Guest Networks Issue

WRobertE

I'm running 384.14 on a RT-AC68U.

When I set the option "Access Intranet" on a Guest Network to Disable, the devices connected to the Guest Network cannot access the WAN (i.e. Internet).

Same behavior on both the 2.4 and 5 GHz networks.

I thought that option would disable client-to-client connections but would still enable devices on the Guest Network to access the WAN connection.

What am I missing? And how can I accomplish the desired behavior - no client-to-client but access to the WAN?

Updated:
I see the option named "Set AP Isolated" under Wireless->Professional which I guess is what prevents client-to-client communication but this doesn't seem to just be restricted to clients on the Guest Network.

Here's what I'm trying to accomplish ... I have some "smart switches" that I want to isolate to a Guest Network and also prevent them from accessing my local LAN. However, they also need to access the WAN.

So right now I have set the option "Access Intranet" on a Guest Network to Enable (both 2.4 and 5 GHz) so they can access the WAN and I have also set the option "Set AP Isolated" to YES (also both 2.4 and 5 GHz) and this configuration appears to work.

So it seems like the option named "Access Intranet" on a Guest Network settings should say "Access Internet (WAN)" instead.
 
That behaviour is wrong, so it may be a bug. Regardless of those settings, clients on a guest network should always be able to access the internet. I don't remember anyone else reporting this problem (and it would be immediately obvious to most users of guest networks) so perhaps it's a bug in the current version. Try going back to the previous release and testing that.

Have you tried testing this with a phone or laptop connected to the guest network (rather than an IoT device)?
 
Thanks for this good explanation. Got confused with other manufacturers' functionality.
 
Have you tried testing this with a phone or laptop connected to the guest network (rather than an IoT device)?

I tested both with my phone and laptop.

I'll do a complete reset and reconfigure on 384.14 and see if that fixes the issue. But it'll be a day or so before I can do that - too many football games on today. Thanks for the reply.
 
@ColinTaylor already answered your question: if you want to isolate the guest WiFi from the rest of the clients, you must not enable 'Access Intranet'. And your guest clients will have internet access even with intranet disabled.

As for the switches, if you didn't configure anything and just plugged them in out of the box, they're as good as a dumb switch. Unless there's a specific complex setup you have in mind, like a multiple VLAN setup, then keeping 'Access Intranet' disabled already achieves what you want to do.
 
I think I understand what's going on but I'm not sure how to address it.

First, my setup.

My router's IP address is 10.10.10.1 (not really but this is an example).
I have a RaspberryPi setup on 10.10.10.2 which runs Pihole as a network-wide adblocker and the Pi also runs unbound as my DNS server.

If I do not enable 'Access Intranet', clients on the guest network can't access 10.10.10.2 and therefore they can't get to my DNS server.

So, in my setup, how do I allow devices on a Guest Network to get to my DNS server but still isolate them from the rest of my network?
 
how do I allow devices on a Guest Network to get to my DNS server but still isolate them from the rest of my network?
Configure your router to use the Pi-Hole DNS server and configure the client devices to use the router IP as DNS server?
 
The router is already setup to use the Pi as the DNS server.

But changing the setting "Advertise router's IP in addition to user-specified DNS" to YES seems to do the trick. Thanks!

 
Won't this show the router as the sole client in PiHole?

If I understand your question, you're asking if clients will bypass Pihole due to this setting. That's a good question.

When I tested this with my laptop connected to the guest network, both the router and the Raspberry Pi addresses were given to my laptop as DNS servers. Since the Pi is setup as the DNS server on the router, what actually happens?

For example, if a client contacts the router directly for DNS services, does the router just forward that request to the Pi since the Pi is set up as the DNS server on the router? Or does the router use the DNS servers provided by my ISP to resolve the DNS request? That's really the question. If the router just forwards the DNS request to the Pi then everything's good. Then clients on the guest network use the Pi indirectly even though they can't connect to the Pi directly if "Access Intranet" is Disable.

But if a client that's not on the Guest Network ends up contacting the router for DNS services and the router doesn't just forward the request to the Pi, then the Pi running Pihole could get bypassed.

Anyone know the answer?
 
@WRobertE Assuming that the DHCP clients honour the DNS addresses they receive from the server (which is not always the case) they will receive 10.10.10.2 and 10.10.10.1.

So DHCP clients on the LAN will try to use 10.10.10.2 by preference.

Guest clients on the other hand will also initially try to use 10.10.10.2 but fail because that is blocked to them. So after one second they will retry the request using the second server, 10.10.10.1, which will work (because that isn't blocked). The router is configured with the PiHole as its upstream server.

PiHole will see DNS requests from intranet clients as coming from their own addresses. Whereas requests from guest clients will all appear to be coming from the router, 10.10.10.1. EDIT: This assumes that you have configured the router's WAN DNS server with the address of your PiHole.
 
@WRobertE
EDIT: This assumes that you have configured the router's WAN DNS server with address of your PiHole.

Yep ... that's the way I had it setup.

Just curious ... what happens if I select "Connect to DNS Server automatically" = Yes?

In that case I assume Pihole COULD get bypassed if a client ends up using the router's address as the DNS server instead of the Pi's address. So, in that scenario, wouldn't a client potentially use my ISP's DNS servers instead of the Pi, whether they're on a Guest Network or not?

I appreciate your responses.
 
Just curious ... what happens if I select "Connect to DNS Server automatically" = Yes?

In that case I assume Pihole COULD get bypassed if a client ends up using the router's address as the DNS server instead of the Pi's address. So, in that scenario, wouldn't a client potentially use my ISP's DNS servers instead of the Pi, whether they're on a Guest Network or not?
With "Connect to DNS Server automatically" = Yes the router will forward any non-local requests it receives to your ISP's DNS servers.

So in the case of the guest clients they will always end up going there (after failing to connect to the PiHole).

Intranet clients might also go there, but only if they didn't receive any response from the PiHole. Which is the purpose of specifying a second DNS server address (which is implied with "Advertise router's IP in addition to user-specified DNS").

EDIT: And then you've got clients like Android that just flat out ignore DHCP specified IP addresses and go to Google's servers anyway when it suits them.
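
The DNS paths described in the replies above, written out as a small model. This is an added example and not part of the original thread; it uses the thread's example addresses (10.10.10.1 for the router, 10.10.10.2 for the Pi), the function names are hypothetical, and it assumes a client that tries the DHCP-advertised servers in order.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

ROUTER = "10.10.10.1"  # example addresses used in the thread
PIHOLE = "10.10.10.2"

@dataclass
class Outcome:
    answered_by: Optional[str]         # server the client ends up using
    filtered: bool                     # did the query pass through Pi-hole?
    pihole_sees_source: Optional[str]  # client address Pi-hole would record

def resolve_path(client_ip, guest, router_upstream, pihole_up=True,
                 advertised=(PIHOLE, ROUTER)):
    """Walk the advertised DNS servers the way a DHCP-honouring client would.

    guest           -- on a guest network with "Access Intranet" disabled
    router_upstream -- "pihole" (router's WAN DNS points at the Pi) or
                       "isp" ("Connect to DNS Server automatically" = Yes)
    advertised      -- (PIHOLE, ROUTER) models "Advertise router's IP in
                       addition to user-specified DNS" = Yes
    Clients that ignore DHCP-supplied DNS are outside this model.
    """
    for server in advertised:
        if server == PIHOLE:
            if guest or not pihole_up:
                continue  # blocked by guest isolation, or no reply: try next
            return Outcome(PIHOLE, True, client_ip)
        if server == ROUTER:
            if router_upstream == "isp":
                return Outcome(ROUTER, False, None)  # forwarded to ISP resolvers
            if pihole_up:
                # Router forwards to the Pi, which sees the router as the source.
                return Outcome(ROUTER, True, ROUTER)
    return Outcome(None, False, None)  # nothing reachable: resolution fails

def bypass_cases(client_ip="10.10.10.50"):  # constructed sample client address
    """List (guest, router_upstream, pihole_up) combinations that skip Pi-hole."""
    cases = []
    for guest, upstream, up in product((False, True), ("pihole", "isp"), (True, False)):
        out = resolve_path(client_ip, guest, upstream, up)
        if out.answered_by and not out.filtered:
            cases.append((guest, upstream, up))
    return cases

if __name__ == "__main__":
    for case in bypass_cases():
        print("unfiltered path:", case)
```

Every unfiltered path has the router on automatic (ISP) DNS; with the router's WAN DNS pointed at the Pi, guest queries are still filtered but are all attributed to 10.10.10.1.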
 