Custom guest wireless network on ASUS RT-AC68U (Merlin firmware)
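#!/bin/sh
# /jffs/scripts/firewall-start  (Asuswrt-Merlin hook; runs on every firewall restart)
#
# Guest Wi-Fi on its own L2 segment, without a second bridge.
#
# Topology: a VM is attached to switch port 1 on VLAN 1111 (tagged) and acts
# as the guest network's router (DHCP, uplink, any further filtering). The
# guest SSIDs (wl0.*, wl1.*) cannot simply be moved into a new bridge together
# with vlan1111, because Wi-Fi authentication only works while they stay in
# br0. So everything remains in br0 and ebtables fences the guest interfaces
# and vlan1111 off from the rest of the bridge and from the router itself.
#
# Safety properties this script relies on:
#   * The isolation chains are installed BEFORE vlan1111 joins br0, and
#     `set -e` aborts on the first failure, so an error can never leave the
#     guest VLAN bridged into the LAN without its filters (fail closed).
#   * Re-runs are idempotent. Each chain is rebuilt under its working name and
#     then renamed over the previous "<chain>-done" copy, so the builtin hook
#     chains carry a complete rule set at every point of the swap.
#   * Anything able to emit 1111-tagged frames on port 1 gets unrestricted L2
#     reach to every guest client: the VM (and whatever shares port 1) is
#     trusted as the guest gateway.
#
# Interface names (eth0, br0, wl0.*, wl1.*) are those of the RT-AC68U.

set -e

GUEST_VLAN=1111
GUEST_IF="vlan${GUEST_VLAN}"
# ebtables wildcards matching every guest SSID on each radio. Expanded
# unquoted on purpose (word splitting; the patterns contain no glob chars).
GUEST_WL="wl0.+ wl1.+"

#######################################
# Create an ebtables user chain, or flush it if an interrupted earlier run
# left it behind, so it can be refilled from scratch.
# Arguments: $1 - chain name
#######################################
fresh_chain() {
  ebtables -N "$1" >/dev/null 2>&1 || true
  ebtables -F "$1"
}

#######################################
# Hook a freshly built chain into a builtin chain and retire the previous
# generation. The jump to the new chain is inserted before the old jump is
# removed, so the builtin chain is never without the isolation rules.
# Arguments: $1 - chain name (just built)
#            $2 - builtin chain to hook into (FORWARD, INPUT or OUTPUT)
#######################################
swap_chain() {
  ebtables -D "$2" -j "$1" >/dev/null 2>&1 || true        # stale jump from an interrupted run
  ebtables -I "$2" -j "$1"
  ebtables -D "$2" -j "${1}-done" >/dev/null 2>&1 || true # previous generation's jump ...
  ebtables -X "${1}-done" >/dev/null 2>&1 || true         # ... and its chain
  ebtables -E "$1" "${1}-done"                            # free the working name for the next run
}

#######################################
# FORWARD (frames bridged through br0): guest SSIDs and the guest VLAN may
# only talk to each other. Anything else entering or leaving a guest SSID or
# vlan1111 inside br0 is dropped, which also blocks guest-to-guest traffic
# between different guest interfaces.
# Arguments: $1 - chain name
#######################################
build_forward_chain() {
  fresh_chain "$1"
  for wl in $GUEST_WL; do
    ebtables -A "$1" -i "$wl" -o "$GUEST_IF" -j RETURN
    ebtables -A "$1" -i "$GUEST_IF" -o "$wl" -j RETURN
  done
  for wl in $GUEST_WL; do
    ebtables -A "$1" -i "$wl" -j DROP
    ebtables -A "$1" -o "$wl" -j DROP
  done
  ebtables -A "$1" -i "$GUEST_IF" -j DROP
  ebtables -A "$1" -o "$GUEST_IF" -j DROP
}

#######################################
# INPUT (frames addressed to the router itself): nothing from vlan1111, and
# no IPv4/IPv6 from the guest SSIDs. Non-IP frames from the guest SSIDs must
# still reach the router or Wi-Fi authentication (presumably EAPOL) fails.
# NOTE(review): this also admits ARP and any other non-IP ethertype from
# guests, and `-p ip`/`-p ip6` match the outer ethertype only, so an
# 802.1Q-tagged payload is not classified here. An EAPOL-only allow-list
# would be stricter but is untested on this firmware.
# Arguments: $1 - chain name
#######################################
build_input_chain() {
  fresh_chain "$1"
  ebtables -A "$1" -i "$GUEST_IF" -j DROP
  for wl in $GUEST_WL; do
    ebtables -A "$1" -i "$wl" -p ip -j DROP
    ebtables -A "$1" -i "$wl" -p ip6 -j DROP
  done
}

#######################################
# OUTPUT (frames originated by the router): mirror of the INPUT policy, so
# LAN-side traffic from the router is never leaked onto the guest segment.
# Arguments: $1 - chain name
#######################################
build_output_chain() {
  fresh_chain "$1"
  ebtables -A "$1" -o "$GUEST_IF" -j DROP
  for wl in $GUEST_WL; do
    ebtables -A "$1" -o "$wl" -p ip -j DROP
    ebtables -A "$1" -o "$wl" -p ip6 -j DROP
  done
}

# --- switch and VLAN interface ---------------------------------------------
# Port 1 carries the VM (tagged); port 5 is the internal CPU port and has to
# be a member, otherwise the tagged frames never reach the SoC.
robocfg vlan "$GUEST_VLAN" ports "1t 5t"
# `ip link add` fails when the interface already exists; skip it on re-runs.
[ -d "/sys/class/net/$GUEST_IF" ] || ip link add link eth0 name "$GUEST_IF" type vlan id "$GUEST_VLAN"
ip link set dev "$GUEST_IF" up

# --- isolation first ---------------------------------------------------------
build_forward_chain "$GUEST_IF"
swap_chain "$GUEST_IF" FORWARD
build_input_chain "${GUEST_IF}-in"
swap_chain "${GUEST_IF}-in" INPUT
build_output_chain "${GUEST_IF}-out"
swap_chain "${GUEST_IF}-out" OUTPUT

# --- only now join the guest VLAN to the LAN bridge ------------------------
# Guarded so a re-run does not fail on "already a member".
[ -d "/sys/class/net/br0/brif/$GUEST_IF" ] || brctl addif br0 "$GUEST_IF"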
The official firmware doesn't support scripting, so this wouldn't work. Merlin is an easy install, though.
Hi @SAPikachu
Will this also work on the official Asus firmware for the RT-AC68U?