How to use a different subnet for WiFi guest network?


I should have done it, but unfortunately didn't. It was replacing the existing seven lines in the config file with just one line containing a concatenation of all instructions, with '\n' located between instructions.

This was happening on my AC86U, different sed command version, maybe?

Does your script create a cron job to restart any VPN client referenced in the config settings?

I am using one guest WiFi to route via a VPN client, and every time the router is rebooted a cron job is created for that VPN client.

I looked into the script but couldn't find any indication of that.

Sent from my ONEPLUS A3000 using Tapatalk
 
I suspect you're onto something with the 86U.

Cron job is something I've manually done for now, it just calls the script hourly. I should make it more graceful rather than harshly replace rules, which causes any connections on the guest interfaces to drop as the script runs.

If you've set a Poll Interval on a VPN client, that creates a cron job (but I believe this is being removed by Merlin in 384.5)
 
@Jack Yaz, this is amazing! Took me 5 minutes to provide Internet access via VPN to IOT devices on dedicated subnet (86U with the latest Merlin's ), thank you!
 
Hi @Jack Yaz ,

Interested in trying your script on my rt-ac86u. Just to clarify before trying, the point of this script is so I can put 1 or more guest networks in different DHCP pool ranges as per the configuration file (is this to stop guests being able to connect to other devices on the LAN?) and run that guest network, if I wish, over one of my VPN clients? And obviously using whatever DNS I wish, although not sure how DNS will work if running over VPN?

What I am after, and I think this script does what I am looking for, is I want to set up one guest network to run over VPN so when family/friends come they connect to the guest network and their traffic is run via the VPN client I have set up, so basically one guest network run over VPN. If I set wlxx_REDIRECTALLTOVPN= to true do I still need to set up policy routing via the VPN client configuration?

Thank you.
 
Hi @Jack Yaz ,

Interested in trying your script on my rt-ac86u. Just to clarify before trying, the point of this script is so I can put 1 or more guest networks in different DHCP pool ranges as per the configuration file

Correct, e.g. my main network is 10.14.16.0/24, guest 1 is 10.14.17.0/24
(is this to stop guests being able to connect to other devices on lan?)
It was mainly to satisfy my OCD, to be honest! Asus has built-in disabling of LAN access for Guest WiFi networks, which did work. This script currently blocks all LAN access for guest-connected clients, but it is on my to-do to make LAN client access configurable.
and run that guest network, if I wish, over one of my VPN clients?
Correct.

and obviously using whatever DNS I wish, although not sure how DNS will work if running over VPN?
It depends on the "Accept DNS" setting on the VPN client, I believe. I have my VPN clients set to exclusive, so by extension Guest WiFi clients on the SSID for the VPN will use the VPN DNS.
What I am after, and I think this script does what I am looking for, is I want to set up one guest network to run over VPN so when family/friends come they connect to the guest network and their traffic is run via the VPN client I have set up, so basically one guest network run over VPN.
Yes, e.g.
Code:
wl01_ALLOWVPN=true
wl01_VPNCLIENTNUMBER=2
wl01_REDIRECTALLTOVPN=true
will mean any clients on wl01 (2.4GHz guest 1) will send all traffic over VPN client 2.

If I set wlxx_REDIRECTALLTOVPN= to true do I still need to set up policy routing via the VPN client configuration?
If I've coded it properly, no, the script should handle that for you. That being said, at a minimum you need to set the client to Redirect Internet Traffic: Policy Rules (either normal or strict). This is perhaps something I can allow for in the code, by checking the relevant GUI settings.
Thank you.

You're welcome!

By the way, you may need this edit for an 86U: https://www.snbforums.com/threads/h...r-wifi-guest-network.38944/page-3#post-392851

But what I advise is, try the script as is (with your configuration applied), and if it's not working, please post/PM me a copy of this file
Code:
/jffs/configs/dnsmasq.conf.add
 
Amazing, going to try it later on or in the next few days when I get some time, thank you. :)

Edit: @Jack Yaz

Sorry to bother you. Just been reading entire thread.

I configured the GuestWiFi.sh script and uploaded it to /jffs/scripts/, chmod 0755.

dnsmasq.conf.add did not exist so I created it with the name dnsmasq.conf.add, with no extension obviously, chmod 0755, and placed it in /jffs/configs/

------

1) Now I'm not quite sure, I see you mention a few pages back to call the GuestWifi.sh script in firewall-start. I have a firewall-start file but I'm not sure how I call it? I do not know the syntax/code to call the GuestWifi.sh script.

2) You mention in a previous post I may need to make an edit. I won't do that, as advised, at this point, and will just see if it works with the current configuration, but if I need to, what do I do with that code mentioned in the link? Add it to the dnsmasq.conf.add file or something?

3) Final question, my VPN client is set up with DNS 'exclusive' and policy rules 'strict' and has one single device already routed via the VPN client under 'Rules for routing client traffic through the tunnel' (it's connected via ethernet, not WiFi). Seeing as the VPN client is set up to use VPN DNS and block traffic if the tunnel goes down, will I need to add a DNS for dns1 and dns2 in the GuestWifi.sh script or can they be left blank?

Thank you. Much appreciate your work and assistance.
 
OK - just read all four pages. Couple of follow-ups... from one of the scripts, it looks like I MIGHT be able to set up one of the guest networks to be a whitelist-only thing? Specifically, for my IoT devices I'd like them to only have access to the WAN IPs required for their functionality. So if I set up a guest network specifically called JaimeZXIoT or something, then they could only connect to 1.2.3.4, 1.2.3.5, etc...? Thanks. This looks promising. :)
 
Amazing, going to try it later on or in the next few days when I get some time, thank you. :)

Edit: @Jack Yaz

Sorry to bother you. Just been reading entire thread.

I configured the GuestWiFi.sh script and uploaded it to /jffs/scripts/, chmod 0755.

dnsmasq.conf.add did not exist so I created it with the name dnsmasq.conf.add, with no extension obviously, chmod 0755, and placed it in /jffs/configs/
This should be created by the script during first run.

------

1) Now I'm not quite sure, I see you mention a few pages back to call the GuestWifi.sh script in firewall-start. I have a firewall-start file but I'm not sure how I call it? I do not know the syntax/code to call the GuestWifi.sh script.
The contents of my firewall-start is
Code:
#!/bin/sh

#Load firewall rules for guest wifi
/jffs/scripts/GuestWifi.sh &

#Load QoS improvement script
/jffs/scripts/FreshJR_QOS -start &
which just makes sure that the script is run should the firewall start for whatever reason.
2) You mention in a previous post I may need to make an edit. I won't do that, as advised, at this point, and will just see if it works with the current configuration, but if I need to, what do I do with that code mentioned in the link? Add it to the dnsmasq.conf.add file or something?
This would need changing in GuestWifi.sh itself. If it turns out you need it, then I'm happy to make an edited version and send to you.

3) Final question, my VPN client is set up with DNS 'exclusive' and policy rules 'strict' and has one single device already routed via the VPN client under 'Rules for routing client traffic through the tunnel' (it's connected via ethernet, not WiFi). Seeing as the VPN client is set up to use VPN DNS and block traffic if the tunnel goes down, will I need to add a DNS for dns1 and dns2 in the GuestWifi.sh script or can they be left blank?
Good question, with v2.0.4 (https://gist.github.com/jackyaz/e0032dde93729104189e7e32d0192143) you can now leave DNS blank and it'll default to the router's IP (dnsmasq requires an IP). If you have exclusive set, then this will be overridden to VPN anyway.

Thank you. Much appreciate your work and assistance.
No problem at all, I'm just glad I can give back to the community, that has helped me learn a lot!
 
OK - just read all four pages. Couple of follow-ups... from one of the scripts, it looks like I MIGHT be able to set up one of the guest networks to be a whitelist-only thing? Specifically, for my IoT devices I'd like them to only have access to the WAN IPs required for their functionality. So if I set up a guest network specifically called JaimeZXIoT or something, then they could only connect to 1.2.3.4, 1.2.3.5, etc...? Thanks. This looks promising. :)
Martinaeu's script allows for that, mine doesn't have any LAN access in it yet, it allows clients WAN/VPN access only. It's on my to-do though!
 
I noticed on reboot that for some reason vpnclient2 is trying to start or something, even though I have never used it, so I went to VPN client 2 and pressed 'default' and did another restart of the router, and that seems to have stopped vpnclient2 from starting.
 
@JackYaz

Ready when you are to test YazFi in the 86U ;) !
 
@JackYaz

Ready when you are to test YazFi in the 86U ;) !
Sure, you can thank @Netbug for being a very diligent tester, and helping me iron out bug after bug. I certainly can't thank him enough for the time and effort he's committed so far! What started out with fixing the sed issue has turned into oh so much more! As you've obviously spotted, I've moved it from gist to a proper GitHub repo (namely to force those cursed line endings to Unix!), but also to make it a proper script/release (again, on persuasion from @Netbug !)
 
This is the resulting dnsmasq.conf.add following the first run in the 86U:
Code:
### Start of script-generated configuration for interface wl0.2 ###
interface=wl0.2
dhcp-range=wl0.2,10.8.242.10.8.242.65,10.8.242.10.8.242.126,255.255.255.0,43200s
dhcp-option=wl0.2,3,10.8.242.1
dhcp-option=wl0.2,6,188.132.234.170,46.166.189.68
dhcp-option=wl0.2,252,"\n"
### End of script-generated configuration for interface wl0.2 ###


### Start of script-generated configuration for interface wl0.1 ###
interface=wl0.1
dhcp-range=wl0.1,10.8.241.10.8.241.65,10.8.241.10.8.241.126,255.255.255.0,43200s
dhcp-option=wl0.1,3,10.8.241.1
dhcp-option=wl0.1,6,54.93.169.181,212.71.249.225
dhcp-option=wl0.1,252,"\n"
### End of script-generated configuration for interface wl0.1 ###
It breaks the guest WiFi connectivity; I believe the concatenation of the dhcp-range might be incorrect. It somehow also broke access to the router web UI.

This is the content of the Config file:
Code:
####################################################################
######                 Guest Network 1 (wl0.1)                 #####
####################################################################
wl01_ENABLED="true"
wl01_IPADDR="10.8.241.0"
wl01_DHCPSTART="10.8.241.65"
wl01_DHCPEND="10.8.241.126"
wl01_DNS1="54.93.169.181"
wl01_DNS2="212.71.249.225"
wl01_REDIRECTALLTOVPN="true"
wl01_VPNCLIENTNUMBER="2"
####################################################################
######                 Guest Network 2 (wl0.2)                 #####
####################################################################
wl02_ENABLED="true"
wl02_IPADDR="10.8.242.0"
wl02_DHCPSTART="10.8.242.65"
wl02_DHCPEND="10.8.242.126"
wl02_DNS1="188.132.234.170"
wl02_DNS2="46.166.189.68"
wl02_REDIRECTALLTOVPN="false"
wl02_VPNCLIENTNUMBER=
The config file in the GitHub repo is named YazFi.config while the script's references are to GuestWifi.config. Not knowing if you meant this to be like that, I opted for changing the reference in the script to YazFi.config to keep both files one after another in the directory list.
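The doubled dhcp-range in the generated file above is exactly the kind of defect that should be caught before dnsmasq ever reads it, since a malformed range takes the whole guest SSID (and here the web UI) down. The following is an added example, not YazFi's own code: it builds the dnsmasq.conf.add stanza for one interface from config values like the wl01_* ones shown, validates every address field first, and checks an existing file for bad dhcp-range lines. It assumes the gateway (option 3) is the network address with the last octet set to 1, and that a blank DNS entry falls back to that gateway, as the v2.0.4 reply earlier describes; the sample broken line is copied from the post above.

```shell
#!/bin/sh
# Added example, not YazFi's own code: generate and validate the dnsmasq
# stanza for a guest interface so a malformed dhcp-range such as the doubled
# "10.8.242.10.8.242.65" seen above is rejected instead of handed to dnsmasq.
# Assumptions: gateway = network address with last octet 1; blank DNS -> gateway.

# is_ipv4 ADDR -> exit 0 if ADDR is exactly four decimal octets in 0-255, else 1
is_ipv4() {
    addr="$1"
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, leading/trailing/double dot
    esac
    oldifs="$IFS"; IFS='.'
    set -- $addr                                # split on dots into $1..$n
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1                    # "10.8.242.10.8.242.65" splits into 7 fields
    for octet in "$1" "$2" "$3" "$4"; do
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# guest_stanza IFACE NET DHCPSTART DHCPEND [DNS1] [DNS2]
# Prints a stanza in the same layout as the script-generated one in the post,
# or prints nothing and returns 1 if any address is malformed.
guest_stanza() {
    iface="$1"; net="$2"; start="$3"; end="$4"; dns1="$5"; dns2="$6"
    gw="${net%.*}.1"                            # 10.8.241.0 -> 10.8.241.1 (assumption)
    [ -n "$dns1" ] || dns1="$gw"                # blank DNS defaults to the router (assumption)
    [ -n "$dns2" ] || dns2="$gw"
    for a in "$net" "$start" "$end" "$dns1" "$dns2"; do
        if ! is_ipv4 "$a"; then
            echo "guest_stanza: bad address '$a' for $iface" >&2
            return 1
        fi
    done
    printf '### Start of script-generated configuration for interface %s ###\n' "$iface"
    printf 'interface=%s\n' "$iface"
    printf 'dhcp-range=%s,%s,%s,255.255.255.0,43200s\n' "$iface" "$start" "$end"
    printf 'dhcp-option=%s,3,%s\n' "$iface" "$gw"
    printf 'dhcp-option=%s,6,%s,%s\n' "$iface" "$dns1" "$dns2"
    printf 'dhcp-option=%s,252,"\\n"\n' "$iface"
    printf '### End of script-generated configuration for interface %s ###\n' "$iface"
}

# check_ranges FILE -> 0 if every dhcp-range line in FILE has valid start and
# end addresses, 1 otherwise (each bad line is reported on stderr).
check_ranges() {
    bad=0
    while IFS=, read -r key start end rest; do
        case "$key" in dhcp-range=*) ;; *) continue ;; esac
        if ! is_ipv4 "$start" || ! is_ipv4 "$end"; then
            echo "check_ranges: malformed dhcp-range in $1: $key,$start,$end,$rest" >&2
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Demo on a constructed file: a stanza built from the wl0.1 config values in
# the post, followed by the broken wl0.2 dhcp-range line copied from the post.
demo_file=$(mktemp)
guest_stanza wl0.1 10.8.241.0 10.8.241.65 10.8.241.126 54.93.169.181 212.71.249.225 > "$demo_file"
printf 'dhcp-range=wl0.2,10.8.242.10.8.242.65,10.8.242.10.8.242.126,255.255.255.0,43200s\n' >> "$demo_file"
if check_ranges "$demo_file"; then
    echo "all dhcp-range lines look valid"
else
    echo "refusing to install $demo_file: fix the dhcp-range reported above first"
fi
rm -f "$demo_file"
```

Running check_ranges against a freshly generated /jffs/configs/dnsmasq.conf.add before restarting dnsmasq turns a silent outage into a visible error; the same is_ipv4 check could equally be applied to the wlXX_DHCPSTART/wlXX_DHCPEND values when the config file is first read.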
 
@Alfsu
The file names are incorrect at the moment and Jack has not yet quite finished it.

Edit: actually I think these may be the new file names; either way it just needs a little polish before Jack releases it for prime time.

@Jack Yaz
Think it may be worthwhile just until you sort out the page and file names :)

oh and thanks for the mention, it's been great testing it out, it's a great script to be fair :D
 
@Alfsu
The file names are incorrect at the moment and Jack has not yet quite finished it.

@Jack Yaz
Think it may be worthwhile just until you sort out the page and file names :)

oh and thanks for the mention, it's been great testing it out, it's a great script to be fair :D
Not a problem, I am happy to help.

Sent from my ONEPLUS A3000 using Tapatalk
 
@Jack Yaz Nice script! Been testing it on my ac86u and it has been working great.
I have a small request if possible.
Mostly I run my main SSID + 2 guest SSIDs.
In my config I have prepared a third network, however if I enable it (in the GUI) the rules are not applied on this SSID until reboot. Any chance the script can detect this change? Not really an issue, more of a "nice to have" feature.
Thanks
 
@Jack Yaz Nice script! Been testing it on my ac86u and it has been working great.
I have a small request if possible.
Mostly I run my main SSID + 2 guest SSIDs.
In my config I have prepared a third network, however if I enable it (in the GUI) the rules are not applied on this SSID until reboot. Any chance the script can detect this change? Not really an issue, more of a "nice to have" feature.
Thanks
I'll have to see if any events are triggered by the f/w, at the moment it gets called by firewall-start, but I guess the firewall doesn't get restarted on a new iface up.
 