Separate DHCP Range for Guest WiFi

HarryMuscle

Senior Member
I'm trying to set up a separate DHCP range for the guest WiFi. This is just a separate range and not a separate subnet. I've tried creating a new dnsmasq.conf.add file and adding the following:

interface=wl0.1
dhcp-range=wl0.1,192.168.1.200,192.168.1.250,255.255.255.0,86400
dhcp-option=wl0.1,3,192.168.1.1
dhcp-option=wl0.1,6,192.168.1.1

Unfortunately based on the DHCP logs it looks like incoming DHCP requests coming in through wl0.1 don't actually get tagged with wl0.1 but instead with br0 since the wl0.1 interface belongs to the br0 bridge. Is there any way to get DNSMasq to recognize the wl0.1 interface as a separate interface and tag requests coming in through that interface instead of just tagging them with the bridge interface name?
 
You need to remove wl0.1 from the bridge. There are numerous posts (including examples) about this subject in the forum. I'm sure if you search you will find your answer.

Edit: Or even look at the wiki: https://github.com/RMerl/asuswrt-merlin/wiki/How-to-have-dedicated-DHCP-options-bind-to-a-specific-SSID?

I looked into that wiki article but it addresses setting up a separate subnet on the guest wifi. Changing things to keep the same subnet results in the problem mentioned in my original post unfortunately.

I've also tried removing the wl0.1 interface from the br0 bridge but that doesn't work either, most likely because there aren't any routes set up for the wl0.1 interface directly.

Thanks,
Harry
 
Sorry, I missed the part about being on the same subnet. I don't know the answer to your question. I think that any solution would have to involve detaching the wireless interface from the bridge otherwise dnsmasq has no way of identifying the wireless traffic.
 
Looks like there's no easy way to do this while keeping everything on the same subnet ... so I decided to more or less follow the wiki article and go with separate subnets for the various guest WiFi interfaces. However, I improved on the example in the wiki by making sure all new IP table rules resemble existing rules and go in the correct locations since they are evaluated in order. Here's the final /jffs/scripts/dnsmasq.postconf script file:

Code:
#!/bin/sh

# Wait for all interfaces and IP table rules to be setup
sleep 5

# Find the IP table rule number for the !br0 interface that needs to be
# deleted
NUMBER=$(iptables --list FORWARD --line-numbers --verbose | \
  grep -m 1 "!br0   eth0" | cut -f 1 -d " ")

# Check if the IP table rule for the !br0 interface was found
if [ -n "$NUMBER" ]
then
  # Replace the IP table rule for the !br0 interface with individual
  # rules and interfaces not part of the br0 bridge
  iptables --delete FORWARD $NUMBER
  iptables --insert FORWARD $NUMBER --in-interface eth0 \
    --out-interface eth0 --jump DROP
  iptables --insert FORWARD $(($NUMBER + 1)) --in-interface lo \
    --out-interface eth0 --jump DROP
fi

# Declare the interfaces and last existing subnet number
INTERFACES="wl0.2 wl1.2 wl0.3 wl1.3"
NUMBER=1

# Loop through the interfaces
for INTERFACE in $INTERFACES
do
  # Assign an IP address to the interface
  ifconfig $INTERFACE 192.168.$((++NUMBER)).1 netmask 255.255.255.0
done

# Find the br0 interface rule number that will be mimicked
NUMBER=$(iptables --list INPUT --line-numbers --verbose | \
  grep -m 1 "br0    any" | cut -f 1 -d " ")

# Loop through the interfaces
for INTERFACE in $INTERFACES
do
  # Delete any existing identical IP table rule to avoid duplicates
  iptables --delete INPUT --in-interface $INTERFACE --match state \
    --state NEW --jump ACCEPT 2> /dev/null

  # Insert an IP table rule that mimics the existing br0 interface rule
  iptables --insert INPUT $((++NUMBER)) --in-interface $INTERFACE \
    --match state --state NEW --jump ACCEPT
done

# Find the br0 interface rule number that will be mimicked
NUMBER=$(iptables --list FORWARD --line-numbers --verbose | \
  grep -m 1 "br0    br0" | cut -f 1 -d " ")

# Loop through the interfaces
for INTERFACE in $INTERFACES
do
  # Delete any existing identical IP table rule to avoid duplicates
  iptables --delete FORWARD --in-interface $INTERFACE \
    --out-interface $INTERFACE --jump ACCEPT 2> /dev/null

  # Insert an IP table rule that mimics the existing br0 interface rule
  iptables -I FORWARD $((++NUMBER)) --in-interface $INTERFACE \
    --out-interface $INTERFACE --jump ACCEPT
done

# Find the br0 interface rule number that will be mimicked
NUMBER=$(iptables --list FORWARD --line-numbers --verbose | \
  grep -m 1 "br0    any" | cut -f 1 -d " ")

# Loop through the interfaces
for INTERFACE in $INTERFACES
do
  # Delete any existing identical IP table rule to avoid duplicates
  iptables --delete FORWARD --in-interface $INTERFACE --jump ACCEPT \
    2> /dev/null

  # Insert an IP table rule that mimics the existing br0 interface rule
  iptables --insert FORWARD $((++NUMBER)) --in-interface $INTERFACE \
    --jump ACCEPT
done

# Loop through the interfaces
for INTERFACE in $INTERFACES
do
  # Delete any existing identical ethernet table rules to avoid
  # duplicates
  ebtables --table broute --delete BROUTING --proto arp \
    --in-interface $INTERFACE --jump DROP 2> /dev/null
  ebtables --table broute --delete BROUTING --proto ipv4 \
    --in-interface $INTERFACE --jump DROP 2> /dev/null

  # Insert ethernet table rules to change the default bridging behaviour
  # to routing effectively removing the interface from the br0 bridge
  # without actually removing it and causing greater impact
  ebtables --table broute --insert BROUTING --proto arp \
    --in-interface $INTERFACE --jump DROP
  ebtables --table broute --insert BROUTING --proto ipv4 \
    --in-interface $INTERFACE --jump DROP
done

And here are the contents of the /jffs/configs/dnsmasq.conf.add file:

Code:
interface=wl0.2
dhcp-range=wl0.2,192.168.2.200,192.168.2.250,255.255.255.0,84600s
dhcp-option=wl0.2,3,192.168.2.1
dhcp-option=wl0.2,252,"\n"
interface=wl1.2
dhcp-range=wl1.2,192.168.3.200,192.168.3.250,255.255.255.0,84600s
dhcp-option=wl1.2,3,192.168.3.1
dhcp-option=wl1.2,252,"\n"
interface=wl0.3
dhcp-range=wl0.3,192.168.4.200,192.168.4.250,255.255.255.0,84600s
dhcp-option=wl0.3,3,192.168.4.1
dhcp-option=wl0.3,252,"\n"
interface=wl1.3
dhcp-range=wl1.3,192.168.5.200,192.168.5.250,255.255.255.0,84600s
dhcp-option=wl1.3,3,192.168.5.1
dhcp-option=wl1.3,252,"\n"

This has been fully tested. Feel free to offer suggestions and improvements, etc. The main idea behind this was to cause the least amount of configuration changes to get to the desired result. Also any configuration changes try to mimic existing configurations as closely as possible.

Thanks,
Harry
 
The original script was written on the RT-N66U router. Here is the updated copy of the script that I'm running on the RT-AC66U B1 router. There's an extra IP tables rule that needed to be dealt with. I also updated some settings for the UPnP service to work with the new subnets.

/jffs/scripts/firewall-start
Code:
#!/bin/sh

# Define the interfaces to configure, the interfaces not part of the
# br0 bridge, and the first subnet number
INTERFACES="wl0.2 wl1.2 wl0.3 wl1.3"
NON_BR0_INTERFACES="eth0 lo"
NUMBER=2

# Loop through the interfaces
for INTERFACE in $INTERFACES
do
  # Assign an IP address to the interface
  ifconfig $INTERFACE 192.168.$((NUMBER++)).1 netmask 255.255.255.0
done

# Find the !br0 interface rule number that will be deleted
NUMBER=$(iptables --list INPUT --line-numbers --verbose | \
  grep "PTCSRVWAN" | grep -m 1 "!br0   any" | cut -f 1 -d " ")

# Check if the !br0 interface rule number was found
if [ -n "$NUMBER" ]
then
  # Replace the IP table rule for the !br0 interface with individual
  # rules and interfaces not part of the br0 bridge
  iptables --delete INPUT $NUMBER
  for INTERFACE in $NON_BR0_INTERFACES
  do
    iptables --insert INPUT $((NUMBER++)) --in-interface $INTERFACE \
      --jump PTCSRVWAN
  done
fi

# Find the br0 interface rule number that will be mimicked
NUMBER=$(iptables --list INPUT --line-numbers --verbose | \
  grep "PTCSRVLAN" | grep -m 1 "br0    any" | cut -f 1 -d " ")

# Check if the br0 interface rule number was found
if [ -n "$NUMBER" ]
then
  # Loop through the interfaces
  for INTERFACE in $INTERFACES
  do
    # Delete any existing identical IP table rule to avoid duplicates
    iptables --delete INPUT --in-interface $INTERFACE --jump PTCSRVLAN \
      2> /dev/null

    # Insert an IP table rule that mimics the existing br0 interface rule
    iptables --insert INPUT $((++NUMBER)) --in-interface $INTERFACE \
      --jump PTCSRVWAN
  done
fi

# Find the br0 interface rule number that will be mimicked
NUMBER=$(iptables --list INPUT --line-numbers --verbose | \
  grep "ACCEPT" | grep "br0    any" | grep -m 1 "state NEW" | \
  cut -f 1 -d " ")

# Check if the br0 interface rule number was found
if [ -n "$NUMBER" ]
then
  # Loop through the interfaces
  for INTERFACE in $INTERFACES
  do
    # Delete any existing identical IP table rule to avoid duplicates
    iptables --delete INPUT --in-interface $INTERFACE --match state \
      --state NEW --jump ACCEPT 2> /dev/null

    # Insert an IP table rule that mimics the existing br0 interface rule
    iptables --insert INPUT $((++NUMBER)) --in-interface $INTERFACE \
      --match state --state NEW --jump ACCEPT
  done
fi

# Find the !br0 interface rule number that will be deleted
NUMBER=$(iptables --list FORWARD --line-numbers --verbose | \
  grep "DROP" | grep -m 1 "!br0   eth0" | cut -f 1 -d " ")

# Check if the !br0 interface rule number was found
if [ -n "$NUMBER" ]
then
  # Replace the IP table rule for the !br0 interface with individual
  # rules and interfaces not part of the br0 bridge
  iptables --delete FORWARD $NUMBER
  for INTERFACE in $NON_BR0_INTERFACES
  do
    iptables --insert FORWARD $((NUMBER++)) --in-interface $INTERFACE \
      --out-interface eth0 --jump DROP
  done
fi

# Find the br0 interface rule number that will be mimicked
NUMBER=$(iptables --list FORWARD --line-numbers --verbose | \
  grep "ACCEPT" | grep -m 1 "br0    br0" | cut -f 1 -d " ")

# Check if the br0 interface rule number was found
if [ -n "$NUMBER" ]
then
  # Loop through the interfaces including the br0 interface
  for INTERFACE in br0 $INTERFACES
  do
    # Loop through the interfaces including the br0 interface
    for OUT_INTERFACE in br0 $INTERFACES
    do
      # Check if we would be adding a br0 interface rule that already
      # exists
      if [ "$INTERFACE" = "br0" ] && [ "$OUT_INTERFACE" = "br0" ]
      then
        continue
      fi

      # Delete any existing identical IP table rule to avoid duplicates
      iptables --delete FORWARD --in-interface $INTERFACE \
        --out-interface $OUT_INTERFACE --jump ACCEPT 2> /dev/null

      # Insert an IP table rule that mimics the existing br0 interface
      # rule
      iptables -I FORWARD $((++NUMBER)) --in-interface $INTERFACE \
        --out-interface $OUT_INTERFACE --jump ACCEPT
    done
  done
fi

# Find the br0 interface rule number that will be mimicked
NUMBER=$(iptables --list FORWARD --line-numbers --verbose | \
  grep "ACCEPT" | grep -m 1 "br0    any" | cut -f 1 -d " ")

# Check if the br0 interface rule number was found
if [ -n "$NUMBER" ]
then
  # Loop through the interfaces
  for INTERFACE in $INTERFACES
  do
    # Delete any existing identical IP table rule to avoid duplicates
    iptables --delete FORWARD --in-interface $INTERFACE --jump ACCEPT \
      2> /dev/null

    # Insert an IP table rule that mimics the existing br0 interface rule
    iptables --insert FORWARD $((++NUMBER)) --in-interface $INTERFACE \
      --jump ACCEPT
  done
fi

# Loop through the interfaces
for INTERFACE in $INTERFACES
do
  # Delete any existing identical ethernet table rules to avoid
  # duplicates
  ebtables --table broute --delete BROUTING --proto ARP \
    --in-interface $INTERFACE --jump DROP 2> /dev/null
  ebtables --table broute --delete BROUTING --proto IPv4 \
    --in-interface $INTERFACE --jump DROP 2> /dev/null

  # Insert ethernet table rules to change the default bridging behaviour
  # to routing effectively removing the interface from the br0 bridge
  # without actually removing it and causing greater impact
  ebtables --table broute --append BROUTING --proto ARP \
    --in-interface $INTERFACE --jump DROP
  ebtables --table broute --append BROUTING --proto IPv4 \
    --in-interface $INTERFACE --jump DROP
done

/jffs/configs/dnsmasq.conf.add
Code:
interface=wl0.2
dhcp-range=wl0.2,192.168.2.200,192.168.2.250,255.255.255.0,86400s
dhcp-option=wl0.2,3,192.168.2.1
dhcp-option=wl0.2,252,"\n"
interface=wl1.2
dhcp-range=wl1.2,192.168.3.200,192.168.3.250,255.255.255.0,86400s
dhcp-option=wl1.2,3,192.168.3.1
dhcp-option=wl1.2,252,"\n"
interface=wl0.3
dhcp-range=wl0.3,192.168.4.200,192.168.4.250,255.255.255.0,86400s
dhcp-option=wl0.3,3,192.168.4.1
dhcp-option=wl0.3,252,"\n"
interface=wl1.3
dhcp-range=wl1.3,192.168.5.200,192.168.5.250,255.255.255.0,86400s
dhcp-option=wl1.3,3,192.168.5.1
dhcp-option=wl1.3,252,"\n"

/jffs/configs/upnp.add
Code:
allow 1-65535 192.168.2.1/255.255.255.0 1024-65535
allow 1-65535 192.168.3.1/255.255.255.0 1024-65535
allow 1-65535 192.168.4.1/255.255.255.0 1024-65535
allow 1-65535 192.168.5.1/255.255.255.0 1024-65535

Thanks,
Harry
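Both scripts above (the RT-N66U dnsmasq.postconf and the RT-AC66U B1 firewall-start) work by inserting ACCEPT rules that copy the existing br0 rules, and the nested loop in the second script inserts one for every pairing of br0 and a guest interface, so guest clients end up with forwarding rules into the LAN bridge and into the other guest SSIDs. What a practitioner wants after running either script is a way to confirm the chain still isolates the guests. The script below is an added example and is not code from the thread or from Asuswrt-Merlin; it assumes the guest interfaces are wl0.2 wl1.2 wl0.3 wl1.3, the LAN bridge is br0 and the WAN is eth0, and it reads the rule-spec form printed by `iptables -S FORWARD`, which is stable to parse, unlike the column-aligned `iptables -L -v` output that the greps in the scripts key on. The sample rule set is constructed.

```sh
#!/bin/sh
# Added example, not part of the thread: audit a FORWARD chain for guest isolation.
# Assumptions: guest SSIDs wl0.2 wl1.2 wl0.3 wl1.3, LAN bridge br0, WAN eth0.
# Input is the rule-spec form printed by `iptables -S FORWARD`.

GUEST_IFACES="wl0.2 wl1.2 wl0.3 wl1.3"
LAN_BRIDGE="br0"
WAN_IFACE="eth0"

# Constructed sample of `iptables -S FORWARD` output, shaped like what the
# br0-plus-guest nested loop in the firewall-start script would leave behind.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -i eth0 -o eth0 -j DROP
-A FORWARD -i lo -o eth0 -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -i br0 -o wl0.2 -j ACCEPT
-A FORWARD -i wl0.2 -o br0 -j ACCEPT
-A FORWARD -i wl0.2 -o wl0.2 -j ACCEPT
-A FORWARD -i wl0.2 -o eth0 -j ACCEPT
-A FORWARD -i wl0.2 -j ACCEPT
-A FORWARD -i br0 -j ACCEPT'

# Reduce each "-A" rule on stdin to "IN OUT TARGET". A missing -i/-o becomes
# "any"; a negated match ("! -i br0") is kept as "!br0".
parse_rules() {
    while read -r line; do
        case "$line" in
            "-A "*) ;;
            *) continue ;;
        esac
        in_if=any; out_if=any; target=-; neg=""
        set -- $line
        while [ $# -gt 0 ]; do
            case "$1" in
                '!') neg='!' ;;
                -i) in_if="$neg$2"; neg=""; shift ;;
                -o) out_if="$neg$2"; neg=""; shift ;;
                -j) target=$2; shift ;;
            esac
            shift
        done
        echo "$in_if $out_if $target"
    done
}

is_guest() {
    for g in $GUEST_IFACES; do
        [ "$1" = "$g" ] && return 0
    done
    return 1
}

# Print a reason and return 0 when an "IN OUT TARGET" triple lets a guest SSID
# reach the LAN bridge or another guest SSID; return 1 for harmless rules.
rule_violation() {
    [ "$3" = ACCEPT ] || return 1
    if is_guest "$1"; then
        case "$2" in
            "$1"|"$WAN_IFACE") return 1 ;;   # hairpin inside one SSID, or guest -> WAN
            any) echo "$1 -> any (catch-all; only earlier DROP rules limit it)" ;;
            *) echo "$1 -> $2" ;;
        esac
        return 0
    fi
    if is_guest "$2"; then
        echo "$1 -> $2"
        return 0
    fi
    return 1
}

# One line per offending rule in the given rule-spec text (empty when isolated).
isolation_violations() {
    printf '%s\n' "$1" | parse_rules | while read -r in_if out_if target; do
        rule_violation "$in_if" "$out_if" "$target" || :
    done
}

count_violations() { isolation_violations "$1" | wc -l | tr -d ' '; }

# Stand-alone use: `isolation_violations "$(iptables -S FORWARD)"` on the router,
# or the constructed sample here.
isolation_violations "$SAMPLE_RULES"
```

On the constructed sample the audit reports three rules: br0 -> wl0.2, wl0.2 -> br0, and the catch-all wl0.2 -> any. Rules that only let a guest SSID reach the WAN or its own interface are left alone, so a chain built the way the wiki article describes (guest to eth0 only) comes back empty.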
 
Code:
    # Find the br0 interface rule number that will be mimicked
    NUMBER=$(iptables -L INPUT --line-numbers -v | grep "PTCSRVLAN" | grep -m 1 "br0    any" | cut -f 1 -d " ")

    # Check if the br0 interface rule number was found
    if [[ $NUMBER ]]; then
        # Delete any existing identical IP table rule to avoid duplicates
        iptables -D INPUT -i $2 -j PTCSRVLAN 2> /dev/null

        # Insert an IP table rule that mimics the existing br0 interface rule
        iptables -I INPUT $((++NUMBER)) -i $2 -j PTCSRVWAN
    fi

Should these not all reference LAN rather than WAN on the last line?
 
I'm trying to assign my guest network SSID to a different DHCP range that aligns w/ my VPN exception (i.e. straight to WAN) range configuration. I'm following the wiki article here https://github.com/RMerl/asuswrt-me...dicated-DHCP-options-bind-to-a-specific-SSID?

I understand all of it except for one line. What is the IP address provided to the ifconfig command? I see that the router in this example is at 172.30.20.1, but what is 172.30.20.2?

Two follow-up notes:
  • I'm doing this because I'm having trouble connecting to some sites (bank, grocery store?) through my VPN provider (PIA) configured on the router. Rather than have to drop the VPN or try to find an unblocked VPN endpoint, I figured I would just configure a range to skip the VPN and then use the wiki-described approach to assign IPs in on one radio to the excepted range. I think this may be an easier solution than the others I've seen on here and on the wiki that route one SSID to VPN and one to WAN. Does my current approach seem reasonable or do I really need to go the other route?
  • I am using an Asus RT-AC1900 as my router and making this change on the guest network it hosts. I also have its demoted older cousin RT-N66U lurking downstairs providing wifi and range extension in the basement. I still have its guest network turned on, but it uses DHCP from the RT-AC1900 acting as the router. Is there a way to have the guest network SSID on the N66U speak to the special DHCP service I'm going to be launching on the AC1900?
Router is Asus RT-AC1900 running Asuswrt-Merlin 380.62_1. Access Point is Asus RT-N66U also running Asuswrt-Merlin 380.62_1. (I'm planning to upgrade the firmware to latest on both tomorrow.)
 
I realize now that the IP provided to ifconfig is the IP of the new interface associated w/ the guest radio. (I'm not sure why the other standard radios don't show up as having separate IPs when I do ifconfig, but whatever). I followed the instructions in the wiki post linked above and it's not working.

I created and chmodded /jffs/scripts/dnsmasq.postconf with the following (I verified using nvram that wl0.1 is the guest network of interest).

#!/bin/sh
CONFIG=$1
# Merlin's helper library providing pc_append (sourced with the POSIX "." form)
. /usr/sbin/helper.sh
logger "dnsmasq-dhcp: Configure wl0.1 (Guest on 2.4GHz) to have special DHCP in VPN exclusion range"
ifconfig wl0.1 192.168.1.2 netmask 255.255.255.0
iptables -D INPUT -i wl0.1 -j ACCEPT
iptables -I INPUT -i wl0.1 -j ACCEPT
ebtables -t broute -D BROUTING -i wl0.1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i wl0.1 -p ipv4 -j DROP
pc_append "
log-dhcp
interface=wl0.1
dhcp-range=wl0.1,192.168.1.192,192.168.1.255,255.255.255.0,86400s
dhcp-option=wl0.1,3,192.168.1.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4
" /tmp/etc/dnsmasq.conf

I run 'service restart_dnsmasq'. I can see my log entry appear in the syslog to say that my dnsmasq.postconf script ran. I can verify that the expected lines have been appended to the end of /tmp/etc/dnsmasq.conf.

log-dhcp
interface=wl0.1
dhcp-range=wl0.1,192.168.1.192,192.168.1.255,255.255.255.0,86400s
dhcp-option=wl0.1,3,192.168.1.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4

And use ifconfig to verify that the new IP has been associated w/ the guest network radio:

wl0.1 Link encap:Ethernet HWaddr 9C:5C:8E:XX:XX:XX
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:45503
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

When I attempt to connect to the guest network, I get a password error. I have verified this error using the original password and a new one. I think this is actually a DNS error due to my changes, but maybe iOS just says 'invalid password' if it can't complete the connection setup.

When I increase the logging, I can see my device requesting an address via DHCP when I connect to the guest network. However, the IP offered and accepted is not in the new range I have specified for the DHCP supporting the guest network. The IP offered is the IP used by the device previously on the non-guest network. I don't know how to break that affinity for the old IP (from the standard, non-guest DHCP range). I'm not sure if the error is because the affinity-based IP offered is in the wrong range, or the secondary DHCP range is just not configured/working correctly. I don't see a DHCP related error, but the device gets that password error for the SSID and that's the end of it.

Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 available DHCP range: 192.168.1.20 -- 192.168.1.100
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 available DHCP range: 192.168.1.192 -- 192.168.1.255
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 client provides name: XXXX
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 DHCPDISCOVER(br0) 00:56:cd:XX:XX:XX
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 tags: lan, br0
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 DHCPOFFER(br0) 192.168.1.32 00:56:cd:XX:XX:XX
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 requested options: 1:netmask, 121:classless-static-route, 3:router,
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 requested options: 6:dns-server, 15:domain-name, 119:domain-search,
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 requested options: 252
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 next server: 192.168.1.1
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 1 option: 53 message-type 2
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 54 server-identifier 192.168.1.1
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 51 lease-time 1d
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 58 T1 12h
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 59 T2 21h
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 1 netmask 255.255.255.0
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 28 broadcast 192.168.1.255
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 1 option:252 0a
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 12 option: 15 domain-name meadow.local
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 12 option: 6 dns-server 8.8.8.8, 8.8.4.4, 192.168.1.1
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 3 router 192.168.1.1
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 available DHCP range: 192.168.1.20 -- 192.168.1.100
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 available DHCP range: 192.168.1.192 -- 192.168.1.255
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 client provides name: XXXX
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 DHCPREQUEST(br0) 192.168.1.32 00:56:cd:XX:XX:XX
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 tags: lan, br0
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 DHCPACK(br0) 192.168.1.32 00:56:cd:eXX:XX:XX XXXX
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 requested options: 1:netmask, 121:classless-static-route, 3:router,
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 requested options: 6:dns-server, 15:domain-name, 119:domain-search,
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 requested options: 252
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 next server: 192.168.1.1
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 1 option: 53 message-type 5
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 54 server-identifier 192.168.1.1
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 51 lease-time 1d
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 58 T1 12h
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 59 T2 21h
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 1 netmask 255.255.255.0
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 28 broadcast 192.168.1.255
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 1 option:252 0a
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 12 option: 15 domain-name meadow.local
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 12 option: 6 dns-server 8.8.8.8, 8.8.4.4, 192.168.1.1
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 3 router 192.168.1.1

When I manually add log-dhcp up at the top of /tmp/etc/dnsmasq.conf and restart the service, I am able to connect to the guest network. I get the same IP as before, but no error. More interestingly, I can see that both DHCP services seem to be responding to the request from the client (using the same IP). Do I need to do something in the script to except the guest radio from using the primary DHCP server? I think this is the issue, but I'm not sure how to do that.
 
This is the part of the dnsmasq.conf that sets up the primary DHCP service.

dhcp-range=lan,192.168.1.20,192.168.1.100,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,6,8.8.8.8,8.8.4.4,0.0.0.0
dhcp-option=lan,15,meadow.local
dhcp-option=lan,44,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative

I'm wondering if the use of the 'lan' label (where 'wl0.1' is specified on the secondary DHCP) is a special tag that means "use for all DHCP requests on this local network" and so that range is still in effect when the guest network is used. I don't see 'lan' listed in the dnsmasq man page to confirm this.

If this is the case, how do I limit the scope of the primary DHCP range to only requests from the non-guest radio or ethernet connections?
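The log-dhcp excerpt above answers the 'lan' question: in dnsmasq the first bare field of a dhcp-range line (`lan` in the stock range, `wl0.1` in the added one) is a tag that the range sets on the requests it serves, the `set:` form in the man page, not a condition on which requests it accepts; dnsmasq separately tags every request with the name of the interface it arrived on, which is why the excerpt shows `tags: lan, br0`. The `interface=wl0.1` and `dhcp-option=wl0.1,...` lines can only take effect once requests actually arrive on wl0.1 rather than on the bridge, and the man page's `tag:` prefix (`dhcp-range=tag:br0,set:lan,...`) can then pin the stock range to br0. The first post in this thread hit the same thing: requests from a bridged wl0.1 are tagged br0. The script below is an added example, not code from the thread or from Asuswrt-Merlin; it parses log-dhcp lines in the format of the excerpt and reports on which interface a given client's lease was acknowledged, so a client known to be on the guest SSID can be checked directly. The guest interface name wl0.1 is taken from the posts; the MAC addresses, hostnames and the second transaction (what a request on a detached wl0.1 is assumed to look like) are constructed.

```sh
#!/bin/sh
# Added example, not part of the thread: parse dnsmasq `log-dhcp` output and check
# on which interface a known guest client's lease was acknowledged.
# Assumptions: guest SSID is wl0.1; sample log lines below are constructed.

GUEST_IFACE="wl0.1"

# Constructed sample in the log-dhcp format of the syslog excerpt above. The first
# transaction reproduces the symptom (seen on br0, tagged "lan, br0"); the second
# assumes dnsmasq tags a request arriving on a detached wl0.1 with that name.
SAMPLE_LOG='Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 DHCPDISCOVER(br0) 00:56:cd:aa:bb:cc
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 tags: lan, br0
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 DHCPOFFER(br0) 192.168.1.32 00:56:cd:aa:bb:cc
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 DHCPREQUEST(br0) 192.168.1.32 00:56:cd:aa:bb:cc
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 tags: lan, br0
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 DHCPACK(br0) 192.168.1.32 00:56:cd:aa:bb:cc phone1
Sep 26 23:14:02 dnsmasq-dhcp[2547]: 1122334455 DHCPDISCOVER(wl0.1) 00:56:cd:dd:ee:ff
Sep 26 23:14:02 dnsmasq-dhcp[2547]: 1122334455 tags: wl0.1
Sep 26 23:14:02 dnsmasq-dhcp[2547]: 1122334455 DHCPOFFER(wl0.1) 192.168.1.200 00:56:cd:dd:ee:ff
Sep 26 23:14:03 dnsmasq-dhcp[2547]: 1122334455 DHCPACK(wl0.1) 192.168.1.200 00:56:cd:dd:ee:ff phone2'

# Print "XID IFACE ADDR MAC TAGS" for every DHCPACK in the log text given as $1.
# TAGS is the last "tags:" line seen for that transaction, comma-joined, or "-".
lease_summary() {
    printf '%s\n' "$1" | awk '
        { xid = $5 }
        / tags: / { t = $0; sub(/.* tags: /, "", t); gsub(/, /, ",", t); tags[xid] = t; next }
        $6 ~ /^DHCPACK\(/ {
            iface = $6; sub(/^DHCPACK\(/, "", iface); sub(/\)$/, "", iface)
            t = (xid in tags) ? tags[xid] : "-"
            print xid, iface, $7, $8, t
        }'
}

# Interface on which the most recent lease for MAC $2 was acknowledged, or "-".
ack_iface_for_mac() {
    lease_summary "$1" | awk -v mac="$2" '$4 == mac { iface = $2 } END { r = iface ? iface : "-"; print r }'
}

# Tags dnsmasq attached to the most recent lease for MAC $2, or "-".
tags_for_mac() {
    lease_summary "$1" | awk -v mac="$2" '$4 == mac { t = $5 } END { r = t ? t : "-"; print r }'
}

# A client known to sit on the guest SSID must be acknowledged on wl0.1. An ACK on
# br0 means its frames are still bridged, so the interface=wl0.1 / dhcp-range=wl0.1
# lines never match and the stock "lan" range answers instead.
guest_detach_ok() {
    [ "$(ack_iface_for_mac "$1" "$2")" = "$GUEST_IFACE" ]
}

# Stand-alone use: guest_detach_ok "$(cat /tmp/syslog.log)" <mac>  (log path assumed)
for mac in 00:56:cd:aa:bb:cc 00:56:cd:dd:ee:ff; do
    if guest_detach_ok "$SAMPLE_LOG" "$mac"; then
        echo "$mac: served on $GUEST_IFACE, tags $(tags_for_mac "$SAMPLE_LOG" "$mac")"
    else
        echo "$mac: served on $(ack_iface_for_mac "$SAMPLE_LOG" "$mac"), tags $(tags_for_mac "$SAMPLE_LOG" "$mac"): still bridged"
    fi
done
```

Run against the real syslog with the MAC of a device that is definitely on the guest SSID; until that device shows up as acknowledged on wl0.1, changing the dhcp-range tags will not help, because no request carries the wl0.1 tag yet.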
 
I'm trying to assign my guest network SSID to a different DHCP range that aligns w/ my VPN exception (i.e. straight to WAN) range configuration. I'm following the wiki article here https://github.com/RMerl/asuswrt-merlin/wiki/How-to-have-dedicated-DHCP-options-bind-to-a-specific-SSID?

I understand all of it except for one line. What is the IP address provided to the ifconfig command? I see that the router in this example is at 172.30.20.1, but what is 172.30.20.2?

Two follow-up notes:
  • I'm doing this because I'm having trouble connecting to some sites (bank, grocery store?) through my VPN provider (PIA) configured on the router. Rather than have to drop the VPN or try to find an unblocked VPN endpoint, I figured I would just configure a range to skip the VPN and then use the wiki-described approach to assign IPs in on one radio to the excepted range. I think this may be an easier solution than the others I've seen on here and on the wiki that route one SSID to VPN and one to WAN. Does my current approach seem reasonable or do I really need to go the other route?
  • I am using an Asus RT-AC1900 as my router and making this change on the guest network it hosts. I also have its demoted older cousin RT-N66U lurking downstairs providing wifi and range extension in the basement. I still have its guest network turned on, but it uses DHCP from the RT-AC1900 acting as the router. Is there a way to have the guest network SSID on the N66U speak to the special DHCP service I'm going to be launching on the AC1900?
Router is Asus RT-AC1900 running Asuswrt-Merlin 380.62_1. Access Point is Asus RT-N66U also running Asuswrt-Merlin 380.62_1. (I'm planning to upgrade the firmware to latest on both tomorrow.)
Hi,

Please, in the meantime, after many years... I tried the same and I have the same error. Some sites are not loading.
Could you please let me know if you have found the root cause?
For me for instance below are not working as examples:

216.239.35.0
104.17.78.107

Thank you so much for any reply,
amplatfus
 
