Guest networks and DHCP

[Skydoc]

Hi all,

Forgive me but I haven't lurked here before my first post! I have a question / observation regarding the way my Asus RT-N66U currently running Merlin 3.0.0.4.374.35_4 handles guest networks that deny access to the LAN.

I have an existing internal LAN which has a DHCP server that allocates in the 192.168.1.0 subnet and serves a default gateway on a UTM device on the perimeter. For wireless clients connected to the Asus who have access to the LAN I can turn off the Asus DHCP server and IP's are allocated to wireless clients from the existing LAN DHCP server.

The problem with this is if I turn off the Asus DHCP server, clients connecting to a guest SSID (without LAN access) wont see the LAN DHCP server and so don't get allocated an IP address.

My current solution is to run both DHCP servers, each with the same static IP addresses defined and each serving dynamic addresses from different ranges on the same (LAN) subnet. Why not simply close down the LAN DHCP server and use the Asus one? - simply because the default gateway on the LAN is different to the Asus, which wont allow a default gateway that isn't the Asus itself.

What would the ideal solution be? Well, please shoot me down if this isn't the neatest solution, but for me the ability to disable DHCP on the Asus LAN segment but be able to enable the DHCP server on each of the guest SSID instances so that clients connecting to them can obtain an IP - for me it wouldn't matter if this was in the LAN subnet because the wireless guests cant 'see' that subnet anyway, but if this was in a subnet unique to each guest wireless instance then this would also be OK because in restricted guest mode all the traffic just goes out over the Asus WAN port anyway.

I have tried to do this with dd-wrt but it seemed really tricky to set up and didn't work for me - I couldn't get any connectivity to the WAN from guest wireless connections, although they did get served unique IP addresses.

I was wondering if:

1) My current solution is technically viable given potential conflicts between the two DHCP servers (although I have tried to pre-empt these as far as possible).

2) If there is another, simpler work around that I'm missing?

3) If there is any chance that this DHCP functionality might make its way into the Merlin builds - I would have thought that running this wireless router on a LAN with an existing DHCP server was a pretty common situation?

Thanks in advance for any help, suggestions and comments - I'm just not capable enough with this sort of networking to be sure if I'm on the right track!

 

[sinshiva]

i have not tried this: with merlin + jffs enabled, you should be able to drop in a dnsmasq configuration to only run on whatever subinterface the guest ssid's use/create. you'd want to pull the existing config and make edits, as it will replace the old upon boot.

 

[seth_space]

Do you have the asus in AP mode or Router mode?

 

[Skydoc]

Thanks!

Hi sinshiva and seth_space thanks for your replies.

I currently have the Asus in router mode - because I need to route internet traffic from guests to the internet via its WAN port rather than over the LAN to the global gateway - because I don't want the guests to gave access to the LAN at all.

Modification of dnsmasq does seem the way to go, thanks sinshiva- in fact I have a configuration from my experiments with dd-wrt that went something like this:

interface=br4
dhcp-option=br4,3,192.168.70.1
dhcp-range=br1,192.168.70.120,192.168.70.150,255.255.255.0,24h
dhcp-option=6, 62.6.X.XX, 194.72.X.XX

The problem is that in the Asus SSH environment (and in the absence of SFTP - which makes these things easy ) I wasn't able to find the config files or determine the names of the interfaces. I'm assuming that the Merlin firmware uses dnsmasq out of the box for DHCP?

Im sure if someone could point me in the direction of the dnsmasq config and how to find out the names of the configured interfaces I could get this to work. You can see how this would be useful to have built into the Merlin GUI though cant you? - Even if it was hidden in a set of advanced options.

Thanks again for all your help.

 

[Skydoc]

Solved - running a DHCP server just for guests

So, sinshiva was absolutely right. For those of you who are having the same problem as I described this is actually not that hard to achieve it turns out. From a base Merlin build you don't need to add anything else - just need to be able to use Vi as an editor and read around the dnsmasq manual for the right syntax of the commands. In brief -

Activate jffs from the administration section of the web interface, and format on next boot. Reboot the router.

Make sure that you activate the SSH server - you need to connect to the router using SSH (I use bitvise SSH client but Putty is another option). Connect to the router using SSH with the username and password that you use for the web admin interface.

Then open the standard dnsmasq.conf file in /etc and use the content as a template. Dont modify this file - it will be overwritten at each boot.

Merlin provides a great alternative config structure. This is documented elsewhere but if you simply create your modified version of dnsmasq.cong in the /jffs/configs directory it will persist between reboots.

Next check the interfaces available by running ifconfig and you can see the bridge that they are attached to by running brctl show.

Lastly rewrite the dnsmasq.config file in /jffs/configs so that the DHCP server wont serve IP's to your LAN but will serve them to the virtual wireless interfaces of your guests (named something like wl0.1 or wl1.1 etc). An example is below:

pid-file=/var/run/dnsmasq.pid
user=nobody
resolv-file=/tmp/resolv.conf
no-poll
interface=wl0.1 << Lets use this virtual wireless interface as an example
bind-dynamic
min-port=4096
dhcp-lease-max=500 <<maximum number of permissable leases
domain=yourdomain
expand-hosts
no-negcache
cache-size=1500
dhcp-range=wl0.1,192.168.1.190,192.168.1.220,255.255.255.0,86400s << the scope of the ip's that will be allocated to this interface
dhcp-authoritative
dhcp-option=wl0.1,15,yourdomain
dhcp-option=wl0.1,3,192.168.XXX.XXX << your wireless gateway IP
dhcp-option=wl0.1,6,194.XXX.XXX.XXX,0.0.0.0 << your DNS servers
dhcp-option=wl0.1,44,192.168.XXX.XXX << your WinS server
read-ethers
addn-hosts=/etc/hosts.dnsmasq

Obviously remove my comments and use your own appropriate IP's.

Then save the file and reboot the router.

My outcome is that clients connected to the primary wireless network SSID's get access to the LAN and obtain their IP's from the pre-existing DHCP server and then have access to the LAN and WAN and those connecting to the guest SSID's get their IP's from dnsmasq as above and cant see any LAN resources. The only side effect, which I cant get to the bottom of, is that there is no display of the DHCP leases in the web interface - if anyone can solve that one for me I would be grateful!

Hope this helps and thanks again to sinshiva who set me on the right track.

 

[95coupe]

So are you running the asus as an AP/wireless router or are do you have other APs on the network? I am just in a similar situation but I am using the Asus as mainly a router that is driving DHCP for my 3 other APs and I am trying to create guest access. Right now they work great with just primary access and one ssid but I am trying to add 2 ssids and split the networks apart.

 

[Skydoc]

Multiple Access Points

Hi 95coupe
Im running in router mode with the wireless clients passing internet traffic either to the main gateway on the LAN or back out through the Asus WAN port. The solution that I describe should work fine in the situation that you describe though. Simply set up the guest networks and then set the DHCP server as I describe and connect your cascaded wireless routers to the guest nodes.
There are more sophisticated ways of doing this but this should work.

 

[95coupe]

great! I will give it a shot tonight and see what I can come up with.

 

[95coupe]

How are you guys logging into the router to do the Vi edits? I am used to just using putty/zterm or screen. Any advice?

 

[JRusso]

So, sinshiva was absolutely right. For those of you who are having the same problem as I described this is actually not that hard to achieve it turns out. From a base Merlin build you don't need to add anything else - just need to be able to use Vi as an editor and read around the dnsmasq manual for the right syntax of the commands. In brief -

Activate jffs from the administration section of the web interface, and format on next boot. Reboot the router.

Make sure that you activate the SSH server - you need to connect to the router using SSH (I use bitvise SSH client but Putty is another option). Connect to the router using SSH with the username and password that you use for the web admin interface.

Then open the standard dnsmasq.conf file in /etc and use the content as a template. Dont modify this file - it will be overwritten at each boot.

Merlin provides a great alternative config structure. This is documented elsewhere but if you simply create your modified version of dnsmasq.cong in the /jffs/configs directory it will persist between reboots.

Next check the interfaces available by running ifconfig and you can see the bridge that they are attached to by running brctl show.

Lastly rewrite the dnsmasq.config file in /jffs/configs so that the DHCP server wont serve IP's to your LAN but will serve them to the virtual wireless interfaces of your guests (named something like wl0.1 or wl1.1 etc). An example is below:

pid-file=/var/run/dnsmasq.pid
user=nobody
resolv-file=/tmp/resolv.conf
no-poll
interface=wl0.1 << Lets use this virtual wireless interface as an example
bind-dynamic
min-port=4096
dhcp-lease-max=500 <<maximum number of permissable leases
domain=yourdomain
expand-hosts
no-negcache
cache-size=1500
dhcp-range=wl0.1,192.168.1.190,192.168.1.220,255.255.255.0,86400s << the scope of the ip's that will be allocated to this interface
dhcp-authoritative
dhcp-option=wl0.1,15,yourdomain
dhcp-option=wl0.1,3,192.168.XXX.XXX << your wireless gateway IP
dhcp-option=wl0.1,6,194.XXX.XXX.XXX,0.0.0.0 << your DNS servers
dhcp-option=wl0.1,44,192.168.XXX.XXX << your WinS server
read-ethers
addn-hosts=/etc/hosts.dnsmasq

Obviously remove my comments and use your own appropriate IP's.

Then save the file and reboot the router.

My outcome is that clients connected to the primary wireless network SSID's get access to the LAN and obtain their IP's from the pre-existing DHCP server and then have access to the LAN and WAN and those connecting to the guest SSID's get their IP's from dnsmasq as above and cant see any LAN resources. The only side effect, which I cant get to the bottom of, is that there is no display of the DHCP leases in the web interface - if anyone can solve that one for me I would be grateful!

Hope this helps and thanks again to sinshiva who set me on the right track.

Thank you for posting this. I ran into the same issue yesterday. However when I followed your instructions I got an error in the log when dnsmasq started saying wl0.1 does not exist and dhcp would fail to work on the guest network. I ran brctl show and it is there. Any thoughts on why I would receive that error?

 

[JRusso]

How are you guys logging into the router to do the Vi edits? I am used to just using putty/zterm or screen. Any advice?

I used putty.

 

[mecasull]

Solved - running a DHCP server just for guests

So, sinshiva was absolutely right. For those of you who are having the same problem as I described this is actually not that hard to achieve it turns out. From a base Merlin build you don't need to add anything else - just need to be able to use Vi as an editor and read around the dnsmasq manual for the right syntax of the commands. In brief -

Activate jffs from the administration section of the web interface, and format on next boot. Reboot the router.

Make sure that you activate the SSH server - you need to connect to the router using SSH (I use bitvise SSH client but Putty is another option). Connect to the router using SSH with the username and password that you use for the web admin interface.

Then open the standard dnsmasq.conf file in /etc and use the content as a template. Dont modify this file - it will be overwritten at each boot.

Merlin provides a great alternative config structure. This is documented elsewhere but if you simply create your modified version of dnsmasq.cong in the /jffs/configs directory it will persist between reboots.

Next check the interfaces available by running ifconfig and you can see the bridge that they are attached to by running brctl show.

Lastly rewrite the dnsmasq.config file in /jffs/configs so that the DHCP server wont serve IP's to your LAN but will serve them to the virtual wireless interfaces of your guests (named something like wl0.1 or wl1.1 etc). An example is below:

pid-file=/var/run/dnsmasq.pid
user=nobody
resolv-file=/tmp/resolv.conf
no-poll
interface=wl0.1 << Lets use this virtual wireless interface as an example
bind-dynamic
min-port=4096
dhcp-lease-max=500 <<maximum number of permissable leases
domain=yourdomain
expand-hosts
no-negcache
cache-size=1500
dhcp-range=wl0.1,192.168.1.190,192.168.1.220,255.255.255.0,86400s << the scope of the ip's that will be allocated to this interface
dhcp-authoritative
dhcp-option=wl0.1,15,yourdomain
dhcp-option=wl0.1,3,192.168.XXX.XXX << your wireless gateway IP
dhcp-option=wl0.1,6,194.XXX.XXX.XXX,0.0.0.0 << your DNS servers
dhcp-option=wl0.1,44,192.168.XXX.XXX << your WinS server
read-ethers
addn-hosts=/etc/hosts.dnsmasq

Obviously remove my comments and use your own appropriate IP's.

Then save the file and reboot the router.

My outcome is that clients connected to the primary wireless network SSID's get access to the LAN and obtain their IP's from the pre-existing DHCP server and then have access to the LAN and WAN and those connecting to the guest SSID's get their IP's from dnsmasq as above and cant see any LAN resources. The only side effect, which I cant get to the bottom of, is that there is no display of the DHCP leases in the web interface - if anyone can solve that one for me I would be grateful!

Hope this helps and thanks again to sinshiva who set me on the right track.

Dragging up an old topic...

I used a nearly identical configuration file, verifying via ifconfig that the guest network I was trying to assign dhcp leases to was wl0.1, went and assigned dns servers to Google 8.8.8.8, 8.8.4.4... Defined the range of IP addresses I wanted to make available....

Then I load into the /jffs/configs directory, reboot, verify that after reboot the dnsmasq.conf file in /etc is overwritten...

Nothing. My device hangs trying to acquire an IP address from the router. On LAN settings, dhcp is on.

Any ideas??

 

[babgvant]

Just curious if this is still the best solution to this problem. I have run across it myself recently.

Thanks

 

[babgvant]

I haven't been able to get it to work. With this I don't get DHCP on the guest network.

pid-file=/var/run/dnsmasq.pid
user=nobody
interface=wl0.1
interface=ppp1*
bind-dynamic
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
domain=domain.local
expand-hosts
bogus-priv
local=/ibhungry.local/
dhcp-range=wl0.1,192.168.2.100,192.168.2.150,255.255.255.0,21600s
dhcp-option=wl0.1,3,192.168.2.1
dhcp-option=wl0.1,6,208.122.23.23,208.122.23.22,0.0.0.0
dhcp-option=wl0.1,15,domain.local
dhcp-option=wl0.1,44,192.168.2.1
dhcp-option=wl0.1,252,"\n"
dhcp-authoritative
read-ethers
addn-hosts=/etc/hosts.dnsmasq
interface=tun21

Also tried with "interface=br0", which provides DHCP on guest and normal wireless.

Adding "no-dhcp-interface=br0" (which I didn't expect to fix it) after that puts it back in the no DHCP state.

Anyone know what the problem is?

 

[TechLifeWeb]

Hmmm... same issues. I just tried enabling Guest Networking on my AC66U and I can't connect to it which brought me here via Google. I am running one of Merlin's builds so I should probably double check what version.

 

[SirAce135]

Hello! I have finally quit lurking and made an account lol I honestly wonder how many hundreds of thousands of people lurk on these forums without ever posting

I am really sorry to dredge up a really old thread, but this is EXACTLY my same situation and am I really trying hard to make this work.

I tried the detailed info kindly shared by Skydoc but for some reason my dnsmasq.conf file seems to be deleted after reboot.

I am running an ASUS AC5300 with Merlin 380.61.

Thanks a ton in advance for the help

 

[ColinTaylor]

but for some reason my dnsmasq.conf file seems to be deleted after reboot.

What directory is your file in? If it's /etc then that's to be expected (as explained in post #5).

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

 

[SirAce135]

What directory is your file in? If it's /etc then that's to be expected (as explained in post #5).

https://github.com/RMerl/asuswrt-merlin/wiki/Custom-config-files

Thanks for the quick reply

I am fairly new to this interface, haven't done command line editing in quite some time so I will be as detailed as possible.

In the terminal window I used the following commands:

cd /etc
cp dnsmasq.conf /jffs/configs/dnsmasq.conf
cd /jffs/configs
vi dnsmasq.conf
{edited the file as intructed}
:wq


In my mind this shouldve made a copy of the config file in the correct directory and then once edited it would've saved and quit the changes.


Secondary question, when I run the ifconfig command I see bro1 on the left, and on the right I see vlan, wl0.1, wl1.1. How do I know which is the guest network? I am broadcasting 3 total SSID's 1x 2.4ghz, and 2x 5ghz. I am also broadcasting 2 guest networks, one on each band.

Thanks again!

 

[SirAce135]

That custom config files link you mentioned is pretty awesome, certainly help clear up some questions I had. I REALLY like the idea of post conf scripts. Can this process be achieved using post conf scripts? I would think it would be a bit more flexible and quite honestly newbie proof that way lol.

 

[ColinTaylor]

It looks like you are creating the dnsmasq.conf file correctly. You said it is deleted after the reboot. Do you mean that it no longer exists in /jffs/configs? How are you checking? You haven't set the GUI option to reformat the JFFS partition?

Are you sure you're issuing the ifconfig command, the output seems wrong, more like the output of "brctl show"?

I don't have the same hardware as you so my interface names are a bit different, but generally..

eth1 = 2.4GHz non-guest
wl0.x = 2.4GHz guest networks
eth2 = 5GHz non-guest
wl1.x = 5GHz guest networks

Yes it probably could be done better with postconf scripts, but for the moment try and get what you've got working.