sbnMerlin 1.2.1 - Network Isolation Tool based on Guest Networks, April 19 2024


I just installed v1.2.1. Thank you for adding bridge DNS servers! I currently only have guest network 1 enabled with separate SSIDs, both isolated.
Code:
#### Settings for Bridge 1 ####
br1_enabled=0
br1_ifnames=""
br1_dns1_x="8.8.8.8"
br1_dns2_x="8.8.4.4"
br1_staticlist=""
br1_ap_isolate=1
br1_allow_internet=1
br1_allow_onewayaccess=0
br1_allow_routeraccess=0

#### Settings for Bridge 2 ####
br2_enabled=0
br2_ifnames=""
br2_dns1_x="8.8.8.8"
br2_dns2_x="8.8.4.4"
br2_staticlist=""
br2_ap_isolate=1
br2_allow_internet=1
br2_allow_onewayaccess=0
br2_allow_routeraccess=0

I believe that there are some issues with the client list generated by sbnMerlin:
  1. There are missing clients as compared to Network Map client list in router web UI.
  2. I don't understand why interfaces are listed as "ethernet" instead of "wl0.1" or "wl1.1" for some clients.
Code:
bridge name     interfaces      client IP address    client MAC address   client name       
br1             wl0.1           192.168.101.197      xx:xx:xx:xx:20:28    AWAIR-ELEM-xx2028 
br1             wl0.1           192.168.101.237      xx:xx:xx:xx:D8:01    WYZE_CAKP2JFUS-xxxxxxxxD801
br1             wl0.1           192.168.101.114      xx:xx:xx:xx:C0:C1    WYZE_CAKP2JFUS-xxxxxxxxC0C1
br1             wl0.1           192.168.101.138      xx:xx:xx:xx:61:D0    WYZE_CAM_OG       
br1             wl0.1           192.168.101.176      xx:xx:xx:xx:DA:32    ESP_xxDA32       
br1             wl0.1           192.168.101.187      xx:xx:xx:xx:F4:72    ESP_xxF472       
br1             wl0.1           192.168.101.93       xx:xx:xx:xx:D2:00    ESP_AxxD200       
br1             wl0.1           192.168.101.161      xx:xx:xx:xx:F1:0C    net_a1_F10C       
br1             wl0.1           192.168.101.86       xx:xx:xx:xx:D8:7A    DA16600_D87A     
br1             ethernet        192.168.101.215      xx:xx:xx:xx:F0:7C    Indoorcam         
br1             ethernet        192.168.101.84       xx:xx:xx:xx:8C:4C    espressif         
br1             ethernet        192.168.101.144      xx:xx:xx:xx:A8:E9    192.168.101.144   
br1             ethernet        192.168.101.52       xx:xx:xx:xx:56:D5    WYZE_CAKP2JFUS-xxxxxxxx56D5
br1             ethernet        192.168.101.13       xx:xx:xx:xx:4F:E2    HL_PAN3-xxxxxxxx4FE2
br1             ethernet        192.168.101.99       xx:xx:xx:xx:DE:8C    ESP_xxDE8C       
br1             ethernet        192.168.101.7        xx:xx:xx:xx:A5:0C    XL824-xxxxxx     
br1             ethernet        192.168.101.79       xx:xx:xx:xx:07:DA    192.168.101.79   
br1             ethernet        192.168.101.26       xx:xx:xx:xx:67:EB    192.168.101.26   
br1             ethernet        192.168.101.8        xx:xx:xx:xx:32:F5    192.168.101.8     
br1             ethernet        192.168.101.9        xx:xx:xx:xx:B3:AF    WYZE_CAKP2JFUS-xxxxxxxxB3AF
br1             ethernet        192.168.101.173      xx:xx:xx:xx:F6:53    MyQ-91E           
br1             ethernet        192.168.101.233      xx:xx:xx:xx:B8:28    WYZE_CAKP2JFUS-xxxxxxxxB828
br1             ethernet        192.168.101.10       xx:xx:xx:xx:46:F0    ChimePro-f0       
br1             ethernet        192.168.101.213      xx:xx:xx:xx:07:5E    192.168.101.213   
br1             ethernet        192.168.101.43       xx:xx:xx:xx:CD:85    WYZE_CAKP2JFUS-xxxxxxxxCD85
br1             ethernet        192.168.101.95       xx:xx:xx:xx:50:B6    WYZE_CAKP2JFUS-xxxxxxxx50B6
br1             ethernet        192.168.101.241      xx:xx:xx:xx:90:86    192.168.101.241   
br1             ethernet        192.168.101.71       xx:xx:xx:xx:42:05    ChimePro-05       
br2             wl1.1           192.168.102.110      xx:xx:xx:xx:F8:C2    192.168.102.110
Thanks @visortgw! The sbnMerlin client list is meant to extend the Network Map, because it didn't show devices connected to bridges other than br0. So the function for listing clients is based on the MAC addresses in the ARP table; then, for each MAC address, the script checks the connected wireless interface, and finally the list is completed with information from DNS.

So for the list you've sent, the script didn't find the wireless interface the devices are connected to. Can you send me the ARP table privately? Does this device use AiMesh?
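
The lookup order described in the post above, as an added sketch that is not part of the original post and not sbnMerlin's own code: MACs come from the ARP table, each is matched against the stations associated with the local radios, and anything unmatched falls back to "ethernet", which is how a wired client or a client associated with a different access point would be labelled. The function names, the sample data and the use of `wl -i <ifname> assoclist` as the association source are assumptions.

```shell
#!/bin/sh
# Constructed sample data (not from the thread), in `arp -a` output format.
ARP_SAMPLE='AWAIR-ELEM (192.168.101.197) at 02:00:00:00:20:28 [ether]  on br1
Indoorcam (192.168.101.215) at 02:00:00:00:f0:7c [ether]  on br1
? (192.168.102.110) at 02:00:00:00:f8:c2 [ether]  on br2
? (192.168.101.50) at <incomplete>  on br1'

# Constructed association table, one "<interface> <MAC>" pair per station
# associated with THIS router's radios. On Broadcom firmware it could be
# collected with `wl -i <ifname> assoclist` (assumption, see lead-in).
ASSOC_SAMPLE='wl0.1 02:00:00:00:20:28
wl1.1 02:00:00:00:F8:C2'

# list_clients ARP_TEXT ASSOC_TEXT
# Prints one line per resolved ARP entry: bridge interface ip mac name
list_clients() {
    printf '%s\n' "$1" | ASSOC="$2" awk '
    BEGIN {
        # Index local wireless stations by lower-cased MAC address.
        n = split(ENVIRON["ASSOC"], rows, "\n")
        for (i = 1; i <= n; i++)
            if (split(rows[i], f, " ") == 2) iface[tolower(f[2])] = f[1]
    }
    # Keep only complete entries: name (ip) at mac [ether] on bridge
    $3 == "at" && $4 ~ /^[0-9A-Fa-f:]+$/ && length($4) == 17 {
        mac = tolower($4)
        ip = $2; gsub(/[()]/, "", ip)
        name = ($1 == "?") ? ip : $1      # no hostname known: show the IP
        where = (mac in iface) ? iface[mac] : "ethernet"
        print $NF, where, ip, mac, name
    }'
}

# unlocated_clients ARP_TEXT ASSOC_TEXT
# Only the entries that no local radio claims (the "ethernet" fallback).
unlocated_clients() {
    list_clients "$1" "$2" | awk '$2 == "ethernet"'
}

list_clients "$ARP_SAMPLE" "$ASSOC_SAMPLE"
```
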
 
It is not often that I comment on scripts (unless I have an issue). I did not see this post until today. I've been busy with other projects and have not had a lot of time to browse these forums.

I am thrilled to see this script. I wrote my own YazFi replacement script last year as I had a need to add a wired outdoor AP to the guest network. It has been working well thus far. I never published my script as it is very much hands on to configure over several files (script, dnsmasq.add, firewall, services-event, etc). I never had the want or ambition to automate my script for the broader community (basically no time to do it or to provide support afterwards).

Very well done, and my hand reaches out to you for a hearty handshake.

Cheers!!
Thanks a lot for the feedback @Jeffrey Young
 
I can, but not until 4 May after I return home. Yes, I use AiMesh. Please send me the command(s) to use to display the ARP table.
 
Thanks @visortgw for the support! I think that the "ethernet" devices on your list are devices from AiMesh, but I must get more info on that.

The command is "arp -a"
 
That's easy enough to take care of remotely. Check for private message momentarily.
 
I have an issue with internet access on the bridge, possibly because of how my provider works; it's PPPoE split into vlans for TV, phone and internet. Had to set the VLAN for internet in the IPTV tab: wan0_ifname=vlan6. Just enabling internet in the script does not work. If I add a rule to -A FORWARD -i br8 -o ppp0 -j ACCEPT (and one to -A FORWARD -i ppp0 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT ) I can retrieve some websites, but most (at least partially) time out (often for CDN content). A simple way to reproduce is (from a machine on the bridge):

Code:
wget https://www.google.com
[...]
‘index.html’ saved [19746]

wget https://www.reddit.com
--2024-04-25 21:51:38--  https://www.reddit.com/
Resolving www.reddit.com (www.reddit.com)... 199.232.149.140
Connecting to www.reddit.com (www.reddit.com)|199.232.149.140|:443... connected.
^C
What am I missing?
 
@arne123! First of all, thanks for the bugfix suggestions!

For the Internet access problem, I think there are some issues with the internet interface in the firewall rules. Can you send me privately the output of the following commands:

nvram show | grep wan
iptables -S FORWARD

Thanks for your feedback.
 
