SSID for VPN and 1 for ISP

jazzy_jeff_81

Hello,

I am new to the forums, but I have been searching previous threads without being able to solve my issue. As the title suggests, I am looking to set up my router so one of the Guest Networks broadcasts an SSID that connects to a VPN service I subscribe to, and the other SSIDs connect to my ISP web service.

I am running firmware 378.50.

I have been following the guide at this url, but unfortunately it is not working.
https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN.

I have my OpenVPN connection working on the router, but it is using the VPN connection for all SSIDs. I only want it to work for my Guest network.

I have created this script and saved it as wifi.sh in the /jffs/scripts directory.

Code:
#!/bin/sh
####### Interface Specific Settings #######
WRLSS_IF=wl1.1                   # Name of the wireless interface that will be used.
WRLSS_IF_NTWK_ADDR=192.168.1.0   # Network address that the wireless interface will be on.
WRLSS_IF_INET_ADDR=192.168.1.1   # IP address that will be assigned to the wireless interface.
WRLSS_IF_NETMASK=255.255.255.0   # Netmask of the wireless network to be added.
                                 # NOTE: the three values above must describe a subnet that br0 (the main LAN)
                                 # does NOT already use. With the LAN on 192.168.1.1/24 these values collide
                                 # with it; give the guest SSID its own network (e.g. 192.168.2.0/24).
TUN_IF=tun11                     # Name of tunnel interface.
########## DHCP Specific Settings ###########
DHCP_OPT1=3                      # dnsmasq option 3 = router (default gateway handed to guest clients).
LS_TIME=86400s                   # Duration of the dhcp leases.
LS_START=192.168.1.200           # Start address of leases. This needs to be within the same network as above.
LS_END=192.168.1.254             # End address of leases. This needs to be within the same network as above.
######## Hide SSID of Guest Network ########
HIDE_SSID=0                      # Hide the SSID of the guest network: 1 to hide, 0 to make it visible.

##########################################################################################################
########################################## DHCP Server ###################################################

# Add a DHCP scope bound to the guest interface, but only once: dnsmasq is restarted with the
# extended /etc/dnsmasq.conf only if the interface is not already mentioned there.
if [ "$(grep -cF "$WRLSS_IF" /etc/dnsmasq.conf)" -eq 0 ]; then
	killall dnsmasq
	sleep 2
	echo "interface=$WRLSS_IF" >> /etc/dnsmasq.conf
	echo "dhcp-range=$WRLSS_IF,$LS_START,$LS_END,$WRLSS_IF_NETMASK,$LS_TIME" >> /etc/dnsmasq.conf
	echo "dhcp-option=$WRLSS_IF,$DHCP_OPT1,$WRLSS_IF_INET_ADDR" >> /etc/dnsmasq.conf
	dnsmasq --log-async
fi
sleep 2
### Wait for the tun interface to come up (give up after ~2 minutes instead of hanging forever) ###
TRIES=0
while [ -z "$(ifconfig | grep "$TUN_IF")" ]; do
	TRIES=$((TRIES + 1))
	if [ "$TRIES" -ge 120 ]; then
		logger -t wifi.sh "$TUN_IF did not appear; giving up"
		exit 1
	fi
	sleep 1
done
############################################ IP ROUTING ##################################################
ifconfig "$WRLSS_IF" "$WRLSS_IF_INET_ADDR" netmask "$WRLSS_IF_NETMASK"
# Copy every non-default route of the main table into table 10, then give table 10 its own
# default via the tunnel and send traffic arriving on the guest interface to that table.
ip route show table main | grep -Ev '^default' | while read -r ROUTE; do
	ip route add table 10 $ROUTE
done
# If you are NOT using the route-nopull option, most VPN providers push "redirect-gateway def1",
# which installs 0.0.0.0/1 and 128.0.0.0/1 in the main table and sends ALL LAN traffic through
# the tunnel. Remove both halves so only table 10 (the guest SSID) uses the VPN.
# Comment these two lines out if you do use route-nopull.
ip route del 0.0.0.0/1 table main 2>/dev/null
ip route del 128.0.0.0/1 table main 2>/dev/null
ip route add default dev "$TUN_IF" table 10
ip rule add iif "$WRLSS_IF" table 10
ip route flush cache
####################################### ETHERNET BRIDGE TABLES RULES #####################################

# Pull guest frames out of the br0 bridge so they are routed (via table 10) instead of being
# bridged straight onto the LAN.
EBT_BRULE1="-p ipv4 -i $WRLSS_IF -j DROP"
EBT_BRULE2="-p arp -i $WRLSS_IF -j DROP"
if [ "$(ebtables -t broute -L | grep -ice "$EBT_BRULE1")" -ne 1 ]; then
	ebtables -t broute -I BROUTING $EBT_BRULE1
fi
if [ "$(ebtables -t broute -L | grep -ice "$EBT_BRULE2")" -ne 1 ]; then
	ebtables -t broute -I BROUTING $EBT_BRULE2
fi
############################################ IP TABLES RULES #############################################

# Let guest clients reach the router itself (DHCP/DNS), forward their traffic only into the
# tunnel, and NAT it behind the tunnel address on the way out.
if [ "$(iptables -L -v | grep -c "$WRLSS_IF")" -eq 0 ]; then
	iptables -I INPUT -i "$WRLSS_IF" -m state --state NEW -j ACCEPT
	iptables -I FORWARD -i "$WRLSS_IF" -o "$TUN_IF" -j ACCEPT
fi
if [ "$(iptables -t nat -L -v | grep -c "$TUN_IF")" -eq 0 ]; then
	iptables -t nat -I POSTROUTING -s "$WRLSS_IF_NTWK_ADDR/24" -o "$TUN_IF" -j MASQUERADE  # Change /24 to the subnet that you will be using.
fi
############################################### HIDE SSID ################################################

if [ "$(nvram get "${WRLSS_IF}_closed")" != 1 ] && [ "$HIDE_SSID" -eq 1 ]; then
	nvram set "${WRLSS_IF}_closed=1"
	nvram commit
fi
if [ "$(nvram get "${WRLSS_IF}_closed")" != 0 ] && [ "$HIDE_SSID" -eq 0 ]; then
	nvram set "${WRLSS_IF}_closed=0"
	nvram commit
fi

I have also created a file called "services-start.sh" in the /jffs/scripts directory. This points to the location of my wifi.sh file.
This is the code:
Code:
#!/bin/sh
/jffs/scripts/wifi.sh

After making these changes I restart the router, but it still doesn't work.

I feel like I don't have something setup right. FYI the /jffs/scripts folder was empty when I first started playing with this. The information didn't suggest whether /jffs/scripts dir should be empty or not. A lot of information I can find on this suggests a larger understanding than perhaps I have. I think I just need a little more help. I wouldn't consider myself a complete tech noob :)

Thanks
 
I wanted to add that I am using the following dhcp scope on my router.
192.168.1.2 - 192.168.1.199

The remainder of the scope for the Guest network would be:
192.168.1.200-192.168.1.254

I think this shouldn't be a problem, but perhaps it needs to be on a different subnet?
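The subnet question is the one thing a script like wifi.sh cannot tolerate getting wrong: the guest interface has to sit on a network that br0 does not already own, and the guest DHCP pool has to lie inside that network. The pre-flight check below is an added example, not code from the original post or from the linked wiki guide; the function names are my own. It uses octet-wise POSIX sh arithmetic (no 32-bit overflow on the router's busybox shell) and feeds in the post's own values: the LAN at 192.168.1.1/24 against the guest values from wifi.sh, and then the 192.168.51.0/24 network that is proposed later in this thread.

```shell
#!/bin/sh
# Added example (not from the original post or the wiki guide): pre-flight checks
# for the variables at the top of wifi.sh. Pure POSIX sh, so it runs unchanged on
# the router's busybox shell and on a desktop.

# network IP NETMASK -> network address, e.g. network 192.168.1.77 255.255.255.0 -> 192.168.1.0
# Subshell body keeps the IFS change local; splitting on '.' gives 8 positional fields.
network() (
    IFS=.
    set -- $1 $2
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
)

# in_subnet IP NET_IP NETMASK: true when IP falls inside the network of NET_IP/NETMASK
in_subnet() {
    [ "$(network "$1" "$3")" = "$(network "$2" "$3")" ]
}

# overlaps IP_A MASK_A IP_B MASK_B: true when the two networks share any address.
# With prefix-style masks that is the case exactly when the network with the
# shorter prefix contains the other network's address, so test both directions.
overlaps() {
    in_subnet "$3" "$1" "$2" || in_subnet "$1" "$3" "$4"
}

# check_guest_net LAN_IP LAN_MASK GUEST_IP GUEST_MASK POOL_START POOL_END
# Prints one line per problem; exit status 0 means the guest values are usable.
check_guest_net() {
    cg_rc=0
    if overlaps "$1" "$2" "$3" "$4"; then
        echo "guest $(network "$3" "$4") overlaps LAN $(network "$1" "$2")"
        cg_rc=1
    fi
    for cg_addr in "$5" "$6"; do
        if ! in_subnet "$cg_addr" "$3" "$4"; then
            echo "pool address $cg_addr is outside guest subnet $(network "$3" "$4")"
            cg_rc=1
        fi
    done
    return $cg_rc
}

# The values from the post's wifi.sh against the router's LAN (192.168.1.1/24): the overlap case.
check_guest_net 192.168.1.1 255.255.255.0 192.168.1.1 255.255.255.0 192.168.1.200 192.168.1.254 \
    || echo "fix the guest subnet before running wifi.sh"
# A distinct /24 (the 192.168.51.0 network suggested later in the thread) passes.
check_guest_net 192.168.1.1 255.255.255.0 192.168.51.1 255.255.255.0 192.168.51.200 192.168.51.254 \
    && echo "guest network OK"
```

Run it with the LAN address and netmask from `ifconfig br0` on the router and the four guest values copied from wifi.sh; a non-zero exit status means dnsmasq and the policy routing will be fighting br0 for the same addresses no matter how correct the rest of the script is.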
 
Hello,

Please rename "services-start.sh" to "services-start" ... without ".sh" at the end and try again.
Additionally don't forget to set any script you create as being executable
Code:
chmod a+rx /jffs/scripts/*
 
Thanks Ciechom. I am waiting for a call right now, and my phone is connected to the router :) I'll test this out asap!

Thanks again.
 
I tried renaming the services-start file and making sure I ran the chmod command through SSH, but neither of these resolved the problem.
It's like I add those files, but it doesn't perform any differently to when I didn't have those files in place. Every device gets an IP from the DHCP scope in the Asus/Merlin GUI and they all use the VPN that is specified in the OpenVPN client setting. I've tried turning it on and off, and depending on what I have this set to it affects all machines and not just one wireless SSID.

Thanks.
 
Make sure you enabled support for Custom Scripts under System -> Administration.

Also, insert a "logger myscript "Starting script"" line right after the #!/bin/sh shebang, so you can validate through the System Log if the script actually does get run.
 
Merlin,

Thanks for your response. I confirmed that I had the "Custom Scripts" box checked in the web interface.

I added the logging to the "services-start" file.

Here is what I got in the log:
Code:
Feb 22 21:02:01 rc_service: ntp 975:notify_rc restart_upnp
Feb 22 21:02:01 rc_service: ntp 975:notify_rc restart_diskmon
Feb 22 21:02:01 rc_service: waitting "restart_upnp" via ntp ...
Feb 22 21:02:01 miniupnpd[978]: shutting down MiniUPnPd
Feb 22 21:02:01 kernel: * Make sure sizeof(struct sw_struct)=160 is consistent
Feb 22 21:02:02 miniupnpd[1001]: HTTP listening on port 45679
Feb 22 21:02:02 miniupnpd[1001]: Listening for NAT-PMP/PCP traffic on port 5351
Feb 22 21:02:02 kernel: IDPfw: TrendMicro forward module ver-1.0.26
Feb 22 21:02:02 kernel: IDPfw: Apply module param dev_wan=eth0
Feb 22 21:02:02 kernel: IDPfw: Apply module param sess_num=30000
Feb 22 21:02:02 kernel: IDPfw: Init chrdev /dev/idpfw with major 191
Feb 22 21:02:02 kernel: IDPfw: IDPfw is ready
Feb 22 21:02:02 kernel: sizeof forward param = 160
Feb 22 21:02:04 dnsmasq-dhcp[935]: DHCPREQUEST(br0) 192.168.1.177 e0:b9:ba:36:33:0e 
Feb 22 21:02:04 dnsmasq-dhcp[935]: DHCPACK(br0) 192.168.1.177 e0:b9:ba:36:33:0e iPad
Feb 22 21:02:04 dnsmasq-dhcp[935]: DHCPREQUEST(br0) 192.168.1.177 e0:b9:ba:36:33:0e 
Feb 22 21:02:04 dnsmasq-dhcp[935]: DHCPACK(br0) 192.168.1.177 e0:b9:ba:36:33:0e iPad
Feb 22 21:02:05 disk monitor: be idle
Feb 22 21:02:05 dnsmasq-dhcp[935]: DHCPREQUEST(br0) 192.168.1.20 30:a8:db:8c:c7:24 
Feb 22 21:02:05 dnsmasq-dhcp[935]: DHCPACK(br0) 192.168.1.20 30:a8:db:8c:c7:24 android-9fc142c5b2551c35
Feb 22 21:02:05 rc_service: udhcpc 891:notify_rc start_firewall
Feb 22 21:02:05 dhcp client: bound myWANIP via myWANIP during 3600 seconds.
Feb 22 21:02:07 start_nat_rules: apply the nat_rules(/tmp/nat_rules_eth0_eth0)!
Feb 22 21:02:07 dnsmasq[935]: exiting on receipt of SIGTERM
Feb 22 21:02:07 dnsmasq[1246]: started, version 2.73test6 cachesize 1500
Feb 22 21:02:07 dnsmasq[1246]: warning: interface wl1.1 does not currently exist
Feb 22 21:02:07 dnsmasq[1246]: warning: interface ppp1* does not currently exist
Feb 22 21:02:07 dnsmasq[1246]: asynchronous logging enabled, queue limit is 5 messages
Feb 22 21:02:07 dnsmasq-dhcp[1246]: DHCP, IP range 192.168.1.200 -- 192.168.1.254, lease time 1d
Feb 22 21:02:07 dnsmasq-dhcp[1246]: DHCP, IP range 192.168.1.2 -- 192.168.1.199, lease time 1d
Feb 22 21:02:07 dnsmasq[1246]: read /etc/hosts - 5 addresses
Feb 22 21:02:07 dnsmasq[1246]: using nameserver 71.10.216.2#53 for domain local
Feb 22 21:02:07 dnsmasq[1246]: using nameserver 71.10.216.2#53 for domain gha.chartermi.net
Feb 22 21:02:07 dnsmasq[1246]: using nameserver 71.10.216.1#53 for domain local
Feb 22 21:02:07 dnsmasq[1246]: using nameserver 71.10.216.1#53 for domain gha.chartermi.net
Feb 22 21:02:07 dnsmasq[1246]: using nameserver 71.10.216.1#53
Feb 22 21:02:07 dnsmasq[1246]: using nameserver 71.10.216.2#53
Feb 22 21:02:11 dfs: start dfs scan
Feb 22 21:02:11 nodfs_scan: complete
Feb 22 21:02:16 dfs: start dfs scan
Feb 22 21:02:17 nodfs_scan: complete
Feb 22 21:02:21 dnsmasq-dhcp[1246]: DHCPREQUEST(br0) 192.168.1.20 30:a8:db:8c:c7:24 
Feb 22 21:02:21 dnsmasq-dhcp[1246]: DHCPACK(br0) 192.168.1.20 30:a8:db:8c:c7:24 android-9fc142c5b2551c35
Feb 22 21:02:51 rc_service: rc 1455:notify_rc restart_wrs
Feb 22 21:02:53 crond[801]: time disparity of 121081 minutes detected
Feb 22 21:03:00 dropbear[1743]: Child connection from 192.168.1.176:60995
Feb 22 21:03:02 dnsmasq-dhcp[1246]: DHCPREQUEST(br0) 192.168.1.176 00:23:14:b0:c1:b8 
Feb 22 21:03:02 dnsmasq-dhcp[1246]: Ignoring domain domain.com for DHCP host name myLaptop
Feb 22 21:03:02 dnsmasq-dhcp[1246]: DHCPACK(br0) 192.168.1.176 00:23:14:b0:c1:b8 myLaptop
Feb 22 21:03:06 dnsmasq-dhcp[1246]: DHCPREQUEST(br0) 192.168.1.177 e0:b9:ba:36:33:0e 
Feb 22 21:03:06 dnsmasq-dhcp[1246]: DHCPACK(br0) 192.168.1.177 e0:b9:ba:36:33:0e iPad

So I see that it picked up the scopes:
Code:
Feb 22 21:02:07 dnsmasq-dhcp[1246]: DHCP, IP range 192.168.1.200 -- 192.168.1.254, lease time 1d
Feb 22 21:02:07 dnsmasq-dhcp[1246]: DHCP, IP range 192.168.1.2 -- 192.168.1.199, lease time 1d

I also see that it doesn't see the wireless interface, which is strange because I have it enabled:
Code:
Feb 22 21:02:07 dnsmasq[1246]: warning: interface wl1.1 does not currently exist
Feb 22 21:02:07 dnsmasq[1246]: warning: interface ppp1* does not currently exist

I have attached a screenshot to show I have the guest network added, and I also have my openvpn settings attached.

The issue still persists in that no matter what network I connect to, I get the VPN IP address and not my ISP address when the VPN is on, and when I have the VPN off everything gets the ISP IP.
 

Attachments: guest-wifi.PNG, openvpn-settings.PNG
So I am wondering if part of the issue is that my client devices that connect to my guest network ssid never get an IP address from the scope 192.168.1.200 - 192.168.1.254. They always get an IP address from the 192.168.1.2 - 192.168.1.254 range.
Any idea what I can do to resolve that and then perhaps the rest will fall into place?

Thanks,

Jeff
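Two lines in that log already answer the question the post ends with: dnsmasq warned that wl1.1 did not exist when it started, so the guest scope was never bound to it, and every DHCPACK in the excerpt went out on br0, i.e. from the LAN pool. The script below is an added example, not code from the original post, and the function names are my own. It runs that check over a handful of the posted log lines (copied verbatim as constructed sample input); on the router you would pipe the live log into it instead, e.g. `cat /tmp/syslog.log | guest_dhcp_check wl1.1` (the log path is an assumption; use wherever your firmware keeps the system log).

```shell
#!/bin/sh
# Added example (not from the original post): read a syslog excerpt and report
# which interfaces dnsmasq warned about and on which interface leases were ACKed.

# dhcp_log_summary: stdin = syslog lines. Prints "missing <iface>" for every
# "warning: interface X does not currently exist" line and "acks <iface> <n>"
# per interface seen in DHCPACK(<iface>) lines.
dhcp_log_summary() {
    awk '
        / dnsmasq\[[0-9]+\]: warning: interface / {
            for (i = 1; i <= NF; i++) if ($i == "interface") { print "missing", $(i+1); break }
        }
        / dnsmasq-dhcp\[[0-9]+\]: DHCPACK\(/ {
            # "DHCPACK(br0)" -> take what sits between the parentheses
            if (match($0, /DHCPACK\([^)]+\)/)) {
                iface = substr($0, RSTART + 8, RLENGTH - 9)
                acks[iface]++
            }
        }
        END { for (i in acks) print "acks", i, acks[i] }
    '
}

# guest_dhcp_check IFACE: stdin = syslog lines. Exit 0 when dnsmasq bound IFACE
# and handed out at least one lease on it; otherwise print why and exit 1.
guest_dhcp_check() {
    gdc_summary=$(dhcp_log_summary)
    if printf '%s\n' "$gdc_summary" | grep -qxF "missing $1"; then
        echo "dnsmasq never bound $1: the interface did not exist when dnsmasq started"
        return 1
    fi
    if ! printf '%s\n' "$gdc_summary" | grep -qF "acks $1 "; then
        echo "no DHCPACK was sent on $1; leases are being served elsewhere"
        return 1
    fi
    return 0
}

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG=$(cat <<'EOF'
Feb 22 21:02:04 dnsmasq-dhcp[935]: DHCPACK(br0) 192.168.1.177 e0:b9:ba:36:33:0e iPad
Feb 22 21:02:05 dnsmasq-dhcp[935]: DHCPACK(br0) 192.168.1.20 30:a8:db:8c:c7:24 android-9fc142c5b2551c35
Feb 22 21:02:07 dnsmasq[1246]: started, version 2.73test6 cachesize 1500
Feb 22 21:02:07 dnsmasq[1246]: warning: interface wl1.1 does not currently exist
Feb 22 21:02:07 dnsmasq[1246]: warning: interface ppp1* does not currently exist
Feb 22 21:02:07 dnsmasq-dhcp[1246]: DHCP, IP range 192.168.1.200 -- 192.168.1.254, lease time 1d
Feb 22 21:02:07 dnsmasq-dhcp[1246]: DHCP, IP range 192.168.1.2 -- 192.168.1.199, lease time 1d
Feb 22 21:03:02 dnsmasq-dhcp[1246]: DHCPACK(br0) 192.168.1.176 00:23:14:b0:c1:b8 myLaptop
Feb 22 21:03:06 dnsmasq-dhcp[1246]: DHCPACK(br0) 192.168.1.177 e0:b9:ba:36:33:0e iPad
EOF
)

printf '%s\n' "$SAMPLE_LOG" | dhcp_log_summary
printf '%s\n' "$SAMPLE_LOG" | guest_dhcp_check wl1.1 \
    || echo "guest SSID clients will keep getting LAN leases until wl1.1 exists when dnsmasq starts"
```

The "missing" warning is the important one: dnsmasq only complains once, at startup, and then silently serves nothing on that interface, so an `interface=wl1.1` stanza that looks correct in /etc/dnsmasq.conf can still be dead if the interface was not there when `service restart_dnsmasq` ran.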
 

Try manually adding entries to /jffs/configs/dnsmasq.conf.add:

# 5Ghz Guest #1 uses DHCP pool 192.168.51.200 - 192.168.51.254
interface=wl1.1
dhcp-range=wl1.1,192.168.51.200,192.168.51.254,255.255.255.0,21600s
dhcp-option=wl1.1,3,192.168.51.1


then issue

service restart_dnsmasq

ifconfig wl1.1 192.168.51.1 netmask 255.255.255.0

ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP


then connect to the Guest 5Ghz SSID #1 and see if you are assigned a 192.168.51.* I/P address and can connect to the Internet.
 
Thanks Martineau.
I added the DHCP pool code to the dnsmasq.conf.add file. I wasn't too sure how to do the 2nd part, so I added that below in the same file.

service restart_dnsmasq

ifconfig wl1.1 192.168.51.1 netmask 255.255.255.0

ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP

When I added that 2nd part, things didn't go too well and I couldn't access any Internet :). I removed it and just kept the DHCP pool settings, but I still didn't get an IP from the correct range.

So I guess it's very likely I have messed up that 2nd part. Does that need to be added to the services-start file?
 

Not sure what you mean by the '2nd' part?

If /etc/dnsmasq.conf now shows the lines from /jffs/configs/dnsmasq.conf.add, then if you issue

Code:
ifconfig

wl1.1 should show that the ifconfig statement was correctly executed to assign 192.168.51.1 to the interface.

Essentially we are trying to eliminate script issues by performing the configuration steps manually.

(No idea why you would refer to services-start?)
 
Ah geez what an idiot I am :) I'm a little embarrassed that I just didn't get what you were asking but now I see it was so clear!

Ok, so I added the dhcp scope to the dnsmasq.conf.add file and i could see that it transferred to the /etc/dnsmasq.conf file.

I manually ran the other commands that I previously referred to as the "2nd part" :). This gave me the following message after running "ifconfig wl1.1 192.168.51.1 netmask 255.255.255.0"

Code:
ifconfig wl1.1 192.168.51.1 netmask 255.255.255.0
ifconfig: SIOCSIFADDR: No such device

This seems like something didn't work right, but I am unsure what it means.

So I ran an ifconfig in PuTTY and got the results below. I never ran this before so I am unsure of what to compare this to, but by having 2 VLANs now, does that mean something worked? vlan2 doesn't appear to be sending or receiving any data.

Code:
br0       Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:14170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14490 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1113479 (1.0 MiB)  TX bytes:8088085 (7.7 MiB)

br0:0     Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          inet addr:169.254.39.9  Bcast:169.254.39.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth0      Link encap:Ethernet  HWaddr 00:23:14:B0:C1:B8
          inet addr:97.83.97.146  Bcast:97.83.99.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17268 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4022359 (3.8 MiB)  TX bytes:8511800 (8.1 MiB)
          Interrupt:180 Base address:0x5000

eth1      Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1400 errors:0 dropped:0 overruns:0 frame:428
          TX packets:3204 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:287780 (281.0 KiB)  TX bytes:829383 (809.9 KiB)
          Interrupt:163

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING MULTICAST  MTU:16436  Metric:1
          RX packets:161 errors:0 dropped:0 overruns:0 frame:0
          TX packets:161 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:19681 (19.2 KiB)  TX bytes:19681 (19.2 KiB)

vlan1     Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:13385 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14367 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1040860 (1016.4 KiB)  TX bytes:7888202 (7.5 MiB)

vlan2     Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
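`SIOCSIFADDR: No such device` is ifconfig reporting that the interface name does not exist, and the listing confirms it: br0, eth0, eth1, lo, vlan1 and vlan2 are present, but there is no wl1.1 for an address to land on or for dnsmasq to bind (the vlan entries are the wired switch VLANs, not a wireless interface). The parser below is an added example, not code from the original post, with function names of my own. It turns ifconfig output of the kind pasted above (used here as constructed sample input) into one line per interface so a script can check for the interface before touching it, and wraps the manual ifconfig step in that check; only the wrapper needs the router.

```shell
#!/bin/sh
# Added example (not from the original post): parse ifconfig output and check
# that an interface exists before assigning an address to it.

# ifaces_from_ifconfig: stdin = ifconfig output. Prints "<name> <inet addr or ->"
# per interface. A header line is one whose first word is followed by "Link encap:",
# which works whether or not the detail lines kept their indentation.
ifaces_from_ifconfig() {
    awk '
        /^[A-Za-z0-9_.:-]+[ \t]+Link encap:/ {
            if (name != "") print name, addr
            name = $1; addr = "-"
        }
        /inet addr:/ { sub(/.*inet addr:/, ""); split($0, f, " "); addr = f[1] }
        END { if (name != "") print name, addr }
    '
}

# iface_present NAME: stdin = ifconfig output. True when NAME is listed.
iface_present() {
    ifaces_from_ifconfig | awk -v n="$1" '$1 == n { found = 1 } END { exit !found }'
}

# assign_if_present NAME ADDR MASK: the manual step from the thread, but only after
# confirming the interface exists (ifconfig -a lists interfaces that are still down).
# Needs the router; not invoked below.
assign_if_present() {
    if ifconfig -a 2>/dev/null | iface_present "$1"; then
        ifconfig "$1" "$2" netmask "$3"
    else
        echo "$1 is not present; enable the guest network on that radio first" >&2
        return 1
    fi
}

# Constructed sample: the interface and address lines from the ifconfig output posted above.
SAMPLE_IFCONFIG=$(cat <<'EOF'
br0       Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

br0:0     Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          inet addr:169.254.39.9  Bcast:169.254.39.255  Mask:255.255.255.0

eth0      Link encap:Ethernet  HWaddr 00:23:14:B0:C1:B8
          inet addr:97.83.97.146  Bcast:97.83.99.255  Mask:255.255.252.0

eth1      Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

vlan1     Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

vlan2     Link encap:Ethernet  HWaddr 10:C3:7B:51:7D:B0
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
EOF
)

printf '%s\n' "$SAMPLE_IFCONFIG" | ifaces_from_ifconfig
printf '%s\n' "$SAMPLE_IFCONFIG" | iface_present wl1.1 \
    || echo "wl1.1 is not in this listing: ifconfig wl1.1 ... will fail with SIOCSIFADDR"
```

The same existence test is what the `while [ -z "$(ifconfig | grep ...)" ]` loop in wifi.sh performs for the tunnel; the guest interface deserves it too, because dnsmasq, ifconfig, ebtables and the ip rule all silently do nothing useful when the name they are given is not there.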
 