Guest network DHCP

[elsom25]

I've been trying to get this to work (I'd really like to be able to limit/throttle my guest network), and thus far I've had little luck.

Your post was super helpful in getting started, but it seems I'm not able to get an IP.

First, I have the first guest network, 2.4Ghz enabled, as an Open System with intranet access.

[admin@RT-AC68U] Wed 23:48:47 [6 files] /jffs
[1:25]+# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

[admin@RT-AC68U] Wed 23:48:47 [6 files] /jffs
[1:25]+# less /jffs/scripts/wan-start
#!/bin/sh

# start 2.4Ghz guest WiFi with separate DHCP/DNS
/sbin/ifconfig wl0.1 192.168.10.1 netmask 255.255.255.0
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP
/usr/sbin/iptables -I FORWARD -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 -d 192.168.1.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i wl0.1 -d 192.168.1.1/24 -j DROP
/sbin/service restart_dnsmasq

[admin@RT-AC68U] Wed 23:48:47 [6 files] /jffs
[1:25]+# less /jffs/configs/dnsmasq.conf.add
interface=wl0.1
dhcp-range=wl0.1,192.168.15.200,192.168.15.254,255.255.255.0,86400s
dhcp-option=wl0.1,3,192.168.10.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4

And of pertinence in the logs, before it establishes the DHCP, I always get:

warning: interface wl0.1 does not currently exist

, so not too sure why it can't find my guest network...

 

[elsom25]

and trying more things. If I run simply `restart_dnsmasq` on the router, I can get an internet connection again, but im back in the DHCP range of my main network (192.168.1.200+), but if I instead run `sh /jffs/scripts/wan-start`, I no longer get the `warning: interface wl0.1 does not currently exist` error, but am still unable to acquire an IP address...

 

[JRusso]

This is what I use currently and its working for me. Its in firewall-start not wan-start. I will update the older post.

firewall-start

#!/bin/sh

#Start Guest WiFi with separate DHCP/DNS
/sbin/ifconfig wl0.1 192.168.10.1 netmask 255.255.255.0
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP
/usr/sbin/iptables -I FORWARD -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 -d 192.168.1.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i wl0.1 -d 192.168.1.1/24 -j DROP
/sbin/service restart_dnsmasq

dnsmasq.conf.add

interface=wl0.1
dhcp-range=wl0.1,192.168.10.50,192.168.10.65,255.255.255.0,4h
dhcp-option=wl0.1,3,192.168.10.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4

I still get this in the log but it works...

Dec 31 19:00:21 dnsmasq[444]: warning: interface wl0.1 does not currently exist

Later in the log I see this:

Dec 31 19:00:21 dnsmasq-dhcp[495]: DHCP, IP range 192.168.10.50 -- 192.168.10.65, lease time 4h

 

[elsom25]

Awesome, that did the trick! Thanks!!

You should consider posting this to asuswrt-merlin's wiki

 

[atx32]

I accomplished something similar and described my setup in this thread http://forums.smallnetbuilder.com/showthread.php?t=17740. I wanted to force specific DNS filtering for the guest network, so if that is not important to you I don't know if my method has any advantages but you may want to check it out anyway.

 

[saffron]

This is what I use currently and its working for me. Its in firewall-start not wan-start. I will update the older post.

I've done pretty much the same thing with a VPN tunnel.

With the tunnel switched off, I've noticed a 1-2mbps hit using dnsmasq?

Seems like a lot of wasted overhead for just a bridge and dhcp. I'm wondering if I've missed some code or is this a deeper problem in dnsmasq???

 

[CaptainOblivi0us]

anyway to do this but use external DNS/DHCP server?

I have one in br0 (192.168.1/24) and want to block all traffic except dns/dhcp.