sbnMerlin 1.2.1 - Network Isolation Tool based on Guest Networks, April 19 2024

[visortgw]

Also, I thought that ifconfig output for br0, br1, and br2 might help:

# ifconfig
br0       Link encap:Ethernet  HWaddr 04:42:1A:59:99:80
          inet addr:192.168.222.1  Bcast:192.168.222.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:836808 errors:0 dropped:68 overruns:0 frame:0
          TX packets:1581458 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:175970403 (167.8 MiB)  TX bytes:1802789344 (1.6 GiB)

br1       Link encap:Ethernet  HWaddr 04:42:1A:59:99:81
          inet addr:192.168.101.1  Bcast:192.168.101.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:630615 errors:0 dropped:0 overruns:0 frame:0
          TX packets:257593 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:201683847 (192.3 MiB)  TX bytes:62021234 (59.1 MiB)

br2       Link encap:Ethernet  HWaddr 04:42:1A:59:99:85
          inet addr:192.168.102.1  Bcast:192.168.102.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:191495 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41341 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:215287454 (205.3 MiB)  TX bytes:7178917 (6.8 MiB)
         
          :
          :

Please let me know anything else that might help.

 

[visortgw]

Another request: Please consider a configurable setting to allow nano as the default editor as opposed to vi. I know, it's a personal preference (and what I'm used to as of late)... Thanks!

 

[visortgw]

@janico82: I see that you posted new v1.1.0 on github. Do you have any updated info or documentation as to how to configure and use new features? Thanks!

 

[archiel]

As a very non-technical user, can someone explain if/why I might want to add this? For instance

• does it provide better isolation than the default guest options?
• would (could) the guests benefit from diversion?
• other?

Also I already add an IPv4 alias to br0:1 and an IPv6 alias to eth5 (part of routing Unbound DNS lookups via Wireguard), so might this cause problems?

For me, guest access is just used for visiting friends/family wanting internet access for their devices (phones, tablets, laptops) and for a couple of Alexa devices. Currently this is provided using an old RT-AC87U configured as a router and connected to a LAN port on the main router (AX-88U) and where it is blocked from accessing any clients on the main router.

 

[vlord]

As a very non-technical user, can someone explain if/why I might want to add this? For instance

• does it provide better isolation than the default guest options?
• would (could) the guests benefit from diversion?
• other?

Also I already add an IPv4 alias to br0:1 and an IPv6 alias to eth5 (part of routing Unbound DNS lookups via Wireguard), so might this cause problems?

For me, guest access is just used for visiting friends/family wanting internet access for their devices (phones, tablets, laptops) and for a couple of Alexa devices. Currently this is provided using an old RT-AC87U configured as a router and connected to a LAN port on the main router (AX-88U) and where it is blocked from accessing any clients on the main router.

Similar question. I have multiple APs in addition to my main router that has a guest network with isolation from the main network. Can I use this script to configure the APs with guest network isolation? Would be really cool if this could propagate a guest network configuration across AP nodes similar to the AI Mesh. It would basically take the main advantage of AI Mesh away.

 

[janico82]

Another request: Please consider a configurable setting to allow nano as the default editor as opposed to vi. I know, it's a personal preference (and ehat I'm used to as of late)... Thanks!

Thanks for the feedback @visortgw, I'll include that option for managing the configuration file.

 

[janico82]

@janico82: I see that you posted new v1.1.0 on github. Do you have any updated info or documentation as to how to configure and use new features? Thanks!

Yes! There's a new version that includes the given feedback and options!

 

[visortgw]

Yes! There's a new version that includes the given feedback and options!

@janico82: I've been experimenting with this on my GT-AX6000 yesterday evening and this morning. The ports to Ethernet interfaces mapping appears to be the same as your RT-AX68U, with the WAN port being 2.5 Gbps as well as LAN5. Some generic feedback:

• I edited sbnMerlin to use nano instead of vi — works just fine. I know that you promised this in a future release.
• Please consider adding "brctl show" as a menu option. It will make troubleshooting easier.
• Likewise, please consider adding "ifconfig" (or "ifconfig brn" (for configured bridges) as a menu option.
• For the 3. List clients menu option, please add a prompt after displaying clients — currently, the results scroll by, and the screen clears.

For my specific configuration, I have guest network wl0.1, configured and enabled using AiMesh — wl1.1 is disabled in order to restrict IoT devices to 2.4 GHz (helps to minimize connection issues). wl0.2, wl1.2, wl0.3, and wl1.3 are enabled as well. Access Intranet is disabled in the router GUI (Merlin firmware 3004.388.6_2) for all guest networks. There appears to be an issue with wl0.3. I cannot connect or access Internet on wl0.3 or wl1.3 (same SSID/password for both). br9 is created, but it is not functional. The same thing occurs if I disable 5 GHz wifi guest 3 (wl1.3) —br5 is created, but it is not functional. If I disable 2.4 GHz wifi guest 3 (wl0.3) — br6 is created, and guest wifi connects and works on 5 GHz wl1.3.

Let me know what diagnostics you might need in what configuration(s).

Thanks for your fantastic efforts to date.

 

[visortgw]

@janico82: I've been experimenting with this on my GT-AX6000 yesterday evening and this morning. The ports to Ethernet interfaces mapping appears to be the same as your RT-AX68U, with the WAN port being 2.5 Gbps as well as LAN5. Some generic feedback:

• I edited sbnMerlin to use nano instead of vi — works just fine. I know that you promised this in a future release.
• Please consider adding "brctl show" as a menu option. It will make troubleshooting easier.
• Likewise, please consider adding "ifconfig" (or "ifconfig brn" (for configured bridges) as a menu option.
• For the 3. List clients menu option, please add a pause/prompt after displaying clients — currently, the results scroll by, and the screen clears.

For my specific configuration, I have guest network wl0.1, configured and enabled using AiMesh — wl1.1 is disabled in order to restrict IoT devices to 2.4 GHz (helps to minimize connection issues). wl0.2, wl1.2, wl0.3, and wl1.3 are enabled as well. Access Intranet is disabled in the router GUI (Merlin firmware 3004.388.6_2) for all guest networks. There appears to be an issue with wl0.3. I cannot connect or access Internet on wl0.3 or wl1.3 (same SSID/password for both). br9 is created, but it is not functional. The same thing occurs if I disable 5 GHz wifi guest 3 (wl1.3) —br5 is created, but it is not functional. If I disable 2.4 GHz wifi guest 3 (wl0.3) — br6 is created, and guest wifi connects and works on 5 GHz wl1.3.

Let me know what diagnostics you might need in what configuration(s).

Thanks for your fantastic efforts to date.

In further troubleshooting, I have additional data points but no root cause or solutuion:

• Even though br9 appeared to be configured, I discovered some "orphan" references to br6 in both /jffs/scripts/dnsmasq.postconf and /jffs/scripts/hosts.postconf.
• After removing these br6 references, I could disable wl1.3, and wl0.3 functions correctly (with br5 now configured) — with both wl0.3 and wl1.3 enabled, br9 is still non-functional:

# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.04421a599980    no        eth1
                            eth2
                            eth3
                            eth4
                            eth5
                            eth6
                            eth7
                            tap22
                            wds0.0.1
                            wds1.0.1
br1        8000.04421a599981    yes        eth1.501
                            eth2.501
                            eth3.501
                            eth4.501
                            eth5.501
                            eth6.501
                            eth7.501
                            wds0.0.1.501
                            wds1.0.1.501
                            wl0.1
br5        8000.04421a599983    yes        wl0.3
br8        8000.04421a599982    yes        wl0.2
                            wl1.2
# ifconfig br5
br5       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.105.1  Bcast:192.168.105.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:59595 errors:0 dropped:92 overruns:0 frame:0
          TX packets:131387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7199063 (6.8 MiB)  TX bytes:184289684 (175.7 MiB)

# ifconfig br8
br8       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.108.1  Bcast:192.168.108.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:48094 errors:0 dropped:272 overruns:0 frame:0
          TX packets:149409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9085735 (8.6 MiB)  TX bytes:188588173 (179.8 MiB)

 

[janico82]

As a very non-technical user, can someone explain if/why I might want to add this? For instance

• does it provide better isolation than the default guest options?
• would (could) the guests benefit from diversion?
• other?

Also I already add an IPv4 alias to br0:1 and an IPv6 alias to eth5 (part of routing Unbound DNS lookups via Wireguard), so might this cause problems?

For me, guest access is just used for visiting friends/family wanting internet access for their devices (phones, tablets, laptops) and for a couple of Alexa devices. Currently this is provided using an old RT-AC87U configured as a router and connected to a LAN port on the main router (AX-88U) and where it is blocked from accessing any clients on the main router.

@archiel, this script uses the same Asuswrt-Merlin behavior when you enable guest networks 1 (2.4Ghz or 5Ghz) without intranet access, for all other guest networks, so it provides better isolation than the default guest options. I only have one RT-AX86U, and I wanted to isolate my lan network, from well-known devices (family and friends) and from IoT. So I've built this script.

Frist I need to stable the script, and try it with other Asuswrt-Merlin devices, than I'll try to add more Asuswrt-Merlin addons like diversion and skynet. Logically there isn't any confit with those addons, but I need to try to tell you for sure.

 

[janico82]

Similar question. I have multiple APs in addition to my main router that has a guest network with isolation from the main network. Can I use this script to configure the APs with guest network isolation? Would be really cool if this could propagate a guest network configuration across AP nodes similar to the AI Mesh. It would basically take the main advantage of AI Mesh away.

Sorry @vlord but Ai Mesh only works with guest networks 1 (2.4 Ghz or 5 Ghz). This option is by design.

 

[janico82]

In further troubleshooting, I have additional data points but no root cause or solutuion:

• Even though br9 appeared to be configured, I discovered some "orphan" references to br6 in both /jffs/scripts/dnsmasq.postconf and /jffs/scripts/hosts.postconf.
• After removing these br6 references, I could disable wl1.3, and wl0.3 functions correctly (with br5 now configured) — with both wl0.3 and wl1.3 enabled, br9 is still non-functional:

# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.04421a599980    no        eth1
                            eth2
                            eth3
                            eth4
                            eth5
                            eth6
                            eth7
                            tap22
                            wds0.0.1
                            wds1.0.1
br1        8000.04421a599981    yes        eth1.501
                            eth2.501
                            eth3.501
                            eth4.501
                            eth5.501
                            eth6.501
                            eth7.501
                            wds0.0.1.501
                            wds1.0.1.501
                            wl0.1
br5        8000.04421a599983    yes        wl0.3
br8        8000.04421a599982    yes        wl0.2
                            wl1.2
# ifconfig br5
br5       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.105.1  Bcast:192.168.105.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:59595 errors:0 dropped:92 overruns:0 frame:0
          TX packets:131387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7199063 (6.8 MiB)  TX bytes:184289684 (175.7 MiB)

# ifconfig br8
br8       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.108.1  Bcast:192.168.108.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:48094 errors:0 dropped:272 overruns:0 frame:0
          TX packets:149409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9085735 (8.6 MiB)  TX bytes:188588173 (179.8 MiB)

Thanks @visortgw for all the feedback, I'll add those options in the next release.

I don't understand why you are having those problems, because the scripts seams to be working with the creation of the bridge instances, with the correct network info like ip addresses and network mask.

Sorry for making this question, but what do you mean with the sentence "it's no functional"? You can't connect to the network? or You can connect but there's no ip address?

Meanwhile, I've found a bug that i need to correct. When you follow this sequence: activate wl0.3, then activate wl1.3 with the same SSID, the script response should be: create br5, then create br9 and remove br5. This final step of removing br5 isn't working, so i need to add more options to the removal logic.

Again thanks for the feedback @visortgw!

 

[janico82]

In further troubleshooting, I have additional data points but no root cause or solutuion:

• Even though br9 appeared to be configured, I discovered some "orphan" references to br6 in both /jffs/scripts/dnsmasq.postconf and /jffs/scripts/hosts.postconf.
• After removing these br6 references, I could disable wl1.3, and wl0.3 functions correctly (with br5 now configured) — with both wl0.3 and wl1.3 enabled, br9 is still non-functional:

# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.04421a599980    no        eth1
                            eth2
                            eth3
                            eth4
                            eth5
                            eth6
                            eth7
                            tap22
                            wds0.0.1
                            wds1.0.1
br1        8000.04421a599981    yes        eth1.501
                            eth2.501
                            eth3.501
                            eth4.501
                            eth5.501
                            eth6.501
                            eth7.501
                            wds0.0.1.501
                            wds1.0.1.501
                            wl0.1
br5        8000.04421a599983    yes        wl0.3
br8        8000.04421a599982    yes        wl0.2
                            wl1.2
# ifconfig br5
br5       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.105.1  Bcast:192.168.105.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:59595 errors:0 dropped:92 overruns:0 frame:0
          TX packets:131387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7199063 (6.8 MiB)  TX bytes:184289684 (175.7 MiB)

# ifconfig br8
br8       Link encap:Ethernet  HWaddr xx:xx:xx:xx:xx:xx
          inet addr:192.168.108.1  Bcast:192.168.108.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:48094 errors:0 dropped:272 overruns:0 frame:0
          TX packets:149409 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9085735 (8.6 MiB)  TX bytes:188588173 (179.8 MiB)

@visortgw please send me privately the output of the following command: iptables -S | grep br

 

[visortgw]

Thanks @visortgw for all the feedback, I'll add those options in the next release.

I don't understand why you are having those problems, because the scripts seams to be working with the creation of the bridge instances, with the correct network info like ip addresses and network mask.

Sorry for making this question, but what do you mean with the sentence "it's no functional"? You can't connect to the network? or You can connect but there's no ip address?

Meanwhile, I've found a bug that i need to correct. When you follow this sequence: activate wl0.3, then activate wl1.3 with the same SSID, the script response should be: create br5, then create br9 and remove br5. This final step of removing br5 isn't working, so i need to add more options to the removal logic.

Again thanks for the feedback @visortgw!

Alll of the above?!? I am using Android phone for testing (Samsung Galaxy Z Flip5, Android 14) since I'm using MacBook Pro to configure sbnMerlin. Sometimes it connects, but there is no Internet access, and other times it does not connect period. That bug that you're describing may be what is causing the issue — it definitely sounds to be related.

 

[visortgw]

@visortgw please send me privately the output of the following command: iptables -S | grep br

In what configuration would you like this? It is "working" right now with br5 and br8, but my ultimate goal would be br8 and br9.

 

[visortgw]

@visortgw please send me privately the output of the following command: iptables -S | grep br

Sent in both configurations (i.e., br5/br8 (working) and br8/br9 (broken)).

 

[janico82]

Sent in both configurations (i.e., br5/br8 (working) and br8/br9 (broken)).

@visortgw and I have found an other bug with the bridge br9 configuration setting.

It's missing an "_" in the br9_allow_internet setting between the allow and internet, so the default setting is always applied.

I'm going to correct the configuration file, but this correction is not applied with an update. So everyone that is using sbnMerlin script please correct the configuration setting option from "br9_allowinternet" to "br9_allow_internet".

Thanks and thank you @visortgw for all the patience and diagnostic info.

 

[janico82]

New sbnMerlin version available that corrects the bug in the bridge creation logic and missing "_" in the br9_allow_internet setting in the configuration file.

 

[visortgw]

I installed sbnMerlin v1.1.1 update, and I confirmed that the bridge creation logic is fixed — no more orphan bridges with no interfaces when adding second interface with same SSID! I had previously manually corrected br9_allow_internet setting, and I confirmed the fix.

Thanks! This is quickly becoming "YazFi on steroids"!

 

[visortgw]

New sbnMerlin version available that corrects the bug in the bridge creation logic and missing "_" in the br9_allow_internet setting in the configuration file.

You forgot to mention the other changes in v1.1 — menu options 1b and 1v (as well as the improvements in output from both 3. List clients and d. Diagnostics menu menu options):

#############################################################
##            _           __  __           _ _             ##
##        ___| |__  _ __ |  \/  | ___ _ __| (_)_ __        ##
##       / __| '_ \| '_ \| |\/| |/ _ \ '__| | | '_ \       ##
##       \__ \ |_) | | | | |  | |  __/ |  | | | | | |      ##
##       |___/_.__/|_| |_|_|  |_|\___|_|  |_|_|_| |_|      ##
##                                                         ##
##          https://github.com/janico82/sbnMerlin          ##
##                                                         ##
#############################################################

  sbnMerlin Main menu - version: 1.1.1
  1n.  Edit configuration (editor: nano)
  1v.  Edit configuration (editor: vi)
  2.   Run configuration
  3.   List clients
  d.   Diagnostics menu
  u.   Update check
  e.   Exit
  z.   Uninstall

#############################################################

Choose an option: