Help on DHCP for custom bridge.

BatKing

Occasional Visitor
Hi,

I have an AC68U. Instead of AP isolation for the Guest network, I would like to create a bridge for the Guest network and control access with iptables. I would also like the guest network to have its own IP range and DHCP server.

So here is what I did. In the firewall-start script I do something like this:

Code:
exec 1>>/tmp/firewall-start.log 2>&1
date
set -x
WANIP=$(/sbin/ifconfig eth0|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
# remove guest1/guest2 2.4Ghz/5Ghz from br0
brctl delif br0 wl0.1
# create br1 and br2
brctl addbr br1
brctl addif br1 wl0.1
ifconfig br1 192.168.2.1 netmask 255.255.255.0 broadcast 192.168.2.255

iptables -t nat -I POSTROUTING -o eth0 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j DROP

Then in dnsmasq.conf.add:
Code:
log-facility=/tmp/dnsmasq.log
log-queries
interface=br1
dhcp-range=br1,192.168.2.2,192.168.2.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.2.1

But the real problem is that connected clients are not getting a proper IP. Whenever I try to connect to the wl0.1 guest AP, I get an IP of 169.254.211.250 with limited access. It seems the DHCP change is not working, but I am sure my custom config is added, as dnsmasq.conf is updated with my custom config.

Code:
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
read-ethers
addn-hosts=/etc/hosts.dnsmasq
# Logging
log-facility=/tmp/dnsmasq.log
log-queries
interface=br1
dhcp-range=br1,192.168.2.2,192.168.2.254,255.255.255.0,86400s
dhcp-option=br1,3,192.168.2.1

Here is my bridge config:

Code:
admin@RT-AC68U-B778:/tmp/home/root# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.54a050cfb778       yes             vlan1
                                                        eth1
                                                        eth2
br1             8000.54a050cfb779       no              wl0.1

Any help is appreciated.

Thanks
Leon
Just to be clear, your AC68P needs to be in router mode, not bridge mode. Basically, you are looking for another level of NAT for the guest range. I haven't messed around with this, but I am pretty sure that DHCP doesn't function on a router set to Media Bridge mode--that task is covered by your single DHCP server on the main router.

Also, please be aware that this method of isolating Guests from your main network could be bypassed by a naughty guest who sets his IP address to static and plunks himself into the main network IP range instead of your guest subnet. If you NAT the guest range, you can prevent this.

You could, however, take advantage of the main router's Guest network setting to isolate everything on the bridge by instead bridging to the Guest network with your bridging router, no fancy scripts necessary.

My router is in wireless Router mode. The bridge here is not a media bridge but rather a network bridge created similar to this doc (https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/bridge/doc/HOWTO).
 
Looks like you might have to define some additional tags in dnsmasq.conf to define which dhcp settings apply to which subnet.
Sample dnsmasq.conf file here http://oss.segetech.com/intra/srv/dnsmasq.conf has some examples of a "red" network with additional lines defining which specific dhcp-host applies to which subnet. I haven't dug into it though. I'd be surprised if someone on here hasn't already done this but didn't notice your post.
 
Still stuck after trying to clear nvram, start from scratch and even updating to the latest 378.56-2 fw. However, the result is the same. It seems that once I remove wl0.1 from br0, create br1 and add wl0.1 to br1, the DHCP for wl0.1 is not working anymore. I even tried to manually run the firewall-start script in SSH, then service dnsmasq_restart to enable my custom config. I am pretty sure both my scripts run OK, as the logs exist in /tmp and don't seem to have any errors.

The dnsmasq.log does give the available DHCP ranges of about 192.168.2.2 to 192.168.2.254 and 192.168.1.2 to 192.168.1.254. However, when connecting to wl0.1 there isn't any log, but when connecting to my main wireless network, the DHCP request is logged.

I can connect to wl0.1, and wl0.1 is currently set to Open Network to avoid the need to create/update nvram variables (remove wl0.1 from lan_ifnames and create lan1_ifnames for wl0.1 and lan1_ifname for br1 for wireless security to work).

It seems my dnsmasq.conf.add isn't correct. Also one more thing: eth0 is not my WAN interface anymore. After the nvram clear and upgrade to 56-2, it is now vlan2?

I really want this to work, as I want to share some common network resources but still maintain 2 separate networks.
 
Finally got it working. Credit to the following thread. I can't believe only one user had this issue when everyone else does not need this particular rule?

http://www.snbforums.com/threads/dnsmasq-and-ssid.27069/

# fix dnsmasq not listening on br1 and br2; -D first prevents duplicate rules if they already exist
iptables -D INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -j ACCEPT

Now I have br0, br1 and br2: br0 is the main LAN, br1 and br2 are 2 individual networks. br0 can access anything, but br1 and br2 are both isolated to their own network.

Here are the final scripts. Just one question: how is it possible to store the log on the USB drive instead of /tmp? It seems the USB is mounted very late in the router boot sequence, which causes both dnsmasq and firewall-start to fail sometimes.

firewall-start:
Code:
#!/bin/sh
#exec 1>>/tmp/mnt/data/logs/firewall-start.log 2>&1
exec 1>>/tmp/firewall-start.log 2>&1
date
set -x
# WAN interface is vlan2 after the nvram reset and the 378.56-2 upgrade (it was eth0 before)
WANIP=$(/sbin/ifconfig vlan2|grep 'inet addr'|cut -d':' -f2|awk '{print $1}')
# remove guest1/guest2 2.4GHz/5GHz from br0
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# create br1
brctl addbr br1
brctl addif br1 wl0.1
brctl addif br1 wl1.1

# create br2
brctl addbr br2
brctl addif br2 wl0.2
brctl addif br2 wl1.2

ifconfig br1 192.168.3.1 netmask 255.255.255.0 broadcast 192.168.3.255
ifconfig br2 192.168.4.1 netmask 255.255.255.0 broadcast 192.168.4.255

# Fix WPA2 on guest wifi: tell eapd which wireless interfaces belong to which bridge
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="wl0.2 wl1.2"
nvram set lan2_ifname="br2"
nvram commit
killall eapd
eapd

# fix dnsmasq not listening on br1 and br2: the stock INPUT chain only accepts new
# connections from br0, so DHCP/DNS requests from the new bridges never reached dnsmasq.
# -D first prevents duplicate rules if they already exist
iptables -D INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -j ACCEPT
iptables -D INPUT -i br2 -j ACCEPT
iptables -I INPUT -i br2 -j ACCEPT
# ebtables does not seem to be needed
# ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP
# ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
# ebtables -t broute -D BROUTING -i br2 -p ipv4 -j DROP
# ebtables -t broute -I BROUTING -i br2 -p ipv4 -j DROP


# br1 and br2 WAN access (SNAT on the same interface WANIP was read from)
iptables -t nat -I POSTROUTING -o vlan2 -j SNAT --to $WANIP
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT

# block br1 and br2 from accessing br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP

# Keep br1 and br2 from accessing the main LAN range
#iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j DROP
#iptables -I FORWARD -i br2 -d 192.168.1.0/24 -m state --state NEW -j DROP

# block br1 from accessing br2 and vice versa
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP

# Keep br1 from accessing the router's management services.
# These are inserted (-I) after the blanket ACCEPT above, so they end up ahead of it and take effect.
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Keep br2 from accessing the router's management services:
iptables -I INPUT -i br2 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport https -j REJECT --reject-with tcp-reset

dnsmasq.conf.add:
Code:
# Logging
# log-facility=/tmp/mnt/data/logs/dnsmasq.log
log-facility=/tmp/dnsmasq.log
log-dhcp
interface=br1
dhcp-range=br1,192.168.3.100,192.168.3.199,255.255.255.0,86400s
dhcp-option=br1,3,192.168.3.1

interface=br2
dhcp-range=br2,192.168.4.100,192.168.4.199,255.255.255.0,86400s
dhcp-option=br2,3,192.168.4.1
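The final script depends on three things lining up in the firewall: an INPUT ACCEPT for each guest bridge (without it dnsmasq never sees the DHCP/DNS requests, which was the original problem), the management-port REJECTs sitting above that ACCEPT (iptables stops at the first match, so a REJECT placed below the ACCEPT is dead), and a FORWARD DROP from the guest bridge into br0. The following POSIX sh script is an added check written for this thread, not code from the posts above: it reads the text of `iptables -S INPUT` and `iptables -S FORWARD` (the `-A` lines from `iptables-save` have the same shape) and reports any of the three properties that is missing. The rulesets embedded in it are constructed samples, mirroring what the final script produces, the thread's starting state, and a shadowed-REJECT mistake.

```shell
#!/bin/sh
# Added example, not code from the thread: offline checker for the guest-bridge
# firewall layout built by the final firewall-start script. Feed it the text of
# `iptables -S INPUT` and `iptables -S FORWARD` and it verifies, for one guest bridge:
#   1. a blanket INPUT ACCEPT for the bridge exists (DHCP/DNS can reach dnsmasq);
#   2. every management-port REJECT for the bridge sits ABOVE that ACCEPT
#      (first match wins, so a REJECT placed below the ACCEPT never fires);
#   3. a FORWARD DROP from the bridge to br0 exists (main LAN stays isolated).
# telnet, ssh, www, https as iptables -S prints them: numeric ports.
MGMT_PORTS="23 22 80 443"

# check_guest_bridge BRIDGE "INPUT rules" "FORWARD rules"  -> 0 = ok, 1 = problem(s)
check_guest_bridge() {
    br=$1; input=$2; forward=$3; rc=0

    # Line number of the first blanket ACCEPT for this bridge (empty if none).
    accept_at=$(printf '%s\n' "$input" | awk -v br="$br" '
        index($0, "-i " br " ") && /-j ACCEPT$/ && !/--dport/ { print NR; exit }')
    if [ -z "$accept_at" ]; then
        echo "$br: no 'INPUT -i $br -j ACCEPT'; DHCP/DNS from guests never reaches dnsmasq"
        return 1
    fi

    for port in $MGMT_PORTS; do
        reject_at=$(printf '%s\n' "$input" | awk -v br="$br" -v port="$port" '
            index($0, "-i " br " ") && index($0, "--dport " port " ") && /-j REJECT/ { print NR; exit }')
        if [ -z "$reject_at" ]; then
            echo "$br: no REJECT for tcp/$port; router management is reachable from guests"
            rc=1
        elif [ "$reject_at" -gt "$accept_at" ]; then
            echo "$br: REJECT for tcp/$port (line $reject_at) is below the ACCEPT (line $accept_at): dead rule"
            rc=1
        fi
    done

    if ! printf '%s\n' "$forward" | grep -q -e "-i $br -o br0 .*-j DROP"; then
        echo "$br: no 'FORWARD -i $br -o br0 ... -j DROP'; guests can reach the main LAN"
        rc=1
    fi
    return $rc
}

# Constructed samples (what `iptables -S` prints after the final script ran; every
# rule was added with -I, so the later REJECTs land above the earlier ACCEPT).
GOOD_INPUT='-P INPUT DROP
-A INPUT -i br1 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT'
GOOD_FORWARD='-P FORWARD ACCEPT
-A FORWARD -i br1 -o br0 -m state --state NEW -j DROP
-A FORWARD -i br1 -m state --state NEW -j ACCEPT'

# Constructed: the thread's starting point, nothing in INPUT mentions br1, so DHCP got no answer.
ORIG_INPUT='-P INPUT DROP
-A INPUT -i br0 -m state --state NEW -j ACCEPT'

# Constructed mistake: REJECTs appended with -A instead of inserted with -I, so the
# blanket ACCEPT matches first and the management ports stay open to guests.
SHADOWED_INPUT='-P INPUT DROP
-A INPUT -i br1 -j ACCEPT
-A INPUT -i br1 -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset'

# Self-check on the samples; on the router use:
#   check_guest_bridge br1 "$(iptables -S INPUT)" "$(iptables -S FORWARD)"
check_guest_bridge br1 "$GOOD_INPUT" "$GOOD_FORWARD" && echo "sample ruleset: OK"
check_guest_bridge br1 "$ORIG_INPUT" "$GOOD_FORWARD" || echo "original ruleset: problems found"
check_guest_bridge br1 "$SHADOWED_INPUT" "$GOOD_FORWARD" || echo "shadowed ruleset: problems found"
```

Run it for br2 as well, since the script builds the same layout for both bridges. The checker only looks at rule order and presence; it assumes the stock chains still have their usual shape (policy DROP on INPUT with an ACCEPT for br0), which is what makes the missing br1 ACCEPT fatal in the first place.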