Script to enable isolated guest networks on ASUS routers in AP mode

maxbraketorque

Very Senior Member
One feature that's been missing from ASUS routers operating in AP mode is that isolated guest networks are not possible. For anyone who is using ASUS routers in a main/AP combo, this script will enable isolation of guest networks on the AP(s). This script is currently set up for an RT-AC86U, but it is adaptable to other models by determining the correct ethernet interfaces on the particular router and applying those names to this script. This is a very simple script with no command line or GUI interface. Features have to be enabled/disabled using hashtags. Improvements to the script are welcomed.

Code:
#!/bin/sh
#
# Script to create isolated guest networks on ASUS routers in AP mode for 386.x and 388.x firmware.
# This script is a modified version of a script originally created by Jimmy-Z and firstly modified by Eric Lieb.
# The original script by Jimmy-Z is here:  https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
# Eric Lieb's version of the Jimmy-Z script is here: https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508/
#
# This script dovetails with the 386.x and 388.x firmware guest network on the main router
# to create isolated guest networks on APs.  This only works with Guest Network #1 on the main and AP router.
#
# Basic information about the VLANs that will be implemented:
#       1. This script requires Merlin firmware.
#       2. Newer 386.x and 388.x firmwares implement a VLAN for Guest Network #1 when a router is in router mode.
#       3. Aimesh routers hook to this VLAN for their guest network, but AP routers do not do this.
#       4. This script will implement a VLAN on an AP router that will hook to the guest VLAN on the main router.
#       5. These guest networks on the AP will be isolated from the regular clients on the AP.
#       6. VLAN 501 gets assigned to the 2.4G channel range on Guest Network #1 of the main router.
#       7. VLAN 502 gets assigned to the 5G channel range on Guest Network #1 of the main router.
#       8. These VLANs will be isolated from each other.
#       9. Guest Network #1 on the main router and AP must be enabled per instructions below.
#
# Instructions for ASUS Main Router GUI Setup:
#       1. Create guest networks on the main router.
#          a. This only works for Guest Network #1.
#          b. Create either a 2.4G or 5G, or both.
#          c. Set "Access Intranet" to "Disable".
#
# Instructions for ASUS AP Router GUI Setup:
#       1. Create guest networks.
#          a. These should be created on Guest Network #1.
#          b. Create the same guest networks that were created on the main router.
#          c. There will be no option for guest network isolation in the GUI.  That's ok.
#       2. In the Administration/System page of the AP GUI, enable "JFFS custom scripts and configs".
#       3. Review and adjust this script for your desired guest network configuration.
#          a. Copy this script to a text file on your computer.
#          b. This script comes with all features enabled.  Review the script and add hashtags to disable unwanted features.
#       4. Copy this script into the file /jffs/scripts/services-start on the AP.
#          a. Create the file if it does not exist.
#          b. If the file already exists, there may already be entries in the file.  Paste this script after those entries.
#          c. It may be necessary to apply `chmod a+x services-start` on the command line after dropping the script into the file.
#       5. It is strongly suggested to associate the AP with a static IP instead of DHCP.
#       6. Reboot the AP.
#       7. Guest Network #1 on the AP will now be isolated.
#
# Here is some basic info about the interfaces of an RT-AC86U in AP mode:
#       eth0 => WAN port
#       eth1~4 => LAN port 4~1, they're numerically reversed
#       eth5 => Main Network WiFi 2.4G
#       eth6 => Main Network WiFi 5G
#       wl0.1 through wl0.3 => WiFi 2.4G guest networks 1 thru 3
#       wl1.1 through wl1.3 => WiFi 5G guest networks 1 thru 3

# Start of script commands to create isolated guest network on ASUS router AP.


# Commands to log AP VLAN config prior to running the script. Add hashtags in front of commands if no logging desired.

echo "=== START display of AP VLAN config PRIOR TO creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
echo "--- ip a ---" >> /jffs/APGuestNetVLAN.log
ip a >> /jffs/APGuestNetVLAN.log
echo "--- ip r ---" >> /jffs/APGuestNetVLAN.log
ip r >> /jffs/APGuestNetVLAN.log
echo "--- brctl show ---" >> /jffs/APGuestNetVLAN.log
brctl show >> /jffs/APGuestNetVLAN.log
echo "=== END display of AP VLAN config PRIOR TO creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log

# End logging of initial VLAN config.


# Create 2.4G Guest Network #1 on the AP.  Add hashtags in front of commands if no 2.4 GHz guest network desired.

# Create VLAN 501 and link to eth0 (WAN port).
ip link add link eth0 name eth0.501 type vlan id 501
ip link set eth0.501 up

# Remove wl0.1 interface from br0.
brctl delif br0 wl0.1

# Set up br1, and then link VLAN 501 and wl0.1 (2.4G Guest Network #1) to br1.
brctl addbr br1
brctl addif br1 eth0.501
brctl addif br1 wl0.1
ip link set br1 up

# Create names in nvram.
nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifname="br1"

nvram set br1_ifnames="wl0.1 eth0.501"
nvram set br1_ifname="br1"

# End setup of 2.4G Guest Network #1 on the AP.


# Create 5G Guest Network #1 on the AP.  Add hashtags in front of commands if no 5 GHz guest network desired.

# Create VLAN 502 and link to eth0 (WAN port).
ip link add link eth0 name eth0.502 type vlan id 502
ip link set eth0.502 up

# Remove wl1.1 interface from br0.
brctl delif br0 wl1.1

# Create br2, then link VLAN 502 and wl1.1 (5G Guest Network #1) to br2.
brctl addbr br2
brctl addif br2 eth0.502
brctl addif br2 wl1.1
ip link set br2 up

# Create names in nvram.
nvram set lan2_ifnames="wl1.1 eth0.502"
nvram set lan2_ifname="br2"

nvram set br2_ifnames="wl1.1 eth0.502"
nvram set br2_ifname="br2"

# End setup of 5G Guest Network #1 on the AP.


# eapd reads config from these.
# No need to set lan_ifname since it's already there.
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth0"

# Restart eapd.
killall eapd
eapd

# Commands to log AP VLAN config after enabling guest network VLAN(s). Add hashtags in front of commands if no logging desired.

echo "=== START display of AP VLAN config AFTER creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
echo "--- ip a ---" >> /jffs/APGuestNetVLAN.log
ip a >> /jffs/APGuestNetVLAN.log
echo "--- ip r ---" >> /jffs/APGuestNetVLAN.log
ip r >> /jffs/APGuestNetVLAN.log
echo "--- brctl show ---" >> /jffs/APGuestNetVLAN.log
brctl show >> /jffs/APGuestNetVLAN.log
echo "=== END display of AP VLAN config AFTER creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log

# End logging of VLAN config after setting up isolated guest network APs.


# End of AP Isolated Guest Network VLAN Setup script.
#
 
This script works for a GT-AX6000 running 388 and acting as an AP:

Code:
#!/bin/sh
#
# Script to create isolated guest networks on ASUS routers in AP mode for 386.x and 388.x firmware.
# This script is a modified version of a script originally created by Jimmy-Z and firstly modified by Eric Lieb.
# The original script by Jimmy-Z is here:  https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
# Eric Lieb's version of the Jimmy-Z script is here: https://www.snbforums.com/threads/ac86u-vlan-tagging-with-merlinwrt.84508/
#
# This script dovetails with the 386.x and 388.x firmware guest network on the main router
# to create isolated guest networks on APs.  This only works with Guest Network #1 on the main and AP router.
#
# Basic information about the VLANs that will be implemented:
#       1. This script requires Merlin firmware.
#       2. Newer 386.x and 388.x firmwares implement a VLAN for Guest Network #1 when a router is in router mode.
#       3. Aimesh routers hook to this VLAN for their guest network, but AP routers do not do this.
#       4. This script will implement a VLAN on an AP router that will hook to the guest VLAN on the main router.
#       5. The GN network range will be XXX.YYY.101.0/24 where XXX.YYY is the base address of your network.
#       6. These guest networks on the AP will be isolated from the regular clients on the AP.
#       7. VLAN 501 on the AP gets assigned to the 2.4G channel range on Guest Network #1 of the main router.
#       8. VLAN 502 on the AP gets assigned to the 5G channel range on Guest Network #1 of the main router.
#       9. These GN VLANs will be isolated from each other.
#      10. Guest Network #1 on the main router and AP must be enabled per instructions below.
#
# A. Instructions for ASUS Main Router GUI Setup (required):
#       1. Enable Guest Network #1 on the main router.
#          a. This only works for Guest Network #1.
#          b. Create either a 2.4G or 5G, or both.
#          c. Set "Guest network on AiMesh" to "Router Only".
#          d. Set "Access Intranet" to "Disable".
#
# B. Instructions for VLAN Configuration of Network Switches in Path Between Main Router and AP Router (may be required):
#       1a. Some unmanaged switches will pass the VLAN packets.  Others will not.  Buy a new switch if yours does not.
#       1b. Managed switches will likely need to be programmed for the guest network VLAN.  This may involve:
#          a. Create a VLAN entry.
#               i. For managed Netgear switches, this is found in Switching -> VLAN -> Advanced -> VLAN Configuration.
#              ii. The GN VLAN ID is 501.
#          b. Tag the ports on the switch used in the path between the main router and AP router.
#               i. For managed Netgear switches, this is found in Switching -> VLAN -> Advanced -> VLAN Membership.
#              ii. Select VLAN ID 501.
#             iii. Clear all tags.
#              iv. Tag the two ports on the switch corresponding to the main and AP router with a "T"
#          c. Set the VLAN routing configuration.
#               i. For managed Netgear switches, this is found in Routing -> VLAN -> VLAN Routing.
#              ii. Select VLAN ID 501 from the list.
#             iii. Set the switch IP address for the VLAN as XXX.YYY.101.ZZZ. XXX.YYY is base address of network.  ZZZ is switch address.
#              iv. Set the Gateway to 255.255.255.0.
#
# C. Instructions for ASUS AP Router within the GUI Setup (required):
#       1. Enable Guest Network #1 on the AP.
#          a. This only works when using Guest Network #1.
#          b. Create the same guest network that was created on the main router.
#          c. Set "Guest network on AiMesh" to "Router Only".
#          d. There will be no option for guest network isolation in the GUI.  That's ok.
#       2. In the Administration/System page of the AP GUI, enable "JFFS custom scripts and configs".
#
# D. Instructions for ASUS AP Router on the Command Line (required):
#       1. Review and adjust script for your desired guest network configuration.
#          a. Copy this script to a text file on your computer.
#          b. The script comes with all features enabled.  Review script to add hashtags to disable unwanted features.
#       2. Copy this script into a file named "ap-isolated-gn-via-vlan.sh" in the directory "/jffs/scripts/" on the AP.
#          a. Create the file by vi, nano, etc.  Some command line skills are needed for this.
#          b. Copy the contents of the file on your computer into the file on the AP.
#          c. Apply 'chmod 0755' to the file after saving it.
#       3. In the 'services-start' file, add the following entry: 'sh /jffs/scripts/ap-isolated-gn-via-vlan.sh'
#       4. Associate the AP with a static IP.
#       5. Reboot the AP.
#       6. Guest Network #1 on the AP will now be isolated.
#
# Here is some basic info about the interfaces of an RT-AC86U in AP mode:
#       eth0 => WAN port
#       eth1~4 => 1 gbps LAN ports 4~1, they're numerically reversed
#       eth5 => 2.5 gbps LAN port
#       eth6 => Main Network WiFi 2.4G
#       eth7 => Main Network WiFi 5G
#       wl0.1 through wl0.3 => WiFi 2.4G guest networks 1 thru 3
#       wl1.1 through wl1.3 => WiFi 5G guest networks 1 thru 3


# Start of script commands to create isolated guest network on ASUS router AP.

# Commands to log AP VLAN config prior to running the script. Add hashtags in front of commands if no logging desired.

echo "=== START display of AP VLAN config PRIOR TO creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
echo "--- ip a ---" >> /jffs/APGuestNetVLAN.log
ip a >> /jffs/APGuestNetVLAN.log
echo "--- ip r ---" >> /jffs/APGuestNetVLAN.log
ip r >> /jffs/APGuestNetVLAN.log
echo "--- brctl show ---" >> /jffs/APGuestNetVLAN.log
brctl show >> /jffs/APGuestNetVLAN.log
echo "=== END display of AP VLAN config PRIOR TO creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
echo "======" >> /jffs/APGuestNetVLAN.log

# End logging of initial VLAN config.


# Create 2.4G Guest Network #1 on the AP.  Add hashtags in front of commands if no 2.4 GHz guest network desired.

# Create VLAN 501 and link to eth0 (WAN port).
ip link add link eth0 name eth0.501 type vlan id 501
ip link set eth0.501 up

# Remove wl0.1 interface from br0.
brctl delif br0 wl0.1

# Set up br1, and then link VLAN 501 and wl0.1 (2.4G Guest Network #1) to br1.
brctl addbr br1
brctl addif br1 eth0.501
brctl addif br1 wl0.1
ip link set br1 up

# Create names in nvram.
nvram set lan1_ifnames="wl0.1 eth0.501"
nvram set lan1_ifname="br1"

nvram set br1_ifnames="wl0.1 eth0.501"
nvram set br1_ifname="br1"

# End setup of 2.4G Guest Network #1 on the AP.


# Create 5G Guest Network #1 on the AP.  Add hashtags in front of commands if no 5 GHz guest network desired.

# Create VLAN 502 and link to eth0 (WAN port).
ip link add link eth0 name eth0.502 type vlan id 502
ip link set eth0.502 up

# Remove wl1.1 interface from br0.
brctl delif br0 wl1.1

# Create br2, then link VLAN 502 and wl1.1 (5G Guest Network #1) to br2.
brctl addbr br2
brctl addif br2 eth0.502
brctl addif br2 wl1.1
ip link set br2 up

# Create names in nvram.
nvram set lan2_ifnames="wl1.1 eth0.502"
nvram set lan2_ifname="br2"

nvram set br2_ifnames="wl1.1 eth0.502"
nvram set br2_ifname="br2"

# End setup of 5G Guest Network #1 on the AP.


# eapd reads config from these.
# No need to set lan_ifname since it's already there.
nvram set lan_ifnames="eth1 eth2 eth3 eth4 eth5 eth6 eth7 eth0"

# Restart eapd.
killall eapd
eapd

# Commands to log AP VLAN config after enabling guest network VLAN(s). Add hashtags in front of commands if no logging desired.

echo "=== START display of AP VLAN config AFTER creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log
echo "--- ip a ---" >> /jffs/APGuestNetVLAN.log
ip a >> /jffs/APGuestNetVLAN.log
echo "--- ip r ---" >> /jffs/APGuestNetVLAN.log
ip r >> /jffs/APGuestNetVLAN.log
echo "--- brctl show ---" >> /jffs/APGuestNetVLAN.log
brctl show >> /jffs/APGuestNetVLAN.log
echo "=== END display of AP VLAN config AFTER creating guest network VLAN, $(date) ===" >> /jffs/APGuestNetVLAN.log

# End logging of VLAN config after setting up isolated guest network APs.


# End of AP Isolated Guest Network VLAN Setup script.
#
#
#
###################
#
#
#
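
Both scripts above log `brctl show` before and after the change, but nothing checks that the guest radios actually left br0. The following is an added example, not part of either posted script: it audits `brctl show` output and fails unless br1 holds exactly eth0.501 and wl0.1 and br2 holds exactly eth0.502 and wl1.1. The function names and the sample bridge tables are constructed for illustration, and it assumes both bands were enabled.

```sh
#!/bin/sh
# Added example, not part of the forum scripts: audit `brctl show` output.

# Emit one "bridge interface" pair per line from `brctl show` text on stdin.
bridge_members() {
    awk 'NR == 1 { next }                                      # column header
         NF >= 3 { br = $1; if (NF >= 4) print br, $4; next }  # new bridge row
         NF == 1 && br != "" { print br, $1 }'                 # continuation row
}

# Return 0 only if br1 == {eth0.501, wl0.1} and br2 == {eth0.502, wl1.1}.
# Assumes both bands were enabled, as in the scripts as posted.
check_guest_isolation() {
    members=$(bridge_members)
    rc=0
    for spec in "br1 eth0.501 wl0.1" "br2 eth0.502 wl1.1"; do
        set -- $spec
        got=$(printf '%s\n' "$members" | awk -v b="$1" '$1 == b { print $2 }' | sort | xargs)
        if [ "$got" != "$2 $3" ]; then
            where=$(printf '%s\n' "$members" | awk -v i="$3" '$2 == i { print $1 }')
            echo "FAIL: $1 holds [$got], expected [$2 $3]; $3 is on ${where:-no bridge}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: RT-AC86U AP after the script ran cleanly.
SAMPLE_ISOLATED='bridge name  bridge id          STP enabled  interfaces
br0          8000.001122334455  no           eth0
                                             eth1
                                             eth2
                                             eth3
                                             eth4
                                             eth5
                                             eth6
br1          8000.001122334455  no           eth0.501
                                             wl0.1
br2          8000.001122334455  no           eth0.502
                                             wl1.1'

# Constructed failure case: wl1.1 never left br0, so 5G guests share the LAN bridge.
SAMPLE_LEAKY=$(printf '%s\n' "$SAMPLE_ISOLATED" |
    awk '{ print } NF == 1 && $1 == "eth6" { print "    wl1.1" }' | sed '$d')

printf '%s\n' "$SAMPLE_ISOLATED" | check_guest_isolation && echo "isolated: OK"
printf '%s\n' "$SAMPLE_LEAKY" | check_guest_isolation || echo "leaky: guest radio still on the LAN bridge"
```

On the AP itself, run `brctl show | check_guest_isolation` after the reboot; a non-zero exit means a guest interface is still bridged with the main LAN or an extra port has joined a guest bridge.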
 
