That's very true, and if they've somehow managed to find it they screw everything up.
Yeah, I'm running beta Merlin because of stock limits. I had it set up and working perfectly until the Verizon Jetpack was bricked after they pushed new firmware to it.
I'm thinking I could allow those 2 devices to pass through and do firewall rules on new USB, but not exactly secure and .....
Since this is how my whole network is set up (smart hub, servers, laptops, TVs, etc.):
I use an AP that has multiple SSIDs mapped to separate VLANs. Then with a firewall or access lists, I can control what each VLAN has access to. Then I broke the devices into classes of connectivity:
Need just a constant "cloud" connection to work properly
Need no connection except for initial config/updates, need local connection
Need both a cloud connection and a local connection to work
For the class of devices that are truly cloud-based (i.e. they don't use any local traffic, it all must go out to the internet and back), I created an SSID and VLAN that segregates traffic to make sure that any hostile activity it might be repurposed for is sheltered from high-value targets like the backup server. I put devices that need some sort of always-on connection in their own class to keep them sidelined if there is some sort of remote compromise of their command and control structure (the cloud).
To get local access to those devices, like to give my daughter's phone just the ability to access port 80 on the TV or light bulb, I have a stateful firewall rule to enforce that only her phone, to only that port on the TV, will be allowed. My outdoor TV, which I only really want to be able to talk to the internet but no other devices, and be all by itself, has its very own SSID and VLAN.
My guest network is on another VLAN, since for example my smart light bulb, even if I purposefully open a port from the internet at large, it is of no harm even without a password since I trust all the other devices on the network to not be under malicious control.
It's quite complex already, and if I go the firewall rules route I'm worried about memory and heat.
The only other option is to tweak the firmware myself to allow for rules. Or a Linux box.
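
The VLAN-per-class layout and the single phone-to-TV pinhole described in the thread, written as an nftables forward chain for a Linux box doing the inter-VLAN routing. This is an added example, not configuration from any poster; the interface names, VLAN IDs, addresses and the trusted VLAN holding the phone are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: names, VLAN IDs and addresses below are constructed assumptions.
add table inet seg
delete table inet seg          # makes reloading this file idempotent

define WAN     = "eth0"
define CLOUD   = "eth1.10"     # class 1: cloud connection only
define LOCAL   = "eth1.20"     # class 2: local only, no internet
define HYBRID  = "eth1.30"     # class 3: cloud and local (the TV lives here)
define OUTDOOR = "eth1.40"     # outdoor TV, alone on its VLAN
define GUEST   = "eth1.50"
define TRUSTED = "eth1.60"     # phones, laptops, backup server
define PHONE   = 192.168.60.25
define TV      = 192.168.30.40

table inet seg {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful part: replies to flows an earlier rule accepted.
        ct state established,related accept
        ct state invalid drop

        # Internet access per class. LOCAL is absent, so it never reaches WAN.
        iifname { $CLOUD, $HYBRID, $OUTDOOR, $GUEST, $TRUSTED } oifname $WAN accept

        # The one local pinhole: this phone, to this TV, on TCP 80 only.
        iifname $TRUSTED oifname $HYBRID ip saddr $PHONE ip daddr $TV tcp dport 80 accept

        # Everything else between VLANs hits the drop policy; count and log a sample.
        counter limit rate 5/minute log prefix "seg-drop: "
    }
}
```

Only routed traffic passes this chain, so devices sharing a VLAN still reach each other directly, which is why the outdoor TV gets a VLAN to itself. Traffic addressed to the router itself (DHCP, DNS) is handled by an input chain that is not shown here.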