Is it possible to define a custom dhcp-range for Guest networks?

MVD

New Around Here
Hi everyone,

I've recently installed merlin on my brand new AC87U, and I gotta say I love it!

A small project I've been trying to do is to have a separate SSID that tunnels all traffic through the OpenVPN client I configured in my router. My idea was the following:
  1. Create a separate Guest network
  2. Specify an IP range, dedicated to this Guest network
  3. Tunnel all IP addresses in this range through the VPN client, using Policy Routing
1. and 3. were easy (for 3. I tried with some devices on the main SSID); 2., however, I could not get to work. What I tried was using this from the GitHub wiki, and adding a dhcp-range, but I could not get that to work properly. Can anyone help me to modify this approach or tell me if there is a better approach for 2.?

Thanks in advance!
 

Martineau

Part of the Furniture
  1. Create a separate Guest network
  2. Specify an IP range, dedicated to this Guest network
  3. Tunnel all IP addresses in this range through the VPN client, using Policy Routing
1. and 3. were easy.

Can anyone help me to modify this approach or tell me if there is a better approach for 2.?

A2. Technically yes.

The screenprint should show three laptops connected by Wifi, with two as guests and all three are on different subnets.
Hopefully the text isn't too small :eek:


[Screenshot attachment: Wifi Subnets.png]


This was done yesterday as a proof of concept:

RT-AC56U Firmware 380.58-Alpha1.
LAN 192.168.1.1 255.255.255.0
BR1 10.1.245.1 SSID:BR1G241,BR1G51 Wifi Clients 1 2.4GHz and 5GHz
BR2 10.2.245.1 SSID:BR2G242,BR2G52 Wifi Clients 2 2.4GHz and 5GHz
BR3 10.3.0.1 SSID:BR3G53 Wifi Client 3 5GHz ONLY


Factory reset, configure Internet and VPN Client 1, then manually run the script.
Disclaimer: when using the VPN routing, I'm not 100% sure that the firewall rules are sufficient.

Code:
#!/bin/sh

# Credit the contributions of SNB forum Members Batking, Coldwizard and starfall etc. that provided the bulk of these commands.

logger -st "($(basename $0))" $$ "Martineau Wifi Bridge configuration Starting...." [[email protected]]

# WAN interface and its current address (used for the SNAT rule further down)
WAN_IF=$(nvram get wan0_interface)
WANIP=$(/sbin/ifconfig "$WAN_IF" | grep 'inet addr' | cut -d':' -f2 | awk '{print $1}')

# Without a WAN address the SNAT rule cannot be built, so stop rather than leave half-applied rules
if [ -z "$WANIP" ]; then
    logger -st "($(basename $0))" $$ "No IP address found on WAN interface '$WAN_IF' - aborting"
    exit 1
fi

logger -st "($(basename $0))" $$ " Create br1 and br2...." [[email protected]]

# Remove WiFi 2.4Ghz and 5Ghz Guests 1 and 2 from br0 (the firmware places every Guest SSID in br0)
brctl delif br0 wl0.1
brctl delif br0 wl1.1
brctl delif br0 wl0.2
brctl delif br0 wl1.2

# Create br1 for WiFi 2.4Ghz and 5Ghz Guest 1
brctl addbr br1
brctl addif br1 wl0.1
brctl addif br1 wl1.1

# Create br2 for WiFi 2.4Ghz and 5Ghz Guest 2
brctl addbr br2
brctl addif br2 wl0.2
brctl addif br2 wl1.2

logger -st "($(basename $0))" $$ " Ifconfig...." [[email protected]]

# Bridge addresses must sit in the same subnets as the dhcp-range / dhcp-option 3 entries
# in dnsmasq.conf.add below (10.1.245.0/24 and 10.2.245.0/24), otherwise dnsmasq has no pool to serve
ifconfig br1 10.1.245.1 netmask 255.255.255.0 broadcast 10.1.245.255
ifconfig br2 10.2.245.1 netmask 255.255.255.0 broadcast 10.2.245.255

# Fix WPA2 on Guest WiFi: eapd derives its interface list from the lanN_ifnames/lanN_ifname
# variables, so it must be told about the new bridges and restarted
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set lan2_ifnames="wl0.2 wl1.2"
nvram set lan2_ifname="br2"
nvram commit
killall eapd
eapd

# Allow dnsmasq to listen to br1 and br2 (accept all INPUT from the bridges; the per-port
# REJECT rules inserted further down land above these and take precedence)
iptables -D INPUT -i br1 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br1 -j ACCEPT
iptables -D INPUT -i br2 -j ACCEPT 2> /dev/null > /dev/null
iptables -I INPUT -i br2 -j ACCEPT

# In the BROUTING chain DROP means "route, don't bridge": IPv4 from the guest bridges is
# handed to the IP layer so the iptables FORWARD rules below actually see it
ebtables -t broute -D BROUTING -i br1 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br1 -p ipv4 -j DROP
ebtables -t broute -D BROUTING -i br2 -p ipv4 -j DROP 2> /dev/null > /dev/null
ebtables -t broute -I BROUTING -i br2 -p ipv4 -j DROP


# Allow br1 and br2 WAN access (every rule is inserted at the top with -I, so the DROP
# rules added after these end up above them and are matched first)
iptables -t nat -I POSTROUTING -o "$WAN_IF" -j SNAT --to "$WANIP"
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br2 -m state --state NEW -j ACCEPT

# Block br1 and br2 access to br0
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br0 -m state --state NEW -j DROP


# Isolate br1 and br2 from each other
iptables -I FORWARD -i br1 -o br2 -m state --state NEW -j DROP
iptables -I FORWARD -i br2 -o br1 -m state --state NEW -j DROP

# Block br1 and br2 from accessing the router
#iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j DROP
#iptables -I FORWARD -i br2 -d 192.168.1.0/24 -m state --state NEW -j DROP


# Block br1 from accessing the router by port:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Block br2 from accessing the router by port:
iptables -I INPUT -i br2 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br2 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Reload dnsmasq so it picks up the per-bridge pools from dnsmasq.conf.add
service restart_dnsmasq

logger -st "($(basename $0))" $$ "Martineau Wifi Bridge configuration Complete."

Basically the script creates two bridges, using the appropriate dnsmasq.conf.add directives:

Code:
# Bridge br1 uses DHCP pool 10.1.245.2 - 10.1.245.20 DNS is Google
interface=br1
dhcp-range=br1,10.1.245.2,10.1.245.20,255.255.255.0,86400s
dhcp-option=br1,3,10.1.245.1
dhcp-option=br1,6,8.8.8.8,8.8.4.4

# Bridge br2 uses DHCP pool 10.2.245.2 - 10.2.245.20 DNS is ISP (default)
interface=br2
dhcp-range=br2,10.2.245.2,10.2.245.20,255.255.255.0,86400s
dhcp-option=br2,3,10.2.245.1

# Bridge br3 uses DHCP pool 10.3.0.2 - 10.3.0.20 DNS is ISP (default)
interface=br3
dhcp-range=br3,10.3.0.2,10.3.0.20,255.255.255.0,86400s
dhcp-option=br3,3,10.3.0.1

Internet access from all three laptops seemed fine, and (according to dnsleaktest) HP-X360 was correctly using Google DNS whilst the other two were using my ISP's DNS.

P.S. This is not my main router, so this test configuration using the 380.58 Alpha was only in use for less than an hour to prove that different Guest subnets are possible!

(I did encounter some quirks with SSH access to the router, but this may be due to the test firmware?)
 

beady_uk

Occasional Visitor
This is exactly what I have been looking to do. Can someone supply a bit of info on how to create the bridges and how to create the dnsmasq.conf file? I know it would need to go into the jffs folder but I'm a bit new to this.

Also, would this be possible using wl0.1 for the 2.4 guest network rather than creating bridges, e.g.:
Code:
interface=wl0.1
dhcp-range=wl0.1,10.3.0.2,10.3.0.20,255.255.255.0,86400s
dhcp-option=wl0.1,3,10.3.0.1

Thanks
 


MVD

New Around Here
Thanks for the reply! I got some of it to work, but I ran into some problems.

Code:
Bad argument `SNAT'
Try `iptables -h' or 'iptables --help' for more information.

This is what I get when the script runs. Not sure what the problem is here. I am able to connect my client to the guest network, but it does not show up in the client list on the router, and the client does not have internet access. Looking at the client's ifconfig, it did get the desired IP address, but the Default Gateway is empty.

Any thoughts on this?
 

Martineau

Part of the Furniture
Thanks for the reply! I got some of it to work, but I ran into some problems.



This is what I get when the script runs. Not sure what the problem is here. I am able to connect my client to the guest network, but it does not show up in the client list on the router, and the client does not have internet access. Looking at the client's ifconfig, it did get the desired IP address, but the Default Gateway is empty.

Any thoughts on this?

Unable to test at the moment, but unless the router address specified isn't correct etc. then I can't think of a reason...........short of wiping your RT-87U :p........then do the test scenario as I described without anything else configured such as VPNs etc. :(

Did you try restarting dnsmasq? and check the logs for errors?
 

beady_uk

Occasional Visitor
Unable to test at the moment, but unless the router address specified isn't correct etc. then I can't think of a reason...........short of wiping your RT-87U :p........then do the test scenario as I described without anything else configured such as VPNs etc. :(

Did you try restarting dnsmasq? and check the logs for errors?
I have set this up now on an RT-AC87U running HGGomes firmware and it is working perfectly. I have not set the VPN up yet, but the guest network is using a different DHCP range and has internet access but no intranet access.

Is there any way to expand on this to restrict the bandwidth of the guest networks (br1)

Many thanks
 

Martineau

Part of the Furniture
I have set this up now on an RT-AC87U running HGGomes firmware and it is working perfectly. I have not set the VPN up yet, but the guest network is using a different DHCP range and has internet access but no intranet access.

Is there any way to expand on this to restrict the bandwidth of the guest networks (br1)

Many thanks

Depends.....

I briefly played with manually emulating QOS with a script probably >18 months ago, but I think at the time RMerlin said that IMQ (Ingress) wasn't (yet) supported on ARM?

Clearly ASUS have done an awful lot of design changes to their Traditional/Adaptive QOS so things have undoubtedly moved on so I haven't revisited the way QOS is now currently implemented via the GUI.

I'm sure appropriate 'tc qdisc' etc. commands should work....but as the saying goes

"In theory, there is no difference between theory and practice, but in practice, there is" !:cool:

P.S. I suggest you open a separate Bandwidth Restriction thread rather than hijack this thread! :p
 

beady_uk

Occasional Visitor
Unable to test at the moment, but unless the router address specified isn't correct etc. then I can't think of a reason...........short of wiping your RT-87U :p........then do the test scenario as I described without anything else configured such as VPNs etc. :(

Did you try restarting dnsmasq? and check the logs for errors?

I had this working fine but after a while I get this

Code:
Jan 28 19:09:43 rc_service: httpd 759:notify_rc restart_wireless
Jan 28 19:09:45 kernel: br0: port 2(eth1) entering forwarding state
Jan 28 19:09:45 kernel: device eth1 left promiscuous mode
Jan 28 19:09:45 kernel: br0: port 2(eth1) entering disabled state
Jan 28 19:09:45 kernel: br1: port 1(wl0.1) entering forwarding state
Jan 28 19:09:45 kernel: device wl0.1 left promiscuous mode
Jan 28 19:09:45 kernel: br1: port 1(wl0.1) entering disabled state
Jan 28 19:09:47 kernel: wl_module_init: passivemode set to 0x0
Jan 28 19:09:47 kernel: wl_module_init: igs set to 0x0
Jan 28 19:09:47 kernel: wl_module_init: txworkq set to 0x1
Jan 28 19:09:47 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.105 (r485445)
Jan 28 19:09:54 kernel: device eth1 entered promiscuous mode
Jan 28 19:09:54 kernel: br0: topology change detected, propagating
Jan 28 19:09:54 kernel: br0: port 2(eth1) entering forwarding state
Jan 28 19:09:54 kernel: br0: port 2(eth1) entering forwarding state
Jan 28 19:10:00 kernel: device wl0.1 entered promiscuous mode
Jan 28 19:10:00 kernel: br0: topology change detected, propagating
Jan 28 19:10:00 kernel: br0: port 3(wl0.1) entering forwarding state
Jan 28 19:10:00 kernel: br0: port 3(wl0.1) entering forwarding state

And my guest network is assigned an IP address in the normal range. Nothing in router adjusted or fiddled with. It was working fine then not.

Any idea?

Thanks
 

Martineau

Part of the Furniture
I had this working fine but after a while I get this

Code:
Jan 28 19:09:43 rc_service: httpd 759:notify_rc restart_wireless
Jan 28 19:09:45 kernel: br0: port 2(eth1) entering forwarding state
Jan 28 19:09:45 kernel: device eth1 left promiscuous mode
Jan 28 19:09:45 kernel: br0: port 2(eth1) entering disabled state
Jan 28 19:09:45 kernel: br1: port 1(wl0.1) entering forwarding state
Jan 28 19:09:45 kernel: device wl0.1 left promiscuous mode
Jan 28 19:09:45 kernel: br1: port 1(wl0.1) entering disabled state
Jan 28 19:09:47 kernel: wl_module_init: passivemode set to 0x0
Jan 28 19:09:47 kernel: wl_module_init: igs set to 0x0
Jan 28 19:09:47 kernel: wl_module_init: txworkq set to 0x1
Jan 28 19:09:47 kernel: eth1: Broadcom BCM4360 802.11 Wireless Controller 6.37.14.105 (r485445)
Jan 28 19:09:54 kernel: device eth1 entered promiscuous mode
Jan 28 19:09:54 kernel: br0: topology change detected, propagating
Jan 28 19:09:54 kernel: br0: port 2(eth1) entering forwarding state
Jan 28 19:09:54 kernel: br0: port 2(eth1) entering forwarding state
Jan 28 19:10:00 kernel: device wl0.1 entered promiscuous mode
Jan 28 19:10:00 kernel: br0: topology change detected, propagating
Jan 28 19:10:00 kernel: br0: port 3(wl0.1) entering forwarding state
Jan 28 19:10:00 kernel: br0: port 3(wl0.1) entering forwarding state

And my guest network is assigned an IP address in the normal range. Nothing in router adjusted or fiddled with. It was working fine then not.

Any idea?

Thanks

Conspiracy theorists are probably screaming at their screens shouting "Well that's what happens when using contentious software!" ;)
They may even go so far to reach unsubstantiated conclusions that perhaps the firmware got miffed and decided you should have all traffic back on the same LAN subnet where it can be more easily tracked etc. - but I personally couldn't possibly comment! :p

Anyway I left a laptop permanently running connected to br3 (with CONNECT AUTOMATICALLY=NO) last night on my main router, on the basis that if there was any overnight reverting to the normal LAN address, then I would be able to confirm it, and reboot the router before work.
However, after 12 hours the laptop was still connected to br3 with its isolated subnet.

Clearly if you didn't make the setting up of the Guest bridges persistent, i.e. if the router restarted, then that would certainly explain it! Otherwise check /etc/dnsmasq.conf to see if the DHCP pools for your bridges are still intact; if not then you will need to find out how/why/when it got changed.

As for the above messages in your logs, I don't think that shows anything untoward, but here is a link to a very good tutorial on how to interpret the Kernel bridge messages - particularly Example 21 etc.

http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/practical-example.html#BRIDGE-INIT-SCRIPT
 

beady_uk

Occasional Visitor
Conspiracy theorists are probably screaming at their screens shouting "Well that's what happens when using contentious software!" ;)
They may even go so far to reach unsubstantiated conclusions that perhaps the firmware got miffed and decided you should have all traffic back on the same LAN subnet where it can be more easily tracked etc. - but I personally couldn't possibly comment! :p

Anyway I left a laptop permanently running connected to br3 (with CONNECT AUTOMATICALLY=NO) last night on my main router, on the basis that if there was any overnight reverting to the normal LAN address, then I would be able to confirm it, and reboot the router before work.
However, after 12 hours the laptop was still connected to br3 with its isolated subnet.

Clearly if you didn't make the setting up of the Guest bridges persistent, i.e. if the router restarted, then that would certainly explain it! Otherwise check /etc/dnsmasq.conf to see if the DHCP pools for your bridges are still intact; if not then you will need to find out how/why/when it got changed.

As for the above messages in your logs, I don't think that shows anything untoward, but here is a link to a very good tutorial on how to interpret the Kernel bridge messages - particularly Example 21 etc.

http://www.tldp.org/HOWTO/BRIDGE-STP-HOWTO/practical-example.html#BRIDGE-INIT-SCRIPT

Thanks for testing that. If you could leave your router set up like that and disconnect your laptop, leave it for half an hour and then reconnect. Maybe disconnect and reconnect a couple of times over a couple of hours. That's how mine tripped up I think. Nothing was connected to the guest network and it went funky.

The log shows
Jan 28 19:09:45 kernel: br1: port 1(wl0.1) entering disabled state
I think that is when it went funky
 

Martineau

Part of the Furniture
Thanks for testing that. If you could leave your router set up like that and disconnect your laptop, leave it for half an hour and then reconnect. Maybe disconnect and reconnect a couple of times over a couple of hours. That's how mine tripped up I think. Nothing was connected to the guest network and it went funky.

The log shows
Jan 28 19:09:45 kernel: br1: port 1(wl0.1) entering disabled state
I think that is when it went funky

If /etc/dnsmasq.conf wasn't trashed then you will need to periodically check the state of the bridges with a cron job

Code:
brctl show

brctl showstp <bridge>

If any bridge port shows as 'disabled' for an extended period then you should be able to issue the appropriate command to manually set it back to 'forwarding' state

Code:
ip link set <bridge> up
 
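One way to automate the periodic bridge check suggested above, as an added example that is not Martineau's script or any other code from this thread: it parses `brctl show` output, reports guest interfaces that have drifted back to br0 (the symptom beady_uk describes), verifies that the per-bridge dhcp-range lines are still present, and prints the `brctl delif`/`addif` commands that would restore the intended membership. The interface-to-bridge mapping assumes the two-bridge script earlier in the thread, the `brctl` samples are constructed (modelled on beady_uk's output), and `cru` is Asuswrt-Merlin's cron helper.

```shell
#!/bin/sh
# Guest-bridge watchdog (added example, not Martineau's script).
# Detects guest WiFi interfaces that have drifted back to br0 and checks that
# the per-bridge DHCP pools are still configured.  Run with --live on the
# router; without it only the parsing functions are defined (testable offline).

# Intended membership, matching the two-bridge script earlier in the thread.
GUEST_IFACES="wl0.1 wl1.1 wl0.2 wl1.2"
wanted_bridge() {
    case "$1" in
        wl0.1|wl1.1) echo br1 ;;
        wl0.2|wl1.2) echo br2 ;;
    esac
}

# current_bridge IFACE "BRCTL_SHOW_OUTPUT": prints the bridge IFACE sits in,
# nothing if it is in no bridge.  brctl prints the bridge name only on the
# first line of each bridge; further interfaces follow on their own lines.
current_bridge() {
    printf '%s\n' "$2" | awk -v want="$1" '
        NR == 1 { next }                                  # header line
        NF >= 3 { br = $1; iface = (NF >= 4) ? $4 : "" }  # bridge line
        NF <  3 { iface = $NF }                           # continuation line
        iface == want { print br; exit }
    '
}

# drift_report "BRCTL_SHOW_OUTPUT": one line "IFACE CURRENT WANTED" per
# interface sitting in the wrong bridge.  An interface absent from every
# bridge (guest SSID disabled in the GUI) is not reported as drift.
drift_report() {
    for iface in $GUEST_IFACES; do
        want=$(wanted_bridge "$iface")
        have=$(current_bridge "$iface" "$1")
        [ -n "$have" ] && [ "$have" != "$want" ] && echo "$iface $have $want"
    done
    return 0
}

# repair_commands "BRCTL_SHOW_OUTPUT": the brctl commands that would undo the
# drift.  Printed rather than run so they can be reviewed (pipe into sh to apply).
repair_commands() {
    drift_report "$1" | while read -r iface have want; do
        echo "brctl delif $have $iface"
        echo "brctl addif $want $iface"
    done
}

# pool_present BRIDGE "DNSMASQ_CONF_TEXT": succeeds if a dhcp-range for BRIDGE
# is still configured (the /etc/dnsmasq.conf check suggested in the thread).
pool_present() {
    printf '%s\n' "$2" | grep -q "^dhcp-range=$1,"
}

# Constructed sample in the shape of beady_uk's output: wl0.1 drifted to br0
# (the br2 bridge id is made up).
SAMPLE_DRIFTED='bridge name     bridge id               STP enabled     interfaces
br0             8000.14dda9c94df8       yes             eth1
                                                        vlan1
                                                        wl0.1
br1             8000.000000000000       no
br2             8000.14dda9c94dfa       no              wl0.2
                                                        wl1.2'
# Constructed healthy state, as seen after a reboot.
SAMPLE_OK='bridge name     bridge id               STP enabled     interfaces
br0             8000.14dda9c94df8       yes             eth1
                                                        vlan1
br1             8000.14dda9c94df9       no              wl0.1
                                                        wl1.1
br2             8000.14dda9c94dfa       no              wl0.2
                                                        wl1.2'
# Constructed dnsmasq fragment with only the br1 pool (br2 pool "lost").
SAMPLE_CONF='interface=br1
dhcp-range=br1,10.1.245.2,10.1.245.20,255.255.255.0,86400s
dhcp-option=br1,3,10.1.245.1'

# Live mode, e.g. scheduled every 5 minutes with Merlin's cron helper:
#   cru a BridgeWatch "*/5 * * * * /jffs/scripts/bridge_watchdog.sh --live"
# Set APPLY=1 to run the repair commands instead of only logging them.
if [ "${1:-}" = "--live" ]; then
    live=$(brctl show)
    drift=$(drift_report "$live")
    if [ -n "$drift" ]; then
        logger -st "($(basename "$0"))" $$ "Guest bridge drift: $(echo "$drift" | tr '\n' ';')"
        [ "${APPLY:-0}" = 1 ] && repair_commands "$live" | sh
    fi
    for br in br1 br2; do
        pool_present "$br" "$(cat /etc/dnsmasq.conf)" ||
            logger -st "($(basename "$0"))" $$ "dnsmasq pool for $br missing - check /jffs/configs/dnsmasq.conf.add"
    done
fi
```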

beady_uk

Occasional Visitor
If /etc/dnsmasq.conf wasn't trashed then you will need to periodically check the state of the bridges with a cron job

Code:
brctl show

brctl showstp <bridge>

If any bridge port shows as 'disabled' for an extended period then you should be able to issue the appropriate command to manually set it back to 'forwarding' state

Code:
ip link set <bridge> up
Thanks for all the help so far. Running those commands gives me this
Code:
/$ brctl show
bridge name    bridge id            STP enabled    interfaces
br0            8000.14dda9c94df8    yes            eth1
                                                   vlan1
                                                   wl0.1
br1            8000.000000000000    no

/$ brctl showstp br1
br1
bridge id        8000.000000000000
designated root    8000.000000000000
root port           0            path cost           0
max age          20.00            bridge max age          20.00
hello time           2.00            bridge hello time       2.00
forward delay          15.00            bridge forward delay      15.00
ageing time         300.00
hello timer           1.50            tcn timer           0.00
topology change timer       0.00            gc timer          68.66
flags          


/$ brctl showstp br0
br0
bridge id        8000.14dda9c94df8
designated root    8000.14dda9c94df8
root port           0            path cost           0
max age          20.00            bridge max age          20.00
hello time           2.00            bridge hello time       2.00
forward delay           0.00            bridge forward delay       0.00
ageing time         300.00
hello timer           1.34            tcn timer           0.00
topology change timer       0.00            gc timer          77.05
flags
The guest network br1 is currently using IP addresses in the normal range. wl0.1 is currently in br0 but I don't know why, because if I reboot the router it will be in br1 and start using IP addresses in my specified range (192.168.2.2 - .30). I see the forward delay and bridge forward delay are different between br0 and br1; not sure if that makes a difference.

Hopefully this is a simple fix that I have overlooked.

Thanks
 

Martineau

Part of the Furniture
Code:
brctl show
bridge name    bridge id            STP enabled  interfaces
br0            8000.14dda9c94df8    yes          eth1
                                                 vlan1
                                                 wl0.1
br1            8000.000000000000    no
/

Hopefully this is a simple fix that I have overlooked.


So have you actually enabled the Guest network instance in the GUI that you are trying to assign to br1 ?

Try enabling ALL 6 Guests, then if br1 doesn't get a WiFi interface then I suspect you have probably mistyped the interface?

e.g. The following statement won't work!

Code:
brctl addif br1 w11.1

and you will get an error message! :rolleyes:
 

beady_uk

Occasional Visitor
So have you actually enabled the Guest network instance in the GUI that you are trying to assign to br1 ?

Try enabling ALL 6 Guests, then if br1 doesn't get a WiFi interface then I suspect you have probably mistyped the interface?

e.g. The following statement won't work!

Code:
brctl addif br1 w11.1

and you will get an error message! :rolleyes:
Yeah, as I said, this works perfectly after a reboot. This is what I get after a reboot when everything is working:
Code:
/tmp/home/root$ brctl show
bridge name          bridge id              STP enabled        interfaces
br0                  8000.14dda9c94df8      yes                 eth1
                                                                vlan1
br1                  8000.14dda9c94df9       no                 wl0.1

/tmp/home/root$ brctl showstp br1
br1
bridge id        8000.14dda9c94df9
designated root    8000.14dda9c94df9
root port           0            path cost           0
max age          20.00            bridge max age          20.00
hello time           2.00            bridge hello time       2.00
forward delay          15.00            bridge forward delay      15.00
ageing time         300.00
hello timer           0.33            tcn timer           0.00
topology change timer       0.00            gc timer         264.32
flags    


wl0.1 (1)
port id        8001            state             forwarding
designated root    8000.14dda9c94df9    path cost         100
designated bridge    8000.14dda9c94df9    message age timer       0.00
designated port    8001            forward delay timer       0.00
designated cost       0            hold timer           0.00
flags

As you can see wl0.1 is now in br1. Now after a few connections and disconnections from my guest network (br1) this goes wonky and puts wl0.1 into br0.

I am currently running HGGomes 380.57.2 so I may try Merlin firmware tomorrow and see if it makes a difference.

Thanks again for all the help
 

dougruns

Occasional Visitor
I want to apply this solution, but I have a question about the script you provided. Your instructions say "reset, configure internet and vpn, then run this." Do I need to put this script somewhere to run on every boot or will the new bridges persist through a power loss?

 

nukleuz

New Around Here
Hi, I have used your script to be able to separate the WiFi networks from each other. Thank you so much! :)

But regarding the third question he had (using a VPN for one of these networks), doesn't that work with this? I have tried to fill in «Routing policy» for the whole subnet (e.g. 10.1.0.1/24) and for one unique IP address, but when I connect one client to this subnet/IP there is no internet connection. I have tried the connection and it works:

Code:
$ curl --interface tun11 https://api.ipify.org?format=json
{"ip":"196.52.2.44"}

I can mention that I have tried to toggle the «Create NAT on tunnel» option with no luck.

Do I need some additional rules set up to make this work? The best thing would have been if I could use the GUI interface.

 

Martineau

Part of the Furniture
Hi, I have used your script to be able to separate the WiFi networks from each other. Thank you so much! :)

But regarding the third question he had (using a VPN for one of these networks), doesn't that work with this? I have tried to fill in «Routing policy» for the whole subnet (e.g. 10.1.0.1/24) and for one unique IP address, but when I connect one client to this subnet/IP there is no internet connection.
Wow!...revisiting my post from 2 years ago!! :eek::eek:
The best thing would have been if I could use the GUI interface.
Sadly not possible.
But regarding the third question he had (using a VPN for one of these networks) doesn't work with this.

Do I need some additional rules set up to make this work?
YES ....If you're asking for this? (2 VPN Client and 2 WiFi SSID: how to route traffic)
Code:
./WiFiVPN.sh status

(WiFiVPN.sh): 15091 v1.03 © 2016-2018 Martineau, WiFi VPN status request.....[status]
 WiFi->VPN Configuration Status for interfaces:
 wl0.1   G241IoT          2.4GHz Guest 1
 wl0.2   G242             2.4GHz Guest 2
 wl0.3   G243BR3NY        2.4GHz Guest 3  (10.88.101.0/24) routed through tunnel VPN Client 1 (HMA New York) using VPN DNS (104.223.91.194) via bridge:br1
 wl1.1   G51IoT           5GHz   Guest 1
 wl1.3   G53BR3UK         5GHz   Guest 3  (10.88.102.0/24) routed through tunnel VPN Client 2 (HMA UK) using VPN DNS (208.67.222.222) via bridge:br2
 eth1    Mart1n3auWPA     2.4GHz Network
 eth2    Mart1n3auMedia   5GHz   Network

P.S. What router are you using?, my WiFiVPN.sh script doesn't work on some models:(
 
