Custom DNS for Guest Network Possible?

pjd50

Regular Contributor
Set-up: RT-AC68U running 386.12_4 (Router) connected to one other RT-AC68U running 386.12_4 (AiMesh Node) via Ethernet Backhaul
Connected to this Router is a Synology NAS, running AdGuard Home

Goal: I want to create a VLAN for all the IoT devices in my house. I don't want the devices connected to this VLAN to be able to access the intranet (or, better articulated, I don't want them to "see" my connected computers, phones, etc.), and additionally, I want to use a custom DNS on the VLAN that points to the AdGuard Home instance running on docker/portainer on the Synology NAS. Essentially, I want security by ensuring the IoT devices are (1) on a "separate network" from other devices in the home and (2) filtered by a rather strict AdGuard Home blocking list instance.

A couple of summary points:

1. I can't use YazFi; that's out the window because I am using AiMesh, and YazFi does NOT support AiMesh
2. The only way to create a "VLAN" (as far as I can tell) that is compatible with AiMesh is to use ASUS' built-in "Guest WiFi" network option
3. Initially, my guest Wi-Fi network was not working (no internet access); after some searching, I found a solution (for anyone else still looking):
SSH into your router and run the following command:
Code:
# Tag VLAN 501 (the guest VLAN) on switch ports 1-4, 7 and 8 ("t" = tagged) so it is carried over the wired backhaul; the linked threads explain why this is needed
robocfg vlan 501 ports "1t 2t 3t 4t 7t 8t"
(see: https://www.snbforums.com/threads/rt-ac68p-fios-wan-dropouts-on-386-x.73214/page-2#post-727742 and https://www.snbforums.com/threads/asuswrt-merlin-386-2_6-is-now-available.72962/page-10#post-696360 for an explanation on why this fix is required)

EDIT/Update: Although the above command fixed things, it did so only temporarily. When I woke up today, had the same issue with no internet access on the Guest WiFi network. I found a thread somewhere saying it had to do with "the first device connecting to this network" causing an issue, but it was a bit over my head/complex and I didn't think it would be worth chasing down...


Okay, great, now I have (1) my private wifi network broadcasting for my own devices and (2) a guest wifi I will use for IoT devices, and both networks can connect to the internet
  • My "private" LAN is 192.168.75.1 (RT-AC68U Router IP Address)
  • My Synology is at 192.168.75.100 (where AdGuard Home is running and the address it is "listening to" - running on docker/portainer)
  • My "guest" LAN/wifi network has a (default) address of 192.168.101.1
The problem: Perhaps as an unintended consequence, devices connecting to the "Guest/IoT Wifi" see a router IP address and DNS of 192.168.101.1 and are assigned an IP address of 192.168.101.x, and as far as I can tell, do not get filtered by the AdGuard Home DNS server running on 192.168.75.100. I am not able to manually configure the DNS server of the Guest WiFi (and point it to 192.168.75.100), which seems to be an option for ASUS Routers with "Guest Network Pro":

https://www.asus.com/support/FAQ/1049414/ (see the screenshots in that FAQ)


My question: Is it possible to set the DNS server of the ASUS Guest Network 1 to that of the AdGuard Home running on the Synology (192.168.75.100) rather than the Guest Network DNS default of 192.168.101.1 (even if I have to do so through commands/a script via SSH, rather than the Router WebUI)?

Hopefully, my question made sense, and I appreciate any help or insight!

EDIT/Update: I was reading a bunch of other threads, and it seems what I am trying to achieve is impossible. By the very fact the Guest Network has its own subnet and is separate from the Trusted Network, there is no way it can connect to a DNS server (AdGuard Home) running on the Trusted Network. I think this ASUS PRO option only lets you connect to a PUBLIC DNS server (e.g., Cloudflare) instead of its own "router, ISP-provided" DNS.
 
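The post above concludes that a guest subnet cannot use a resolver on the trusted LAN. As an added example (not code from this thread, from ASUS, or from Asuswrt-Merlin), the following shows how the two halves of that request would be expressed on an Asuswrt-Merlin router: a dnsmasq fragment that hands guest DHCP clients option 6 (DNS server) pointing at the NAS, plus a firewall exception that lets guest clients reach only port 53 on the NAS while every other guest-to-LAN path stays blocked. The bridge name br1 for Guest Network 1, the addresses 192.168.101.0/24, 192.168.75.0/24 and 192.168.75.100, and the use of the /jffs/configs/dnsmasq.conf.add and /jffs/scripts/firewall-start hooks are assumptions; the script has not been verified on the AiMesh setup described in the post.

```shell
#!/bin/sh
# Added example, not code from the thread or from ASUS/Asuswrt-Merlin.
# Hands Guest Network clients the AdGuard Home resolver on the main LAN as
# their DNS server while keeping every other guest -> LAN path blocked.
#
# Assumptions (check on your own router with `ip addr` and `iptables -S FORWARD`):
#   - Guest Network 1 is bridged as br1 on 192.168.101.0/24 (hypothetical name)
#   - AdGuard Home listens on 192.168.75.100:53 on the main LAN 192.168.75.0/24
#   - Asuswrt-Merlin's JFFS custom scripts/configs are enabled so that
#     /jffs/configs/dnsmasq.conf.add and /jffs/scripts/firewall-start are honoured

GUEST_IF="${GUEST_IF:-br1}"
GUEST_NET="${GUEST_NET:-192.168.101.0/24}"
LAN_NET="${LAN_NET:-192.168.75.0/24}"
DNS_IP="${DNS_IP:-192.168.75.100}"

# dnsmasq fragment: DHCP option 6 (DNS server) only for leases handed out on the
# guest interface (dnsmasq accepts the interface name as the tag); the main LAN
# keeps whatever DNS the router already advertises.
dnsmasq_fragment() {
    printf 'dhcp-option=%s,6,%s\n' "$GUEST_IF" "$DNS_IP"
}

# Firewall rules, emitted in the order they must be applied. Each filter rule
# uses -I so it lands ahead of the firmware's own guest-isolation rules: the
# DROP is inserted first, then the two ACCEPTs are inserted above it, giving
#   ACCEPT tcp/53 -> NAS, ACCEPT udp/53 -> NAS, DROP guest -> LAN, <firmware rules>
# The two nat rules catch IoT devices that ignore DHCP and talk to a hard-coded
# public resolver on plain port 53 and redirect them to AdGuard Home as well.
firewall_rules() {
    cat <<EOF
iptables -I FORWARD -i $GUEST_IF -s $GUEST_NET -d $LAN_NET -j DROP
iptables -I FORWARD -i $GUEST_IF -s $GUEST_NET -d $DNS_IP -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -i $GUEST_IF -s $GUEST_NET -d $DNS_IP -p tcp --dport 53 -j ACCEPT
iptables -t nat -I PREROUTING -i $GUEST_IF -s $GUEST_NET ! -d $DNS_IP -p udp --dport 53 -j DNAT --to-destination $DNS_IP
iptables -t nat -I PREROUTING -i $GUEST_IF -s $GUEST_NET ! -d $DNS_IP -p tcp --dport 53 -j DNAT --to-destination $DNS_IP
EOF
}

# Self-check of the generated rule set: exactly one DROP, emitted first so that
# -I ordering leaves it below the ACCEPTs; two ACCEPTs; two DNAT redirects.
rules_look_sane() {
    rules=$(firewall_rules)
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j DROP')" -eq 1 ] || return 1
    printf '%s\n' "$rules" | head -n 1 | grep -q -- '-j DROP' || return 1
    [ "$(printf '%s\n' "$rules" | grep -c -- '--dport 53 -j ACCEPT')" -eq 2 ] || return 1
    [ "$(printf '%s\n' "$rules" | grep -c -- '-j DNAT')" -eq 2 ] || return 1
    return 0
}

# Install on the router only when explicitly asked and only if JFFS is present,
# so that sourcing this file elsewhere never touches anything.
install_config() {
    rules_look_sane || { echo "generated rules failed self-check" >&2; return 1; }
    dnsmasq_fragment >> /jffs/configs/dnsmasq.conf.add
    {
        printf '#!/bin/sh\n'
        firewall_rules
    } > /jffs/scripts/firewall-start
    chmod a+rx /jffs/scripts/firewall-start
    service restart_dnsmasq
    service restart_firewall
}

if [ "${1:-}" = "install" ] && [ -d /jffs ]; then
    install_config
fi
```

After installing, renew a lease on a guest client and confirm that `nslookup example.com` answers from 192.168.75.100 and that the query shows up in the AdGuard Home query log with a 192.168.101.x client address; if AdGuard restricts "Allowed clients", or the Docker container only publishes port 53 on a specific interface, the guest subnet has to be admitted there too. The DNAT rules only cover plain port-53 DNS; devices that use DNS-over-HTTPS or DNS-over-TLS to a public resolver still bypass the filter, and the NAS itself remains reachable from the guest network on port 53 only.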
Goal: I want to create a VLAN for all the IoT devices in my house. I don't want the devices connected to this VLAN to be able to access the intranet, and additionally, I want to use a custom DNS on the VLAN that points to the AdGuard Home instance running on docker/portainer on the Synology NAS.
You have conflicting goals unless you're okay with the NAS not available on the intranet, methinks.
 
You have conflicting goals unless you're okay with the NAS not available on the intranet, methinks.
Good point. I guess it's one or the other then? Option 1: Guest network VLAN "isolated" from the normal network or Option 2: Put the IoT devices on the same network as all other devices, and just rely on a good blocking list/filtering list?

Just trying to make sense of the screenshots I showed, where presumably with ASUS Pro, you could have a Guest network withOUT intranet and with a separate DNS:

1. Create/select a guest network pro on the list.

2. Click [Advanced settings].

3. Disable [Connect to DNS server automatically], and [assign] a DNS server you want, or you can input a customized DNS server.

4. Click [Apply] to save the setting.
 
Yeah, but with the separate DNS server /not/ on the /excluded/ LAN.
The DNS server lives on the Synology. It's plugged via ethernet into the ASUS Router. I can't connect the Synology to the Guest Wifi, can I?

Isn't there also "Client Isolation" which would prevent the devices on the Guest Network from seeing the DNS server on the Synology, even if I could achieve this?
 
I guess the only other option would be to set-up a pi-hole on a different device (raspberrypi) and have it connected and dedicated to the guest WiFi?
 
Yes, (to the second post above) you could put the NAS on guest. And you can isolate guest from main, but IOT's don't need NAS, do they (unless it's /for/ cameras or something)? I can't readily think of a way to have the NAS that way be available to both (isolated) networks unless it's got two network interfaces.
 
Thanks @glens. I guess what you're saying makes sense. No, I don't want the IoT devices to have access to the NAS per se - just the Ad-Blocking DNS server that's being run on the NAS (I see the contradiction within this sentence! :p)

I suppose my only lingering question (maybe someone else who is familiar with the newer Asus "PRO" devices could confirm?), is whether or not what I described is possible (see screenshots and post here: https://www.asus.com/support/FAQ/1049414/) with newer routers? With the screenshot... "Guest Network Pro" - it certainly looks like you can manually change the DNS server ... (but maybe this is a complex answer where the Guest Network on the RT-AC68U is not at all equivalent to the VLANs/Guest Wifi Pro on newer routers)...
 
Hey, it might be possible, don't rightly know.

I just figured /that/ DNS assignment would be something (else) the other side of the router.
 
Thanks, @glens. I played around with a lot of stuff, and in the end, I think I'm just going to turn off the Guest WiFi. Despite the "fix" I posted above, it would simply drop its internet connection too often.

It's possible the newer ASUS Routers (PRO models) have proper VLAN management options for IoT devices, but it still looks early and in-development.

AiMesh adds a whole extra layer of complexity and I don't think ASUS has it completely figured out yet (AiMesh Network that also broadcasts a guest network / VLAN).

I'll just use my standard 2.4GHz and 5.0GHz WiFi bands, and hope it isn't too much of an issue that the IoT device (Ring cams, Nest etc.) can "see" my computers, phone, NAS etc.

Perhaps AdGuard Home + SkyNet is giving me a bit more security (hopefully not a "false one!").
 
I'm curious too about this if we can assign a different DNS from the DHCP table to a device that is in the list but connected to Guest WiFi. Firmware current in use is 3004.388.4

I still have an issue with the garage door opener. 2 days ago I thought I found the issue by reading a post on reddit saying that DNS-over-TLS was the issue and to manually assign a DNS to it to solve the issue so I did that but today I still see on my phone that I can't control the door.

My only hope is that the manually assigned DNS does not work for devices connected on Guest WiFi. Why it's on the Guest WiFi is only because at first I thought the issue was the fact I now use WPA3/WPA2 so I created a Guest WPA2 only to connect the garage door but that didn't help and left it on Guest still trying to solve the issue.

So if I move it back on regular Wifi and kill the Guest WiFi do you think it will finally work 100% like it was on my previous router?
 
I'm curious too about this if we can assign a different DNS from the DHCP table to a device that is in the list but connected to Guest WiFi. Firmware current in use is 3004.388.4

I still have an issue with the garage door opener. 2 days ago I thought I found the issue by reading a post on reddit saying that DNS-over-TLS was the issue and to manually assign a DNS to it to solve the issue so I did that but today I still see on my phone that I can't control the door.

My only hope is that the manually assigned DNS does not work for devices connected on Guest WiFi. Why it's on the Guest WiFi is only because at first I thought the issue was the fact I now use WPA3/WPA2 so I created a Guest WPA2 only to connect the garage door but that didn't help and left it on Guest still trying to solve the issue.

So if I move it back on regular Wifi and kill the Guest WiFi do you think it will finally work 100% like it was on my previous router?
Try killing the Guest WiFi and test it out... I have a feeling it will work 100%
 
Try killing the Guest WiFi and test it out... I have a feeling it will work 100%
Exactly what I did 10 minutes ago after getting back from work. It took over 5 minutes for it to connect to internet, I don't know why but now it's done so I really hope this time is the good one.
 
Exactly what I did 10 minutes ago after getting back from work. It took over 5 minutes for it to connect to internet, I don't know why but now it's done so I really hope this time is the good one.
Does garage door opener work now?
 
Does garage door opener work now?
It always works after a new setup or reset, but after a few hours or days the app on our phone stops working because the box is no longer connected to the router, for a reason I don't know. I hope it was the DoT I enabled after getting the new router, and that the DNS bypass will make it work flawlessly now, just like before on the old router.
 
It stopped working again. But yesterday I opened port 8883, so I hope it was only that. I wish I could access the settings on my previous router and see if I had this port open. Strange that it works fine for a few days and then stops without having that port open.
Anyway I'm getting offtopic now that I moved it back on regular WiFi.
 
