AC68U guest network problem

[metasys1]

I’ve spend days trying to configure my AC68U + 378.55 firmware for a separate guest wireless network, but cannot get it to work reliably. I already have Windows DHCP handling my private network (10.0.0.1 – 199), and modified the default dnsmasq.conf according to suggestions on this forum to handle a guest network range of 10.0.0.200 – 254. This is what I have in jffs/configs:

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-interfaces
interface=br0
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=guest.local
expand-hosts
bogus-priv
local=/guest.local/
dhcp-range=wl0.1,10.0.0.200,10.0.0.254,255.255.255.0,86400s
dhcp-option=wl0.1,3,10.0.0.1
dhcp-option=wl0.1,6,8.8.8.8,4.4.4.4,0.0.0.0
dhcp-option=wl0.1,15,guest.local
dhcp-option=wl0.1,44,10.0.0.1
dhcp-option=wl0.1,252,"\n"
dhcp-authoritative

There are 2 problems with this:

1. dnsmasq occasionally supplies IPs from the guest range for non-Windows devices on the private network, which messes up everything. I think this could be caused by setting ‘interface=br0’; however if set it to ‘interface=wl0.1’ as suggested by others, I get ‘interface not found’ errors in the log and dnsmasq won’t start.

2. I can overcome (1) to a certain extent by assigning static IPs to the offending non-Windows devices, but then every now and then another problem occurs – those devices cease communicating properly with other devices on the private network. According to Wireshark, ARP messages are getting blocked somewhere.

By setting ‘Access Intranet’ for the Guest network to 'Enable' then 'Disable' again, the problem goes away for a while, but it isn’t a permanent solution.

Any ideas? I tried creating another bridge interface and moving wl0.1 to it, but the problems remained.

 

[Hornet.NL]

I know this was posted a long time ago but have you figured this out? I could start a new post but I think adding to this is more efficient.

My network layout is similar. I use a Windows 2012r2 box as dhcp server, the main advantage is that I'm able to apply dhcp policies on my scope. However we would like to give guests access to out wifi network but i don't want them to have access to my local lan and they don't want to enter the 63chrs wpa password... ;-) I too found this post from 2013 what describes what to do but it doesnt seem to work (anymore). Can someone please help me/us?

Below is what i got so far (but which isn't working):

Fw ver: 378.56_2

Ifconfig tells me that the below networks are my 2 & 5 Ghz guest networks:

wl0.1 Link encap:Ethernet HWaddr AC:9E:17:7E09
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:24 errors:0 dropped:0 overruns:0 frame:987
TX packets:118 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4264 (4.1 KiB) TX bytes:9726 (9.4 KiB)

wl1.1 Link encap:Ethernet HWaddr AC:9E:17:7E0D
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:162314
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Based on that and the old post combined with the default dnsmasq.conf i came up with this:

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=wl0.1
interface=wl1.1
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=[my.domain]
expand-hosts
bogus-priv
dhcp-range=wl0.1,172.16.32.100,172.16.32.149,255.255.255.0,43200s
dhcp-option=wl0.1,3,172.16.32.1
dhcp-option=wl0.1,6,208.67.222.222,208.67.220.220,0.0.0.0
dhcp-option=wl0.1,15,[my.domain]
dhcp-option=wl0.1,252,"\n"
dhcp-authoritative

Which doesnt work. As you can see i started on getting the 2.4Ghz network to work first, ignoring the 5Ghz network for now.

Any ideas anyone?

 

[metasys1]

I was never able to get this working properly for more than a couple of days before dnsmasq assigned an IP to a device it shouldn’t. It may have something to do with the interface setting, but as noted I was unable to get dnsmasq to start with interface=wl0.1. Someone who understands the inner workings of dnsmasq might be able to offer a solution, but it is beyond me.

 

[BatKing]

I was never able to get this working properly for more than a couple of days before dnsmasq assigned an IP to a device it shouldn’t. It may have something to do with the interface setting, but as noted I was unable to get dnsmasq to start with interface=wl0.1. Someone who understands the inner workings of dnsmasq might be able to offer a solution, but it is beyond me.

see this, I wasn't able to assign it to wl0 or grouping the wl0.1 and wl1.1 into br1. but eventually fixed it. not sure if this is exactly what you want. But DHCP and wifi WPS2 both works for me now.

http://www.snbforums.com/threads/help-on-dhcp-for-custom-bridge.28004/

 

[Hornet.NL]

Thanks for your replies metasys1 & BatKing.

I had a go with your solution BatKing but I can't get it to work. Here is what I used based on your work:

DNSMASQ.CONF

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=br1
interface=tap21
interface=tun22
interface=ppp1*
no-dhcp-interface=br0
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=[MyDomain]
expand-hosts
bogus-priv
local=/[MyDomain]/
dhcp-range=br1,172.16.34.100,172.16.34.149,255.255.255.0,86400s
dhcp-option=br1,3,172.16.34.1
dhcp-option-br1,6,208.67.222.222,208.67.220.220
dhcp-option-br1,15,[MyDomain]

Firewall-Start

#!/bin/sh
exec 1>>/tmp/firewall-start.log 2>&1
date
set -x
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
# remove guest1 2.4Ghz/5Ghz from br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# create br1
brctl addbr br1
brctl addif br1 wl0.1
brctl addif br1 wl1.1

ifconfig br1 172.16.34.1 netmask 255.255.255.0 broadcast 172.16.34.255

# Fix WPA2 on guest wifi
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram commit
killall eapd
eapd

# fix dnsmasq not listen to br1 -D prevent duplicate rules if previously already exist
iptables -D INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -j ACCEPT

# br1 WAN access
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# block br1 access br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Keep br1 from accessing the router:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

After rebooting to make DNSMAQ.CONF effective I ran the Firewall-Start script manually (actually did that a couple of times to squash some bugs in the script). 'ifconfig' shows me the new bridge and 'brctl show' shows me that the 2 guest interfaces are connected to it. However it also showed that STP was disabled, so enabled that with 'brctl stp br1 on'. All is well except for the fact that I'm still not getting an IP addres from the routers DHCP server.

One thing (but it shouldn't prevent the DHCP server from handing out an address) the internal IP of the router is 172.16.32.1. If I give br1 an IP address in the same range (like so: ifconfig br1 172.16.32.9 netmask 255.255.255.0 broadcast 172.16.32.255) then the scripts hangs at that line. This is why I moved to the 172.16.34.0/24 range for br1.

I am failing but do not know where....

 

[BatKing]

Thanks for your replies metasys1 & BatKing.

I had a go with your solution BatKing but I can't get it to work. Here is what I used based on your work:

DNSMASQ.CONF

pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=br1
interface=tap21
interface=tun22
interface=ppp1*
no-dhcp-interface=br0
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=[MyDomain]
expand-hosts
bogus-priv
local=/[MyDomain]/
dhcp-range=br1,172.16.34.100,172.16.34.149,255.255.255.0,86400s
dhcp-option=br1,3,172.16.34.1
dhcp-option-br1,6,208.67.222.222,208.67.220.220
dhcp-option-br1,15,[MyDomain]

Firewall-Start

#!/bin/sh
exec 1>>/tmp/firewall-start.log 2>&1
date
set -x
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
# remove guest1 2.4Ghz/5Ghz from br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# create br1
brctl addbr br1
brctl addif br1 wl0.1
brctl addif br1 wl1.1

ifconfig br1 172.16.34.1 netmask 255.255.255.0 broadcast 172.16.34.255

# Fix WPA2 on guest wifi
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram commit
killall eapd
eapd

# fix dnsmasq not listen to br1 -D prevent duplicate rules if previously already exist
iptables -D INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -j ACCEPT

# br1 WAN access
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

# block br1 access br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Keep br1 from accessing the router:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

After rebooting to make DNSMAQ.CONF effective I ran the Firewall-Start script manually (actually did that a couple of times to squash some bugs in the script). 'ifconfig' shows me the new bridge and 'brctl show' shows me that the 2 guest interfaces are connected to it. However it also showed that STP was disabled, so enabled that with 'brctl stp br1 on'. All is well except for the fact that I'm still not getting an IP addres from the routers DHCP server.

One thing (but it shouldn't prevent the DHCP server from handing out an address) the internal IP of the router is 172.16.32.1. If I give br1 an IP address in the same range (like so: ifconfig br1 172.16.32.9 netmask 255.255.255.0 broadcast 172.16.32.255) then the scripts hangs at that line. This is why I moved to the 172.16.34.0/24 range for br1.

I am failing but do not know where....

How did you change your dnsmasq.conf? I use the custom config file from here (https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files). the /etc/dnsmasq.conf will get overwritten after reboot.

Also you do not need to restart the router for the dnsmesq.conf to take effect. All you need to do is

service restart_dnsmasq

I will suggest to run the firewall script manually one by one line in SSH. see if any errors. once it is done, then
service restart_dnsmasq to let the dnsmasq take effect.

So I will do the following to debug your situation.
1. enable guest1 2.4Ghz and Guest1 5Ghz SSID. Set Intranet access to enable (you should use your own iptables rules to fine turn the firewalls for this new subnet) If you want less trouble for debug purpose only, then you can set Open network security for now so u don't need the nvram commands and modify your nvram value yet. Reboot the router to make sure everything is good.

2 Once router rebooted and checking guest wifi works. then run the following commands line by line in SSH (minimum u need, the rest is other firewall restrictions which u refine later). You will need to find out your public IP 1st and replace the xxx.xxx.xxx.xxx to your actual IP address. which just similate the code WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}'). BTW here you may want to replace eth0 to vlan2 as vlan2 should be the WAN interface.

# remove guest1/guest2 2.4Ghz/5Ghz from br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1

# create br1 and br2
brctl addbr br1
brctl addif br1 wl0.1
brctl addif br1 wl1.1

ifconfig br1 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255


# Fix WPA2 on guest wifi, If open network security for Guest network, then following is not needed.
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram commit
killall eapd
eapd

# fix dnsmasq not listen to br1 and br2 -D prevent duplicate rules if previously already exist
iptables -D INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -j ACCEPT

# br1 and br2 WAN access
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to xxx.xxx.xxx.xxx
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

#add more iptables rules later. for now the above should be enough.

3. once the above is done and assuming your dnsmasq.conf is correctly configured for br1, (either by custom config or for test purpose only, you can modify the /etc/dnsmasq.conf directly). I use custom config as below and I enabled the log during debug. When your guest wifi client connects you should able to see the request logs. if there is no log and you fail to connect, that only means your iptables rule is mess up. see my previous comment for what I was missing.

dnsmasq.conf.add

log-facility=/tmp/dnsmasq.log
log-dhcp
interface=br1
dhcp-range=br1,192.168.3.100,192.168.3.199,255.255.255.0,86400s
dhcp-option=br1,3,192.168.3.1

run following to restart dnsmasq. for the above config to take effect.

service restart_dnsmasq

4. now connect to your guest1 wifi to test. If everything works, create your firewall-start script in /jffs/scripts/firewall-start and make sure you change the permission to 777 executable. reboot your router to see if the config preserve.

 

[Hornet.NL]

Ok, so it works (sort off).

Small recap:
- Created a 'dnsmasq.conf' in '/jffs/configs'. No alteration compared to my previous post.
- Created 'firewall-start' also in '/jffs/configs'. Made it executable using the command 'chmod a+rx ./firewall-start'. This file is the same as in my previous post with the addition of 'brctl stp br1 on' on the last line.
- I have no vlan2 so the grep on eth0 stayed (and works)
- After testing with 'firewall-start' and beeing content with it I moved it to '/jffs/scripts' so it will execute on boot.

Connecting to the guest network works (as it did already) but the client got stuck on getting an IP address. Giving the client an fixed IP address works, the internet is browseable.

Giving the guest networks intranet access through the web interface gives them access to the DHCP server (the Windows2012R2 box) on my internal LAN. So this sort of works.

However; the goal was (is I should say) that 'external' people with their devices are allowed internet access while keeping them from my internal lan. For this I therefore need the routers internal DHCP server to give out IP addresses to the guest networks only...