Guest network DHCP

[sinshiva]

bleh, i suspect the 'bind-dynamic' in dnsmasq.conf might also be causing issues, change that to bind-interfaces

pid-file=/var/run/dnsmasq.pid
user=nobody
resolv-file=/tmp/resolv.conf
no-poll
min-port=4096
bind-interfaces
interface=br1
domain=LOCALDOMAINNAME
expand-hosts
no-negcache
cache-size=1500
dhcp-range=br1,192.168.85.100,192.168.85.200,255.255.255.0,86400s
dhcp-lease-max=253
dhcp-authoritative
dhcp-option=br1,15,ROUTERHOSTNAME
dhcp-option=br1,3,192.168.85.1
dhcp-option=br1,6,192.168.85.1,0.0.0.0
dhcp-option=br1,44,192.168.85.1
read-ethers
addn-hosts=/etc/hosts.dnsmasq
quiet-dhcp

sorry for using you as a guinea pig

 

[JRusso]

Ok, If I use the two latest files you posted. Everthing seems to work fine on the regular wireless network.

However, the clients still cannot connect to the guest network. So should the option for "Access to intranet" be on or off on the guest network? Either way I can't connect, but with it off I see the following line in the log:

Dec 31 19:00:12 dnsmasq-dhcp[445]: DHCP, IP range 192.168.85.100 -- 192.168.85.200, lease time 1d
Dec 31 19:00:12 dnsmasq-dhcp[445]: DHCP, sockets bound exclusively to interface br1

If its on, I don't see the above lines and I see errors about br1 not currently existing.

Dec 31 19:00:08 dnsmasq[308]: warning: interface br1 does not currently exist

That line above appears twice if the intranet access is turned on and only once if its off.

 

[sinshiva]

scratch that, one moment


i think this should stay in wan-start, so it makes changes based on if the wan interface goes up and down, for dynamic IPs

#!/bin/sh
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

but, i think this may need to go into init-start

#!/bin/sh
brctl delif br0 wl0.1
brctl addbr br1
brctl addif br1 wl0.1
ifconfig br1 192.168.85.1 netmask 255.255.255.0 broadcast 192.168.85.255

it may also be a good idea to move the ifconfig line to init-start, but we already know it works this way so just leave it for now

[edit/] on second thought, just move it into init-start. no point in keeping it at wan-start

 

[sinshiva]

bump, since i know you're reading this in real-time

when this is sorted out, i'm going to collect the working configurations and make a new thread, then ask this one to be deleted. thank you for all your help. i can't mess with my network right now, unfortunately

 

[JRusso]

Ok based on the last suggestions, I CAN connect to the guest network. However, no dhcp and when I give static ip and dns no internet.

I also I have noticed that the br1 interface is not created any more, so wl0.1 is still on br0.

That would probably explain why I can connect to the guest network. It seems moving wl0.1 to br1 stops clients from connecting to it.

init-start seems to be to early to split wl0.1 off the br0 bridge, but that may not matter if the clients cannot connect to the guest network when its on br1.

 

[sinshiva]

back to the drawing board. will edit this momentarily

#!/bin/sh
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
brctl delif br0 wl0.1
brctl addbr br1
brctl addif br1 wl0.1
ifconfig br1 192.168.85.1 netmask 255.255.255.0 broadcast 192.168.85.255
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

all back to wan-start

pid-file=/var/run/dnsmasq.pid
user=nobody
resolv-file=/tmp/resolv.conf
no-poll
min-port=4096
bind-interfaces
interface=wl0.1
domain=LOCALDOMAINNAME
expand-hosts
no-negcache
cache-size=1500
dhcp-range=wl0.1,192.168.85.100,192.168.85.200,255.255.255.0,86400s
dhcp-lease-max=253
dhcp-authoritative
dhcp-option=wl0.1,15,ROUTERHOSTNAME
dhcp-option=wl0.1,3,192.168.85.1
dhcp-option=wl0.1,6,192.168.85.1,0.0.0.0
dhcp-option=wl0.1,44,192.168.85.1
read-ethers
addn-hosts=/etc/hosts.dnsmasq
quiet-dhcp

set dnsmasq for wl0.1 instead of the bridge.

[edit/] i hope this works. i know the lan gateway ip is set on the bridge (rather than wl0.1), not sure how this one will play out

my next idea will be to not create br1 for wl0.1 and edit the iptables rules

 

[JRusso]

The configuration that seemed to be mostly working was the following:
wan-start

#!/bin/sh
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
brctl delif br0 wl0.1
brctl addbr br1
brctl addif br1 wl0.1
ifconfig br1 192.168.85.1 netmask 255.255.255.0 broadcast 192.168.85.255
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

dnsmasq.conf

pid-file=/var/run/dnsmasq.pid
user=nobody
resolv-file=/tmp/resolv.conf
no-poll
min-port=4096
bind-dynamic
interface=br1
domain=guest
expand-hosts
no-negcache
cache-size=1500
dhcp-lease-max=50
dhcp-authoritative
interface=br1
dhcp-range=br1,192.168.85.50,192.168.85.100,255.255.255.0,86400s
dhcp-option=br1,15,guest
dhcp-option=br1,3,192.168.85.1
dhcp-option=br1,6,192.168.85.1,0.0.0.0
dhcp-option=br1,44,192.168.85.1
read-ethers
addn-hosts=/etc/hosts.dnsmasq
quiet-dhcp

And have the "access to intranet" turned off on the guest network through the web ui.

This config showed that the dhcp was bound to the br1 interface in the log.

However, no matter what I try, if the guest network is off of br0 clients cannot connect.

 

[sinshiva]

(wan-start)

#!/bin/sh
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
brctl delif br0 wl0.1
ifconfig wl0.1 192.168.85.1 netmask 255.255.255.0 broadcast 192.168.85.255
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o wl0.1 -m state --state NEW -j DROP

with the same prior dnsmasq.conf set on wl0.1

 

[JRusso]

wl0.1 is now gone and no connection can be made to the guest network

brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.3085a9394340       yes             vlan1
                                                                         eth1
                                                                         eth2

Also got a bunch of:

Dec 31 19:00:08 dnsmasq[308]: warning: interface wl0.1 does not currently exist
Dec 31 19:00:08 dnsmasq[308]: warning: interface wl0.1 does not currently exist

in the system log

 

[sinshiva]

i can finally break my network right now. will be back asap.

 

[JRusso]

It seems that as long as I keep the option in the guest network to "Access the intranet" off I can get dnsmasq to bind to the interface, either br1 or wl0.1 (if using the latest wan-start). However once the guest network is moved off of br0, you cannot establish a connection.

I really appreciate all the help.

 

[sinshiva]

ok, so.

#!/bin/sh
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
brctl delif br0 wl0.1
ifconfig wl0.1 192.168.85.1 netmask 255.255.255.0 broadcast 192.168.85.255
iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o wl0.1 -m state --state NEW -j DROP

that works. this lets my laptop access the internet via wl0.1 instead of br1.

dnsmasq is giving me trouble, though

did figure out that the dnsmasq option bind-interfaces does need to be bind-dynamic

from the router, i can see via netstat -an that dnsmasq is listening on 192.168.85.1:53 and yet even after setting a manual configuration on the laptop, it wont get any dns if i set 192.168.85.1

i suspected maybe an another iptables rule was needed, but the laptop can access the webui at 192.168.85.1

[edit/] yay, excellent news, i CANT access the webui at 192.168.85.1 ! i thought i did, but it was cached or something frome arlier. this means iptables has to be the answer

hahahahahaha, i can taste victoreeeeeee

 

[RMerlin]

BTW, take a look at Postconf for a cleaner/more versatile customization of dnsmasq.

 

[sinshiva]

thanks merlin, i'll look into that as soon as i get the iptables business sorted;

/jffs/scripts/nat-start ended up being more reliable than /jffs/scripts/wan-start, and i can remove some lines from the configuration;

#!/bin/sh
brctl delif br0 wl0.1
ifconfig wl0.1 192.168.85.1 netmask 255.255.255.0 broadcast 192.168.85.255
iptables -I FORWARD -i wl0.1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i wl0.1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o wl0.1 -m state --state NEW -j DROP

haven't had much luck getting dnsmasq to play nice, yet, but i can feeeel it

[edit/] the answer has something to do with physdev matching, or the lack thereof

 

[sinshiva]

i'm starting to think this can't be done, we need the xt_physdev module

[edit/]

dumping stuff for future reference, nothing to see here, yet

kernel-module-xt-physdev

iptables -A INPUT -p udp --dport 53 -m physdev --physdev-in wl0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -m physdev --physdev-in wl0.1 -j ACCEPT

/lib/modules/2.6.22.19/kernel/net/netfilter/

module not in the entware repository

damn.

 

[BY-Atomic]

Check up ebtables. There are some rules when the Guest Network Access Intranet option is set to Disable.

 

[sinshiva]

it looks like the most that can be done is the networks can be segregated. by doing so, you lose the ability to make the guest gatway interface accept connections because it's not a physical device; it can only function as a transparent bridge, essentially. trying to run any kind of server off this interface doesn't seem to work unless we can use the above commands, either on wl0.1 or br1, idk.

seeking opinions/advice.

i tried setting an accept rule in every chain of iptables, flushing the seemingly unnecessary DROP rules in the input chain of ebtables for wl0.1. i think one could potentially setup a redirect in iptables to at least get dns from wl0.1 to the lan bridge, but even if that worked, i don't think dhcp would. running out of ideas here, without that xt_physdev module

[edit/] thanks atomic, was just posting on that. those rules seem to be useless

 

[sinshiva]

i intend to attack this problem from other angles tonight, i just have to wait before i can break my network til pretty late.

i'ld love to hear any and all input.

i still think it's workable, without physdev matching because i can ping the IP assigned to wl0.1

either i'm doing something wrong or i'm missing some information

[edit] suspecting this has to do with trunking, at least, and how it's configured

there's a ! rule in ip tables that i forgot about in my testing; could be the/an answer...

nevermind, !br0 is on the forward chain

this looks useful, saving it for later; http://forums.smallnetbuilder.com/showpost.php?p=70905&postcount=2

 

[JRusso]

Ok I got it working!!!

First create a guest wireless network though the web interface. Make sure that intranet access is set to "on". When its set to "off" the following is listed in the ebtables:

admin@RT-N66U:/jffs/scripts# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

If its set to on, those two DROP entries are not there and everything works.

The following is at firewall-start:

#!/bin/sh

#Start Guest WiFi with separate DHCP/DNS
/sbin/ifconfig wl0.1 192.168.10.1 netmask 255.255.255.0
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP
/usr/sbin/iptables -I FORWARD -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 -d 192.168.1.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i wl0.1 -d 192.168.1.1/24 -j DROP
/sbin/service restart_dnsmasq

The following is at dnsmasq.conf.add:

interface=wl0.1
dhcp-range=wl0.1,192.168.15.50,192.168.15.100,255.255.255.0,86400s
dhcp-option=wl0.1,3,192.168.10.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4

Thank you everyone for your help.

 

[sinshiva]

awesome, thanks! sorry, i had been meaning to test that, but the network was busy through the weekend/school holiday before getting sidetracked. glad it all worked out