@ihciah
Created June 5, 2022 04:00
AX88U Network Isolation

Physical port mapping: eth0 is WAN; eth1 to eth4 are LAN4 down to LAN1 (eth1 is LAN4, eth4 is LAN1).

By default Merlin bridges eth1 to eth7 into br0. To get a separate network, the interfaces the guest network needs are taken out of br0 and put into a new bridge. Here eth1 (LAN4), wl0.2 (the second 2.4 GHz guest network) and wl1.2 (the second 5 GHz guest network) are moved.

iptables then lets the guest network reach the internet but stops it from initiating anything towards br0; only replies to connections that hosts on br0 opened are allowed back in. The rules are added with -I, so each one lands in front of the one before it: the catch-all DROP is inserted first so that it is evaluated last. The rules are IPv4 only; nothing here touches ip6tables, so if IPv6 is ever configured on the untrusted bridge the same isolation has to be repeated there.

Make the three scripts executable (+x) and put them in /jffs/scripts (JFFS custom scripts and configs must also be enabled in the admin UI); dnsmasq.conf.add goes in /jffs/configs. The scripts are the Merlin hooks firewall-start, nat-start and services-start, as the marker each one touches in /tmp indicates.

Merlin version 386.5_2; mainly based on this reference.

# /jffs/configs/dnsmasq.conf.add
# DHCP for the untrusted bridge: gateway 192.168.1.1, and public resolvers
# (119.29.29.29, 223.6.6.6) handed out directly, so guests do not use the router for DNS.
interface=untrusted
dhcp-range=untrusted,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=untrusted,3,192.168.1.1
dhcp-option=untrusted,6,119.29.29.29,223.6.6.6

#!/bin/sh
# /jffs/scripts/firewall-start
# Make sure the script is indeed invoked
touch /tmp/000-firewall-start
# INPUT: let guest clients reach the router itself (DHCP etc.) but not the web UI
# (80) or SSH (22). Every rule is inserted at the top with -I, so the two DROPs,
# inserted after the ACCEPT, are evaluated before it. Anything else the router
# listens on (the HTTPS web UI, if enabled) stays reachable; add a DROP per port.
iptables -I INPUT -i untrusted -m state --state NEW -j ACCEPT
iptables -I INPUT -i untrusted -p tcp --dport 80 -j DROP
iptables -I INPUT -i untrusted -p tcp --dport 22 -j DROP
# FORWARD: default-deny for traffic from the guest bridge, inserted first so it
# ends up last; then allow guest-to-guest, guest-to-WAN (eth0, or ppp0 for PPPoE),
# and only replies (RELATED,ESTABLISHED) back into br0.
iptables -I FORWARD -i untrusted -j DROP
iptables -I FORWARD -i untrusted -o untrusted -j ACCEPT
iptables -I FORWARD -i untrusted -o eth0 -j ACCEPT
iptables -I FORWARD -i untrusted -o ppp0 -j ACCEPT
iptables -I FORWARD -i untrusted -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Clamp TCP MSS to path MTU on forwarded SYNs (matters behind PPPoE)
iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
date >> /tmp/000-firewall-start

#!/bin/sh
# /jffs/scripts/nat-start
# Make sure the script is indeed invoked
touch /tmp/000-nat-start
# Hairpin NAT for the untrusted subnet: guest-to-guest traffic that passes through
# the router is masqueraded with the bridge address, as the firmware does for br0.
# Guest traffic to the WAN is covered by the firmware's own -o eth0 MASQUERADE rule.
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o untrusted -j MASQUERADE
date >> /tmp/000-nat-start

#!/bin/sh
# /jffs/scripts/services-start
# Make sure the script is indeed invoked
touch /tmp/000-services-start
# Move eth1 (LAN4), wl0.2 and wl1.2 (second 2.4G/5G guest SSIDs) from br0 to a new bridge
brctl delif br0 eth1
brctl delif br0 wl0.2
brctl delif br0 wl1.2
brctl addbr untrusted
brctl stp untrusted on
brctl addif untrusted eth1
brctl addif untrusted wl0.2
brctl addif untrusted wl1.2
# Address the bridge; dnsmasq serves the matching 192.168.1.0/24 range on it
ip addr add 192.168.1.1/24 dev untrusted
ip link set dev untrusted up allmulticast on
# This hook runs once at boot. If the firmware rebuilds its bridges later (a
# wireless restart, for example), check with `brctl show` that these three
# interfaces have not landed back in br0.
date >> /tmp/000-services-start
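The isolation above rests on two things that are easy to get silently wrong: the three interfaces really leaving br0, and the FORWARD chain ending up in the order the -I inserts are meant to produce (the catch-all DROP last). The script below is an added verification check, not part of the gist; it parses `brctl show` and `iptables -S FORWARD` output, replays the FORWARD chain first-match-wins for a few guest packets, and flags any deviation. Run with no arguments it uses constructed sample output (made up here, including a variant in which the rules were appended with -A to show the DROP shadowing every ACCEPT); run with `live` on the router it reads the real commands. Bridge and interface names (untrusted, br0, eth0, eth1, wl0.2, wl1.2) are the gist's own; the simulator only evaluates -i, -o (with optional !) and --state, which is all the gist's rules use.

```shell
#!/bin/sh
# check-isolation.sh (added example, not from the gist)
#   sh check-isolation.sh        dry run on the constructed samples below
#   sh check-isolation.sh live   on the router: reads brctl show / iptables -S FORWARD

# Constructed sample of `brctl show` after services-start ran (bridge ids are
# made up; real output is tab-separated, which awk treats the same way).
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000000000001       no              eth2
                                                        eth3
                                                        eth4
untrusted       8000.000000000002       yes             eth1
                                                        wl0.2
                                                        wl1.2'

# Constructed `iptables -S FORWARD` after firewall-start ran with -I: each
# insert went in front of the previous one, so the guest DROP is last.
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i untrusted -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i untrusted -o ppp0 -j ACCEPT
-A FORWARD -i untrusted -o eth0 -j ACCEPT
-A FORWARD -i untrusted -o untrusted -j ACCEPT
-A FORWARD -i untrusted -j DROP
-A FORWARD -i br0 ! -o eth0 -j ACCEPT'

# The same rules as they would land had firewall-start used -A: the DROP is
# evaluated first and shadows every ACCEPT after it (guest loses the WAN too).
SAMPLE_FORWARD_APPENDED='-P FORWARD DROP
-A FORWARD -i untrusted -j DROP
-A FORWARD -i untrusted -o untrusted -j ACCEPT
-A FORWARD -i untrusted -o eth0 -j ACCEPT
-A FORWARD -i untrusted -o ppp0 -j ACCEPT
-A FORWARD -i untrusted -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# bridge_members BRCTL_OUTPUT BRIDGE: print the interfaces attached to BRIDGE.
# brctl puts the first interface on the bridge line (4 fields) and the rest on
# continuation lines that hold only the interface name (1 field).
bridge_members() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NR == 1 { next }
        NF >= 3 { cur = $1; ifc = (NF == 4) ? $4 : "" }
        NF == 1 { ifc = $1 }
        ifc != "" && cur == want { print ifc }'
}

# forward_verdict RULES IN_IF OUT_IF STATE: walk an `iptables -S FORWARD`
# listing top to bottom, first terminating target wins, print the verdict or
# the chain policy. Non-terminating targets (TCPMSS) are skipped; matchers
# other than -i, -o and --state (-p, --dport, --tcp-flags) are assumed to match.
forward_verdict() {
    printf '%s\n' "$1" | awk -v in_if="$2" -v out_if="$3" -v st="$4" '
        /^-P FORWARD / { policy = $3; next }
        /^-A FORWARD / {
            ri = ""; ro = ""; rs = ""; ni = 0; no = 0; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i")      { ri = $(i+1); ni = ($(i-1) == "!") }
                if ($i == "-o")      { ro = $(i+1); no = ($(i-1) == "!") }
                if ($i == "--state") { rs = $(i+1) }
                if ($i == "-j")      { target = $(i+1) }
            }
            if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
            if (ri != "" && (ri == in_if) == ni) next
            if (ro != "" && (ro == out_if) == no) next
            if (rs != "" && index("," rs ",", "," st ",") == 0) next
            print target; found = 1; exit
        }
        END { if (!found) print policy }'
}

# check_isolation BRCTL_OUTPUT FORWARD_RULES: print one line per check and
# return non-zero if anything failed.
check_isolation() {
    brout=$1; fwd=$2; fails=0
    for ifc in eth1 wl0.2 wl1.2; do
        if bridge_members "$brout" br0 | grep -qxF "$ifc"; then
            echo "FAIL: $ifc is still attached to br0"; fails=$((fails + 1))
        elif bridge_members "$brout" untrusted | grep -qxF "$ifc"; then
            echo "ok:   $ifc is on untrusted"
        else
            echo "FAIL: $ifc is on neither bridge"; fails=$((fails + 1))
        fi
    done
    # in-interface, out-interface, conntrack state, expected verdict
    for spec in "untrusted br0 NEW DROP" "untrusted br0 ESTABLISHED ACCEPT" \
                "untrusted eth0 NEW ACCEPT" "untrusted untrusted NEW ACCEPT"; do
        set -- $spec
        got=$(forward_verdict "$fwd" "$1" "$2" "$3")
        if [ "$got" = "$4" ]; then
            echo "ok:   $1 -> $2 ($3) is $got"
        else
            echo "FAIL: $1 -> $2 ($3) is $got, expected $4"; fails=$((fails + 1))
        fi
    done
    [ "$fails" -eq 0 ]
}

case "${1:-}" in
    live) check_isolation "$(brctl show)" "$(iptables -S FORWARD)" ;;
    *)    echo "# dry run on constructed samples (pass 'live' to check this router)"
          check_isolation "$SAMPLE_BRCTL" "$SAMPLE_FORWARD"
          echo "# with -A instead of -I, guest -> WAN would be: $(forward_verdict "$SAMPLE_FORWARD_APPENDED" untrusted eth0 NEW)" ;;
esac
```

On the router, a FAIL on the bridge checks after a settings change is the symptom of the firmware having rebuilt br0 (rerun services-start); a FAIL on the FORWARD checks usually means another script inserted rules on top of these after firewall-start ran.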