Voxel r7800, Voxel firmware and Guest Networks


violetaruth

Occasional Visitor
First let me just say again the Voxel firmware is wonderful.

I have an edge case that I wondered if anyone had a solution to:

I'm using a pi-hole for DNS black holing and DHCP. I want to use the r7800 guest network mode and block guest users from accessing my local network but still access the internet. However, if I do this, guests can't see the pi-hole as it's not running on the r7800, so they don't get DHCP/DNS.

Does anyone know of a method to allow access to one specific LAN IP (i.e. the one that has the pi-hole) to get DHCP and DNS and isolate the rest of the network in guest mode?

Thanks for any thoughts on this edge case!
 
Using custom iptables would work.
You would need to create those tables in a firewall-start.sh script placed in /opt/scripts.

 
It's not iptables that you'd need to look into but ebtables
(traffic on an ethernet bridge does not pass through iptables).

If I'm correct, this would allow DNS requests to the pihole from the 2.4 GHz GuestWifi:
ebtables -I INPUT -p IPv4 -i ath11 --ip-proto udp --ip-dport 53 --dst <Pihole IP-address>
ebtables -I INPUT -p IPv4 -i ath11 --ip-proto tcp --ip-dport 53 --dst <Pihole IP-address>

For 5 GHz GuestWifi insert similar rules for ath01,

and for DHCP you'd also need to insert the rules for --ip-proto udp --ip-dport 67:68 (UDP only).

If you found the right rules to insert, then it's probably best to edit /lib/wifi/qcawifi.sh to add them there
(otherwise the router could decide to wipe them out when something else changes).
 
Yes, iptables for router, ebtables for bridge.

You did not specify which mode you are using (or I did not see it).
 
My comment is true both for router mode and AP mode. Traffic between wired interfaces and all 4 wireless interfaces in all cases only goes through ebtables because they are connected to the same bridge.

Only traffic from those interfaces from and to the router and traffic from and to the internet goes via iptables.
 
Sorry to resurrect an old thread... but this one is close to matching my question though not with a complete answer ;).

I'm trying to do the same. In my case, it's a R9000 running latest Voxel. The R9000 is active as router, providing the guest WLAN. It is also the DHCP server.
In the LAN network, a PiHole is running. On the R9000, I've changed /etc/init.d/net-lan to set the DNS server to the PiHole. This works fine for the LAN/WLAN, but, as expected, now the guest WLAN does not have access to the DNS.

I'd be happy to have the guest network use an external DNS, though would prefer using the PiHole. I've tried the above ebtables (and iptables to be sure).

Since I believe it should be ebtables, I just had to change the above example lines as, as given, they needed either a MAC address instead of an IP, or --ip-dst <IP>.
I added the lines for both ath01 and ath11, but still the guest clients cannot reach the PiHole. If I remove the rules blocking all traffic from ath[x]1 to the LAN, it works. Confirms ebtables seems the way to go, but I can't get it to work!

Any ideas? Anything about ebtables I'm missing perhaps?

Thanks for any help!
 
Resurrected with a solution ;)

The key was, I realised after some sleep, that the commands only allowed traffic with destination IP/port 53. In the standard R9000 configuration, the block between LAN/WLAN is both ways, so rules also need to be added for the source.
So, for both 5 GHz/2.4 GHz and TCP/UDP (DNS uses both), I added the following 8 rules:

# guest -> Pi-hole (request direction)
ebtables -I FORWARD -i ath11 -p IPv4 --ip-proto udp --ip-dport 53 --ip-dst [DNS_IP] -j ACCEPT
ebtables -I FORWARD -i ath11 -p IPv4 --ip-proto tcp --ip-dport 53 --ip-dst [DNS_IP] -j ACCEPT
ebtables -I FORWARD -i ath01 -p IPv4 --ip-proto udp --ip-dport 53 --ip-dst [DNS_IP] -j ACCEPT
ebtables -I FORWARD -i ath01 -p IPv4 --ip-proto tcp --ip-dport 53 --ip-dst [DNS_IP] -j ACCEPT

# Pi-hole -> guest (reply direction, pinned to the guest interface with -o so each band gets its own rule)
ebtables -I FORWARD -o ath11 -p IPv4 --ip-proto udp --ip-sport 53 --ip-src [DNS_IP] -j ACCEPT
ebtables -I FORWARD -o ath11 -p IPv4 --ip-proto tcp --ip-sport 53 --ip-src [DNS_IP] -j ACCEPT
ebtables -I FORWARD -o ath01 -p IPv4 --ip-proto udp --ip-sport 53 --ip-src [DNS_IP] -j ACCEPT
ebtables -I FORWARD -o ath01 -p IPv4 --ip-proto tcp --ip-sport 53 --ip-src [DNS_IP] -j ACCEPT

Working like a charm now!
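An added example, not posted by anyone in this thread and not part of Voxel's firmware: a firewall-start.sh-style script (the /opt/scripts location and the ath01/ath11 guest interfaces come from the thread) that generates the bidirectional DNS exception from the post above for every guest interface, adds the DHCP pair (68->67 out, 67->68 back) that the earlier reply mentioned for the case where the Pi-hole is also the DHCP server, and applies the rules without stacking duplicates on every run. The default PIHOLE_IP is a constructed sample, the `-o` pinning of the reply direction is an assumption that keeps the exception as narrow as the request direction, and the delete-then-insert probe is used because legacy ebtables has no rule-check command.

```shell
#!/bin/sh
# Added example (not from the thread): ebtables exceptions that let guest-WLAN
# clients reach only the Pi-hole for DNS (53 tcp+udp) and DHCP (67/68 udp) while
# the stock guest-isolation rules keep blocking everything else on the bridge.
# Assumptions (adjust for your network): PIHOLE_IP is a constructed sample,
# GUEST_IFACES are the guest radios named in the thread.

PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"       # constructed sample; thread writes [DNS_IP]
GUEST_IFACES="${GUEST_IFACES:-ath01 ath11}" # 5 GHz / 2.4 GHz guest interfaces

# Print the four DNS rules for one guest interface, one per line.
# Request direction matches the ingress interface (-i), reply direction the
# egress interface (-o), so nothing else on the LAN is opened up.
dns_rules() {
  ip="$1"; ifc="$2"
  for proto in udp tcp; do
    echo "ebtables -I FORWARD -i $ifc -p IPv4 --ip-proto $proto --ip-dport 53 --ip-dst $ip -j ACCEPT"
    echo "ebtables -I FORWARD -o $ifc -p IPv4 --ip-proto $proto --ip-sport 53 --ip-src $ip -j ACCEPT"
  done
}

# DHCP: DISCOVER/REQUEST leave the client from 0.0.0.0 to the broadcast address,
# so the source/destination IP is deliberately not pinned here; only the
# interface and the 68->67 / 67->68 UDP port pair are matched.
dhcp_rules() {
  ifc="$1"
  echo "ebtables -I FORWARD -i $ifc -p IPv4 --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT"
  echo "ebtables -I FORWARD -o $ifc -p IPv4 --ip-proto udp --ip-sport 67 --ip-dport 68 -j ACCEPT"
}

# Full rule set for all guest interfaces.
all_rules() {
  for ifc in $GUEST_IFACES; do
    dns_rules "$PIHOLE_IP" "$ifc"
    dhcp_rules "$ifc"
  done
}

# Number of rules that would be installed (handy for a sanity check).
rule_count() { all_rules | wc -l | tr -d ' '; }

# Install the rules. Legacy ebtables has no -C, so an identical rule is first
# deleted (-D fails harmlessly when absent) and then inserted exactly once;
# this keeps the chain clean when the script is re-run after a wifi restart.
apply_rules() {
  all_rules | while IFS= read -r rule; do
    probe=$(printf '%s' "$rule" | sed 's/ -I / -D /')
    $probe 2>/dev/null || true
    $rule
  done
}

case "${1:-}" in
  apply) apply_rules ;;   # run as: sh firewall-start.sh apply
  *)     all_rules ;;     # default: just print what would be installed
esac
```

Run it without arguments first to review the generated rules, then with `apply`; if the router is itself the DHCP server (as in the R9000 post), the DHCP pair is harmless but unnecessary and can be dropped from all_rules.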
 