.34.0/24) and can connect to all appropriate resources. Devices that connect to the Guest Wifi on the AP get an IP address in the appropriate range, but are not able to access any resources. There is something strange going on with the WiFi interfaces while in AP mode that I haven't been able to put my finger on.

At this point, I have not performed any packet sniffing or deeper inspection. I suspect it is something with EBTables, but so far have not been successful with any changes here.

Any pointers are definitely appreciated. Various output and configs below. I suspect I'm missing something small here . . .

Thanks in advance!

robocfg output from router:
Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 2 jumbo: off mac: 00:01:5c:8f:a2:46
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:d9:b2:08
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 7c:f8:54:00:7d:9e
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 40:6c:8f:3e:43:22
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 30:85:a9:e6:32:f0
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 1t 2 3 4 8t
2: vlan2: 0 8u
100: vlan100: 1t 8t


brctl output from router:
bridge name bridge id STP enabled interfaces
br0 8000.3085a9e632f0 yes vlan1
eth1
eth2
br1 8000.3085a9e632f0 yes wl0.1
wl1.1
vlan100


Firewall-start snippet from router:
# Remove the WiFi 2.4GHz and 5GHz Guest 1 interfaces (wl0.1 / wl1.1) from br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# Create br1 for WiFi 2.4GHz and 5GHz Guest 1
brctl addbr br1
brctl stp br1 on
brctl addif br1 wl0.1
brctl addif br1 wl1.1

ifconfig br1 172.16.34.1 netmask 255.255.255.0 broadcast 172.16.34.255

# Fix WPA2 on Guest WiFi: tell the firmware which interfaces belong to which bridge,
# put VLAN 100 on the trunk (port 1) and CPU (port 8) tagged, then restart eapd so it
# picks up the new bridge membership
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan100 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
robocfg vlan 100 ports "1t 8t"
robocfg vlan 1 ports "1t 2 3 4 8t"
vconfig add eth0 100
ifconfig vlan100 up
brctl addif br1 vlan100
killall eapd
eapd

# Allow dnsmasq (DHCP/DNS) to be reached from br1; delete first so re-running
# firewall-start does not stack duplicate rules
iptables -D INPUT -i br1 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br1 -j ACCEPT

# Make IPv4 frames arriving on br1 go through the routing path (broute DROP = route)
# instead of being bridged, so the iptables FORWARD rules below actually see them
ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP

# Allow br1 WAN access ($WAN_IF and $WANIP are expected to be set earlier in the
# full firewall-start script; they are not defined in this snippet).
# Note: the remaining -I rules have no matching -D, so they are duplicated each time
# firewall-start is re-run (harmless for ACCEPT/DROP, but untidy).
iptables -t nat -I POSTROUTING -o $WAN_IF -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# Block br1 access to br0 (guest -> main LAN)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Block br1 from reaching the router's management services by port:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

robocfg output from AP:
Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 98:01:a7:b4:cb:65
Port 1: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 2: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:d9:b2:08
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 0t 1 2 3 4 8t
2: vlan2: 8t
100: vlan100: 0t 8t


brctl output from AP:

bridge name bridge id STP enabled interfaces
br0 8000.10bf48d9b208 no vlan1
eth1
eth2
br1 8000.10bf48d9b208 no wl0.1
wl1.1
vlan100


services-start snippet from AP:
#!/bin/sh

# Create VLAN 100: tagged on the trunk (port 0) and CPU (port 8), untagged on port 4;
# remove port 4 from VLAN 1 at the same time
robocfg vlan 100 ports "0t 4 8t"
robocfg vlan 1 ports "0t 1 2 3 8t"
vconfig add eth0 100
ifconfig vlan100 up

# Remove the WiFi 2.4GHz and 5GHz Guest 1 interfaces (wl0.1 / wl1.1) from br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# Create br1 for WiFi 2.4GHz and 5GHz Guest 1 and bridge it to VLAN 100
brctl addbr br1
brctl stp br0 on
brctl stp br1 on
brctl addif br1 wl0.1
brctl addif br1 wl1.1
brctl addif br1 vlan100
ifconfig br1 up

# Tell the firmware which interfaces belong to which bridge, then restart eapd
# so WPA2 on the guest SSIDs works with the new bridge membership
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan100 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
killall eapd
eapd
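Before sniffing, it is worth checking that the AP's live bridge and VLAN state actually matches what services-start tries to set, since a script that ran too early or only partly leaves exactly this kind of "IP works, traffic doesn't" symptom. The script below is an added example, not part of the thread or of Merlin itself; it parses `brctl show` and `robocfg show` output with plain awk and reports every difference from the intended guest topology (wl0.1, wl1.1 and vlan100 in br1, VLAN 100 carrying the ports services-start assigns, trunk port tagged, STP on). The embedded output is a constructed copy of the AP output posted above; on a live box replace the two variables with `$(brctl show)` and `$(robocfg show)`. Run on the posted output it flags that VLAN 100 shows `0t 8t` rather than the `0t 4 8t` the script sets, and that STP is off on both bridges despite `brctl stp ... on`, which suggests the dump was taken before the script ran or the script did not complete.

```shell
#!/bin/sh
# Constructed copies of the AP's "brctl show" and "robocfg show" output as posted
# in the thread, embedded so the checks run offline. On a live Merlin box use:
#   AP_BRCTL="$(brctl show)"; AP_ROBOCFG="$(robocfg show)"
AP_BRCTL='bridge name bridge id STP enabled interfaces
br0 8000.10bf48d9b208 no vlan1
eth1
eth2
br1 8000.10bf48d9b208 no wl0.1
wl1.1
vlan100'

AP_ROBOCFG='Switch: enabled gigabit
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 98:01:a7:b4:cb:65
Port 4: DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8: 1000FD enabled stp: none vlan: 1 jumbo: off mac: 10:bf:48:d9:b2:08
VLANs: BCM53115 enabled mac_check mac_hash
1: vlan1: 0t 1 2 3 4 8t
2: vlan2: 8t
100: vlan100: 0t 8t'

# bridge_of <iface> <brctl-show-output>: print the bridge containing <iface>, or nothing.
# brctl prints the first interface on the bridge line and the rest on their own lines.
bridge_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                                   # header line
        NF >= 3 { br = $1; iface = (NF >= 4) ? $4 : "" }   # bridge line
        NF == 1 { iface = $1 }                             # continuation line
        iface != "" && iface == want { print br; exit }
    '
}

# stp_of <bridge> <brctl-show-output>: print the "STP enabled" column (yes/no).
stp_of() {
    printf '%s\n' "$2" | awk -v br="$1" 'NR > 1 && $1 == br { print $3; exit }'
}

# vlan_ports <vid> <robocfg-show-output>: print the port list of VLAN <vid>, e.g. "0t 8t".
vlan_ports() {
    printf '%s\n' "$2" | awk -v vid="$1:" '
        $1 == vid { out = ""; for (i = 3; i <= NF; i++) out = out (i > 3 ? " " : "") $i; print out; exit }
    '
}

# check_guest_topology <brctl-output> <robocfg-output> <expected-vlan100-ports>
# Prints one MISMATCH line per deviation and returns 1 if any were found, 0 if clean.
check_guest_topology() {
    brctl_out=$1; robocfg_out=$2; want_vlan100=$3; bad=0
    for ifc in wl0.1 wl1.1 vlan100; do
        br=$(bridge_of "$ifc" "$brctl_out")
        if [ "$br" != "br1" ]; then
            echo "MISMATCH: $ifc is in '${br:-no bridge}', expected br1"; bad=1
        fi
    done
    got=$(vlan_ports 100 "$robocfg_out")
    if [ "$got" != "$want_vlan100" ]; then
        echo "MISMATCH: VLAN 100 ports are '$got', services-start sets '$want_vlan100'"; bad=1
    fi
    case " $(vlan_ports 1 "$robocfg_out") " in
        *" 0t "*) ;;
        *) echo "MISMATCH: trunk port 0 is not tagged in VLAN 1"; bad=1 ;;
    esac
    for br in br0 br1; do
        if [ "$(stp_of "$br" "$brctl_out")" != "yes" ]; then
            echo "MISMATCH: STP on $br is off although services-start runs 'brctl stp $br on'"; bad=1
        fi
    done
    return $bad
}

# Compare the posted AP state against what services-start intends ("0t 4 8t" for VLAN 100).
check_guest_topology "$AP_BRCTL" "$AP_ROBOCFG" "0t 4 8t" \
    || echo "AP state differs from services-start; re-run the script or check its log"
```

The same functions work for the router side by feeding it the router's `brctl show` / `robocfg show` output and passing `"1t 8t"` as the expected VLAN 100 port list.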
 
Hi @Soulcage - did you ever figure this out? I'd really like to use what you have here, or what you have working, as the basis of my script as I transition from Tomato to Merlin with a similar config as you.
 
