bengalih
Senior Member
So, it has been a while since I set this up and I don't remember exactly where I got this info, but it was from some post or tutorial here or within the Merlin wiki. The challenge was I wanted to setup guest WiFi networks, but since I don't use the on-box DHCP for my network and because I chose to disable "Access Intranet", the clients had an issue with getting DHCP addresses since they were blocked from sending to the LAN.
So I followed the guidelines and set up some firewall and dnsmasq scripts. The dnsmasq script is roughly something like:
Code:
# Merlin's helper.sh provides pc_delete/pc_append; sourced here so the script runs stand-alone
. /usr/sbin/helper.sh
pc_delete "no-dhcp-interface=br0" /tmp/etc/dnsmasq.conf
pc_append "
# Custom - $script_name
log-dhcp
dhcp-authoritative
interface=wl0.1
dhcp-range=wl0.1,172.20.20.150,172.20.20.199,255.255.255.0,86400s
dhcp-option=wl0.1,3,172.20.20.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4
interface=wl1.1
dhcp-range=wl1.1,172.20.30.150,172.20.30.199,255.255.255.0,86400s
dhcp-option=wl1.1,3,172.20.30.1
dhcp-option=wl1.1,6,8.8.8.8,8.8.4.4
" /tmp/etc/dnsmasq.conf
It had me setting up one interface and associated IP address per WiFi network along with a DHCP scope. Then, I needed to configure firewall rules to allow these subnets everywhere but my local LAN (that config is below). Revisiting some of my configuration this week I am left wondering:
Is it necessary to actually define 2 different subnets for 2 different WiFi networks?
After all, my main 2.4 and 5 GHz WiFi networks are both on the same subnet and both use the same IP range from my LAN DHCP server. I want to have a guest 2.4 and 5 GHz network as well - but why do they each need their own IP range? Can I configure this in a way that both interfaces are just on say the 172.20.20.x network? It seems like the offered configuration was just more complexity than is required.
For completeness, here are also my ifconfig and firewall commands which create and route the interfaces:
Code:
# Configure Guest WiFi interfaces
ifconfig wl0.1 172.20.20.1 netmask 255.255.255.0
ifconfig wl1.1 172.20.30.1 netmask 255.255.255.0
# seems to work without dropping these added by router to block intranet access
# /usr/sbin/ebtables -D FORWARD -i wl0.1 -j DROP
# /usr/sbin/ebtables -D FORWARD -o wl0.1 -j DROP
/usr/sbin/ebtables -t broute -D BROUTING -p arp -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -D BROUTING -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -D BROUTING -p ipv6 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl0.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl0.1 -j DROP
/usr/sbin/iptables -D FORWARD -i wl0.1 -j ACCEPT
/usr/sbin/iptables -D FORWARD -i wl0.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -D INPUT -i wl0.1 -j ACCEPT
/usr/sbin/iptables -D INPUT -i wl0.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -I FORWARD -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl0.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/ebtables -t broute -D BROUTING -p arp -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -D BROUTING -p ipv4 -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -D BROUTING -p ipv6 -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p arp -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv4 -i wl1.1 -j DROP
/usr/sbin/ebtables -t broute -I BROUTING -p ipv6 -i wl1.1 -j DROP
/usr/sbin/iptables -D FORWARD -i wl1.1 -j ACCEPT
/usr/sbin/iptables -D FORWARD -i wl1.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -D INPUT -i wl1.1 -j ACCEPT
/usr/sbin/iptables -D INPUT -i wl1.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -I FORWARD -i wl1.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl1.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -I INPUT -i wl1.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i wl1.1 -d 10.10.10.1/24 -j DROP
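As an added example that is not part of the original post: a small POSIX shell check, runnable on the router's busybox shell or anywhere, that reads `iptables -S FORWARD` output and confirms the guest isolation actually holds, i.e. that the "DROP to LAN" rule sits above the catch-all ACCEPT for each guest interface. The rule listings embedded below are constructed to match the post's rules (iptables prints the `-d 10.10.10.1/24` match as `10.10.10.0/24`), and the function and variable names are my own.

```shell
# Added check (not from the post): for each guest interface, the FORWARD
# chain must list "-d <LAN> -j DROP" before the catch-all "-j ACCEPT".
# iptables matches top-down, so if ACCEPT comes first the DROP never fires
# and guests reach the LAN. The post's script gets the order right because
# each -I goes to the top of the chain and DROP is inserted after ACCEPT.

# LAN network as iptables prints it (10.10.10.1/24 is normalised to this).
LAN_NET="10.10.10.0/24"

# guest_lan_blocked IFACE LAN_NET  <  "iptables -S FORWARD" output
# Exit 0 when the first DROP-to-LAN rule for IFACE precedes the first
# unconditional ACCEPT for IFACE (or no such ACCEPT exists), else exit 1.
# Negated matches ("! -i") are not handled; the post's rules use none.
guest_lan_blocked() {
    awk -v ifc="$1" -v net="$2" '
        $1 == "-A" && $2 == "FORWARD" {
            iface = ""; dst = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-i") iface = $(i + 1)
                else if ($i == "-d") dst = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (iface != ifc) next
            n++
            if (target == "DROP" && dst == net && !drop) drop = n
            if (target == "ACCEPT" && dst == "" && !acc) acc = n
        }
        END { if (drop && (!acc || drop < acc)) exit 0; exit 1 }'
}

# Constructed sample: what "iptables -S FORWARD" shows after the post's
# script has run (DROP above ACCEPT for both guest interfaces).
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -d 10.10.10.0/24 -i wl1.1 -j DROP
-A FORWARD -i wl1.1 -j ACCEPT
-A FORWARD -d 10.10.10.0/24 -i wl0.1 -j DROP
-A FORWARD -i wl0.1 -j ACCEPT'

# Constructed failure mode: ACCEPT above DROP, as you would get by appending
# the rules with -A in the order the script lists them.
SAMPLE_BAD='-P FORWARD ACCEPT
-A FORWARD -i wl0.1 -j ACCEPT
-A FORWARD -d 10.10.10.0/24 -i wl0.1 -j DROP'

for ifc in wl0.1 wl1.1; do
    if printf '%s\n' "$SAMPLE_RULES" | guest_lan_blocked "$ifc" "$LAN_NET"; then
        echo "$ifc: DROP to LAN precedes ACCEPT (isolated)"
    else
        echo "$ifc: ACCEPT precedes DROP, guest can reach the LAN"
    fi
done
```

On the router itself, replace the sample with a live listing: `iptables -S FORWARD | guest_lan_blocked wl0.1 "$LAN_NET"`; the INPUT chain from the post's script can be checked the same way by changing the chain name in the awk pattern.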