How to use a different subnet for WiFi guest network?

These scripts are for "router" mode, not "access point" mode.
I have a RT-AC68U as router and an ASUS n56u as AP. If I power down the n56u, I believe the guest network is isolated but not if the n56u is up.

I guess I should add that I want my guests to be able to see each other's devices because I have some kids who want to play an internet game (Minecraft?) with each other.
 
I have a RT-AC68U as router and an ASUS n56u as AP. If I power down the n56u, I believe the guest network is isolated but not if the n56u is up.
You can't create isolated guest networks on the N56U when it is in AP mode. Yes, I know it has a menu option for guest networks but it only creates a "normal" Wi-Fi network. It's a technical limitation of running in AP mode.

If you create a guest network only on the AC68U with a unique SSID and let the kids connect to that it will work.
 
I have a RT-AC68U as router and an ASUS n56u as AP. If I power down the n56u, I believe the guest network is isolated but not if the n56u is up.

I guess I should add that I want my guests to be able to see each other's devices because I have some kids who want to play an internet game (Minecraft?) with each other.

You can do what you want but at a cost.

1. You'd need to create a separate guest vlan on both n66 and ac68 using CLI.

2. This functionality would only be possible if you sacrifice CTF (performance).

Btw, I use exactly the same hardware for the same purpose.
 
First attempt here: https://pastebin.com/WnEeg41E

Usage notes and further commenting for which bits to edit will follow - tonight was not a good night, most of it spent in the hospital visiting a very poorly relative =[

General usage is:

./GuestWifi.sh wl0.2
./GuestWifi.sh wl0.1 vpnall 1 #redirects all wl0.1 over VPN client 1 N.B. subnet/clients must be added in Policy Routing (I have been working on the ip rule lookup bit to save this step, let's call that v2)
./GuestWifi.sh wl0.3 vpn 1 #allows wl0.3 to be routed over VPN client 3, for use with selective port routing over VPN N.B. same as example above
Thanks for the continuously updated script, Jack Yaz! I would like to use it but I am still unsure where and how to call the script. Is it sufficient to edit the variables in the first section or do I have to specify the guest network as an argument? And would "wan-start" be a good place to call it? Thank you!
 
Thanks for the continuously updated script, Jack Yaz! I would like to use it but I am still unsure where and how to call the script. Is it sufficient to edit the variables in the first section or do I have to specify the guest network as an argument?
You just need to edit the variables and enable the networks as you see fit, I've left 3 networks enabled in the posted script, I will add an example with explanations of each option in a future version.

Then all you need to do is save the file in /jffs/scripts, e.g. /jffs/scripts/GuestWifi.sh

Ensure it is executable, then just call the script. I have mine called in firewall-start so things are applied on boot and if the firewall restarts for whatever reason.

I will likely make a new thread dedicated to the script and will include install + usage instructions.
 
@Jack Yaz,

So finally got around to testing your script in my AC68P, set it up to have wl0.1 routing to a VPN client and it all worked right away without any problems... Awesome script.

Cheers!
 
@Jack Yaz,

So finally got around to testing your script in my AC68P, set it up to have wl0.1 routing to a VPN client and it all worked right away without any problems... Awesome script.

Cheers!
Glad you like it! I'm going to be updating it a little in the next couple of days, though this is mainly tidying up of Guest Networks that were enabled and have since been disabled, so no impact to networks that are enabled are anticipated.
 
But I have an AP. I seem to be able to access any and all of the PCs from the guest network. I thought I could use one of these scripts, maybe not.

If your AP can tag the packets with a VLAN identifier, then I wrote up my process for doing this here.

My extra access point supports multiple SSIDs (TPLink 801ND) and can tag each SSID with a different VLAN, so I have it broadcast my "home" wifi (it puts those on the wire with no VLAN tag), and some extra guest wifi SSIDs (it puts that traffic down the same wire, but with VLAN tags). The thread above explains how I then get the ASUS router to handle the internal tagged traffic, hand out IPs on a different subnet, and allow tagged VLANs to access the WAN but not the LAN.

Alternatively, if your AP can't do VLAN tagging, but only broadcasts your "guest SSID", then you can configure the ASUS router to automatically tag all traffic on a single physical port (i.e. one of 1-4 on the back) and then use similar VLAN rules to keep that port isolated from the rest of the LAN... I don't cover that in the thread above but you can find people who've done that here on this forum I believe.
 
@Martineau, Has it been confirmed GuestSubnet.sh works with RT-AC86U?

I'm not aware of any reported failures/negative feedback from RT-AC86U owners but you are most welcome to be the first! :p
 
I'm not aware of any reported failures/negative feedback from RT-AC86U owners but you are most welcome to be the first! :p

@Martineau results as follows for 2 WeMo devices I have attached to wl0.1

Code:
admin@RT-AC86U:/jffs/scripts# ./GuestSubnet.sh GNet241

(GuestSubnet.sh): 21749 ***ERROR Guest Wifi SSID: GNet241 (wl0.1) not defined in '/etc/dnsmasq.conf' - use 'autodnsmasq' command arg

OK - So I ran it again with autodnsmasq switch as directed.

Code:
admin@RT-AC86U:/jffs/scripts# ./GuestSubnet.sh GNet241 autodnsmasq

(GuestSubnet.sh): 21821 ***ERROR*** Guest WiFi 2.4GHz Client 1 SSID='GNet241' WIFI_IF='wl0.1' WIFI_IP='' WIFI_MASK='' WIFI_SUBNET_PREFIX='.0/24'

OK - Not sure I should have got the error here, but ran it once more...

Code:
admin@RT-AC86U:/jffs/scripts# ./GuestSubnet.sh GNet241

(GuestSubnet.sh): 21969 Guest WiFi 2.4GHz Client 1 SSID: GNet241 (wl0.1) 192.168.241.0/24 subnet created, using DNS 208.67.220.220,8.8.8.8

Success!:)

I checked /etc/dnsmasq.conf and /jffs/configs/dnsmasq.conf.add and the entries are there as expected.:)

Connected the devices and checked Syslog/DHCP Leases and the devices have their new subnet IPs.:)

Is the result of the following OK, I am not quite sure...:confused:

Code:
admin@RT-AC86U:/jffs/scripts# ./GuestSubnet.sh wl0.1 status

        Guest WiFi GNet241 wl0.1 Status
        ===============================
wl0.1     Link encap:Ethernet  HWaddr B0:6E:XX:XX:XX:F1
          inet addr:192.168.241.1  Bcast:192.168.241.255  Mask:255.255.255.0
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:6807 errors:0 dropped:0 overruns:0 frame:0
          TX packets:24443 errors:0 dropped:29 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1182842 (1.1 MiB)  TX bytes:3059320 (2.9 MiB)

    Guest WiFi GNet241 wl0.1 Statistics
    ===================================
21: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether b0:6e:xx:xx:xx:f1 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast  
    1182842    6807     0       0       0       2907  
    TX: bytes  packets  errors  dropped carrier collsns
    3059320    24443    0       29      0       0      

    Guest WiFi GNet241 wl0.1 -t filter INPUT rules
    ==============================================
    9  2952 ACCEPT     udp  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0            multiport dports 53,67
    0     0 ACCEPT     tcp  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
  101 22857 logdrop    all  --  wl0.1  *       0.0.0.0/0            0.0.0.0/0            state NEW

    Guest WiFi GNet241 wl0.1 -t filter FORWARD rules
    ================================================
  485 63537 ACCEPT     all  --  wl0.1  eth0    0.0.0.0/0            0.0.0.0/0          

    Guest WiFi GNet241 wl0.1 ebtables -t broute
    ===========================================
1. -p ARP -i wl0.1 -j DROP , pcnt = 50 -- bcnt = 1472
2. -p IPv4 -i wl0.1 -j DROP , pcnt = 811 -- bcnt = 120959
3. -p IPv6 -i wl0.1 -j DROP , pcnt = 90 -- bcnt = 15993
4. -p IPv4 -i wl0.1 --ip-dst 192.168.225.1 --ip-proto icmp -j ACCEPT , pcnt = 1 -- bcnt = 48
5. -p IPv4 -i wl0.1 --ip-dst 192.168.225.0/24 --ip-proto icmp -j DROP , pcnt = 0 -- bcnt = 0
6. -p IPv4 -i wl0.1 --ip-dst 192.168.225.0/24 --ip-proto tcp -j DROP , pcnt = 0 -- bcnt = 0

    Guest WiFi GNet241 wl0.1 ebtables -t filter FORWARD
    ===================================================
1. -i wl0.1 -j DROP , pcnt = 7169 -- bcnt = 393481
2. -o wl0.1 -j DROP , pcnt = 80317 -- bcnt = 14579242

One other perhaps minor detail - they still show in Syslog/Wireless log with the LAN DHCP IP addresses. Strange because I checked the devices themselves and they have the new subnet IPs.

Thank You once again kind Sir!
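Added example, written for this thread and not taken from GuestSubnet.sh or GuestWifi.sh: it builds the same rule set whose packet counters appear in the status output above (DHCP/DNS-only INPUT, WAN-only FORWARD, ebtables rules so the br0 member interface cannot talk to the LAN at layer 2), and for the VLAN-tagging access point approach described earlier it first gives the tagged traffic its own router interface. Interface names, subnets and the VLAN id are constructed; logdrop is the chain name shown in the output; with DRYRUN set the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example for this thread (not GuestSubnet.sh or GuestWifi.sh): emit, or apply when
# DRYRUN is unset, the isolation rules whose counters appear in the 'status' output above.
# Interface names, subnets and the VLAN id are constructed; logdrop is the router's own chain.
run() { if [ -n "$DRYRUN" ]; then echo "$*"; else "$@"; fi; }

# Optional first step for the VLAN-tagging AP case: give the tagged guest traffic its own
# interface on the router instead of a wl0.x virtual interface.
vlan_iface() {
    trunk="$1"; vid="$2"; iface="$3"; gw_cidr="$4"
    run ip link add link "$trunk" name "$iface" type vlan id "$vid"
    run ip addr add "$gw_cidr" dev "$iface"
    run ip link set "$iface" up
}

guest_isolate() {
    iface="$1"; subnet="$2"; wan="$3"; lan_subnet="$4"
    # Layer 3, traffic to the router itself: only DHCP (67) and DNS (53) are accepted from the
    # guest net; any other NEW connection goes to logdrop (matches the INPUT counters above).
    run iptables -t filter -I INPUT -i "$iface" -p udp -m multiport --dports 53,67 -j ACCEPT
    run iptables -t filter -I INPUT -i "$iface" -p tcp --dport 53 -j ACCEPT
    run iptables -t filter -A INPUT -i "$iface" -m state --state NEW -j logdrop
    # Layer 3, routed traffic: guest to WAN is allowed and NATed; guest to the main LAN is dropped.
    run iptables -t filter -I FORWARD -i "$iface" -d "$lan_subnet" -j DROP
    run iptables -t filter -I FORWARD -i "$iface" -o "$wan" -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$subnet" -o "$wan" -j MASQUERADE
    # Layer 2: a wl0.x guest interface is still a br0 member, so without these rules guests reach
    # LAN hosts at the bridge level and never hit FORWARD. In the broute table DROP means "hand
    # the frame to the local IP stack instead of bridging it", which forces it through iptables.
    for proto in ARP IPv4 IPv6; do
        run ebtables -t broute -A BROUTING -p "$proto" -i "$iface" -j DROP
    done
    # And stop bridged frames in either direction between the guest interface and the LAN.
    run ebtables -t filter -A FORWARD -i "$iface" -j DROP
    run ebtables -t filter -A FORWARD -o "$iface" -j DROP
}

# Dry-run sanity check: number of emitted rules that name the guest interface.
rule_count() { DRYRUN=1 guest_isolate "$@" | grep -c -- "$1"; }
```

Run with `DRYRUN=1 guest_isolate wl0.1 192.168.241.0/24 eth0 192.168.1.0/24` first and compare the printed lines with the `status` listing before applying them for real.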
 
Code:
(GuestSubnet.sh): 21969 Guest WiFi 2.4GHz Client 1 SSID: GNet241 (wl0.1) 192.168.241.0/24 subnet created, using DNS 208.67.220.220,8.8.8.8
Success!:)

I did try to make it as easy as possible for (non-technical) users to create the Guest WiFi subnets by simply specifying the Guest WiFi instance e.g. 2.4GHz Guest #1
Code:
./GuestSubnet.sh wl0.1 autodnsmasq
without the need for them to edit scripts etc., but unfortunately I think use of the SSID 'GNet241' rather than the physical interface 'wl0.1' during the initial creation of the subnet isn't fully tested, so I suggest you always specify the physical interface until I get around to investigating the minor issue.:oops:

I checked /etc/dnsmasq.conf and /jffs/configs/dnsmasq.conf.add and the entries are there as expected.:)

Connected the devices and checked Syslog/DHCP Leases and the devices have their new subnet IPs.:)

Is the result of the following OK, I am not quite sure...:confused:!

Yes the statistics look fine.

P.S. Thanks for being the first (known) successful RT-AC86U Beta tester! :p
 
Glad you like it! I'm going to be updating it a little in the next couple of days, though this is mainly tidying up of Guest Networks that were enabled and have since been disabled, so no impact to networks that are enabled are anticipated.

Had to make a minor change for when the script is re-run:
Code:
        # Add dnsmasq entries for this interface:
        if grep -q "### Start of script-generated configuration for interface $IFACE ###" $TMPCONF; then
          # Original one-liner: the '\n' inside the 'c\' text is not turned into newlines by every sed build
          #sed -i -e '/'"$BEGIN"'/,/'"$END"'/c\'"$BEGIN"'\n'"$CONFSTRING"'\n'"$END"'\n' $TMPCONF
            # Delete the existing block (the BEGIN marker line plus the 6 lines after it) ...
            sed -i -e '/'"$BEGIN"'/,+6d' $TMPCONF
            # ... then append a fresh copy; echo -e expands the '\n' inside each variable
            echo -e "\n$BEGIN\n$CONFSTRING\n$END\n" >> $TMPCONF
        else...

Otherwise the original sed command creates only one line containing all the instructions.

Cheers!
 
Had to make a minor change for when the script is re-run:
Code:
        # Add dnsmasq entries for this interface:
        if grep -q "### Start of script-generated configuration for interface $IFACE ###" $TMPCONF; then
          #sed -i -e '/'"$BEGIN"'/,/'"$END"'/c\'"$BEGIN"'\n'"$CONFSTRING"'\n'"$END"'\n' $TMPCONF
            sed -i -e '/'"$BEGIN"'/,+6d' $TMPCONF
            echo -e "\n$BEGIN\n$CONFSTRING\n$END\n" >> $TMPCONF
        else...

Otherwise the original sed command creates only one line containing all the instructions.

Cheers!
Odd, I haven't come across that, I have the script re-run hourly at the moment. Can you post contents of the files when it doesn't run correctly please? (i.e. pre-your edit)
 
Odd, I haven't come across that, I have the script re-run hourly at the moment. Can you post contents of the files when it doesn't run correctly please? (i.e. pre-your edit)
I should have done it, but unfortunately didn't. It was replacing the existing seven lines in the config file with just one line containing a concatenation of all instructions, with '\n' located between instructions.

This was happening on my AC86U; a different sed command version, maybe?

Does your script create a cron job to restart any VPN client referenced in the config settings?

I am using one guest wifi to route via a VPN client, and every time the router is rebooted a cron job is created for that VPN client.

I looked into the script but couldn't find any indication of that.

Sent from my ONEPLUS A3000 using Tapatalk
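The re-run problem discussed in the two posts above (the sed 'c\' text collapsing into a single line with literal '\n' on the RT-AC86U's sed) can be sidestepped by rewriting the marker-delimited block with awk and printf, which behave the same on every busybox or GNU build. Added example, not the script's own code; the wording of the END marker and the dnsmasq lines used in the check are assumed.

```shell
#!/bin/sh
# Added helper for this thread (not from the GuestWifi.sh script): replace the
# marker-delimited dnsmasq block for one interface, or append it if absent, without
# relying on sed's 'c\' handling of embedded \n. The END marker text is assumed.
replace_block() {
    conf="$1"; iface="$2"; body="$3"
    begin="### Start of script-generated configuration for interface $iface ###"
    end="### End of script-generated configuration for interface $iface ###"
    tmp="$conf.tmp.$$"
    # Copy everything outside the old block; the block itself (markers included) is dropped.
    awk -v b="$begin" -v e="$end" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$conf" > "$tmp"
    # printf writes real newlines on every shell and sed build, unlike 'echo -e' or sed 'c\' text.
    printf '%s\n%s\n%s\n' "$begin" "$body" "$end" >> "$tmp"
    mv "$tmp" "$conf"
}

# Number of generated blocks for an interface: must stay 1 however often the script re-runs.
count_blocks() {
    grep -c "^### Start of script-generated configuration for interface $2 ###$" "$1"
}
```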
 
