Guest network with access to Chromecast?

JoQ

Occasional Visitor
Hi,

Is it possible to create a guest wifi with LAN access off, and still forward a few devices (like Chromecasts) to be available both from the main Wifi network and the Guest network?

How would this be done?

Thank you!
 
Some routers will let you create multiple guest networks on each band.

Try creating a second guest network that allows access to the intranet as well as the internet. Devices connected to this guest network should be able to communicate with all devices on your network.
 
But this would not help? Also, some of my Chromecast devices are ethernet (Android TV boxes). So I cannot connect them to a guest network.

Is it possible to "forward" a specific IP to the Guest network?
 
A couple of things I can recommend that might let you accomplish some or all of what you want.

1. With a smart switch you can set up VLANs. I use #1 for my video devices, #2 for IoT, and #3 for secure devices. You then could attach a separate AP to one or more of these VLANs. I use TP-Link smart switches which are available for less than $US 40.

2. Using a current version of Tomato on a router you have the option of using the GUI to set up multiple VLANs. You also have the option to set up virtual APs which can be linked to a VLAN.

If neither of these options accomplishes what you want then you either will have to try and develop custom scripts for your hardware. Router software that runs on a PC such as pfSense gives you more flexibility than what you typically find on a SOHO router but the learning curve is steep.
 
The issue is NOT whether you can or can't forward an IP. The problem is that the private and guest networks are on different ethernet networks. And Chromecast relies on network discovery to locate devices to which it can broadcast. But network discovery, by definition, is limited to its own ethernet network! It can't cross network boundaries at the ethernet level, so it just doesn't work when you have separate ethernet networks like the primary and guest.

IOW, you can't have it both ways, at least at the ethernet level. Either devices share the same ethernet network (i.e., they're bridged) and the same broadcast domain, OR, they use different ethernet networks and broadcast domains. What you're asking for is basically an exception to be made for Chromecast.

The only thing I know that's likely to work is Avahi. This acts as a sort of replicator, allowing network discovery to traverse ethernet boundaries.

FWIW, I did a search for *avahi* from a shell (ssh) and got the following results:

Code:
admin@RT-AC68U-0960:/tmp/home/root# find / -iname *avahi*
/tmp/avahi
/tmp/avahi/avahi-daemon.conf
/tmp/var/run/avahi-daemon
/usr/lib/libavahi-common.so.3
/usr/lib/libavahi-common.so.3.5.3
/usr/lib/libavahi-core.so.7
/usr/lib/libavahi-core.so.7.0.2
/usr/sbin/avahi-daemon

And if I dump the process table, I do see the avahi daemon running.

Code:
admin@RT-AC68U-0960:/tmp/home/root# ps | grep -i avahi
  282 nobody    1540 S    avahi-daemon: running [RT-AC68U-0960.local]

For what purpose, I don't know. Maybe this replicator feature is exposed in the GUI and I just don't know it (I'm not a Merlin expert). Or perhaps you can leverage it for your own purposes.

I'm a little surprised to see it, since most times this software is NOT included in third-party firmware, and so you need to install it from optware (e.g., Entware).
 
Nice, I have tried reading up on Avahi, but I haven't found any good guides for setting this up:
https://wiki.khicks.net/w/Chromecast
Found that guide, but it doesn't describe how to set it up for specific IP addresses in the main network, as one of my Chromecasts is ethernet and the other is Wifi, so I cannot point at a specific port on the router.
 
Also, some of my Chromecast devices are ethernet (Android TV boxes).
Even if you manage to work around the WiFi guest network problems the Ethernet devices will still be unresolved. All the Ethernet devices are connected to the same switch. There are some community hacks that attempt to reconfigure the switch ports into separate VLANs but that's going to lead to quite a complicated setup.
 
If you really need to segregate the Chromecasts but have them available from your guest and primary network have you considered just plugging a second Chromecast or similar generic device into another HDMI port on your TV? For as little as US$22 the problem would be solved. One Chromecast connects to your trusted network and the second to your guest network.

While no one likes buying additional hardware IMHO you either have to buy additional Chromecasts, a smart switch or a router with pfSense or similar OS.
 
+1 I agree a TP-Link switch or a second Chromecast is the answer.
 
I have another idea, if I remove the Guest network, and allow my guests into the main Wifi, they will have access to Chromecasts.
Would it be possible to limit their access to only the Chromecasts with the firewall?
I am thinking something like this:
- All my own devices have a static local IP address, they should be allowed access to everything.
- Guest devices, which are provided a dynamic local IP address, should not be allowed any access except two Chromecast devices.

Can you do this with the firewall in Merlin?
 
I don't think what you are suggesting would work. Devices connected to the LAN use the switch in the router and not the router function where the firewall comes into play.
 
I have another idea, if I remove the Guest network, and allow my guests into the main Wifi, they will have access to Chromecasts.
Would it be possible to limit their access to only the Chromecasts with the firewall?
I am thinking something like this:
- All my own devices have a static local IP address, they should be allowed access to everything.
- Guest devices, which are provided a dynamic local IP address, should not be allowed any access except two Chromecast devices.

Can you do this with the firewall in Merlin?
I use a script to block/allow non-guest WiFi access from/to nominated LAN devices RT-AC68U - Block IP Range from Accessing Another IP Range, so it is possible to achieve using firewall rules.

However, for your original query, you can map a Guest WiFi SSID and a router switch port to a new (separate subnet) VLAN bridge e.g. br1

Now the firewall will allow rules to be created if you need to allow devices in your LAN (br0) to access devices in your 'Chromecast' LAN (br1).
NOTE: You may need at least one VLAN capable switch attached to the nominated VLAN switch port depending on the number of wired Chromecast devices.
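
As an added illustration of the br0/br1 layout described in the post above (not the poster's script or the firmware's own code): a shell function that prints, without applying, iptables rules that let the main LAN open connections to listed Chromecast addresses on br1 and drop other traffic between the two bridges. The chain name CAST_FWD and the 192.168.2.x addresses are assumptions; these rules cover routed traffic only and do not carry discovery across the bridges.

```sh
#!/bin/sh
# Added example: prints (does not apply) iptables commands for review.
# Assumed names: br0 = main LAN, br1 = guest/Chromecast bridge, CAST_FWD =
# hypothetical chain. The addresses at the bottom are constructed samples.
LAN_IF="br0"
CAST_IF="br1"
CHAIN="CAST_FWD"

# Succeeds only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Prints the rule set for the given Chromecast addresses on br1.
# Returns 1 and prints no rules if the list is empty or any address is malformed.
cast_rules() {
    [ "$#" -ge 1 ] || return 1
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "invalid address: $ip" >&2; return 1; }
    done
    echo "iptables -N $CHAIN"
    # Replies to connections opened from the main LAN may flow back.
    echo "iptables -A $CHAIN -i $CAST_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for ip in "$@"; do
        # Main LAN may open connections to each listed Chromecast only.
        echo "iptables -A $CHAIN -i $LAN_IF -o $CAST_IF -d $ip -j ACCEPT"
    done
    # Everything else between the two bridges is dropped.
    echo "iptables -A $CHAIN -i $LAN_IF -o $CAST_IF -j DROP"
    echo "iptables -A $CHAIN -i $CAST_IF -o $LAN_IF -j DROP"
    echo "iptables -I FORWARD -j $CHAIN"
}

cast_rules 192.168.2.10 192.168.2.11
```

Because the addresses are validated before any rule text is produced, a malformed entry yields no output at all rather than a partial rule set.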
 
The wrinkle with the OP's request is that their Chromecasts connect using Ethernet so any rules need to apply to both the WiFi guest networks and hardwired devices.
 
That's why a bridge should be created.
 
I use a script to block/allow non-guest WiFi access from/to nominated LAN devices RT-AC68U - Block IP Range from Accessing Another IP Range, so it is possible to achieve using firewall rules.
I feel like this is the best solution for me. As this would not need guest wifi either.
Say I have devices with static local IP addresses in the range of 192.168.1.2-192.168.1.50 (note that not all these IP addresses are used).
Can I do something to make sure that new devices that are given an IP address won't get an IP in this range? And then use your script to block access to everything except two IP addresses for devices in the range 192.168.1.51-192.168.1.255?

How would this be done?
 
Set the DHCP IP range to what you need, 192.168.1.51-192.168.1.254,
but if you set a fixed IP out of this range on such clients it won't work.
 
I feel like this is the best solution for me. As this would not need guest wifi either.
Say I have devices with static local IP addresses in the range of 192.168.1.2-192.168.1.50 (note that not all these IP addresses are used).
Can I do something to make sure that new devices that are given an IP address won't get an IP in this range? And then use your script to block access to everything except two IP addresses for devices in the range 192.168.1.51-192.168.1.255?

How would this be done?
Bear in mind that this still doesn't block traffic between two wired devices.
 