Need help with guest network and lan routing


Rambo

New Around Here
Hi All,

First thank you to all people here helping with network stuff! I just discovered the jffs and script support in Merlin firmware and am trying some network setups.

My main goal is to have different guest networks going through different VPN clients. Each guest network should have access to the LAN devices and see all traffic from it.

So first, I used the tutorial available here: https://github.com/RMerl/asuswrt-me...or-VPN-and-SSID-for-Regular-ISP-using-OpenVPN
I had to adjust it a bit because as I was saving settings in the router GUI, some iptables rules were disappearing. Now I have a setup that handles config changes well.

Second step, I added some iptables FORWARD rules to accept traffic from Guest1 to LAN and from LAN to Guest1 and it works well too. I can connect both ways:

iptables -I FORWARD -s $WRLSS_IF_NTWK_ADDR/24 -d <MY_LAN_SUBNET> -j ACCEPT
iptables -I FORWARD -s <MY_LAN_SUBNET> -d $WRLSS_IF_NTWK_ADDR/24 -j ACCEPT

But now I would like to have access, from my guest network, to all packets coming from the LAN subnet so I can see my wireless speakers available in Spotify for example.

So I see two potential solutions (but not sure they all work):

1. Is there a way to use the same subnet with multiple DHCP servers and multiple devices? E.g.: LAN DHCP could give IPs from 192.168.0.10 to 192.168.0.50, then wl1.1 could give IPs from 192.168.0.51 to 192.168.0.70, etc.? I tried to assign the same subnet range to the DHCP of both LAN and wl1.1 in dnsmasq.conf but I always get an IP from the LAN DHCP.

That way I would not have to bother with routing the packets from one subnet to another, but I don't know if it's possible...

2. Have some iptables rules or something else that will forward all ip from LAN subnet to guest subnet. I already used the following command: echo 1 > /proc/sys/net/ipv4/ip_forward but I see that the value is already 1 when I reboot the router. Right now, with the two FORWARD rules I mentioned before and the ip_forward set to 1, I still don't see my speakers in spotify when connected to the guest wireless connection.

I'm still not a super wiz in networking so any help would be REALLY appreciated :)

Thank you very much!
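The post above describes two FORWARD rules that kept disappearing whenever settings were saved in the GUI. On Asuswrt-Merlin the usual fix is to put such rules in /jffs/scripts/firewall-start, which the firmware runs every time it rebuilds the firewall, and to make the script idempotent so repeated runs do not stack duplicate rules. The script below is an added example written for this thread; it is not code from the original post, from the linked Merlin wiki page, or from YazFi. It assumes a guest subnet of 192.168.5.0/24 and a LAN subnet of 192.168.0.0/24 (the placeholders in the post are not filled in), and it goes slightly beyond the post by also offering a mode in which only the LAN may open connections toward the guest network.

```shell
#!/bin/sh
# /jffs/scripts/firewall-start
#
# Added example, not code from the original post or the guides it links.
# Asuswrt-Merlin runs firewall-start every time it rebuilds the firewall
# (for instance after saving settings in the GUI), so rules added here are
# re-applied instead of disappearing.
#
# Assumed values (not stated as such in the thread): guest subnet
# 192.168.5.0/24, LAN subnet 192.168.0.0/24.  Override via environment.
GUEST_NET="${GUEST_NET:-192.168.5.0/24}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
IPT="${IPT:-iptables}"   # overridable so the logic can be exercised without root

# add_rule_once CHAIN RULE... : insert RULE at the top of CHAIN unless an
# identical rule is already present.  "iptables -C" exits 0 when the rule
# exists, which keeps repeated runs idempotent instead of stacking duplicates.
add_rule_once() {
    chain="$1"; shift
    if "$IPT" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPT" -I "$chain" 1 "$@"
}

# apply_guest_lan_rules MODE :
#   two_way      both sides may open connections (the setup in the post)
#   lan_to_guest only the LAN may open connections; the guest side is
#                limited to replies on flows the LAN started
apply_guest_lan_rules() {
    case "$1" in
        two_way)
            add_rule_once FORWARD -s "$GUEST_NET" -d "$LAN_NET" -j ACCEPT
            add_rule_once FORWARD -s "$LAN_NET" -d "$GUEST_NET" -j ACCEPT
            ;;
        lan_to_guest)
            add_rule_once FORWARD -s "$LAN_NET" -d "$GUEST_NET" -j ACCEPT
            add_rule_once FORWARD -s "$GUEST_NET" -d "$LAN_NET" \
                -m state --state ESTABLISHED,RELATED -j ACCEPT
            ;;
        *)
            echo "usage: apply_guest_lan_rules two_way|lan_to_guest" >&2
            return 2
            ;;
    esac
}

# Only act when executed as the firewall-start hook; sourcing the file or
# running it under another name just defines the functions above.
case "${0##*/}" in
    firewall-start) apply_guest_lan_rules "${GUEST_MODE:-two_way}" ;;
esac
```

Save it as /jffs/scripts/firewall-start, make it executable, and set `GUEST_MODE=lan_to_guest` in the environment (or edit the default) if the guest side should not be able to reach LAN hosts on its own. Because every rule goes through `iptables -C` first, running the script by hand after a GUI change is safe.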
 

Jack Yaz

Part of the Furniture
https://www.snbforums.com/threads/y...-merlin-guest-wifi-inc-ssid-vpn-client.45924/

Should do what you need :)
 

Rambo

New Around Here
Hi Jack!

Yes I tried your wonderful script some days ago, but I had some problems with internet access. When I applied the configuration using your script, I could not reach external websites. I had the same problem with Merlin's tutorial at first. Then I realized that some of the if conditions that apply iptables rules simply check if there are rules for a specific tunnel device already in iptables (e.g.: tun11), and because I also run a VPN server with some iptables rules for the same tunnel, it wasn't applying the needed iptables rules.

I managed to modify the if conditions to be a little bit more precise and now it works. I wonder if your script has the same conditions as Merlin's. Now that I know a little better what's happening I will revisit your script again to see if I can manage to get it working.

Thank you!
 

Jack Yaz

Part of the Furniture
Can't say I've seen any issues. I use YazFi on 3 different SSIDs on different VPN clients. I'd be interested in seeing the diagnostics from your setup!
 

Rambo

New Around Here
Ok so I've used your script again Jack and it works. But, I am basically at the same place as I was with my custom setup: even though I enabled Two way with guest mode, I still can't see my Sonos speakers in Spotify. For the record, I have one pair connected by 2.4 GHz Wi-Fi and one pair connected by Ethernet cables.

I can access my LAN devices directly if I know the IP address, but the "broadcasted" packets if you will are not going to the other subnet.

Do you have any idea how I could make it to work?

Thanks
 

Rambo

New Around Here
These are my settings:

wl11_ENABLED=true
wl11_IPADDR=192.168.5.0
wl11_DHCPSTART=2
wl11_DHCPEND=254
wl11_DNS1=192.168.0.1
wl11_DNS2=192.168.0.1
wl11_FORCEDNS=false
wl11_REDIRECTALLTOVPN=true
wl11_VPNCLIENTNUMBER=1
wl11_TWOWAYTOGUEST=true
wl11_ONEWAYTOGUEST=false
wl11_CLIENTISOLATION=false
 

Jack Yaz

Part of the Furniture
Can you check if reflector is enabled in
Code:
/tmp/avahi/avahi-daemon.conf
Please?
 

Jack Yaz

Part of the Furniture
Yes it is:

[reflector]
enable-reflector=yes

Thank you
OK so mDNS should be making it between subnets. Is it just Sonos that is affected? I've tested using Chromecast and that works with the reflector enabled
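The check Jack asks for above only covers one switch: avahi's reflector repeats multicast DNS (UDP 5353 to 224.0.0.251) between the interfaces avahi-daemon itself serves, and the allow-interfaces / deny-interfaces keys in the [server] section of the same file can silently leave the guest interface out even when enable-reflector=yes. It also carries nothing but mDNS, so a device that is found by another multicast protocol will not cross subnets this way regardless of the reflector setting (the thread does not establish which protocol the speakers rely on). The script below is an added example written for this thread, not code from the thread or from YazFi; it assumes the config path Jack named, /tmp/avahi/avahi-daemon.conf, and the interface names br0 (LAN bridge) and wl1.1 (guest), which are assumptions.

```shell
#!/bin/sh
# check-mdns.sh
#
# Added example, not code from the thread or from YazFi: a read-only check
# of the avahi settings that decide whether mDNS is reflected between the
# LAN bridge and a guest interface.  avahi only reflects between the
# interfaces it serves, which [server] allow-interfaces / deny-interfaces
# narrow down, and only when [reflector] enable-reflector=yes.
#
# Assumptions (not stated in the thread): config path as Jack named it,
# LAN bridge br0, guest interface wl1.1.
CONF="${CONF:-/tmp/avahi/avahi-daemon.conf}"

# conf_get FILE SECTION KEY : print the value of KEY inside [SECTION] of an
# INI-style file, skipping comment lines; print nothing if it is unset.
conf_get() {
    awk -v sect="$2" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            s = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
            in_sect = (s == "[" sect "]"); next
        }
        in_sect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# in_list NAME LIST : succeed if NAME is one of the comma-separated LIST
# entries (the format avahi uses for allow-/deny-interfaces).
in_list() {
    printf '%s\n' "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF -- "$1"
}

# reflector_covers FILE IFACE : succeed when the reflector is enabled and
# IFACE is neither excluded by deny-interfaces nor left out of a non-empty
# allow-interfaces, i.e. avahi will reflect mDNS to and from IFACE.
reflector_covers() {
    conf="$1"; iface="$2"
    [ "$(conf_get "$conf" reflector enable-reflector)" = "yes" ] || return 1
    allow=$(conf_get "$conf" server allow-interfaces)
    deny=$(conf_get "$conf" server deny-interfaces)
    if [ -n "$deny" ] && in_list "$iface" "$deny"; then return 1; fi
    if [ -n "$allow" ] && ! in_list "$iface" "$allow"; then return 1; fi
    return 0
}

# Report only when run as the script itself; sourcing just defines functions.
case "${0##*/}" in
    check-mdns|check-mdns.sh)
        for i in br0 wl1.1; do
            if reflector_covers "$CONF" "$i"; then
                echo "$i: avahi reflects mDNS on this interface"
            else
                echo "$i: NOT covered (check enable-reflector, allow-interfaces, deny-interfaces)"
            fi
        done
        ;;
esac
```

If both interfaces report as covered and a device still does not show up, watch the wire rather than the config: `tcpdump -i wl1.1 -n udp port 5353` (tcpdump from Entware) on the router should show the LAN device's answers being repeated onto the guest interface when the phone queries; if the answers are there but the app still lists nothing, the app is looking for something other than mDNS.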
 

Rambo

New Around Here
Unfortunately, I don't have any Google Chromecast at home, but so far Spotify does not list any local devices (my Sonos speakers and my PS4). Same thing for Tidal, no Sonos at all. In both cases, Apple AirPlay works. I always see all my AirPlay devices.
 

Rambo

New Around Here
Ha, interesting detail: if I minimise and get back to Spotify non-stop on my phone to force a "scan", the Sonos speakers appear sometimes! So the packets are passing from subnet to subnet, but for some reason not always, or maybe not all types of packets broadcast by the speakers. Or because the IP is different, Spotify doesn't "cache" them the same way. Lots of possibilities :)

Edit: In Tidal, the same method doesn't work at all. I have never seen any Sonos speakers in Tidal so far with that setup.
 

Rambo

New Around Here
I think I'll just flip my config to work around that problem.

Right now I use the main LAN wifi without a VPN, and use the guest network to go through the VPN.

Instead, I'll assign my phone a static IP on the LAN wifi and route that IP through the VPN. And the guest network will not use the VPN at all. So I'll always be on the main LAN wifi to enjoy the VPN, and receive all the Sonos packets at the same time. And for the rare times I can't use the VPN, I'll simply connect to the guest network. In that case, I don't care if I don't receive all LAN packets because it's temporary.

So thank you anyway for your support Jack! I'll still use your script to configure those guest networks, so thank you for the good work :) Cheers!
 
