RT-BE88U - Inter-VLAN ACLs using Merlin?

[Laggiter]

Hello! I've got an RT-BE88U running the latest stock firmware, and using Guest Network Pro I've setup 2 wireless VLANs for IoT and guest devices, and an additional VLAN for my home lab/server running services like Pi-Hole, Nextcloud and others.

The problem I've run into is that inter-VLAN connectivity is quite primitive on the stock software, you can either isolate them completely or interconnect them completely, without the ability to configure firewall rules between VLANs. So right now, my main LAN is just fully connected to the server VLAN to use its services, which is not ideal, as I want to expose Nextcloud to the internet using a reverse proxy, and I want to reduce the blast radius as much as possible in case of a breach. Plus, the IoT and guest networks are isolated, so they can't access Pi-Hole directly, and have to use the router as the indirect DNS server. I want to do two things:

1. Isolate all VLANs and just open port 53 between all of them so they can use Pi-Hole directly.
2. Open certain ports between my homelab VLAN and my main network so I can both control my services and access data on them from my PC on the main network.

Is this possible to do on Merlin using scripts? If so, could you point me towards any resources so I can try to figure it out? Thanks in advance!

P.S. Feel free to poke holes in my setup, I'm still in the process of learning home networking.

 

[bennor]

Welcome. If you haven't done so already, please use the forum search feature to search the subforum(s). There are a number of posts and discussions that address, and may answer, the questions you have asked about using Asus-Merlin. Short answer is yes you can have Guest Network Pro profile clients use Pi-Hole and open up communication from the Guest Network Pro profile to specific main LAN clients with the Asus-Merlin 3006.102.x firmware.

For the Pi-Hole, see the various discussions for how to setup Pi-Hole on a router running the Asus-Merlin 3006.102.x firmware. For example see my post here:
https://www.snbforums.com/threads/i...-i-dont-know-where-to-start.95823/post-970933

It goes generally like this:

• For the WAN > DNS fields use any public or ISP DNS server.
• Input the Pi-Hole IP address into the LAN > DHCP Server DNS field(s). And set Advertise router's IP in addition to user-specified DNS to No.
• When setting up the Guest Network Pro profile, make sure to disable Use same subnet as main network. This will isolate the Guest Network Pro profile from the main LAN clients.
• On the Guest Network Pro profile settings, under Advanced Settings set the DNS Server to Default.
• On the LAN > DNS Director page, enable DNS Director, set Global Redirection to User defined DNS #1, input the Pi-Hole IP into User defined DNS #1 field.
• On the DNS Director page, in the Client List select the Pi-Hole's MAC address and set Redirection to No Redirection, then click the Add (plus) icon to add it to the list.
• On the DNS Director page, under Guest Network Pro profile add any Guest Network Pro profiles you wish to use the Pi-Hole then set Redirection to User defined #1.
• When finished modifying the DNS Director settings, remember to select the Apply button.
• On the Pi-Hole > DNS Settings, one may need to change the Interface Settings to either Respond only on interface (select Pi-Hole network interface), or select Permit all all origins.
• On the Pi-Hole DNS Settings page under Conditional forwarding follow the examples to input your router's main LAN and any Guest Network Pro profiles in the format the example indicates (ex: true,192.168.0.0/24,192.168.0.1,fritz.box). Make sure to apply any changes to the Pi-Hole settings.

When finished test the settings to see if clients are using the Pi-Hole and if the Pi-Hole is properly showing the client requests in the Pi-Hole Query Log.

It may help to restart the router and network clients after making the changes.

For opening up communication from/to Guest Network Pro profiles to/from main LAN clients, see some of the following links (there are others that can be found using forum search) for various discussion on how others are attempting to do so. It generally involves using SSH to access the router and configure additional rules in the iptables using a /jffs/scripts/firewall-start file.
https://www.snbforums.com/threads/t...st-network-pro-limitations.94438/#post-952345

mDNs / Bonjour / Multicast

Hi everyone, I am having issues with 3 HomePods in my home. I have 2 AirPlay receivers which work flawlessly, however my HomePods are very hit and miss to work, I took one on holiday and noticed it was much better than at home. Are there any settings or things to enable/check to ensure mDNs /...

www.snbforums.com

Iptables functionality on 3006.102.4

Dirty upgrade from 3004 to 3006.102.4 on my AX88u-Pro a couple days ago. All looked good so far, except I have some iptables rules in firewall-start that do not seem to work anymore. One set of rules dnat'd any DNS other than those in the cleanbrowsing ranges. Ie, if a device used any...

www.snbforums.com

https://www.snbforums.com/threads/gt-ax6000-home-assistant-cant-access-iot-vlan-devices.93634/

More discussions on homelab here:
https://www.snbforums.com/search/16...t&c[child_nodes]=1&c[nodes][0]=37&o=relevance

If one's main LAN device has two network ports (or can be configured with two IP addresses) it can be configured using VLAN to have one network port on the main LAN and another on a Guest Network Pro profile VLAN.

 

[Untried3868]

On the Pi-Hole DNS Settings page under Conditional forwarding follow the examples to input your router's main LAN and any Guest Network Pro profiles in the format the example indicates (ex: true,192.168.0.0/24,192.168.0.1,fritz.box). Make sure to apply any changes to the Pi-Hole settings.

Questions regarding this step. If one were to enter domains/IP addresses (e.g. laptop.local/192.168.0.110) within Pihole: Settings; Local DNS Records, would the step quoted above be necessary? Is one method preferred over the other, or should both be in place?

Also, if using Conditional Forwarding, according to Pihole documentation proper formatting is: <enabled>,<ip-address>[/<prefix-len>],<server>[#<port>],<domain> (for example) true,192.168.1.0/24,192.168.1.1#8443,lan

How would one enter a second line for GNP as only a single IP address? Would true,192.168.52.112 be sufficient or would true,192.168.52.0/18,192.168.1.1#8443,lan be required?

Thank you for you patience and informative posts.

Edit: Perhaps I'm just overthinking this and should simply use true,192.168.1.0/18,192.168.1.1#8443,lan to cover both the LAN and GNP.

 

[bennor]

@Untried3868, my example assumes one is using the router's DHCP server. The use of Conditional Forwarding in the Pi-Hole DNS setting is supposed to allow the Pi-Hole to properly resolve client IP addresses to their client names by requesting the client information from the router. In the attached Conditional Forwarding Pi-Hole example I have the following listed:

true,192.168.2.0/24,192.168.2.1,lan
true,192.168.52.0/24,192.168.2.1,lan
true,192.168.53.0/24,192.168.2.1,lan

The value: 192.168.2.0/24 is the main LAN subnet.
The values: 192.168.52.0/24 and 192.168.53.0/24 are the respective Guest Network Pro profiles (I have two) subnets, one entry per line.
The main router value is: 192.168.2.1
The LAN name (from the router LAN > Domain Name) is: lan

 

[Untried3868]

Thank you again @bennor