Guest Network on AP

smitty870

New Around Here
I have a Ubiquiti EdgeRouter connected to my ISP modem and would like to use the ASUS router as an AP.
I currently have another firmware on it with 3 SSIDs (Private, IOT, Guest).
1 - Private picks up its IP address from the EdgeRouter. Firewall rules permit access to any device on the other 2 networks.

2 - IOT with its own DHCP subnet of 192.168.20.0/24 and firewall rules that allow for backup to a device on 192.168.10.0/24.

3 - Guest is 192.168.30.0/24

I was checking out a couple of articles here, but I am not sure if I am doing the configuration correctly.
https://github.com/RMerl/asuswrt-merlin/wiki/User-scripts
https://github.com/RMerl/asuswrt-me...dicated-DHCP-options-bind-to-a-specific-SSID?
Based on "How to have dedicated DHCP options bind to a specific SSID?", my config files are as follows:

dnsmasq.postconf
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
logger "dnsmasq-dhcp: Configure wl0.1 to have special DHCP"
ifconfig wl0.1 192.168.70.2 netmask 255.255.255.0
iptables -D INPUT -i wl0.1 -j ACCEPT
iptables -I INPUT -i wl0.1 -j ACCEPT
ebtables -t broute -D BROUTING -i wl0.1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i wl0.1 -p ipv4 -j DROP
pc_append "
log-dhcp
interface=wl0.1
dhcp-range=wl0.1,192.168.70.200,192.168.70.240,255.255.255.0,86400s
dhcp-option=wl0.1,3,192.168.70.1
dhcp-option=wl0.1,6,192.168.10.1,8.8.8.8,8.8.4.4
" /tmp/etc/dnsmasq.conf

services-start
#!/bin/sh
service restart_dnsmasq

I have never edited or created Unix based files before. I configured my NotePad++ Edit-->EOL Conversion to Unix LF. I also saved the files as Unix Scripts then renamed to the proper file names.

Rebooted the router and presto, the Guest SSID still gets a 192.168.10.0/24 address.
After that did not work, I did a deeper dig in the forums, and it sounds like this will not work in AP mode.

Is my understanding correct that you cannot use the Asus with Merlin firmware as an AP attached to the router with a guest network? Might I have configured something incorrectly?
 
AP mode isn't that smart and disables the firewall and these features because that's the EdgeRouter's job. AFAIK, if you want to create all these different network subnets, routing and firewall rules and use dnsmasq, then the ASUS can't be in AP mode. It must be in router mode. Leaving it in router mode is OK but will create double NAT.
 
Is my understanding correct that you cannot use the Asus with Merlin firmware as an AP attached to the router with a guest network?
Correct. The concept of guest networks is meaningless in AP mode as that is a function of the device doing the routing.
 
Code:
dnsmasq.postconf
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
logger "dnsmasq-dhcp: Configure wl0.1 to have special DHCP"
# ifconfig br1 192.168.80.2 netmask 255.255.255.0
iptables -D INPUT -i br1 -j ACCEPT
iptables -I INPUT -i br1 -j ACCEPT
ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
pc_append "
log-dhcp
interface=br1
dhcp-range=br1,192.168.80.200,192.168.80.254,255.255.255.0,6h
dhcp-option=br1,3,192.168.80.1
dhcp-option=br1,6,192.168.80.1,192.168.10.1,8.8.8.8
" /tmp/etc/dnsmasq.conf

services-start
#!/bin/sh
service restart_dnsmasq
/jffs/scripts/wifiguest2

wifiguest2 - This script I found in a thread and I apologize to the original owner. I lost the thread to give credit to for the original script.
#!/bin/sh

PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"

# Remove port 4 from VLAN1
# robocfg vlan 1 ports "0 1 2 5t"

# Create VLAN20, and add port 4t(tagged) or 4 (untagged)
robocfg vlan 20
# ports "4t 5t"

#VLAN-port setup - add VLAN as an interface connected to eth0
vconfig add eth0 20

# up interface vlan20
ifconfig vlan20 up

# create br1
brctl addbr br1
# enable stp
#brctl stp br1 on

# Remove wl0.1 (the named guest network) from br0
brctl delif br0 wl0.1

# add wl0.1 to br1
brctl addif br1 wl0.1

# up interface
ifconfig br1 up

# add vlan20 to br1
brctl addif br1 vlan20

# Configure an IP address on the bridge and enable (up) it - alternative: just "ifconfig br1 up"
ifconfig br1 192.168.80.1 netmask 255.255.255.0 up

# Mapped vlan20ports
# nvram set vlan20ports="4t 5t"
nvram set vlan20hwname=et0

# Cleanup (remove the wl0.1 from "lan_ifnames")
#nvram set lan_ifnames="vlan1 eth1 eth2"

# Set lan_ifnames & make eapd listen to the existing bridge br0
nvram set lan_ifnames="vlan1 eth1 eth2 wl0.2 wl1.2"
nvram set lan_ifname="br0"

# Create lan1_ifnames & make eapd listen to the new bridge br1
nvram set lan1_ifnames="vlan20 wl0.1"
nvram set lan1_ifname="br1"

# save nvram settings
nvram commit
Doing a little searching, I found the following possible scripts. I can see the SSID, but I am not able to connect; Android eventually responds with an authentication problem.
However, they do not seem to be working correctly; I cannot seem to authenticate.
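
An added example, not part of the original posts: a check that reads `brctl show` output and reports whether the guest interface wl0.1 is still a member of br0, which is the state in which guest clients are bridged onto the main LAN and take its DHCP addresses. The helper names `bridge_of` and `guest_isolated` are hypothetical, and both sample outputs (including the bridge IDs) are constructed.

```shell
#!/bin/sh
# Added example: which bridge does a wireless interface belong to?
# On the router itself:  brctl show | guest_isolated br0 wl0.1

# Constructed sample: wl0.1 has not been moved, it is still on br0.
SAMPLE_BEFORE='bridge name     bridge id               STP enabled     interfaces
br0             8000.0123456789ab       yes             vlan1
                                                        eth1
                                                        eth2
                                                        wl0.1'

# Constructed sample: the layout the wifiguest2 script is aiming for.
SAMPLE_AFTER='bridge name     bridge id               STP enabled     interfaces
br0             8000.0123456789ab       yes             vlan1
                                                        eth1
                                                        eth2
br1             8000.0123456789ac       no              wl0.1
                                                        vlan20'

# bridge_of IFACE: read `brctl show` text on stdin, print IFACE's bridge.
# Exit status is non-zero when IFACE is not a member of any bridge.
bridge_of() {
    awk -v want="$1" '
        NR == 1 { next }                  # header row
        NF >= 4 { br = $1; ifc = $4 }     # first row of a bridge
        NF == 3 { br = $1; ifc = "" }     # bridge with no members
        NF == 1 { ifc = $1 }              # continuation row: member only
        ifc == want { print br; found = 1; exit }
        END { exit !found }
    '
}

# guest_isolated LAN_BRIDGE GUEST_IFACE: succeed only when the guest
# interface sits on a bridge other than the LAN bridge (status 2: not found).
guest_isolated() {
    gbr=$(bridge_of "$2") || return 2
    [ "$gbr" != "$1" ]
}

for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    if printf '%s\n' "$sample" | guest_isolated br0 wl0.1; then
        echo "wl0.1 is off br0"
    else
        echo "wl0.1 is still bridged to br0: guests share the main LAN"
    fi
done
```

Bridge separation is only the layer-2 part; the firewall rules for the new bridge still decide what guest clients can reach.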

AP mode can’t do routing. You must be set to router mode. You cannot do any of that in AP mode.
 
