Created Jun 5, 2022

AX88U Network Isolation

Physical port mapping: eth0 is the WAN port; eth1 through eth4 are LAN4 through LAN1 (note the reversed order).

By default Merlin bridges eth1 through eth7 into br0. To build a separate network, the eth interfaces that the Guest network needs are removed from br0 and added to a new bridge. Here eth1 (LAN4), wl0.2 (the second 2.4 GHz guest SSID) and wl1.2 (the second 5 GHz guest SSID) are moved.

After that, iptables allows the Guest network to reach the Internet but forbids it from initiating connections to br0.

Make the three scripts executable (chmod +x) and place them in /jffs/scripts (JFFS must also be enabled in the admin UI); dnsmasq.conf.add goes in /jffs/configs.

Merlin version 386.5_2; mainly based on this.

firewall-start:

```sh
#!/bin/sh
# Make sure the script is indeed invoked
touch /tmp/000-firewall-start
# INPUT: guest hosts may talk to the router itself (DHCP, DNS), but not to its
# web UI (80) or SSH (22). -I prepends, so rules inserted later are evaluated
# first: the two DROPs end up above the ACCEPT.
iptables -I INPUT -i untrusted -m state --state NEW -j ACCEPT
iptables -I INPUT -i untrusted -p tcp --dport 80 -j DROP
iptables -I INPUT -i untrusted -p tcp --dport 22 -j DROP
# FORWARD: catch-all DROP for traffic from the guest bridge, then (inserted
# above it) the permitted paths: guest<->guest, guest->WAN via eth0 or ppp0,
# and traffic to br0 only when it belongs to a connection br0 initiated.
iptables -I FORWARD -i untrusted -j DROP
iptables -I FORWARD -i untrusted -o untrusted -j ACCEPT
iptables -I FORWARD -i untrusted -o eth0 -j ACCEPT
iptables -I FORWARD -i untrusted -o ppp0 -j ACCEPT
iptables -I FORWARD -i untrusted -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Clamp TCP MSS to path MTU for forwarded SYNs (PPPoE-friendly)
iptables -I FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
date >> /tmp/000-firewall-start
```
nat-start:

```sh
#!/bin/sh
# Make sure the script is indeed invoked
touch /tmp/000-nat-start
# MASQUERADE for untrusted intranet
# Placeholders: the -s/-d subnet values are not given on the page; set them
# to the guest (untrusted) subnet in CIDR notation.
UNTRUSTED_SRC="<source-subnet/prefix>"
UNTRUSTED_DST="<destination-subnet/prefix>"
iptables -t nat -I POSTROUTING -s "$UNTRUSTED_SRC" -d "$UNTRUSTED_DST" -o untrusted -j MASQUERADE
date >> /tmp/000-nat-start
```
services-start:

```sh
#!/bin/sh
# Make sure the script is indeed invoked
touch /tmp/000-services-start
# Move eth1, wl0.2 and wl1.2 out of br0 and into a new bridge "untrusted"
brctl delif br0 eth1
brctl delif br0 wl0.2
brctl delif br0 wl1.2
brctl addbr untrusted
brctl stp untrusted on
brctl addif untrusted eth1
brctl addif untrusted wl0.2
brctl addif untrusted wl1.2
# Set network for untrusted
# Placeholder: the address is not given on the page; set it to the router's
# address on the guest subnet, e.g. <address/prefix>.
UNTRUSTED_ADDR="<router-address/prefix>"
ip addr add "$UNTRUSTED_ADDR" dev untrusted
ip link set dev untrusted up allmulticast on
date >> /tmp/000-services-start
```
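An added audit helper, not part of the gist: it parses `iptables -S FORWARD` text and confirms that traffic from the `untrusted` bridge can only reach br0 as RELATED,ESTABLISHED replies, which is the isolation property firewall-start above is meant to enforce. The sample chain contents below are constructed to mirror the gist's rules (remember that `-I` prepends, so the chain reads in the reverse of the script order); on the router you would feed it `"$(iptables -S FORWARD)"`.

```sh
#!/bin/sh
# Constructed sample: the FORWARD chain after firewall-start has run.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i untrusted -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i untrusted -o ppp0 -j ACCEPT
-A FORWARD -i untrusted -o eth0 -j ACCEPT
-A FORWARD -i untrusted -o untrusted -j ACCEPT
-A FORWARD -i untrusted -j DROP
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# Constructed misconfiguration: an unconditional guest->br0 ACCEPT was
# inserted after (so evaluated before) the catch-all DROP.
BROKEN_RULES='-P FORWARD ACCEPT
-A FORWARD -i untrusted -o br0 -j ACCEPT
-A FORWARD -i untrusted -j DROP'

# Constructed misconfiguration: firewall-start never ran, so no DROP exists.
NO_DROP_RULES='-P FORWARD ACCEPT
-A FORWARD -i br0 -o eth0 -j ACCEPT'

# check_guest_isolation "<iptables -S FORWARD output>"
# Walks the rules in evaluation order. Returns 0 only if the first rule that
# can match guest->br0 traffic without a connection-state restriction is the
# catch-all "-i untrusted -j DROP"; otherwise prints why and returns 1.
check_guest_isolation() {
    printf '%s\n' "$1" | awk '
        /^-A FORWARD / && / -i untrusted / {
            # A rule bound to some other output interface cannot match br0 traffic.
            if ($0 ~ / -o / && $0 !~ / -o br0 /) next
            if ($0 ~ / -j DROP$/) { isolated = 1; exit }
            if ($0 ~ / -j ACCEPT$/ && $0 !~ /RELATED,ESTABLISHED/) {
                reason = "guest->br0 ACCEPT is evaluated before the DROP: " $0
                exit
            }
        }
        END {
            if (!isolated) {
                if (!reason) reason = "no catch-all DROP for -i untrusted"
                print reason
                exit 1
            }
            print "guest network is isolated from br0"
        }
    '
}

check_guest_isolation "$SAMPLE_RULES"
```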