Guest Network (N66U)

[jernau]

I've been converted to Asuswrt-Merlin after running dd-wrt for a number of years, just wanted to say thanks Merlin for an excellent re-spin of the standard (already good) standard Asus firmware.

I current run a custom DNSMasq set-up to enable me to provide different DNS servers for VIPs and NON-VIP users of the network (Adults with registered MAC addresses as opposed to the kids devices who get OpenDNS filtered DNS). This works great as it did on dd-wrt but I now wish to use the Guest Network feature and here-in lies the problem. I would like to publish another set of DNS entries for the guest network users (i.e. non OpenDNS for non-registed MAC addresses) but I seem to be unable to do this given that the Guest Network is simply a bridged WLAN interface using ebtables to segregate form the internal LAN rather than a separately IP addresses interface I could simply assign a new IP range to and then advertise separate DNS entries.

Anyone have any ideas of how I could go about achieving the publishing of different DNS addresses to the Guest Network users as opposed to my users on the standard LAN and wireless networks?

Many Thanks

 

[jobongo]

I was able to do this but for a different reason. There are several things you have to do. What you have to do is use ebtables take arp and IP packets out of br0 from the wireless interface you are using. Then modify the dnsmasq.conf to add the network you want to add. Assign an IP address to the guest network interface and finally modify iptables to allow traffic from the new network. Here is what I have set up on my network in order to add a dhcp server for the guest network using 2.4 Ghz guest network 1:

Interface configuration

ifconfig wl0.1 192.168.2.1/24

ebtables Rules

ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP

These commands are tricky. The "DROP" at the end does not mean to drop the frame. I found out that the "DROP" target in the BROUTING chain of the broute table is used to route the traffic and not bridge it. (http://linux.die.net/man/8/ebtables)

line added to the dnsmasq.conf

dhcp-range=wl0.1,192.168.2.2,192.168.2.254,255.255.255.086400s
dhcp-option=wl0.1,3,192.168.2.1

Firewall

iptables -I FORWARD -i wl0.1 -j ACCEPT

Let me know if this helps, if anything doesn't make sense or if you need some help writing the scripts.

 

[jernau]

Many thanks for the response. Unfortunately this doesn't appear to work correctly for me essentially I do not get any DHCP response back from the router when connecting from a client on the guest network so not sure if the packets are still being blocked or similar even after changing ebtables and iptables as per your post

 

[jobongo]

There was one line that I forgot to add. Try adding this to the firewall rules.

iptables -I INPUT -i wl0.1 -j ACCEPT

Let me know if this helps.

 

[jernau]

Many thanks that did indeed work, I did add a couple of extra iptables entries to keep this network segregated from the internal LAN;

#!/bin/sh

#Start segrgated Guestwifi with seperate DNS
/sbin/ifconfig wl0.1 10.0.99.1 netmask 255.255.255.0
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP
/usr/sbin/iptables -I FORWARD -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 -d 192.168.1.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i wl0.1 -d 192.168.1.1/24 -j DROP
/usr/bin/killall -9 dnsmasq
/usr/sbin/dnsmasq --log-async

 

[TheGrave]

What I don't get is - how do you map this new interface to the Guest SSID? Can't be done from the GUI for sure.