Restricted Guest Networks with DHCP - one IP range?


bengalih

Senior Member
So, it has been a while since I set this up and I don't remember exactly where I got this info, but it was from some post or tutorial here or within the Merlin wiki. The challenge was I wanted to set up guest WiFi networks, but since I don't use the on-box DHCP for my network and because I chose to disable "Access Intranet", the clients had an issue with getting DHCP addresses since they were blocked from sending to the LAN.

So I followed the guidelines and set up some firewall and dnsmasq scripts. The dnsmasq script is roughly something like:

Code:
#!/bin/sh
# dnsmasq.postconf (Merlin): edits the generated config before dnsmasq starts.
. /usr/sbin/helper.sh   # provides pc_delete / pc_append

# Drop the line Merlin adds when the router's own DHCP server is disabled
pc_delete "no-dhcp-interface=br0" /tmp/etc/dnsmasq.conf

pc_append "
# Custom - $script_name
log-dhcp
dhcp-authoritative

# Guest SSID on radio 0 (wl0.1): listen on the interface, hand out a scope,
# a default gateway (option 3) and DNS servers (option 6)
interface=wl0.1
dhcp-range=wl0.1,172.20.20.150,172.20.20.199,255.255.255.0,86400s
dhcp-option=wl0.1,3,172.20.20.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4

# Guest SSID on radio 1 (wl1.1): the same, on its own subnet
interface=wl1.1
dhcp-range=wl1.1,172.20.30.150,172.20.30.199,255.255.255.0,86400s
dhcp-option=wl1.1,3,172.20.30.1
dhcp-option=wl1.1,6,8.8.8.8,8.8.4.4
" /tmp/etc/dnsmasq.conf

It had me setting up one interface and associated IP address per WiFi network along with a DHCP scope. Then, I needed to configure firewall rules to allow these subnets everywhere but my local LAN (that config is below). Revisiting some of my configuration this week I am left wondering:

Is it necessary to actually define 2 different subnets for 2 different WiFi networks?

After all, my main 2.4 and 5 GHz WiFi networks are both on the same subnet and both use the same IP range from my LAN DHCP server. I want to have a guest 2.4 and 5 GHz network as well - but why do they each need their own IP range? Can I configure this in a way that both interfaces are just on say the 172.20.20.x network? It seems like the offered configuration was just more complexity than is required.

For completeness, here are also my ifconfig and firewall commands which create and route the interfaces:

Code:
#!/bin/sh
# firewall-start (Merlin): runs again on every firewall restart, so each rule
# is deleted (-D) before it is inserted (-I) to avoid duplicate copies.

LAN_NET=10.10.10.0/24   # the main LAN; guest clients must not reach it

# Configure Guest WiFi interfaces (one router address per interface)
ifconfig wl0.1 172.20.20.1 netmask 255.255.255.0
ifconfig wl1.1 172.20.30.1 netmask 255.255.255.0

# seems to work without dropping these added by router to block intranet access
# /usr/sbin/ebtables -D FORWARD -i wl0.1 -j DROP
# /usr/sbin/ebtables -D FORWARD -o wl0.1 -j DROP

guest_rules() {
    # $1 = guest interface.
    # A DROP in the broute BROUTING chain means "do not bridge this frame,
    # hand it to the IP stack", so the guest interface is routed rather than
    # bridged into br0. That is what keeps guests off the LAN segment and
    # lets the router's own dnsmasq answer their DHCP requests.
    for proto in arp ipv4 ipv6; do
        /usr/sbin/ebtables -t broute -D BROUTING -p $proto -i $1 -j DROP
    done
    for proto in arp ipv4 ipv6; do
        /usr/sbin/ebtables -t broute -I BROUTING -p $proto -i $1 -j DROP
    done

    # Allow everything from the guest interface except traffic for the LAN.
    # Both rules use -I (insert at the top), so the DROP inserted second ends
    # up above the ACCEPT and is evaluated first.
    for chain in FORWARD INPUT; do
        /usr/sbin/iptables -D $chain -i $1 -j ACCEPT
        /usr/sbin/iptables -D $chain -i $1 -d $LAN_NET -j DROP
        /usr/sbin/iptables -I $chain -i $1 -j ACCEPT
        /usr/sbin/iptables -I $chain -i $1 -d $LAN_NET -j DROP
    done
}

guest_rules wl0.1
guest_rules wl1.1
 
Anyone? Is it not possible to host two guest WiFi networks (one on each channel) but use the same DHCP scope for both?
 
@Martineau - hey man, I'm just calling your attention to this because I saw your posts here, and instead of necroing that thread and quoting it here I'm doing the reverse.

Is what I want to do possible? Have 2 separate guest WiFi networks (wl0.1, wl1.1), but have them each provide addresses on the same DHCP network?
I thought about just binding each interface to a different IP on the same subnet and then configuring non-overlapping ranges, but:

1) I didn't know if this would even work *this way*
2) I didn't know if there was a better way
3) I didn't know if this idea was even possible, or if both interfaces have to actually "route" between them and the internet and having the same subnet would just be impossible.

Any thoughts?
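Two checks a practitioner would want to run against a layout like the one in this thread, as an added example (editor's code; not the poster's scripts and not part of Asuswrt-Merlin). The first replays the posted iptables lines into the ordered chain netfilter would actually hold and evaluates packets through it, which makes the dependence on `-I` ordering visible. The second checks an address plan for the consistency a single-subnet, two-interface layout would need (pools inside the subnet, router addresses outside the pools, no overlap); it does not model how dnsmasq picks a range, so it says nothing about whether dnsmasq will serve such a plan. Only the `-i/-o/-s/-d/-j` matches that appear on the page are modelled, the chain policy is assumed to be ACCEPT, and all rules and addresses below are constructed sample input based on the post's values; the shared-subnet plan (wl1.1 at 172.20.20.2) is an assumption about one possible layout.

```python
"""Sanity checks for a routed guest-WiFi layout (added editor's example)."""
import ipaddress

# Constructed sample: the FORWARD lines from the post, as run from firewall-start.
POSTED_RULES = """
/usr/sbin/iptables -D FORWARD -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl0.1 -d 10.10.10.1/24 -j DROP
/usr/sbin/iptables -I FORWARD -i wl1.1 -j ACCEPT
/usr/sbin/iptables -I FORWARD -i wl1.1 -d 10.10.10.1/24 -j DROP
"""

def build_chain(script, chain="FORWARD"):
    """Replay iptables lines into the ordered rule list netfilter would hold.
    -I (no index) inserts at the head, -A appends, -D is skipped because it
    only removes a stale copy left by a previous run."""
    rules = []
    for line in script.splitlines():
        tok = line.split()
        if len(tok) < 3 or not tok[0].endswith("iptables") or "-t" in tok:
            continue                      # blank, ebtables, or a non-filter table
        op, target_chain, opts = tok[1], tok[2], tok[3:]
        if target_chain != chain or op == "-D":
            continue
        rule = {"in": None, "out": None, "src": None, "dst": None, "target": None}
        for flag, val in zip(opts[::2], opts[1::2]):   # every modelled flag takes a value
            if flag == "-i":
                rule["in"] = val
            elif flag == "-o":
                rule["out"] = val
            elif flag == "-s":
                rule["src"] = ipaddress.ip_network(val, strict=False)
            elif flag == "-d":
                rule["dst"] = ipaddress.ip_network(val, strict=False)  # 10.10.10.1/24 -> 10.10.10.0/24
            elif flag == "-j":
                rule["target"] = val
        if op == "-I":
            rules.insert(0, rule)
        elif op == "-A":
            rules.append(rule)
    return rules

def verdict(rules, in_if, dst, src="0.0.0.0", out_if=None, policy="ACCEPT"):
    """First matching rule wins, as in netfilter; fall through to the chain policy."""
    dst, src = ipaddress.ip_address(dst), ipaddress.ip_address(src)
    for r in rules:
        if r["in"] and r["in"] != in_if:
            continue
        if r["out"] and r["out"] != out_if:
            continue
        if r["src"] and src not in r["src"]:
            continue
        if r["dst"] and dst not in r["dst"]:
            continue
        return r["target"]
    return policy

def guest_isolation(script, guest_ifs, lan_host, internet_host="1.1.1.1"):
    """Per guest interface: (verdict for a LAN host, verdict for an Internet host).
    Isolation is as intended when every entry is ('DROP', 'ACCEPT')."""
    chain = build_chain(script)
    return {g: (verdict(chain, g, lan_host), verdict(chain, g, internet_host))
            for g in guest_ifs}

def check_scopes(plan):
    """plan: [(iface, 'router-addr/prefix', pool_start, pool_end), ...].
    Returns a list of problems; empty means each pool lies inside its
    interface's subnet, excludes the router's own address, and no two pools
    overlap (what a one-subnet, two-interface layout would have to satisfy)."""
    problems, pools = [], []
    for name, cidr, lo, hi in plan:
        router = ipaddress.ip_interface(cidr)
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        if lo > hi:
            problems.append(f"{name}: pool start {lo} is after end {hi}")
        if lo not in router.network or hi not in router.network:
            problems.append(f"{name}: pool {lo}-{hi} is outside {router.network}")
        if lo <= router.ip <= hi:
            problems.append(f"{name}: router address {router.ip} is inside the pool")
        for other, olo, ohi in pools:
            if lo <= ohi and olo <= hi:
                problems.append(f"{name} and {other}: pools overlap")
        pools.append((name, lo, hi))
    return problems

# Constructed: the two-subnet plan from the post.
POSTED_PLAN = [("wl0.1", "172.20.20.1/24", "172.20.20.150", "172.20.20.199"),
               ("wl1.1", "172.20.30.1/24", "172.20.30.150", "172.20.30.199")]
# Constructed assumption: one subnet for both guest interfaces, with a second
# router address and a non-overlapping pool for wl1.1.
SHARED_PLAN = [("wl0.1", "172.20.20.1/24", "172.20.20.150", "172.20.20.199"),
               ("wl1.1", "172.20.20.2/24", "172.20.20.200", "172.20.20.249")]

if __name__ == "__main__":
    print("posted rules:", guest_isolation(POSTED_RULES, ["wl0.1", "wl1.1"], "10.10.10.50"))
    # Same lines with -A: the blanket ACCEPT now precedes the DROP, the LAN is reachable.
    print("with -A:     ", guest_isolation(POSTED_RULES.replace(" -I ", " -A "),
                                           ["wl0.1", "wl1.1"], "10.10.10.50"))
    print("posted plan:", check_scopes(POSTED_PLAN))
    print("shared plan:", check_scopes(SHARED_PLAN))
```

The replay shows why the posted script works only as written: every rule is added with `-I`, so the DROP towards 10.10.10.0/24 lands above the blanket ACCEPT purely because it is inserted second. Changing the lines to `-A`, or swapping their order, puts the ACCEPT first and the guest SSID can reach the LAN without any error being reported. Running `iptables -L FORWARD -v -n --line-numbers` on the router after firewall-start confirms the live order.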