Guest Network has no internet access unless I enable access to intranet

Newbie_21

Occasional Visitor
My AX92U runs as a VPN client on the company VPN server.
When the VPN client is active, all Internet traffic goes through it. So my home network IP range and the guest network IP range. Theoretically! The home network works via the VPN client, but the guest network is blocked. Perhaps there are no routing rules.
 

bbunge

Part of the Furniture
My AX92U runs as a VPN client on the company VPN server.
When the VPN client is active, all Internet traffic goes through it. So my home network IP range and the guest network IP range. Theoretically! The home network works via the VPN client, but the guest network is blocked. Perhaps there are no routing rules.
Most likely a DNS failure on the guest network.

When using Guest 1 the clients are assigned IP's in the (2.4 GHz) 192.168.101.x or (5 GHz) 192.168.102.x range. The DHCP server for the guest clients is then set to 192.168.101.1 or 192.168.102.1 .

My guess is that, when running the VPN client, the DNS is set to the work DNS server. For LAN clients this is OK but the guest clients they are still trying to use the router DNS and that is blocked by the VPN client. You need to modify the VPN settings to not use the work DNS.
 

Newbie_21

Occasional Visitor
Yes but how. Is it possible to use a script to route the guest network IP range via the router's DNS? Otherwise there is only the possibility to switch off the vpn client. Or there is the possibility in the router settings. Merlin FW does not exist for the AX92U.
 

oaoutpost0

New Around Here
Hello everyone,

I too have had this problem and I found a solution, although it may or may not work for you. I had originally had my LAN configured to use 192.168.0.0/16 (subnet mask of 255.255.0.0). You will note that this allows an IP address range of 192.168.0.0-192.168.255.255. However, the guest network feature will place your guests in a 192.168.101.x (or similar) range. For me, the solution was to change the subnet mask to 255.255.254.0, though I suppose any subnet smaller than 255.255.192.0 should work. These mask ranges free up the 101.x range and higher (and the guest network will still be created in that range). Note that I have a single router and am not using AI Mesh.
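To check the subnet arithmetic in this post (which LAN prefixes collide with the 192.168.101.x / 192.168.102.x guest ranges, and how wide the LAN can be before it does), here is an added example, not code from the thread. It assumes the guest ranges are /24s and ignores other guest indices and AiMesh.

```python
"""Check a LAN subnet against the Asus guest-network ranges named in the thread.

Added example, not from the forum post. Assumes the guest ranges are
192.168.101.0/24 (Guest 1, 2.4 GHz) and 192.168.102.0/24 (Guest 1, 5 GHz).
"""
import ipaddress

# Guest ranges as named in the thread, assumed to be /24 networks.
GUEST_NETWORKS = [
    ipaddress.ip_network("192.168.101.0/24"),
    ipaddress.ip_network("192.168.102.0/24"),
]


def lan_collides(lan_cidr: str, guest_networks=GUEST_NETWORKS):
    """Return the guest networks overlapped by lan_cidr (empty list if none).

    lan_cidr may use a prefix length ("192.168.0.0/16") or a dotted mask
    ("192.168.0.0/255.255.254.0"); host bits in the address are tolerated.
    """
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    return [str(g) for g in guest_networks if lan.overlaps(g)]


def widest_safe_prefix(lan_address: str, guest_networks=GUEST_NETWORKS):
    """Smallest prefix length (widest LAN) containing lan_address that avoids
    every guest range, or None if no prefix down to /30 avoids them
    (i.e. the address itself lies inside a guest range)."""
    addr = ipaddress.ip_address(lan_address)
    for plen in range(8, 31):
        candidate = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        if not any(candidate.overlaps(g) for g in guest_networks):
            return plen
    return None


if __name__ == "__main__":
    for cidr in ("192.168.0.0/16", "192.168.0.0/255.255.254.0", "192.168.0.0/18"):
        print(cidr, "collides with:", lan_collides(cidr) or "nothing")
    plen = widest_safe_prefix("192.168.0.1")
    print("widest LAN around 192.168.0.1 that avoids the guest ranges: /%d" % plen)
```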
 

addohm

Occasional Visitor
I ran into this issue today. It turns out that when you specify your own DNS, the guest network just can’t access the internet. Will follow up.
 

addohm

Occasional Visitor
Confirmed. When I specify my own dns (pihole), the guest network breaks. If I add google dns as the second dns server, it starts working again. This only happens to the guest network. The main network follows the rules properly. I wonder if we need a separate dns designation for guests?
 

eibgrad

Part of the Furniture
Confirmed. When I specify my own dns (pihole), the guest network breaks. If I add google dns as the second dns server, it starts working again. This only happens to the guest network. The main network follows the rules properly. I wonder if we need a separate dns designation for guests?

If by "your own DNS", you mean an IP on the *private* network, well that makes sense, at least if you have intranet access disabled (most ppl do). IOW, guests typically have NO access to local/private resources, by definition.
 

addohm

Occasional Visitor
If by "your own DNS", you mean an IP on the *private* network, well that makes sense, at least if you have intranet access disabled (most ppl do). IOW, guests typically have NO access to local/private resources, by definition.
I see. So you're saying basically that the "access intranet" rules are being applied in this case. Maybe I'll make my pihole a public dns to circumvent this. Kind of unfortunate. To be honest, I thought the rule would be applied from within the router.
 

eibgrad

Part of the Furniture
I see. So you're saying basically that the "access intranet" rules are being applied in this case. Maybe I'll make my pihole a public dns to circumvent this. Kind of unfortunate. To be honest, I thought the rule would be applied from within the router.

I don't know what you mean by "applied from within the router". When intranet access is denied, the router uses its ethernet (layer 2) firewall (specifically, ebtables) to prevent communications between the wireless guest network interfaces (e.g., wl0.1) and the private network. I haven't tried it, but it may be possible to add a rule w/ ebtables (using the firewall-start script) to make an exception for that particular IP.

Code:
ebtables -t broute -I BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.100 -j ACCEPT

Of course, I'm assuming guest #1 (2.4GHz) in the above example. Adjust accordingly.

You could test it using SSH prior to committing to the firewall-start script.

Or perhaps multihome both the router and pihole to a secondary IP network, thus bypassing the rules that are specifically blocking access to the default private network.

P.S. To be honest, I'm NOT sure if it should be the firewall-start script. I'm just guessing. It might be better suited to some wireless event, like any (re)start. I'd have to play around w/ it to be sure.
 

addohm

Occasional Visitor
I don't know what you mean by "applied from within the router". When intranet access is denied, the router uses its ethernet (layer 2) firewall (specifically, ebtables) to prevent communications between the wireless guest network interfaces (e.g., wl0.1) and the private network. I haven't tried it, but it may be possible to add a rule w/ ebtables (using the firewall-start script) to make an exception for that particular IP.

Code:
ebtables -t broute -I BROUTING -p IPv4 -i wl0.1 --ip-dst 192.168.1.100 -j ACCEPT

Of course, I'm assuming guest #1 (2.4GHz) in the above example. Adjust accordingly.

You could test it using SSH prior to committing to the firewall-start script.

Or perhaps multihome both the router and pihole to a secondary IP network, thus bypassing the rules that are specifically blocking access to the default private network.

P.S. To be honest, I'm NOT sure if it should be the firewall-start script. I'm just guessing. It might be better suited to some wireless event, like any (re)start. I'd have to play around w/ it to be sure.
Sounds like it’s getting over my head.

I guess this would be easier if there were more customization available for the guest network. I don't care at all what kind of mess the guests on the guest network get tangled in. I wish I could just specify dns for the internal network only.

what do you mean by the whole multihome thing? Run two separate networks?
 

eibgrad

Part of the Furniture
Sounds like it’s getting over my head.

I guess this would be easier if there were more customization available for the guest network. I don't care at all what kind of mess the guests on the guest network get tangled in. I wish I could just specify dns for the internal network only.

what do you mean by the whole multihome thing? Run two separate networks?

I just realized you are probably using the OEM firmware, NOT Merlin. All my suggestions assume the use of Merlin since they involve changes required outside the GUI.
 

addohm

Occasional Visitor
I just realized you are probably using the OEM firmware, NOT Merlin. All my suggestions assume the use of Merlin since they involve changes required outside the GUI.
def using Merlin. I switched to Merlin in 2016 I think. Can't remember why though.


Don’t mind the model number. I had to replace my AC-68U while living in China and this was the model equivalent. The only thing I do outside of the GUI these days is iperf.
 

ColinTaylor

Part of the Furniture
Also, I set up and use pihole just fine internally. It’s the guest networks that suffer when intranet access is prohibited.
If you didn't want to create custom ebtables rules as described above a different approach would be that shown in the Asus FAQ I linked to. In that case all LAN clients (including guests) use the router for DNS which in turn has the PiHole set as its WAN DNS server. The downside of this is that that the PiHole perceives all traffic as originating from the router.
 

jmpr

Regular Contributor
I have these settings in WAN:

In LAN, the DNS servers are blank, so clients use the router IP as dns server, and it uses the two above.

This has been this way always, and I have had no problems at all with guests (with no lan access).

BUT I would like to use the "DNS privacy" (DOT), but when trying, guests lose internet access. So I do not use DOT until a firmware update that solves it.
 

bbunge

Part of the Furniture
If it ain’t broke…

Also, I set up and use pihole just fine internally. It’s the guest networks that suffer when intranet access is prohibited.
It may not be broke but it sure isn't secure! Please upgrade your firmware.

Your Pi-Hole IP address should be in the LAN/DHCP Server/DNS Server settings. Not the WAN DNS Server 1 or 2. If you upgrade the firmware you can run DNS DoT from the WAN setup which will give you DNS security. Quad 9 runs well on DoT as well as Cloudflare Secure.
 
