sbnMerlin 1.2.1 - Network Isolation Tool based on Guest Networks, April 19 2024

[visortgw]

@archiel, this script uses the same Asuswrt-Merlin behavior when you enable guest networks 1 (2.4Ghz or 5Ghz) without intranet access, for all other guest networks, so it provides better isolation than the default guest options. I only have one RT-AX86U, and I wanted to isolate my lan network, from well-known devices (family and friends) and from IoT. So I've built this script.

Frist I need to stable the script, and try it with other Asuswrt-Merlin devices, than I'll try to add more Asuswrt-Merlin addons like diversion and skynet. Logically there isn't any confit with those addons, but I need to try to tell you for sure.

I'm currently running unbound, Diversion, and Skynet with sbnMerlin with no apparent conflicts.

 

[janico82]

You forgot to mention the other changes in v1.1 — menu options 1b and 1v (as well as the improvements in output from both 3. List clients and d. Diagnostics menu menu options):

#############################################################
##            _           __  __           _ _             ##
##        ___| |__  _ __ |  \/  | ___ _ __| (_)_ __        ##
##       / __| '_ \| '_ \| |\/| |/ _ \ '__| | | '_ \       ##
##       \__ \ |_) | | | | |  | |  __/ |  | | | | | |      ##
##       |___/_.__/|_| |_|_|  |_|\___|_|  |_|_|_| |_|      ##
##                                                         ##
##          https://github.com/janico82/sbnMerlin          ##
##                                                         ##
#############################################################

  sbnMerlin Main menu - version: 1.1.1
  1n.  Edit configuration (editor: nano)
  1v.  Edit configuration (editor: vi)
  2.   Run configuration
  3.   List clients
  d.   Diagnostics menu
  u.   Update check
  e.   Exit
  z.   Uninstall

#############################################################

Choose an option:

I forgot to mention that, thanks @visortgw!

 

[janico82]

I'm currently running unbound, Diversion, and Skynet with sbnMerlin with no apparent conflicts.

That's an important feedback @visortgw! Thanks a lot.

 

[Underskore]

I'll admit I'm pretty dumb with this stuff. I was hoping to give my stuff on my guest network (IOT) a static ip and route them through my adguardhome, while still using aimesh. this would work wouldn't it? put mesh on br2, don't allow br2 to have intranet access with the rest?

 

[roscoe211]

Sorry for the noob question, but can I run this along with YazFI? or do I have to pick one or the other?

 

[visortgw]

Sorry for the noob question, but can I run this along with YazFI? or do I have to pick one or the other?

One or the other!

"**ATTENTION**: This script is not compatible with other network isolation scripts."

 

[Ellenswamy]

just for clarification, maybe I am just tired (it is!). But does this mean I can have my work laptop plugged into ethernet (instead of wifi guest network) and isolate it so they (my work) can see what I have on my home network?

 

[janico82]

I'll admit I'm pretty dumb with this stuff. I was hoping to give my stuff on my guest network (IOT) a static ip and route them through my adguardhome, while still using aimesh. this would work wouldn't it? put mesh on br2, don't allow br2 to have intranet access with the rest?

@Underskore, with sbnMerlin you can adjust the bridge(br2) settings like ip address reservations, giving your IoT devices a static ip address and a different dns server. The denial of intranet access to bridge(br2) can be done on Asuswrt web interface. The sbnMerlin scripts helps to manage the Internet access to the bridge. I need more information about your adguardhome implementation, in order to advise you correctly. (You can send me a private message)

The Guest Wireless Networks (wl0.1 and wl1.1) are the only guest network used bu the AiMesh.

 

[janico82]

just for clarification, maybe I am just tired (it is!). But does this mean I can have my work laptop plugged into ethernet (instead of wifi guest network) and isolate it so they (my work) can see what I have on my home network?

@Ellenswamy, with sbnMerlin script you can isolate wireless or ethernet devices in separated networks. But remember that the ethernet bridges are enabled when the guest wireless networks are enabled.

 

[Ellenswamy]

@Ellenswamy, with sbnMerlin script you can isolate wireless or ethernet devices in separated networks. But remember that the ethernet bridges are enabled when the guest wireless networks are enabled.

I tried the script and had a laptop plugged into ethernet 2, but I wasn't sure how to set this up...I have a AX11000 pro

 

[arne123]

Thanks for the amazing work. I ran into an interesting bug where exactly once in two reloads, it's missing the first dnsmasq configuration for one of my two bridge interfaces (pc_append "interface=br8"). The rest of the file is the same. I created (and closed) a PR with a quick fix that worked for me, hopefully it helps.

 

[janico82]

I tried the script and had a laptop plugged into ethernet 2, but I wasn't sure how to set this up...I have a AX11000 pro

@Ellenswamy if you have tried the script, I suppose that the script is installed and running! Then you have to enable a Wireless Guest Network with intranet access disabled, for instance the 2.4 GHz Wireless Guest Network 2 (wl0.2). sbnMerlin script will automatically create a bridge(br3) for the enabled guest network. Then for the created bridge, you to change the sbnMerlin config setting (br3_ifnames) and map the ethernet port to that bridge, for instance br3_ifnames="eth2". sbnMerlin script will automatically assign the eth2 port to the bridge(br3)

Now you have a bridge(br3) isolated network with the Wireless Guest Network (wl0.2) and ethernet port 2.

 

[janico82]

Thanks for the amazing work. I ran into an interesting bug where exactly once in two reloads, it's missing the first dnsmasq configuration for one of my two bridge interfaces (pc_append "interface=br8"). The rest of the file is the same. I created (and closed) a PR with a quick fix that worked for me, hopefully it helps.

Thanks a lot @arne123! I'm going to check on that bug, and the quick fix you've created.

 

[Ellenswamy]

@Ellenswamy if you have tried the script, I suppose that the script is installed and running! Then you have to enable a Wireless Guest Network with intranet access disabled, for instance the 2.4 GHz Wireless Guest Network 2 (wl0.2). sbnMerlin script will automatically create a bridge(br3) for the enabled guest network. Then for the created bridge, you to change the sbnMerlin config setting (br3_ifnames) and map the ethernet port to that bridge, for instance br3_ifnames="eth2". sbnMerlin script will automatically assign the eth2 port to the bridge(br3)

Now you have a bridge(br3) isolated network with the Wireless Guest Network (wl0.2) and ethernet port 2.

ah ok, so you take the guest network and map eth2 or whichever to it....?

I thought you just pick the ethernet port from the start

 

[janico82]

ah ok, so you take the guest network and map eth2 or whichever to it....?

I thought you just pick the ethernet port from the start

@Ellenswamy that's why the tool is based on guest networks.

 

[visortgw]

I just installed v1.2.1. Thank you for adding bridge DNS servers! I currently only have guest network 1 enabled with separate SSIDs, both isolated.

#### Settings for Bridge 1 ####
br1_enabled=0
br1_ifnames=""
br1_dns1_x="8.8.8.8"
br1_dns2_x="8.8.4.4"
br1_staticlist=""
br1_ap_isolate=1
br1_allow_internet=1
br1_allow_onewayaccess=0
br1_allow_routeraccess=0

#### Settings for Bridge 2 ####
br2_enabled=0
br2_ifnames=""
br2_dns1_x="8.8.8.8"
br2_dns2_x="8.8.4.4"
br2_staticlist=""
br2_ap_isolate=1
br2_allow_internet=1
br2_allow_onewayaccess=0
br2_allow_routeraccess=0

I believe that there are some issues with the client list generated by sbnMerlin:

1. There are missing clients as compared to Network Map client list in router web UI.
2. I don't understand why interfaces are listed as "ethernet" instead of "wl0.1" or "wl1.1" for some clients.

bridge name     interfaces      client IP address    client MAC address   client name        
br1             wl0.1           192.168.101.197      xx:xx:xx:xx:20:28    AWAIR-ELEM-xx2028  
br1             wl0.1           192.168.101.237      xx:xx:xx:xx:D8:01    WYZE_CAKP2JFUS-xxxxxxxxD801
br1             wl0.1           192.168.101.114      xx:xx:xx:xx:C0:C1    WYZE_CAKP2JFUS-xxxxxxxxC0C1
br1             wl0.1           192.168.101.138      xx:xx:xx:xx:61:D0    WYZE_CAM_OG        
br1             wl0.1           192.168.101.176      xx:xx:xx:xx:DA:32    ESP_xxDA32        
br1             wl0.1           192.168.101.187      xx:xx:xx:xx:F4:72    ESP_xxF472        
br1             wl0.1           192.168.101.93       xx:xx:xx:xx:D2:00    ESP_AxxD200        
br1             wl0.1           192.168.101.161      xx:xx:xx:xx:F1:0C    net_a1_F10C        
br1             wl0.1           192.168.101.86       xx:xx:xx:xx:D8:7A    DA16600_D87A      
br1             ethernet        192.168.101.215      xx:xx:xx:xx:F0:7C    Indoorcam          
br1             ethernet        192.168.101.84       xx:xx:xx:xx:8C:4C    espressif          
br1             ethernet        192.168.101.144      xx:xx:xx:xx:A8:E9    192.168.101.144    
br1             ethernet        192.168.101.52       xx:xx:xx:xx:56:D5    WYZE_CAKP2JFUS-xxxxxxxx56D5
br1             ethernet        192.168.101.13       xx:xx:xx:xx:4F:E2    HL_PAN3-xxxxxxxx4FE2
br1             ethernet        192.168.101.99       xx:xx:xx:xx:DE:8C    ESP_xxDE8C        
br1             ethernet        192.168.101.7        xx:xx:xx:xx:A5:0C    XL824-xxxxxx      
br1             ethernet        192.168.101.79       xx:xx:xx:xx:07:DA    192.168.101.79    
br1             ethernet        192.168.101.26       xx:xx:xx:xx:67:EB    192.168.101.26    
br1             ethernet        192.168.101.8        xx:xx:xx:xx:32:F5    192.168.101.8      
br1             ethernet        192.168.101.9        xx:xx:xx:xx:B3:AF    WYZE_CAKP2JFUS-xxxxxxxxB3AF
br1             ethernet        192.168.101.173      xx:xx:xx:xx:F6:53    MyQ-91E            
br1             ethernet        192.168.101.233      xx:xx:xx:xx:B8:28    WYZE_CAKP2JFUS-xxxxxxxxB828
br1             ethernet        192.168.101.10       xx:xx:xx:xx:46:F0    ChimePro-f0        
br1             ethernet        192.168.101.213      xx:xx:xx:xx:07:5E    192.168.101.213    
br1             ethernet        192.168.101.43       xx:xx:xx:xx:CD:85    WYZE_CAKP2JFUS-xxxxxxxxCD85
br1             ethernet        192.168.101.95       xx:xx:xx:xx:50:B6    WYZE_CAKP2JFUS-xxxxxxxx50B6
br1             ethernet        192.168.101.241      xx:xx:xx:xx:90:86    192.168.101.241    
br1             ethernet        192.168.101.71       xx:xx:xx:xx:42:05    ChimePro-05        
br2             wl1.1           192.168.102.110      xx:xx:xx:xx:F8:C2    192.168.102.110

 

[Ellenswamy]

Ok I think I finally got this working, Turned on guest network, connected my laptop to it, it shows the IP of guest. the tool shows it under lists clients, also have it connected to ethernet but how do I make sure the ethernet port it working on the same subnet as guest? on the laptop it still shows the subnet for my router for the internet.

 

[visortgw]

Ok I think I finally got this working, Turned on guest network, connected my laptop to it, it shows the IP of guest. the tool shows it under lists clients, also have it connected to ethernet but how do I make sure the ethernet port it working on the same subnet as guest? on the laptop it still shows the subnet for my router for the internet.

By connecting Ethernet, the laptop apparently prefers hardwired over WiFi. You need to disconnect Ethernet in order to connect to guest WiFi and to obtainIP address assigned from guest network.

 

[Ellenswamy]

By connecting Ethernet, the laptop apparently prefers hardwired over WiFi. You need to disconnect Ethernet in order to connect to guest WiFi and to obtainIP address assigned from guest network.

yep I got it, also had to put the eth in the config. It all works as expected! thanks for the great tool!

 

[Jeffrey Young]

It is not often that I comment on scripts (unless I have an issue). I did not see this post until today. I've been busy with other projects and have not had a lot of time to browse these forums.

I am thrilled to see this script. I wrote my own YazFi replacement script last year as I had a need to add a wired outdoor AP to the guest network. I has been working well thus far. I never published my script as it is very much hands on to configure over several files (script, dnsmasq.add, firewall, services-event, etc). I never had the want or ambition to automate my script for the broader community (basically no time to do it or to provide support afterwards).

Very well done and my hand reached out to you for a heartly handshake.

Cheers!!