Repeater connected to Guest SSID bypassing Access Intranet = Disable


hiluke88

Occasional Visitor
Hoping someone can point out something I've misconfigured somehow to remove this security issue.

I connect an RT-AC68U in repeater mode to the Guest network of the primary RT-AX86U router. Access Intranet is disabled for the Guest network, however any devices connected to the repeater can see all devices connected to the primary router, bypassing the access intranet = disabled setting. Any devices connected directly to the guest network do not have intranet access as expected.

Network Devices:
RT-AX86U primary router running Merlin 386.1_2
RT-AC68U repeater running Merlin 386.1_2
This setup replaces a configuration I have had in place for 4+ years (until the RT-N56U recently died): RT-AC68U primary router on Merlin 384.19, RT-N56U repeater bridge on Padavan 3.X.3.9-099. What was the primary RT-AC68U has now become the repeater, and the primary router is now a RT-AX86U.

Configuration:
LAN Subnet 192.168.22.0/24 with primary router 192.168.22.1 and repeater configured to manual IP of 192.168.22.2 (Gateway and DNS on repeater set to 192.168.22.1).
DHCP range 192.168.22.20 - 192.168.22.254

SSID setup:
RT-AX86U SSIDs: PRIMARY and PRIMARY_5G, WPA2-Personal
RT-AX86U Guest SSIDs: GUEST and GUEST_5G (configured in index 2), WPA2-Personal
RT-AC68U SSIDs: STUDIO and STUDIO_5G, WPA2-Personal
(I had to disable the WPA2/WPA3-Personal option on the RT-AX86U because it stopped an old iPad and LG TV from connecting).
RT-AC68U joins the network as a repeater by connecting to the GUEST SSID of the RT-AX86U.

Scenario:
People connecting to the GUEST and STUDIO SSIDs only need to connect to the network for internet access.
GUEST and STUDIO SSIDs should not be able to access devices on the primary network.
The repeater connecting to the GUEST SSID will then broadcast its own networks so they are completely isolated from the primary network.
Connecting the repeater to the GUEST network was how I had previously isolated the repeater network from the primary network, as Access Intranet was set to Disable on the GUEST networks.

Issue:
Any devices I connect to the STUDIO SSIDs on the repeater (via the GUEST SSID on the primary router) can see all devices on the Primary network. I do not want this, and they should be isolated because the GUEST network has Intranet access disabled.
Examples of this include:
- The Network Map client list on the Repeater Web UI shows all devices connected to the primary router.
- When opening a chromecast app (e.g. Foxtel, Prime Video, Netflix) I can see all chromecast devices connected to the primary network. This is actually how I discovered the problem. The STUDIO network doesn't have any chromecasts on it, yet the cast icon popped up in the apps, showing all chromecasts connected to the PRIMARY router. Guests connected to the STUDIO network should not be able to chromecast to devices on the primary network.
- When I do a network scan in a file explorer, I can see the PC on the primary network.

However when I connect a device directly to the GUEST SSID on the primary router, it is isolated from the main network as expected. The devices cannot see any other devices on the primary network.
This is only an issue for devices connected via the repeater.

It seems fairly easy to replicate. Set up a secondary router as a repeater for the GUEST network of the primary router with Access Intranet = Disable.

What I have tried:
1. AIMesh. I tried to achieve a similar setup by using "Sync to AIMesh Node" to get the GUEST network on index 1 to the second router. However I had a lot of issues with devices not staying connected (especially cameras connected to PRIMARY SSID) and general network latency from other devices. Disabling the Guest network in index 1 resolved this, but meant I couldn't get a guest network on the secondary router. Also AIMesh wouldn't allow me to segregate the LAN ports on the repeater off to the guest network.
2. Guest SSIDs in index 2 and 3. No difference.
3. Guest SSIDs in 2.4GHz and 5GHz. No difference.

What this now means is that if someone gives me access to the guest network of an Asus router, thinking I'll be isolated from their Intranet, they will actually be giving me full access to their network.
Surely this is a security issue?
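A way to verify the Chromecast symptom described above from a client on the repeater's STUDIO SSID, as an added example that is not code from this thread or from Asus/Merlin: it sends an mDNS PTR query for _googlecast._tcp.local (the service Chromecasts advertise) and reports every instance name that answers; on a correctly isolated guest network nothing on the primary LAN should respond. The function names, the "expected" allow-list and the sample Chromecast answer used for offline testing are all constructed here, not taken from the thread.

```python
import socket, struct, time

MDNS_GROUP, MDNS_PORT, PTR, QU_IN = "224.0.0.251", 5353, 12, 0x8001  # QU bit | class IN

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def mdns_ptr_query(service="_googlecast._tcp.local"):
    """One-question mDNS PTR query; the QU bit asks responders to answer us by unicast."""
    return struct.pack(">6H", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack(">HH", PTR, QU_IN)

def decode_name(pkt, off):
    """Decode a DNS name, following compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], 0, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # pointer to a name earlier in the packet
            end = end if jumped else off + 2
            off, jumped = ((length & 0x3F) << 8) | pkt[off + 1], True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), end if jumped else off
        labels.append(pkt[off:off + length].decode(errors="replace"))
        off += length

def ptr_targets(pkt):
    """Service instance names carried in the PTR records of an mDNS response."""
    qd, an, ns, ar = struct.unpack(">4H", pkt[4:12])
    off, found = 12, []
    for _ in range(qd):
        off = decode_name(pkt, off)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == PTR:
            found.append(decode_name(pkt, off)[0])
        off += rdlen
    return found

def sample_response():  # constructed Chromecast answer (not captured traffic) for offline testing
    rdata = encode_name("Chromecast-Living-Room")[:-1] + b"\xC0\x0C"  # pointer to owner name at offset 12
    return (struct.pack(">6H", 0, 0x8400, 0, 1, 0, 0) + encode_name("_googlecast._tcp.local")
            + struct.pack(">HHIH", PTR, 1, 120, len(rdata)) + rdata)

def assess(cast_names, expected=()):
    """Isolated only if no Chromecast outside the expected (guest-side) set answered."""
    leaked = sorted(set(cast_names) - set(expected))
    return {"isolated": not leaked, "chromecasts_leaked": leaked}

def check_discovery_leak(listen_secs=2.0, expected=()):
    """Send the query from the guest/STUDIO client and collect every PTR answer."""
    names = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(0.5)
        s.sendto(mdns_ptr_query(), (MDNS_GROUP, MDNS_PORT))
        deadline = time.time() + listen_secs
        while time.time() < deadline:
            try:
                names.extend(ptr_targets(s.recvfrom(4096)[0]))
            except (OSError, IndexError, struct.error):
                continue  # timeout or a malformed packet; keep listening
    return assess(names, expected)
```

Run check_discovery_leak() from a laptop on the STUDIO SSID; a non-empty chromecasts_leaked list means discovery traffic is crossing the guest boundary. Responders that ignore the QU bit answer by multicast, which this socket does not join, so an empty result is a hint rather than proof of isolation.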
 

eibgrad

Very Senior Member
Really just a guess at this point, but one of the issues w/ guest networks on ASUS/Merlin routers is the inconsistency of implementation. On some routers (and different builds), guests will be part of the *same* network as the private, where separation is managed (presumably) using ebtables at the ethernet level. On other routers, it's managed using *different* IP networks, and thus managed using iptables.

The problem w/ anything based on ebtables is that kind of firewall doesn't extend to other switches. It's localized to that switch alone. But an IP based firewall doesn't suffer from that problem.

I happen to know the RT-AC68U *always* uses a different IP network for guests, even w/ the latest 386.1 build. But many other routers use the same IP network, *except* when using the first guest network. A recent change was made for the benefit of AiMesh to support a different IP network w/ the first guest. That's when I noticed you mentioned using the *second* guest network rather than the first, then your other issues w/ the first guest (which I suspect did provide the isolation you wanted/expected).

For all I know it could be something completely different at play here, but the fact your RT-AC68U worked previously, and now your RT-AC86U doesn't, and while using the 2nd or 3rd guest networks, makes me highly suspicious it's this issue of having the same network used for both the private and guest networks. In general, I don't like it because it can lead to weird problems. At the very least, it usually means your guests can see your private resources through network discovery (if not access them). Using a different IP network just avoids a lot of these kinds of issues. But when it comes to AiMesh issues, that's outside my area of expertise.

Bottom line, if using the first guest network resolves the problems (putting aside your other issues w/ AiMesh), I have a strong feeling this issue of having the guests on the same network is the source of the problem.

hiluke88

Occasional Visitor
Thanks for the response.

I think the different subnet may be the next thing I try (by using the guest profile on network index 1, defaulting into the 192.168.101.x or 192.168.102.x subnets). I hadn't tried this index with the repeater configuration as I've been really hesitant of this index because of all the dropouts I experienced when I set up AIMesh. But without an AIMesh node the network drops may not occur...

Once I get back to the house with this setup I'll reconfigure to index and validate.

I am still concerned about the security vulnerability with the guest networks on index 2 or 3 though, because even with access Intranet disabled, they can actually open up access to the whole primary network.
 

kernol

Very Senior Member
You may wish to try the YazFi add-on on the AX86U - it provides a convenient and easy way to configure the Guest Network [revert to using Guest Index 2 as per your #1 post though]. I still have periodic issues with my AX86U on Guest Network index 1.

YazFi will install off the amtm menu under SSH access - or you will find info here: https://www.snbforums.com/threads/yazfi-v4-x.70308/
 

hiluke88

Occasional Visitor
Thanks for the YazFi suggestion. I might need to look at it.
What it looks like is Guest networks on this build do not provide segregation at all. They can be completely bypassed with another Asus router in repeater mode.

I have just reset the repeater to default, and re-configured as a repeater for the GUEST_5G network in index 1.
Theoretically, this should have assigned the repeater with an IP address in the 192.168.102.x subnet (as any other device connecting to that network does).
It did not. The repeater has been assigned a DHCP address of 192.168.22.76, in the primary pool - any devices connecting to it also receive addresses in the primary 192.168.22.x subnet.

So what this now looks like is that if an AsusWRT router sees another AsusWRT based router connecting as a repeater, it just allows it straight into the primary network, regardless of what VLAN or Guest network it is connecting through.

Unfortunately, I can't tell if this is a .386 only issue (or if this existed in .384) as the RT-AX86U only has .386 builds.
 

kernol

Very Senior Member
If you enable Guest #2 [rather than #1] on the AX86U then
  • install and apply YazFi on the AX86U
  • go to the YazFi tab in the webgui and edit settings for Guest #2 with its own subnet - say 192.168.53.0
  • set DHCP start to 20 and end to 254
  • set DNS to 192.168.53.1 [assuming your actual DNS is on 192.168.22.1 as you stated above];
  • Force DNS = Yes;
  • Redirect all to VPN = No;
  • Two way guest = No
  • One way to guest = No
  • Client Isolation = No
Give your AC68U a static address of say 192.168.53.11 then connect as repeater on Guest WiFi #2 at the AX86U ... and you should be good to go with what you are trying to achieve.


hiluke88

Occasional Visitor
If you enable Guest #2 [rather than #1] on the AX86U then
  • install and apply YazFi on the AX86U
  • go to the YazFi tab in the webgui and edit settings for Guest #2 with its own subnet - say 192.168.53.0
  • set DHCP start to 20 and end to 254
  • set DNS to 192.168.53.1 [assuming your actual DNS is on 192.168.22.1 as you stated above];
  • Force DNS = Yes;
  • Redirect all to VPN = No;
  • Two way guest = No
  • One way to guest = No
  • Client Isolation = No
Give your AC68U a static address of say 192.168.53.11 then connect as repeater on Guest WiFi #2 at the AX86U ... and you should be good to go with what you are trying to achieve.

That's awesome, thank you.
I'll configure and test when I am back there tomorrow.
Just to clarify, the primary router is 192.168.22.1. Should the DNS be 192.168.22.1, not the IP in the new subnet? Or will it default route from 192.168.53.1 to 192.168.22.1?

Edit: I was impatient and reconfigured via OVPN.
After installing YazFi on the RT-AX86U and setting the config as advised, I rebooted the repeater. After the reboot, it was still accessible through the DHCP assigned 192.168.22.76 address. Strange. I would have thought it should get something in the 192.168.53.x range.

I then tried setting the repeater IP via its LAN settings page to 192.168.53.1. Now it's not online at all.
Seems to be the same result as when I used the 192.168.103.x subnet on guest index 1, but will need to check when I am back there in the morning.

Jack Yaz

Part of the Furniture
a repeater should be just that, a dumb device repeating/re-broadcasting an SSID. it shouldn't be doing any of its own dhcp or firewalling, just passing packets back to the router.

it sounds like it's not doing that, however
 

hiluke88

Occasional Visitor
a repeater should be just that, a dumb device repeating/re-broadcasting an SSID. it shouldn't be doing any of its own dhcp or firewalling, just passing packets back to the router.

it sounds like it's not doing that, however
That's exactly what I was expecting! Which is also why I was trying to connect the repeater to the guest Wi-Fi so it's segregated from the primary network.

Is anyone able to replicate this with 2x 386 compatible Asus routers? Or alternatively, advise what else I could have misconfigured to allow the repeater to bypass all guest network configuration/security?
 

kernol

Very Senior Member
That's awesome, thank you.
I'll configure and test when I am back there tomorrow.
Just to clarify, the primary router is 192.168.22.1. Should the DNS be 192.168.22.1, not the IP in the new subnet? Or will it default route from 192.168.53.1 to 192.168.22.1?

Edit: I was impatient and reconfigured via OVPN.
After installing YazFi on the RT-AX86U and setting the config as advised, I rebooted the repeater. After the reboot, it was still accessible through the DHCP assigned 192.168.22.76 address. Strange. I would have thought it should get something in the 192.168.53.x range.

I then tried setting the repeater IP via its LAN settings page to 192.168.53.1. Now it's not online at all.
Seems to be the same result as when I used the 192.168.103.x subnet on guest index 1, but will need to check when I am back there in the morning.
Try again by setting the repeater IP to what I had suggested - 192.168.53.11

What YazFi does to the DNS entry I had suggested above [192.168.53.1 in the webgui tab] is create a port fwd [YazFiDNSFILTER] for 192.168.53.1 so it sees your actual DNS on 192.168.22.1 - you will find this under "System Log" [left tab] and then "Port Forwarding" top tab.

So ... if you gave the repeater an IP address of 192.168.53.1 as stated in your post under reply ... the connection would fail.

EDIT: I have pretty much identical settings to what I have described for you above - and not a single guest wifi connection can see my intranet devices. If I don't use YazFi but do use the Guest Wifi #2 - then despite saying no intranet access - devices on that guest connection get ip addresses within the same range as my intranet devices and guests can see intranet devices [problem may be peculiar to AX86U?].

hiluke88

Occasional Visitor
Okay, I 30-30-30 reset the RT-AC68U repeater and reconfigured it with a static IP address of 192.168.53.11 as part of the setup. I connected it to the GUEST_5G network. I still cannot access its web interface.
However, I can connect to the STUDIO SSIDs it is broadcasting, and they are assigning IPs in the 192.168.22.x range.
Going to full reset both the RT-AX86U and RT-AC68U and start again from scratch.
 


hiluke88

Occasional Visitor
EDIT: I have pretty much identical settings to what I have described for you above - and not a single guest wifi connection can see my intranet devices. If I don't use YazFi but do use the Guest Wifi #2 - then despite saying no intranet access - devices on that guest connection get ip addresses within the same range as my intranet devices and guests can see intranet devices [problem may be peculiar to AX86U?].
Any devices that connect directly to the RT-AX86U guest network have no Intranet access as expected. It is only the repeater connecting to the guest network (and any devices connecting through it) that appears to be able to bypass this setting.
 

hiluke88

Occasional Visitor
So I did a full 30-30-30 reset on both the RT-AX86U and the RT-AC68U and reconfigured from scratch.
Using Guest network index 2 to connect the repeater, and I still have the same problem.
Any clients connecting via the repeater have access to the primary network.

I have now taken the RT-AC68U home with me, to test with my own RT-AC68U. Same problem. This is not isolated to the RT-AX86U.
I set up the same GUEST SSID on my own RT-AC68U, the repeater RT-AC68U immediately connected, and upon connecting to the STUDIO SSID it was broadcasting, I am able to see all devices on my internal network (PCs, chromecasts, etc.).

Now I am not sure if this is a 386 issue, or if it existed in 384 as well. I am hesitant to roll the RT-AC68Us back (but might have to in order to test) because when I did the initial upgrade to 386, the web UI was not accessible for over an hour.

Any other suggestions?
 

eibgrad

Very Senior Member
As I said originally, I've never been a fan of how guest networks are implemented on ASUS/Merlin. I find it just more straightforward and to my liking to daisy-chain another router to the primary router (WAN to LAN respectively) solely for that purpose, then use firewall rules to prevent access by guests to the private network over the second router's WAN. Simple and effective.

If you want to extend its reach, you can either use a repeater (now it doesn't matter since the guest and private network are one and the same), or perhaps some other form of bridging between that second router and the primary (e.g., powerline or MoCA).

I know it's NOT what everyone is looking for, but sometimes you just have to think outside the box, esp. when a given firmware just doesn't work the way you want.
 

hiluke88

Occasional Visitor
Thanks. I had been doing a 30-30-30 with the WPS button, but have now followed your instructions instead.

I did several more tests, and this issue appears to exist in 384 as well.
1. I swapped the primary RT-AC68U router to stock FW_RT_AC68U_900438641994 firmware. Repeater still on Merlin 386.1_2. The issue persisted.
2. I rolled back the primary RT-AC68U to Merlin 384.19. Repeater still on Merlin 386.1_2. The issue persisted.
3. I rolled back the repeater RT-AC68U to Merlin 384.19. The issue persisted.

It looks like this security vulnerability has been in place for a while (and in the stock Asus firmware).
It's as though AsusWRT recognises another AsusWRT router trying to repeat and lets it into the inner network, regardless of what VLAN, subnet, or isolation should be in place for the network it is connecting through.

I don't think the description for the Guest Networks is helpful or correct either. "The Guest Network provides Internet connection for guests but restricts access to your local network." This is not correct. Access for most devices is restricted, but not all.
It's concerning that people are running their guest networks, but anyone they give the password to could gain full access to their internal network. As much as you may trust the people you give guest network access, do you trust them with access to your internal network?

As I said originally, I've never been a fan of how guest networks are implemented on ASUS/Merlin. I find it just more straightforward and to my liking to daisy-chain another router to the primary router (WAN to LAN respectively) solely for that purpose, then use firewall rules to prevent access by guests to the private network over the second router's WAN. Simple and effective.

If you want to extend its reach, you can either use a repeater (now it doesn't matter since the guest and private network are one and the same), or perhaps some other form of bridging between that second router and the primary (e.g., powerline or MoCA).

I know it's NOT what everyone is looking for, but sometimes you just have to think outside the box, esp. when a given firmware just doesn't work the way you want.
The other option is a different brand/model router that doesn't run AsusWRT (as the previous RT-N56U I was using as the repeater ran padavan firmware, not based on AsusWRT and was able to achieve this segmentation).
The location of the repeater router is in a studio/granny flat, separate from the house (about 10m away), and does not share the same wiring, nor is there any network cabling. I have tried EoP in the past but it didn't work because the power is on a different circuit. MoCA is also not available for the same reason.
I think you are right though that a 3rd device may be one of the only remaining ways to achieve this.

Before I find a 3rd router, any other configuration options that would be worth trying?
 

eibgrad

Very Senior Member
Before I find a 3rd router, any other configuration options that would be worth trying?

The problem as I see it is w/ the primary router, NOT the repeater. And if that's the case, I don't see how anything other than avoiding the guest network(s) on the primary router is the solution.
 

hiluke88

Occasional Visitor
The problem as I see it is w/ the primary router, NOT the repeater. And if that's the case, I don't see how anything other than avoiding the guest network(s) on the primary router is the solution.
Yep, agreed. I have disabled the guest networks now because they are not secure.
I might actually look into alternate firmware for the RT-AC68U (DD-WRT or Tomato, which I have used in the past) that offer different repeater options and keep traffic isolated from the main network.
 

Jack Yaz

Part of the Furniture
I'm going to repurpose my dev router into a repeater because this doesn't seem right. Just to check you are only connecting devices via wireless to the repeater, and not plugged into the LAN ports? (I assume the LAN ports are actually disabled in repeater mode, but I've not used that mode in asuswrt)
 

hiluke88

Occasional Visitor
I'm going to repurpose my dev router into a repeater because this doesn't seem right. Just to check you are only connecting devices via wireless to the repeater, and not plugged into the LAN ports? (I assume the LAN ports are actually disabled in repeater mode, but I've not used that mode in asuswrt)
Thank you!
I actually tried both wired and wireless clients on the repeater. Both are able to connect.
 
