Prohibit Guest network device accessing lan in AP mode

newnews

Regular Contributor
Hi,

Recently I used Raspberry Pi4 as main router (wifi disabled, lan ip 192.168.10.1) and turned RT-AC68U to AP mode (lan ip 192.168.10.9) for wired/wireless network extender. Two routers are connected by cable. Everything works fine except guest wifi. The devices in guest network can still access my lan which is not expected. It was ok when using RT-AC68U in router mode, the only thing changed is gateway and DNS to 192.168.10.1 after switching to AP mode.

What is the problem?
 

APs cannot isolate clients from the rest of the LAN because they merely act as a bridge to your main router. Any isolation has to be implemented at the primary router.
 
APs cannot isolate clients from the rest of the LAN because they merely act as a bridge to your main router. Any isolation has to be implemented at the primary router.
thanks, so how to let main router know the devices are connected in guest wifi?
 
thanks, so how to let main router know the devices are connected in guest wifi?
You would have to ask the RPI4 community, I'm not familiar with how that router works.
 
@dave14305 was running OpenWrt on RPi and he is an Asuswrt wizard as well. :)

Look for VLAN setup for AC68U, this one is the easier model. Information available around SNB Forums.
 
Yes, with VLAN you can do it, I have the same AP as you, I use VLAN for completely isolated guest network.

But honestly instead of fumbling with the vlan commands, it's better to use the Fresh Tomato with GUI and full VLAN support, it works for AC68U.


If you're going to stay on Merlin, I wrote a guide a few years ago where the commands in the AP mode still apply today because that's how I do it.

 
Yes, with VLAN you can do it, I have the same AP as you, I use VLAN for completely isolated guest network.

But honestly instead of fumbling with the vlan commands, it's better to use the Fresh Tomato with GUI and full VLAN support, it works for AC68U.


If you're going to stay on Merlin, I wrote a guide a few years ago where the commands in the AP mode still apply today because that's how I do it.


Hello Yota:

On the main router, I created a guest network vlan10 (eth1.10) with DHCP 192.168.20.x, and the firewall only allows forwarding from guest to WAN. On the RT-AC68U, I used your script, and I am able to link vlan10 to my guest wifi; my guest device got an IP assigned in the 192.168.20.x range (my private IP is in 192.168.10.x), and internet access is fine:

Code:
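#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Do nothing if the switch already has VLAN 10 configured.
robocfg show | grep -i vlan10 > /dev/null 2>&1 || \
(
    # Create VLAN 10, tagged on switch ports 0 and 5, and bring up vlan10.
    robocfg vlan 10 ports "0t 5t"
    vconfig add eth0 10
    ifconfig vlan10 up

    # Move the guest wifi interface wl0.1 out of br0 into a new bridge br1 with vlan10.
    brctl addbr br1
    brctl delif br0 wl0.1
    brctl addif br1 vlan10
    brctl addif br1 wl0.1
    ifconfig br1 up

    # Record the new bridge membership in nvram.
    nvram set lan_ifnames="vlan1 eth1 eth2"
    nvram set lan_ifname="br0"
    nvram set lan1_ifnames="vlan10 wl0.1"
    nvram set lan1_ifname="br1"
    nvram commit

    # Restart eapd after the interface change.
    killall eapd
    eapd
)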

However, I am still able to access 192.168.10.x from guest network. To make sure my main router RPI4 is configured properly, I enabled guest wifi on RPI4 and linked vlan10 to wlan0. The devices directly connected to guest wifi on RPI4 can access internet but not the LAN.

It seems RT-AC68U is doing routing between 192.168.10.x and 192.168.20.x?
 
It seems RT-AC68U is doing routing between 192.168.10.x and 192.168.20.x?
You need to know, as RMerlin said "APs cannot isolate clients from the rest of the LAN", but it can use the VLAN you specify, and bind that vlan to a specific interface, such as guest wifi or a lan port.

You have to use your router (rpi) to isolate the traffic between the two vlans, that's the router's job, not the ap's.

So your router definitely doesn't have the isolation between vlans properly configured, otherwise it would work as expected. And don't use the guest wifi on the rpi, because it may be on a different interface; use your computer to connect to the ethernet interface of the rpi, and then modify the vlan of the computer to see if the problem can be reproduced.
 
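A check for the AP side of this setup, as an added example that is not part of the thread or of Yota's guide: it parses `brctl show` output and confirms that the guest interfaces from the script above (`vlan10`, `wl0.1`) are members of `br1` and not of `br0`. The function names and both sample outputs are constructed for illustration; the check covers bridge membership on the AP only, not the firewall rules on the main router.

```shell
#!/bin/sh
# Added example: audit `brctl show` text from the AP. Bridge and interface
# names follow the thread's script; both sample outputs are constructed.

# Print "bridge interface" pairs parsed from `brctl show` text on stdin.
bridge_members() {
    awk 'NR == 1 { next }                         # header row
         NF >= 4 { br = $1; print br, $4; next }  # first row of a bridge
         NF == 3 { br = $1; next }                # bridge with no members
         NF == 1 && br != "" { print br, $1 }     # continuation row
    '
}

# audit_guest_bridge LAN_BR GUEST_BR IFACE...
# Reads `brctl show` text on stdin. Prints one finding per problem and
# returns 1 if an interface is in LAN_BR or is absent from GUEST_BR.
audit_guest_bridge() {
    lan_br=$1; guest_br=$2; shift 2
    members=$(bridge_members)
    rc=0
    for ifc in "$@"; do
        if printf '%s\n' "$members" | grep -qxF "$lan_br $ifc"; then
            echo "LEAK: $ifc is a member of $lan_br"; rc=1
        fi
        if ! printf '%s\n' "$members" | grep -qxF "$guest_br $ifc"; then
            echo "MISSING: $ifc is not a member of $guest_br"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of the intended layout.
GOOD_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122334455       yes             vlan1
                                                        eth1
                                                        eth2
br1             8000.001122334455       no              vlan10
                                                        wl0.1'

# Constructed failure case: wl0.1 is still attached to the LAN bridge.
BAD_SAMPLE='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122334455       yes             vlan1
                                                        eth1
                                                        eth2
                                                        wl0.1
br1             8000.001122334455       no              vlan10'

# On the AP itself: brctl show | audit_guest_bridge br0 br1 vlan10 wl0.1
printf '%s\n' "$BAD_SAMPLE" | audit_guest_bridge br0 br1 vlan10 wl0.1 ||
    echo "guest bridge audit failed"
```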
No matter how I configure the main router, the guest devices can still access private lan. The main router configuration works on another AP router with guest wifi (not merlin firmware). I decide to flash Tomato firmware.
 
No matter how I configure the main router, the guest devices can still access private lan. The main router configuration works on another AP router with guest wifi (not merlin firmware). I decide to flash Tomato firmware.
If you're running it in AP mode, there is no routing. So something was messed up, the AP can't do what it can't do.
 
If you're running it in AP mode, there is no routing. So something was messed up, the AP can't do what it can't do.
Yeap, I flashed FreshTomato firmware, and I reached my goal in a few clicks. I have been using Merlin for many years, so I would like to say thanks to the developer.
 
Hello!
I have the following problem.
There is an AiMesh network of AX86U + AX86S.
There is a 2.4GHz guest tarzan_R1 mesh for smart home devices from the 192.168.10.x range.
In this case, the main network has addressing 10.7.0.x.
The guest grid is system-wide.
Sometimes, one of my IoT devices connects to a far node AX86S and for some reason gets an address from the network 10.7.0.x
When I reboot the second AX86S node, the IoT devices switch to the main AX86U node and successfully obtain a DHCP address from the guest network 192.168.10.x

What is the reason for this behaviour?

Firmware :
AX86S - Current Version : 3.0.0.4.388_22525-gd35b8fe
AX86U - Current Version : 388.2_alpha1-g0372e21e53

In the photo below, there are two identical smart home devices, but they are connected to different nodes of their guest network.

1678685823094.png
1678685870410.png
1678685927251.png
 
AX86U - Current Version : 388.2_alpha1-g0372e21e53

Your main router is running early Alpha firmware to begin with. It's for testing purposes only and unsupported. You have to check if the issue is present with stock Asuswrt (and report it to Asus) or in Asuswrt-Merlin 388.2 stable release when ready (and report it here).
 
If the behavior is the same with Asuswrt 388_22525 on the main router - report it to Asus.
 
How did you define Guest Network IP range? The default is 192.168.101.x for 2.4GHz Guest Network 1.
 
