#!/bin/sh

#       version: 2.0.0, 30-jul-2022, by eibgrad

#                service-event-end, services-start

#          href: https://tinyurl.com/ycxxmw6d (version 2.x.x)

#  installation:

#    1. enable jffs custom scripts and configs (administration->system)

#         curl -kLs bit.ly/merlin-installer|tr -d '\r'|sh -s hvHHic1V

#    3. modify script w/ your preferred options using nano editor:

#         nano /jffs/configs/merlin-ac68u-add-networks.options

#    4. reboot

# compatibility checks

if [ "$(nvram get sw_mode)" != '1' ]; then

elif ! which robocfg &>/dev/null; then

    echo 'error: script is NOT compatible w/ this firmware; requires robocfg'

    exit 1

fi

CONFIGS_DIR='/jffs/configs'

CONFIG="$CONFIGS_DIR/merlin-ac68u-add-networks.options"

SCRIPTS_DIR='/jffs/scripts'

SCRIPT1="$SCRIPTS_DIR/merlin-ac68u-add-networks.dnsmasq"

SCRIPT2="$SCRIPTS_DIR/merlin-ac68u-add-networks.firewall"

SCRIPT3="$SCRIPTS_DIR/merlin-ac68u-add-networks.service-event-end"

SCRIPT5="$SCRIPTS_DIR/dnsmasq.postconf"

SCRIPT6="$SCRIPTS_DIR/firewall-start"

SCRIPT8="$SCRIPTS_DIR/services-start"

mkdir -p $CONFIGS_DIR $SCRIPTS_DIR

# ----------------- begin merlin-ac68u-add-networks.options ------------------ #

cat << 'EOF' > $CONFIG

# ------------------------------ BEGIN OPTIONS ------------------------------- #

# VLANS_PORTS='[<vlan-id>[/<port>...] ...]'

VLANS_PORTS='1/1/2/3 3/4'          # vlan1 ports 1 2 3, vlan3 port 4

#VLANS_PORTS='1/1/2 3/3/4'          # vlan1 ports 1 2, vlan3 ports 3 4

#VLANS_PORTS='1 10/1/2/3/4'         # vlan1 no ports, vlan10 ports 1 2 3 4

#VLANS_PORTS='1/1 10/2 11/3 12/4'   # vlan1/vlan10/vlan11/vlan12, one port each

#VLANS_PORTS='1/1/2/3/4t 3/4t'      # vlan1/vlan3 port 4 trunk

# VLANS_WL='[<vlan-id>[/<wireless-if>...] ...]'

#VLANS_WL=''                        # no wireless changes required

#VLANS_WL='3/eth1'                  # bridge vlan3 w/ 2.4ghz

VLANS_WL='3/eth2'                  # bridge vlan3 w/ 5ghz

#VLANS_WL='3/wl0.1/wl1.1'           # bridge vlan3 w/ guest 1 (2.4+5ghz)

#VLANS_WL='11/wl0.2/wl1.2'          # bridge vlan11 w/ guest 2 (2.4+5ghz)

#VLANS_WL='12/wl0.3/wl1.3'          # bridge vlan12 w/ guest 3 (2.4+5ghz)

# bridge vlans 10/11/12 /w guests 1/2/3 respectively

#VLANS_PORTS=''; VLANS_WL=''        # for cleanup purposes only

#IP_PFX='10.99.' # first two dotted octets only

#   warning: any change requires reinstallation w/ this script!

INCLUDE_DNSMASQ=

DNS_SERVERS='8.8.8.8,8.8.4.4' # comma-separated

# uncomment/comment to include/exclude pre-defined firewall rules

# uncomment/comment to allow/deny access to/from openvpn clients/servers

#ALLOW_OVPN_ACCESS=

# these are just examples; uncomment and modify as you see fit

DNSMASQ_ADDITIONS='

# static leases (hostname and lease time optional)

#dhcp-host=br3,47:b5:1d:54:5c:fb,192.168.3.100,desktop,24h

#dhcp-host=br3,64:67:16:cd:c7:c0,59:21:2d:99:28:70,192.168.3.101

# per-network static leases for device w/ multiple network adapters

#dhcp-host=br0,b8:70:f4:b3:4d:6a,38:59:f9:14:1f:d3,192.168.1.99,laptop

#dhcp-host=br10,b8:70:f4:b3:4d:6a,38:59:f9:14:1f:d3,192.168.10.99,laptop

#dhcp-host=br11,b8:70:f4:b3:4d:6a,38:59:f9:14:1f:d3,192.168.11.99,laptop

#dhcp-host=br12,b8:70:f4:b3:4d:6a,38:59:f9:14:1f:d3,192.168.12.99,laptop

# hostnames (dynamic leases only)

#dhcp-host=a3:fa:ca:ba:07:2c,somehostname1

#dhcp-host=43:f3:52:dd:67:d9,somehostname2

'

# useful constants

local LAN_IP="$(nvram get lan_ipaddr)" # (e.g., 192.168.1.1)

local LAN_NET="$LAN_IP/$(nvram get lan_netmask)" # (e.g., 192.168.1.0/24)

case "$1" in

3) ### vlan3/br3 rules go here ###

# allow access to printer hosted on router

#iptables -I INPUT -p tcp -i $brx --dport 9100 -j ACCEPT

:;; # DO NOT DISTURB

4) ### vlan4/br4 rules go here ###

# deny routing to internet based on source ip range

#iptables -I FORWARD -i $brx -o $WAN_IF -m iprange \

#    --src-range "${IP_PFX}${1}.110-${IP_PFX}${1}.119" -j REJECT

# deny routing to internet based on source mac address

#    0a:32:13:75:7d:95 -j REJECT

:;; # DO NOT DISTURB

# deny routing from 10:00PM to 6:00AM, Sunday->Friday (student schedule)

#iptables -I FORWARD -i $brx -m time --timestart 22:00 --timestop 00:00 \

#    --weekdays Sun,Mon,Tue,Wed,Thu --kerneltz -j REJECT

#iptables -I FORWARD -i $brx -m time --timestart 00:00 --timestop 06:00 \

#    --weekdays Mon,Tue,Wed,Thu,Fri --kerneltz -j REJECT

:;; # DO NOT DISTURB

# repeat as necessary for additional vlans/bridges

*) ### rules that apply across all vlans/bridges (br+) go here ###

# allow access to printer hosted on private network (other than router)

#iptables -I FORWARD -p tcp -i $brx -o br0 -d "${LAN_PFX}100" \

:;; # DO NOT DISTURB

# ---------------------- DO NOT CHANGE BELOW THIS LINE ----------------------- #

# shared/global functions and constants (do NOT touch!)

debug_enabled() { set -o | egrep -q '^xtrace\s+on$'; }

NOW="$(date +'%Y-%m-%d-%H%M%S')"

MIN_VID=3 MAX_VID=255 MIN_PORT=1 MAX_PORT=4

[ "$IP_PFX" ] || IP_PFX="$(nvram get lan_ipaddr | egrep -o '^(.{1,3}\.){2}')"

EOF

# ------------------ end merlin-ac68u-add-networks.options ------------------- #

# ----------------- begin merlin-ac68u-add-networks.dnsmasq ------------------ #

#set -x # comment/uncomment to disable/enable debug mode

. /usr/sbin/helper.sh

DNSMASQ_CONFIG="$1"

# function write( string )

write() { pc_append "$1" $DNSMASQ_CONFIG; }

# function validate_vlan_id( vlan-id )

validate_vlan_id() {

    local vlan_id=$1

    if ! echo $vlan_id | egrep -q '^[0-9]+$'; then

        return 1

    elif [[ $vlan_id -lt $MIN_VID || $vlan_id -gt $MAX_VID ]]; then

        return 1

    fi

    write "dhcp-range=br${1},${IP_PFX}${1}.100,${IP_PFX}${1}.254,255.255.255.0,24h"

# add dhcp server configuration for each new bridge

for vp in $VLANS_PORTS; do

IFS="$OIFS"

[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT1

sed -i "s:\$CONFIG:$CONFIG:g" $SCRIPT1

chmod +x $SCRIPT1

# ------------------ end merlin-ac68u-add-networks.dnsmasq ------------------- #

# ----------------- begin merlin-ac68u-add-networks.firewall ----------------- #

#!/bin/sh

#set -x # comment/uncomment to disable/enable debug mode

. $CONFIG

{

WAN_IF="$([ $1 ] && echo $1 || echo $(nvram get wan0_ifname))"

# function validate_vlan_id( vlan-id )

    if ! echo $vlan_id | egrep -q '^[0-9]+$'; then

        return 1

    fi

}

# function add_rules( bridge-index )

add_rules() {

    # limit new bridge to essential router services (dhcp, dns, ping)

    iptables -I INPUT -i br${1} -j REJECT

    iptables -I INPUT -i br${1} -d ${IP_PFX}${1}.1 -p icmp -j ACCEPT

    if [ ! "$DNS_SERVERS" ]; then

        iptables -I INPUT -i br${1} -d ${IP_PFX}${1}.1 -p tcp --dport 53 -j ACCEPT

        iptables -I INPUT -i br${1} -d ${IP_PFX}${1}.1 -p udp --dport 53 -j ACCEPT

    fi

    iptables -I INPUT -i br${1} -p udp --dport 67 -j ACCEPT

    # define routing limits of new bridge (default is internet only)

    if [ ! ${ALLOW_PRIVATE_TO_ANY+x} ]; then

        iptables -I FORWARD -i br0 -o br${1} -j REJECT

    fi

    if [ ${ALLOW_OVPN_ACCESS+x} ]; then

        iptables -I FORWARD -i tun2+  -o br${1} -j ACCEPT

        iptables -I FORWARD -i br${1} -o tun1+  -j ACCEPT

    fi

    iptables -I FORWARD -i br${1} -m conntrack --ctstate DNAT -j ACCEPT

    iptables -I FORWARD -i br${1} -o $WAN_IF -j ACCEPT

}

# add firewall rules for each new bridge

for vp in $VLANS_PORTS; do

    vlan_id="$(echo $vp | cut -d/ -f1)"

    # ignore bad/missing input

    validate_vlan_id $vlan_id || continue

    add_rules $vlan_id

    firewall_additions $vlan_id

echo "installed: $SCRIPT2"

fi

# -------------- begin merlin-ac68u-add-networks.services-start -------------- #

cat << 'EOF' > $SCRIPT3

#set -x # comment/uncomment to disable/enable debug mode

. $CONFIG

{

CPU_PORT="$(robocfg show | awk '/vlan1:/{print $NF}')"

# function validate_vlan_id( vlan-id )

    local vlan_id=$1

        if [ $vlan_id == '2' ]; then

            return 1

        elif ! echo $vlan_id | egrep -q '^[0-9]+$'; then

            echo "error: vlan-id ${vlan_id} not numeric"

            return 1

        elif [[ $vlan_id -lt $MIN_VID || $vlan_id -gt $MAX_VID ]]; then

            echo "error: vlan${vlan_id} out of range ($MIN_VID-$MAX_VID)"

            return 1

        fi

    fi

    return 0

}

# function add_vlan_and_bridge( vlan-id ports )

add_vlan_and_bridge() {

    local vlan_id=$1

    local ports="$2"

    # create new vlan w/ specified port(s)

    robocfg vlan $vlan_id ports "$ports"

    # add new vlan to eth0 (cpu) network interface

    vconfig add eth0 $vlan_id

    # bring up new vlan

    ifconfig vlan${vlan_id} up

    # create new bridge and add new vlan

    brctl addbr br${vlan_id}

    brctl addif br${vlan_id} vlan${vlan_id}

    # configure new bridge w/ preferred settings

    stp=$([ "$(nvram get lan_stp)" == '1' ] && echo 'on' || echo 'off')

    brctl stp br${vlan_id} $stp # stp to prevent bridge loops

    brctl setfd br${vlan_id} 2  # stp forward delay (2 secs)

    # config ip on new bridge and bring up network

    ifconfig br${vlan_id} ${IP_PFX}${vlan_id}.1 netmask 255.255.255.0 up

}

# respond to *all* wireless events (start/restart/stop)

[ "$2" == 'wireless' ] || exit 0

# cleanup any previous vlan/bridge configurations

n=$MIN_VID

while [ "$(nvram get br${n}_ifname)" ]; do

    br="$(nvram get br${n}_ifname)"

    ifconfig $br down 2>/dev/null && brctl delbr $br && vconfig rem $vl

    nvram unset  br${n}_ifname

    nvram unset  br${n}_ifnames

    nvram unset lan${n}_ifname

    nvram unset lan${n}_ifnames

    [ $((++n)) -le $MAX_VID ] || break

done

# commit changes from cleanup if no other actions requested/required

[[ $((n)) -gt $MIN_VID && ! "$VLANS_PORTS" && ! "$VLANS_WL" ]] && nvram commit

# assign ports to vlans

for vp in $VLANS_PORTS; do

    vlan_id="$(echo $vp | cut -d/ -f1)"

    # ignore bad/missing input

    [ $vlan_id ] || continue

    validate_vlan_id $vlan_id || continue

    # isolate ports from vlan-id

    vlan_ports="$(echo $vp | awk -F/ '{$1=""; print $0}')"

    # validate ports

    for p in $vlan_ports; do

        if ! echo $p | egrep -q '^[0-9]+[tu*]{0,1}$'; then

            echo "error: port $p specification not valid"

            continue 2

        fi

        _p="$(echo $p | egrep -o '^[0-9]*')"

        if [[ $_p -lt $MIN_PORT || $_p -gt $MAX_PORT ]]; then

            echo "error: port $p out of range ($MIN_PORT-$MAX_PORT)"

            continue 2

        fi

    done

    # add cpu port to ports

    vlan_ports="$(echo $vlan_ports $CPU_PORT)"

    if [ $vlan_id == '1' ]; then

        robocfg vlan 1 ports "$vlan_ports"

        continue

    fi

    add_vlan_and_bridge $vlan_id "$vlan_ports"

    # determine next available bridge/lan index

    #n=$vlan_id # doesn't work; must be assigned sequentially

    n=$MIN_VID; while [ "$(nvram get lan${n}_ifname)" ]; do let n++; done

    # add and initialize network interface names

    nvram set  br${n}_ifname=br${vlan_id}

    nvram set  br${n}_ifnames=vlan${vlan_id}

    nvram set lan${n}_ifname=br${vlan_id}

    nvram set lan${n}_ifnames=vlan${vlan_id}

done

# bridge wireless to vlans

for vw in $VLANS_WL; do

    vlan_id="$(echo $vw | cut -d/ -f1)"

    # ignore bad/missing input

    [ $vlan_id ] || continue

    validate_vlan_id $vlan_id || continue

    # validate vlan-id usage

    if ! ifconfig vlan${vlan_id} &>/dev/null; then

        echo "error: vlan${vlan_id} not found"

        continue

    fi

    # isolate wireless network interfaces from vlan-id

    vlan_wl="$(echo $(echo $vw | awk -F/ '{$1=""; print $0}'))"

    # move wireless network interfaces to new bridge

    for wl in $vlan_wl; do

        # validate wireless network interface

        case $wl in

            'eth1'|'eth2'|'wl0.1'|'wl1.1'|'wl0.2'|'wl1.2'|'wl0.3'|'wl1.3') :;;

          *) echo "error: unknown wireless network interface: ${wl}"; continue 2;;

        esac

        # wireless network interface must be up and running

        if ! ifconfig $wl &>/dev/null; then

            echo "error: wireless network interface not available: ${wl}"

            continue 2

        fi

        # delete wireless network interface from current bridge

        n=0

        if brctl show | grep -q "\s${wl}\$"; then

            while ! brctl delif br${n} $wl 2>/dev/null; do

                if [ $((++n)) -gt $MAX_VID ]; then

                    echo "program error: wireless network interface not found: ${wl}"

                    break

                fi

            done

        fi

        # add wireless network interface to new bridge

        brctl addif br${vlan_id} $wl

    done

    # find bridge/lan index for this vlan

    n=$MIN_VID

    while ! nvram get br${n}_ifnames | egrep -q "^vlan${vlan_id}( |$)"; do

        if [ $((++n)) -gt $MAX_VID ]; then

            echo "program error: bridge/lan index not found: ($n)"

            continue 2

        fi

    done

    # add wireless network interface names to corresponding bridge/lan

    nvram set  br${n}_ifnames="$(nvram get  br${n}_ifnames) $vlan_wl"

    nvram set lan${n}_ifnames="$(nvram get lan${n}_ifnames) $vlan_wl"

    # convert wireless network interface names to sed search mask

    mask=''; for wl in $vlan_wl; do mask="${mask}${wl}(\s|\$)|"; done

    # remove wireless network interface names from system bridges/lans

    for i in 0 1 2; do

        [ "$(nvram get  br${i}_ifnames)" ] && \

             nvram set  br${i}_ifnames="$(echo $(nvram get  br${i}_ifnames | \

                 sed -r s/$mask//g))"

        [ "$i" == '0' ] && j='' || j="$i"

        [ "$(nvram get lan${j}_ifnames)" ] && \

             nvram set lan${j}_ifnames="$(echo $(nvram get lan${j}_ifnames | \

                 sed -r s/$mask//g))"

    done

done

# force system to recognize any changes

eapd

exit 0

} 2>&1 | tee $LOG | logger -t $BASENAME[$$]

EOF

[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT3

sed -i "s:\$CONFIG:$CONFIG:g" $SCRIPT3

chmod +x $SCRIPT3

echo "installed: $SCRIPT3"

# --------------- end merlin-ac68u-add-networks.services-start --------------- #

# ------------ begin merlin-ac68u-add-networks.service-event-end ------------- #

cat << 'EOF' > $SCRIPT4

#set -x # comment/uncomment to disable/enable debug mode

sed -i "s:\$CONFIG:$CONFIG:g" $SCRIPT4

chmod +x $SCRIPT4

# -------------------------- begin dnsmasq.postconf -------------------------- #

create_script() {

cat << 'EOF' > $SCRIPT5

#!/bin/sh

#set -x # comment/uncomment to disable/enable debug mode

$SCRIPT1 "$1"

} 2>&1 | logger -t $(basename $0)[$$]

[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT5

chmod +x $SCRIPT5

if [ -f $SCRIPT5 ]; then

    create_script

fi

# --------------------------- begin firewall-start --------------------------- #

if grep -q '^INCLUDE_FIREWALL=' $CONFIG; then

create_script() {

cat << 'EOF' > $SCRIPT6

#!/bin/sh

#set -x # comment/uncomment to disable/enable debug mode

$SCRIPT2 "$1"

} 2>&1 | logger -t $(basename $0)[$$]

[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT6

else

    create_script

fi

# ---------------------------- end firewall-start ---------------------------- #

# ------------------------- begin service-event-end -------------------------- #

cat << 'EOF' > $SCRIPT7

#set -x # comment/uncomment to disable/enable debug mode

{

$SCRIPT3 "$1" "$2"

} 2>&1 | logger -t $(basename $0)[$$]

EOF

[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT7

sed "s:\$SCRIPT3:$SCRIPT3:g" -i $SCRIPT7

chmod +x $SCRIPT7

}

if [ -f $SCRIPT7 ]; then

    echo "error: $SCRIPT7 already exists; requires manual installation"

else

    create_script

    echo "installed: $SCRIPT7"

fi

# -------------------------- end service-event-end --------------------------- #

# --------------------------- begin services-start --------------------------- #

create_script() {

cat << 'EOF' > $SCRIPT8

#!/bin/sh

#set -x # comment/uncomment to disable/enable debug mode

{

$SCRIPT4

} 2>&1 | logger -t $(basename $0)[$$]

EOF

[ ${DEBUG+x} ] && sed -ri '2 s/^#(set -x)/\1/' $SCRIPT8

sed "s:\$SCRIPT4:$SCRIPT4:g" -i $SCRIPT8

chmod +x $SCRIPT8

}

if [ -f $SCRIPT8 ]; then

    echo "error: $SCRIPT8 already exists; requires manual installation"

else

    create_script

    echo "installed: $SCRIPT8"

fi

# ---------------------------- end services-start ---------------------------- #