Guest networks and DHCP


Thank you. I used your script as a base to optionally enable TOR for a Guest Network.

/jffs/scripts/enable_tor_for_guests.sh
https://cryptobin.co/a0y3u295, password is lol
 
Beautiful!
Your Ebtables configuration has the following rules. It works great, but I'm curious.
Code:
/usr/sbin/ebtables -t broute $1 BROUTING -p ipv4 -i $2 -j DROP
/usr/sbin/ebtables -t broute $1 BROUTING -p ipv6 -i $2 -j DROP
/usr/sbin/ebtables -t broute $1 BROUTING -p arp  -i $2 -j DROP

Because I do not want leaks onto (br0), when I tried to un-bridge ALL Ethertypes, it didn't work. Why? I found that Ethertype 0x886c (ETHER_TYPE_BRCM) must stay bridged (br0) or else the Guest Wi-Fi does not authenticate.
Code:
/usr/sbin/ebtables -t broute $1 BROUTING -i $2 -p ! 0x886c -j DROP

Do you have any information on this Ethertype (0x886c)? Do you know if it's specific to the ARM models only? My router is RT-AC68U and it works great. I wonder if it works with the MIPS models too.
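An added example, not the poster's script and not code from the thread: a small helper that installs the three BROUTING rules quoted above for one guest interface, so the guest Wi-Fi is routed (and therefore filtered by iptables) instead of being bridged onto br0, and that checks whether they are already present before adding them. Everything not in the thread is an assumption: the EBTABLES override, the function names, and the `ebtables -L` output format (`-p IPv4 -i wl0.2 -j DROP`) that guest_isolated matches.

```shell
#!/bin/sh
# Added example (not from the thread).  Wraps the three BROUTING DROP rules
# for one guest interface and makes re-running them from firewall-start safe.
# Assumptions: EBTABLES override, function names, and the "ebtables -L" line
# format matched in guest_isolated.

EBTABLES="${EBTABLES:-/usr/sbin/ebtables}"

# Ethertypes taken out of the bridge.  0x886c (ETHER_TYPE_BRCM) is
# deliberately absent: the thread found it must stay bridged, or guest
# clients never finish WPA authentication.
GUEST_UNBRIDGE_PROTOS="ipv4 ipv6 arp"

# Print one rule per Ethertype, in the thread's own form:
#   ebtables -t broute <-A|-D> BROUTING -p <proto> -i <iface> -j DROP
guest_broute_rules() {
    _action="$1"; _iface="$2"
    for _proto in $GUEST_UNBRIDGE_PROTOS; do
        printf '%s -t broute %s BROUTING -p %s -i %s -j DROP\n' \
            "$EBTABLES" "$_action" "$_proto" "$_iface"
    done
}

# Return 0 when the BROUTING listing on stdin already carries all three DROP
# rules for the interface.  ebtables prints the protocol names as
# IPv4/IPv6/ARP (assumed format), so the match is case-insensitive.
guest_isolated() {
    _iface="$1"
    _n=$(grep -icE -- "^-p (ipv4|ipv6|arp) -i $_iface -j DROP" || true)
    [ "$_n" -eq 3 ]
}

# Install the rules unless the interface is already isolated, so a script
# re-run from firewall-start does not stack duplicate rules.
guest_unbridge() {
    _iface="$1"
    if "$EBTABLES" -t broute -L BROUTING 2>/dev/null | guest_isolated "$_iface"; then
        return 0
    fi
    guest_broute_rules -A "$_iface" | while read -r _cmd; do $_cmd; done
}

# Remove the rules again (errors for rules that are already gone are ignored).
guest_rebridge() {
    guest_broute_rules -D "$1" | while read -r _cmd; do $_cmd 2>/dev/null; done
}

# Usage, e.g. from /jffs/scripts/firewall-start:
#   sh /jffs/scripts/guest_unbridge.sh add wl0.2
case "$1" in
    add)    guest_unbridge "$2" ;;
    remove) guest_rebridge "$2" ;;
esac
```

The check before adding matters on Asuswrt-Merlin because firewall-start is run every time the firewall is rebuilt; without it, each run appends another copy of the three rules.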
 
#define ETHER_TYPE_BRCM 0x886c /* Broadcom Corp. */
#define ETH_P_LINK_CTL 0x886c /* HPNA, wlan link local tunnel */

That's all I know. But it does make sense that *something* needs to traverse from the guest wlan to the primary bridge, because the WPA/WPA2 authentication daemons most likely are listening there. So perhaps that ethertype is how Broadcom routes the link/crypto negotiations to their binary blob?

/usr/sbin/ebtables -t broute $1 BROUTING -i $2 -p ! 0x886c -j DROP

If you find that rule above does the trick, then I think I'll adopt it too in place of the original three. Fewer rules is better, less overhead usually. I got the three rules in the script from other posts earlier in this thread (I think it was this thread, haven't looked back again).

Thanks
 
Mmm.. I tried replacing the three original rules with the "! 0x886c" rule, but then my guest wifi stopped working. Switched it back, and all okay again. Also on an RT-AC68U.
 
Mmm.. I tried replacing the three original rules with the "! 0x886c" rule, but then my guest wifi stopped working. Switched it back, and all okay again. Also on an RT-AC68U.
Try moving the '!' before -p

/usr/sbin/ebtables -t broute $1 BROUTING -i $2 ! -p 0x886c -j DROP
 
Mmm.. I tried replacing the three original rules with the "! 0x886c" rule, but then my guest wifi stopped working.
Oh well. My RT-AC68U is an original model running 380.63-alpha2. Testing with 2.4GHz Guest Network#2 (wl0.2). If you want to see all the Ethernet frame types, this will fill up your system log pretty fast. You could probably narrow it down to 2 or 3 Ethertypes that must stay bridged (br0).
Code:
/usr/sbin/ebtables -t broute -I BROUTING -i wl0.2 -j CONTINUE --log --log-level 7
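An added example, not code from the thread: with the logging rule above in place, the kernel writes one line per bridged frame carrying `IN=<iface>` and `proto = 0x<type>` tokens (that is what ebt_log prints; the prefix and trailer vary by kernel). This tallies those lines per interface and Ethertype from the system log, then lists the types that the three DROP rules (IPv4, IPv6, ARP) do not cover, which is exactly the "2 or 3 Ethertypes that must stay bridged" the post talks about. The sample log lines are constructed for the example; on the router you would run `grep 'proto = 0x' /tmp/syslog.log | ethertype_tally`.

```shell
#!/bin/sh
# Added example (not from the thread).  Tally Ethertypes seen by the
# "ebtables -t broute ... -j CONTINUE --log" rule, per ingress interface.
# Assumptions: the syslog lines below are constructed; only the IN= and
# "proto = 0x...." tokens are relied on.

# Constructed sample of what the logging rule produces (two guest
# interfaces plus one unrelated iptables line that must be ignored).
SAMPLE_LOG='Nov  3 21:14:02 RT-AC68U kernel: IN=wl0.2 OUT= MAC source = 00:11:22:33:44:55 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0806 ARP HTYPE=1, PTYPE=0x0800, OPCODE=1
Nov  3 21:14:02 RT-AC68U kernel: IN=wl0.2 OUT= MAC source = 00:11:22:33:44:55 MAC dest = 01:00:5e:00:00:fb proto = 0x0800 IP SRC=0.0.0.0 IP DST=224.0.0.251, IP tos=0x00, IP proto=17
Nov  3 21:14:02 RT-AC68U kernel: IN=wl0.2 OUT= MAC source = 00:11:22:33:44:55 MAC dest = 01:80:c2:00:00:03 proto = 0x886c
Nov  3 21:14:03 RT-AC68U kernel: IN=wl0.2 OUT= MAC source = 00:11:22:33:44:55 MAC dest = 33:33:00:00:00:02 proto = 0x86dd
Nov  3 21:14:03 RT-AC68U kernel: IN=wl0.2 OUT= MAC source = 00:11:22:33:44:66 MAC dest = 01:80:c2:00:00:03 proto = 0x886c
Nov  3 21:14:04 RT-AC68U kernel: IN=wl0.3 OUT= MAC source = 00:11:22:33:44:77 MAC dest = ff:ff:ff:ff:ff:ff proto = 0x0800 IP SRC=0.0.0.0 IP DST=255.255.255.255, IP tos=0x00, IP proto=17
Nov  3 21:14:04 RT-AC68U kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff SRC=203.0.113.9 DST=198.51.100.2 LEN=60 PROTO=TCP SPT=443 DPT=51000'

# Read log lines on stdin; print "<iface> <ethertype> <count>", sorted.
# Lines without a bare "proto = 0x...." token (iptables LOG lines, for
# instance, print "PROTO=TCP") are skipped.
ethertype_tally() {
    awk '
    {
        iface = ""; proto = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/) iface = substr($i, 4)
            else if ($i == "proto" && $(i + 1) == "=") proto = tolower($(i + 2))
        }
        if (iface != "" && proto ~ /^0x[0-9a-f]+$/) count[iface " " proto]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort
}

# Same input; keep only the Ethertypes that the ipv4/ipv6/arp DROP rules
# do not touch, i.e. frames that would still be bridged onto br0.
unbridged_leftovers() {
    ethertype_tally | awk '$2 != "0x0800" && $2 != "0x86dd" && $2 != "0x0806"'
}

# Run on the sample when invoked with "demo"; on the router use
#   grep 'proto = 0x' /tmp/syslog.log | unbridged_leftovers
if [ "$1" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | unbridged_leftovers
fi
```

On the sample the only leftover is 0x886c on wl0.2, which matches what the thread found by trial and error; on a real log you would expect a few more (EAPOL, 0x888e, is the one to look for if authentication is what breaks).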
 
Try moving the '!' before -p

/usr/sbin/ebtables -t broute $1 BROUTING -i $2 ! -p 0x886c -j DROP

The manpage seems to specify placing it after the -p rather than before, as does the built-in help text. So probably have the syntax okay thanks.

Fitz Mutch said:
/usr/sbin/ebtables -t broute -I BROUTING -i wl0.2 -j CONTINUE --log --log-level 7
Great! I was trying to puzzle out the syntax for that, but it's been a while for me.
 
After having the same problem -- no DHCP for guest networks when main LAN has its own DHCP server -- I came up with a script to automatically take care of things. This works for up to three guest networks per band, or six in total, same as the Merlin GUI.

It puts the 2.4GHz guests onto 192.168.10.*, 192.168.11.*, 192.168.12.*
and the 5GHz guests onto 192.168.20.*, 192.168.21.*, 192.168.22.*

Grab the script from here: http://rtr.ca/merlin/enable_dhcp_for_guests.sh
(snbforums won't allow it to be posted directly here, so..).

I invoke it from /jffs/scripts/firewall-start

Cheers
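An added example; it is not the rtr.ca script linked above and does not reproduce it. It shows the three pieces such a script needs on Asuswrt-Merlin once the router's own DHCP server is disabled in the GUI and the guest interface has been taken out of the br0 bridge (the BROUTING rules earlier in the thread): an address on the guest interface, a dnsmasq DHCP range for it, and iptables rules that let guests reach the router's DHCP/DNS and the WAN but nothing on the LAN. Assumptions, none of them from the thread: the subnet numbering follows the post above (2.4GHz guests on 192.168.10 to 12, 5GHz guests on 192.168.20 to 22; a later post reports a different mapping), the .100 to .199 range, the 12h lease, the use of /jffs/configs/dnsmasq.conf.add, and that `nvram get wan0_ifname` names the WAN interface.

```shell
#!/bin/sh
# Added example (not the rtr.ca script).  Per-guest-interface subnet, dnsmasq
# range and iptables rules for a router whose GUI DHCP server is disabled.
# Assumptions: subnet numbering, DHCP range/lease, dnsmasq.conf.add path,
# wan0_ifname, and that the guest interface is already un-bridged from br0.

# wl<band>.<n> -> 192.168.<(band+1)*10 + n - 1> for the six GUI guest
# networks (wl0.1..wl0.3 -> 10..12, wl1.1..wl1.3 -> 20..22).
guest_subnet() {
    _band=${1#wl}; _band=${_band%%.*}; _n=${1##*.}
    case "$_band$_n" in
        [01][123]) echo "192.168.$(( (_band + 1) * 10 + _n - 1 ))" ;;
        *) return 1 ;;
    esac
}

# Lines for /jffs/configs/dnsmasq.conf.add.  dnsmasq picks the range whose
# network matches the address on the receiving interface, so no tag is
# needed; it hands itself out as gateway and resolver by default.
guest_dnsmasq_fragment() {
    _net=$(guest_subnet "$1") || return 1
    printf 'interface=%s\n' "$1"
    printf 'dhcp-range=%s.100,%s.199,255.255.255.0,12h\n' "$_net" "$_net"
}

# Commands that bring one guest network up: address the interface, then
# filter it.  $2 is the WAN interface.  Printed rather than run so they can
# be reviewed; pipe through sh to apply.  Because -I inserts at the top, the
# INPUT DROP goes in first and the DHCP/DNS ACCEPTs end up above it.
guest_net_commands() {
    _iface="$1"; _wan="$2"
    _net=$(guest_subnet "$_iface") || return 1
    cat <<EOF
ifconfig $_iface $_net.1 netmask 255.255.255.0 up
iptables -I INPUT -i $_iface -j DROP
iptables -I INPUT -i $_iface -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $_iface -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $_iface -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i $_iface ! -o $_wan -j DROP
iptables -I FORWARD -i $_iface -o $_wan -j ACCEPT
iptables -I FORWARD -i $_wan -o $_iface -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -s $_net.0/24 -o $_wan -j MASQUERADE
EOF
}

# Called from /jffs/scripts/firewall-start, e.g.:  guest_up wl0.1 wl1.1
# The dnsmasq fragment is only appended once per interface.
guest_up() {
    _wan=$(nvram get wan0_ifname)
    for _iface in "$@"; do
        guest_net_commands "$_iface" "$_wan" | sh
        grep -qs "^interface=$_iface\$" /jffs/configs/dnsmasq.conf.add ||
            guest_dnsmasq_fragment "$_iface" >> /jffs/configs/dnsmasq.conf.add
    done
    service restart_dnsmasq
}
```

The `! -o $wan` DROP in FORWARD is what keeps guests off br0 and off the other guest subnets at the IP layer; the BROUTING rules only stop them from being switched there at layer 2, and both are needed.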

Thanks for posting that. I have been tinkering off and on for the last year with my ac87u (see my post upthread). This finally did the trick... somewhat.

As far as the assignment of guests to xx.xx.10.*, 11.*, 12.* and so forth, the IPs being assigned are defaulting to what the router DHCP dictates, i.e. xx.xx.250.*, regardless of which guest network you connect to. Any idea on how to resolve that?

Additionally, the router DHCP is taking over for non-static leases from my network DHCP. I have my network DHCP server set to offer xx.xx.200.*, the router 250.*. Everything receives an address in the 250 range, regardless of whether it is on the LAN or the guest network.

Lastly, this doesn't work for the 5GHz bands on the ac87u. I suspect this is because it runs two separate chipsets. It looks like VLAN4000, VLAN4001, VLAN4002 are the interfaces tied to the 5GHz range.

The last one might be too big of a pain to resolve, but I can live without it. The devices I want to put on the guest network are all IoT devices that don't use much bandwidth, so there's no need for 802.11ac. I'd like to resolve the other issues though, if anyone has any suggestions.
 
That script of mine is only for the situation where the router's DHCP server is DISABLED in the GUI, and DHCP is handled (non-guests) by a separate DHCP server on the LAN.

You mentioned "..the router DHCP is taking over..", which suggests that the router's DHCP server has NOT been DISABLED. In which case, my script isn't really applicable there.

If that's how you are running it (router's DHCP disabled in GUI), then perhaps the script is messing up instead, or your router has a radically different version of Merlin on it (?).

Cheers
 
That script of mine is only for the situation where the router's DHCP server is DISABLED in the GUI, and DHCP is handled (non-guests) by a separate DHCP server on the LAN.

You mentioned "..the router DHCP is taking over..", which suggests that the router's DHCP server has NOT been DISABLED. In which case, my script isn't really applicable there.

If that's how you are running it (router's DHCP disabled in GUI), then perhaps the script is messing up instead, or your router has a radically different version of Merlin on it (?).

Cheers


Ok, I had a suspicion that was the case. I had tried that previously and came up empty. Gave it another shot, and wasn't being served an IP address.

So, I started sniffing around a little more. I manually ran the script, and it's serving IP addresses, which is a great sign. I ran chmod a+rx /jffs/scripts/* to set it as executable; am I missing something? (Scripts are enabled in the Merlin GUI.)

Edit:

Looks like it has been running on reboot based on the router log. I guess the question now is, why is it not effective then, but it works well when I manually execute it? Maybe firewall-start isn't the best place?
 
Okay, I'm an idiot. Here's how I screwed up, so that I might help someone else who is also screwing around with custom scripts in merlin for the first time...

/jffs/scripts/firewall-start is not the directory for the script. Firewall-start *is* the script. I got thrown off because I was expecting a .sh or something. This is where I went wrong.

Other notes that I'll make:
1) Run chmod a+rx /jffs/scripts/* to set the script as executable.
2) Disable the router's DHCP.
3) wl0.2 gets assigned x.x.20.*, wl0.3 x.x.30.*
4) This doesn't work on ac87u 5GHz guest networks.
 
/jffs/scripts/firewall-start is not the directory for the script. Firewall-start *is* the script.

Yeah. :)

On a related note, things run from those scripts may still fail somewhat randomly, because Merlin launches the scripts asynchronously.. so things run from the scripts don't necessarily run in any particular sequence w.r.t. anything else on the router.
 
Yeah. :)

On a related note, things run from those scripts may still fail somewhat randomly, because Merlin launches the scripts asynchronously.. so things run from the scripts don't necessarily run in any particular sequence w.r.t. anything else on the router.

I have some odd behavior going on with the guest SSID with this script - everything looks to be working fine and devices get an IP address in the new range and can access the internet, but it never loads pages from certain addresses (really odd, I know). Before anyone thinks differently, I have tried with multiple devices, browsers, my internet connection is fine, if I disconnect those devices and put them on the LAN wifi (same router AC87U, just not the guest SSID), everything is fine. Google is fine, YouTube is fine, Facebook is fine. microsoft.com or speedtest.net for example *never* go anywhere, but also don't time out - the page load just stays indefinitely. DNS resolves fine for those domains.

Any thoughts?
 
After having the same problem -- no DHCP for guest networks when main LAN has its own DHCP server -- I came up with a script to automatically take care of things. This works for up to three guest networks per band, or six in total, same as the Merlin GUI.

It puts the 2.4GHz guests onto 192.168.10.*, 192.168.11.*, 192.168.12.*
and the 5GHz guests onto 192.168.20.*, 192.168.21.*, 192.168.22.*

Grab the script from here: http://rtr.ca/merlin/enable_dhcp_for_guests.sh
(snbforums won't allow it to be posted directly here, so..).

I invoke it from /jffs/scripts/firewall-start

Cheers

Hi, I'm brand new to this forum and stumbled across your script. It is exactly the setup I've been trying to achieve, but have been unable to due to lack of knowledge/experience. I do enjoy the read and learn of this all, and hopefully, one day will have the knowledge/experience to assist others by posting scripts like you have. Thanks again for the post; I'm sure I am not the only one benefiting from it.

I do have one question regarding the script though. As mentioned, the script does achieve my desired setup, with the exception of one thing: it is not routed through my VPN. All other devices that connect through my router do route through the VPN. If at all possible, I'd like my guest networks (both bands) to also route through the VPN. Currently, the guest networks appear to be routed directly to the WAN. I was hoping that you could help me with the necessary script modification(s) to achieve this. If additional info on my part is required, please let me know. Thanks in advance.
 
I have not yet attempted to use the VPN client functionality of the router, so I don't know anything about it. I cannot help you there at this time, but perhaps others here can/will do so.
 
I have not yet attempted to use the VPN client functionality of the router, so I don't know anything about it. I cannot help you there at this time, but perhaps others here can/will do so.
OK, thanks! Your script works great, but somehow when the script is applied it routes to the WAN, bypassing the VPN. If I eliminate the use of your script and just run with the stock guest network(s)/settings, it routes through the VPN.
 