
Allow only DNS from Guest Wifi to internal

mugabemkomo

New Around Here
Hi,
I currently have a RT-AC87U with Merlin installed (thank you for that).
Now I tried a separate DNS Proxy in my LAN, but obviously the Guest Wifi has no access to it.

How can I grant the guest wifi only access to the one DNS Server and nothing else?
I'm guessing I have to modify ebtables/iptables but I can't say that I have a lot of knowledge in it :)

Maybe someone could help me with it.
Thank you.
 
Ok it seems to work when I add this in firewall-start
#!/bin/sh
/usr/sbin/ebtables -I FORWARD -i wl0.1 -d b8:27:eb:d7:2d:8d -j ACCEPT
/usr/sbin/ebtables -I FORWARD -o wl0.1 -s b8:27:eb:d7:2d:8d -j ACCEPT

But somehow it gets duplicated, is this not purged on reboot?

Bridge chain: FORWARD, entries: 6, policy: ACCEPT
-s b8:27:eb:d7:2d:8d -o wl0.1 -j ACCEPT
-d b8:27:eb:d7:2d:8d -i wl0.1 -j ACCEPT
-s b8:27:eb:d7:2d:8d -o wl0.1 -j ACCEPT
-d b8:27:eb:d7:2d:8d -i wl0.1 -j ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP

I'm also trying to figure out why this does not work:
ebtables -I FORWARD -i wl0.1 -d b8:27:eb:d7:2d:8d -p ipv4 --ip-proto udp --ip-destination-port 53 -j ACCEPT
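
Added example, not part of the posts above and not code from Asuswrt-Merlin: a firewall-start body that can run any number of times without stacking duplicate entries, and that narrows the guest-to-server allowance to DNS (UDP/TCP 53) plus the ARP lookup the guest needs. It assumes the duplicates come from the script running again while the bridge table is left in place, and that the firmware's ebtables build includes the ip and arp matches; `DNS_IP` is a constructed placeholder, and `ensure_rule` and `apply_guest_dns_rules` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: DNS-only guest rules that are safe to re-run.
EBT="${EBT:-/usr/sbin/ebtables}"   # binary path as used in the thread
GUEST_IF="wl0.1"                   # guest interface from the thread
DNS_MAC="b8:27:eb:d7:2d:8d"        # DNS server MAC from the thread
DNS_IP="${DNS_IP:-192.168.1.2}"    # constructed placeholder for the DNS server's LAN IP

# Hypothetical helper: put one rule at the top of FORWARD exactly once.
# Every existing copy is deleted first, so repeated runs never stack duplicates.
ensure_rule() {
    while $EBT -D FORWARD "$@" 2>/dev/null; do :; done
    $EBT -I FORWARD "$@"
}

# Hypothetical helper: allow guest <-> DNS server for port 53 only, plus the ARP
# exchange the guest needs to learn the server's MAC. Assumes the firmware's
# ebtables build includes the ip and arp match extensions.
apply_guest_dns_rules() {
    for proto in udp tcp; do
        ensure_rule -p IPv4 -i "$GUEST_IF" -d "$DNS_MAC" \
            --ip-proto "$proto" --ip-dport 53 -j ACCEPT
        ensure_rule -p IPv4 -o "$GUEST_IF" -s "$DNS_MAC" \
            --ip-proto "$proto" --ip-sport 53 -j ACCEPT
    done
    ensure_rule -p ARP -i "$GUEST_IF" --arp-ip-dst "$DNS_IP" -j ACCEPT
    ensure_rule -p ARP -o "$GUEST_IF" -s "$DNS_MAC" -j ACCEPT
}

# Apply only on a device that has ebtables and an active guest interface.
if [ -x "$EBT" ] && [ -d "/sys/class/net/$GUEST_IF" ]; then
    apply_guest_dns_rules
fi
```

If DNS-only access is the goal, the two broader ACCEPT lines from the post above have to come out of firewall-start, because they match all traffic to and from that MAC regardless of port.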
 
I came here with an almost identical issue. I am running Pi-Hole (DNS filtering) on my network which works great, but I need to expose the IP address of the Pi-Hole server to the guest wifi networks without opening them up to my entire internal network. Please let me know if you come across a solution!
 
I came here with an almost identical issue. I am running Pi-Hole (DNS filtering) on my network which works great, but I need to expose the IP address of the Pi-Hole server to the guest wifi networks without opening them up to my entire internal network. Please let me know if you come across a solution!

If you're using pi-hole - set the WAN DNSIP to the pi-hole, and this should be available for both private and guest networks...
 
I also came across this issue where Guest WiFi cannot access Pihole IP, and using YazFi script https://www.snbforums.com/threads/yazfi-enhanced-asuswrt-merlin-guest-wifi-networks.45924/ forcing guest WiFi to use public DNS resolves the connectivity issue.

Do not attempt to put your Pihole IP in WAN DNS servers setting as you will run into random WAN connectivity issues — https://discourse.pi-hole.net/t/should-i-use-pi-hole-as-wan-dns-too/9950

In the future release of YazFi, it will support Guest WiFi to access pre-defined LAN target (such as your Pihole IP) so eventually our problem will be fully resolved.
 