Hi Fitz Mutch (or anyone interested),
I've been digging into it and found some interesting things... First, it's a little strange... After reboot, I can see the "broute" is ok, but iptables does not have any "wl0.1" rules in it, despite my having "service restart_dnsmasq" at the bottom of my /jffs/scripts/services-start... But I can manually run "service restart_dnsmasq", and I now do that after reboot until I have a solution. My script now looks something like this (I think this is very nice):
Code:
wrt54g@router:/jffs/scripts# cat dnsmasq.postconf
#!/bin/sh
# -------------
WRLSS_IF=wl0.1 # Name of the wireless interface that will be used.
WRLSS_IF_NETMASK=255.255.255.0 # Netmask of the wireless network to be added.
WRLSS_IF_NTWK_ADDR=172.16.0.0 # Network address of the wireless network (not used below).
WRLSS_IF_INET_ADDR=172.16.0.1 # IP address that will be assigned to the wireless interface.
LS_START=172.16.0.100 # Start address of leases. This needs to be within the same network as above.
LS_END=172.16.0.250 # End address of leases. This needs to be within the same network as above.
DHCP_OPT1=3 # dnsmasq option to specify router.
LS_TIME=86400s # Duration of the dhcp leases.
# -------------
CONFIG=$1 # Path of the dnsmasq.conf being generated; the firmware passes it to every dnsmasq.postconf.
. /usr/sbin/helper.sh
logger "dnsmasq-dhcp: Configure $WRLSS_IF to have special DHCP"
ifconfig $WRLSS_IF $WRLSS_IF_INET_ADDR netmask $WRLSS_IF_NETMASK
# Accept everything from the guest interface to the router itself.
# (Note: this also lets guests reach the router's admin services, not only DHCP/DNS.)
IPT_RULE1="-I INPUT -i $WRLSS_IF -j ACCEPT"
# iptables-save shows an inserted rule as "-A INPUT ..."; only add it when it is not there yet.
if [ -n "$IPT_RULE1" ] && [ "$(iptables-save | grep -c -- "-A INPUT -i $WRLSS_IF -j ACCEPT")" -eq 0 ]; then
    iptables $IPT_RULE1
fi
# ============================================
# Take IPv4 frames from the guest interface out of the bridge so they are routed instead of switched.
EBT_RULE1="-p IPv4 -i $WRLSS_IF -j DROP"
if [ -n "$EBT_RULE1" ] && [ "$(ebtables -t broute -L BROUTING | grep -c -- "$EBT_RULE1")" -eq 0 ]; then
    ebtables -t broute -I BROUTING $EBT_RULE1
fi
# ----------------
# Append the guest DHCP settings to the config file dnsmasq is about to load.
pc_append "
log-dhcp
log-queries
interface=$WRLSS_IF
dhcp-range=$WRLSS_IF,$LS_START,$LS_END,$WRLSS_IF_NETMASK,$LS_TIME
dhcp-option=$WRLSS_IF,$DHCP_OPT1,$WRLSS_IF_INET_ADDR
dhcp-option=$WRLSS_IF,6,8.8.8.8,8.8.4.4
log-async=5
" "$CONFIG"
I'm 100% sure now that something is wrong with my ARP packets, and I think I need a little help interpreting the below and fixing my script (maybe it's something with broute, I think so). Please read my findings and explanation. From Wireshark, I notice the behaviour below, by comparing what happens when I take my (Samsung) phone and connect to a non-guest SSID (this works) and later to the guest SSID (this doesn't work; this is where I'm trying to make my script work):
The non-guest SSID-capture...
1. On the working (=non-guest) SSID, first two DHCP packets (Discover followed by Request) are sent: source address is 0.0.0.0 and destination is 255.255.255.255.
2. Then Wireshark doesn't show source 0.0.0.0 anymore; this time it sends an ARP broadcast packet, and source is SamsungE_(last 3 bytes of MAC address), destination is "Broadcast". In the info field it says: "Who has 192.168.1.1? Tell 192.168.1.241", and the latter is the IP address assigned later on.
3. Then the Samsung phone sends out 5-6 packets using the MDNS protocol (I have no idea what it's doing).
4. Then the Samsung phone sends out a few SSDP packets (still, I don't know what this is).
5. There's also something called "Router Solicitation" using the ICMPv6 protocol (I don't know what this is; probably it's normal, I guess).
6. I can browse the internet from the Samsung phone - everything is ok, so no need to include more capture info...
Now, compare this with the guest SSID-capture:
1. On the guest SSID, again first two DHCP packets (Request followed by ACK) are sent: source address is 0.0.0.0 and destination is again 255.255.255.255.
2. As above, after the ARP broadcast packet, source is SamsungE_(last 3 bytes of MAC address), destination is "Broadcast". In the info field it says: "Who has 172.16.0.1? Tell 172.16.0.119", and the latter is the IP address assigned later on.
3. As (3) above, but it only sends out 3 MDNS packets.
4a. The ARP messages are interesting, I think: in my packet 31 the Samsung phone says: "Who has 172.16.0.1? Tell 172.16.0.119" - so it's looking for the router MAC address, right (172.16.0.1)?
4b. Then in packet 33, AsustekC_cb:40:41 (the router, I guess; this matches the HWaddr below from ifconfig) says: "Who has 172.16.0.119? Tell 172.16.0.1".
wl0.1 Link encap:Ethernet HWaddr XX:XX:XX:CB:40:41
inet addr:172.16.0.1 Bcast:172.16.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:4241 errors:0 dropped:0 overruns:0 frame:203446
TX packets:2410 errors:3 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:196616 (192.0 KiB) TX bytes:195658 (191.0 KiB)
4c. In packet 34, the Samsung phone sends an ARP broadcast: "Who has 172.16.0.1? Tell 172.16.0.119".
4d. In packet 38, the AsustekC router sends ARP: "Who has 172.16.0.119? Tell 172.16.0.1".
4e. In packet 39, Samsung sends ARP: "172.16.0.119 is at ....:3f" - the MAC address.
4f. In packet 40, Samsung sends ARP: "Who has 172.16.0.1? Tell 172.16.0.119" - the Samsung phone is looking for the router MAC address, right?
4g. Then I have 2 MDNS, 1 ICMPv6 and 1 SSDP packets; I think these can be ignored.
4h. In packet 45, the AsustekC router sends ARP: "Who has 172.16.0.119? Tell 172.16.0.1".
4i. In packet 46, Samsung sends ARP: "172.16.0.119 is at ..... MAC address" - exactly as packet 39, so packets must have been lost, right?
4j. In packet 52, Samsung sends ARP exactly as packet 40, so packets must have been lost, right?
4k. In packets 55, 57, 63, 65, 67 and 73: all are exactly as packets 52 and 40, i.e. Samsung sends ARP: "Who has 172.16.0.1? Tell 172.16.0.119" - the Samsung phone is looking for the router MAC address, right? But it doesn't receive any answer (I'm guessing), right or not?
...
So - something is wrong with my ARP packets; it's like they're not correctly being sent to the router? I also need to ask you experts: when I use dnsmasq for this, is it correct that the router on the new "guest LAN" should see my router on 172.16.0.1, which is the address of interface wl0.1? Or do I need to broute DROP or something (to take ARP packets from wl0.1 to the bridge interface), or maybe use my router address 192.168.1.1 somewhere in this config file? Also, please notice that I got errors from ifconfig on wl0.1, i.e. "TX packets:2410 errors:3 dropped:0 overruns:0 carrier:0", so something is clearly wrong... I just don't know exactly what is wrong... Please help with ideas/suggestions, thanks!
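Since the open question in the post is whether ARP has to be taken out of the bridge too, here is an added example of a guest-network hook written for this thread; it is not the poster's dnsmasq.postconf and not code from the Merlin firmware. It routes both IPv4 and ARP from wl0.1 (a broute DROP on IPv4 alone leaves ARP bridged into br0, where 172.16.0.1 does not exist, so the client's "who has 172.16.0.1" is never answered on wl0.1), restricts what guests may reach on the router itself to DHCP and DNS, keeps them off the LAN, and NATs them to the WAN. Assumptions, all mine: the guest radio is wl0.1 inside bridge br0, the LAN is 192.168.1.0/24, the WAN interface comes from `nvram get wan0_ifname` (eth0 is only a fallback for running the dry run elsewhere), iptables supports `-C` (1.4.11 or newer), and the chain names GUESTIN and GUESTFWD are made up for this example.

```shell
#!/bin/sh
# Added example, not the poster's script: guest-Wi-Fi isolation for an
# ASUSWRT-Merlin style router. Assumed: guest radio wl0.1 is a port of br0,
# LAN is 192.168.1.0/24, iptables supports -C (1.4.11+), WAN name comes from
# `nvram get wan0_ifname` (eth0 is a fallback for dry runs off the router).
GUEST_IF="${GUEST_IF:-wl0.1}"
GUEST_ADDR="${GUEST_ADDR:-172.16.0.1}"
GUEST_MASK="${GUEST_MASK:-255.255.255.0}"
GUEST_NET="${GUEST_NET:-172.16.0.0/24}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}"

# Print the commands that build the rules, one per line, so they can be read
# (dry run) or piped to `sh -e` to apply. Every line is safe to re-run.
guest_rules() {
    # L3 address lives on the guest interface itself, not on br0.
    echo "ifconfig $GUEST_IF $GUEST_ADDR netmask $GUEST_MASK up"

    # broute DROP means "do not bridge this frame, hand it to the IP stack".
    # IPv4 alone is not enough: ARP is its own ethertype, and if it stays
    # bridged the guest's ARP request for $GUEST_ADDR is seen on br0, where
    # that address does not exist, so the guest never learns the router MAC.
    for proto in IPv4 ARP; do
        echo "ebtables -t broute -L BROUTING | grep -q -- '-p $proto -i $GUEST_IF -j DROP' || ebtables -t broute -I BROUTING -p $proto -i $GUEST_IF -j DROP"
    done

    # Traffic TO the router: only DHCP and DNS, nothing else (no web UI, no SSH).
    # The chain is flushed and rebuilt each run, so no per-rule existence checks.
    echo "iptables -N GUESTIN 2>/dev/null || true; iptables -F GUESTIN"
    echo "iptables -A GUESTIN -p udp --dport 67 -j ACCEPT"
    echo "iptables -A GUESTIN -p udp --dport 53 -j ACCEPT"
    echo "iptables -A GUESTIN -p tcp --dport 53 -j ACCEPT"
    echo "iptables -A GUESTIN -j DROP"
    echo "iptables -C INPUT -i $GUEST_IF -j GUESTIN 2>/dev/null || iptables -I INPUT -i $GUEST_IF -j GUESTIN"

    # Traffic THROUGH the router: replies back in, nothing to the LAN, rest to WAN.
    echo "iptables -N GUESTFWD 2>/dev/null || true; iptables -F GUESTFWD"
    echo "iptables -A GUESTFWD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A GUESTFWD -i $GUEST_IF -d $LAN_NET -j DROP"
    echo "iptables -A GUESTFWD -i $GUEST_IF -o $WAN_IF -j ACCEPT"
    echo "iptables -A GUESTFWD -j DROP"
    echo "iptables -C FORWARD -i $GUEST_IF -j GUESTFWD 2>/dev/null || iptables -I FORWARD -i $GUEST_IF -j GUESTFWD"
    echo "iptables -C FORWARD -o $GUEST_IF -j GUESTFWD 2>/dev/null || iptables -I FORWARD -o $GUEST_IF -j GUESTFWD"

    # Guests share the router's WAN address.
    echo "iptables -t nat -C POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
}

if [ "${GUEST_APPLY:-0}" = "1" ]; then
    guest_rules | sh -e   # on the router: GUEST_APPLY=1 sh guest-net.sh
else
    guest_rules           # default: dry run, only print the commands
fi
```

Run it without GUEST_APPLY first and read the output; that is exactly what will be executed on the router. On Merlin the iptables part belongs in /jffs/scripts/firewall-start rather than services-start, because a firewall restart rebuilds the tables and discards rules added earlier (which matches the "no wl0.1 rules after reboot" observation); the ifconfig and ebtables lines can stay in the dnsmasq hook. The INPUT chain above only admits UDP 67 and 53/TCP+UDP, so dnsmasq must actually listen on wl0.1 (the `interface=wl0.1` line in the poster's config does that) and guests cannot reach the admin UI or SSH on 172.16.0.1.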