I realize now that the IP provided to ifconfig is the IP of the new interface associated w/ the guest radio. (I'm not sure why the other standard radios don't show up as having separate IPs when I do ifconfig, but whatever). I followed the instructions in the wiki post linked above and it's not working.
I created and chmodded /jffs/scripts/dnsmasq.postconf with the following (I verified using nvram that wl0.1 is the guest network of interest):
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
logger "dnsmasq-dhcp: Configure wl0.1 (Guest on 2.4GHz) to have special DHCP in VPN exclusion range"
ifconfig wl0.1 192.168.1.2 netmask 255.255.255.0
iptables -D INPUT -i wl0.1 -j ACCEPT
iptables -I INPUT -i wl0.1 -j ACCEPT
ebtables -t broute -D BROUTING -i wl0.1 -p ipv4 -j DROP
ebtables -t broute -I BROUTING -i wl0.1 -p ipv4 -j DROP
pc_append "
log-dhcp
interface=wl0.1
dhcp-range=wl0.1,192.168.1.192,192.168.1.255,255.255.255.0,86400s
dhcp-option=wl0.1,3,192.168.1.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4
" /tmp/etc/dnsmasq.conf
I run 'service restart_dnsmasq'. I can see my log entry appear in the syslog to say that my dnsmasq.postconf script ran. I can verify that the expected lines have been appended to the end of /tmp/etc/dnsmasq.conf:
log-dhcp
interface=wl0.1
dhcp-range=wl0.1,192.168.1.192,192.168.1.255,255.255.255.0,86400s
dhcp-option=wl0.1,3,192.168.1.1
dhcp-option=wl0.1,6,8.8.8.8,8.8.4.4
And use ifconfig to verify that the new IP has been associated w/ the guest network radio:
wl0.1 Link encap:Ethernet HWaddr 9C:5C:8E:XX:XX:XX
inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:45503
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
When I attempt to connect to the guest network, I get a password error. I have verified this error using the original password and a new one. I think this is actually a DNS error due to my changes, but maybe iOS just says 'invalid password' if it can't complete the connection setup.
When I increase the logging, I can see my device requesting an address via DHCP when I connect to the guest network. However, the IP offered and accepted is not in the new range I have specified for the DHCP supporting the guest network. The IP offered is the IP used by the device previously on the non-guest network. I don't know how to break that affinity for the old IP (from the standard, non-guest DHCP range). I'm not sure if the error is because the affinity-based IP offered is in the wrong range, or the secondary DHCP range is just not configured/working correctly. I don't see a DHCP-related error, but the device gets that password error for the SSID and that's the end of it.
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 available DHCP range: 192.168.1.20 -- 192.168.1.100
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 available DHCP range: 192.168.1.192 -- 192.168.1.255
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 client provides name: XXXX
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 DHCPDISCOVER(br0) 00:56:cd:XX:XX:XX
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 tags: lan, br0
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 DHCPOFFER(br0) 192.168.1.32 00:56:cd:XX:XX:XX
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 requested options: 1:netmask, 121:classless-static-route, 3:router,
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 requested options: 6:dns-server, 15:domain-name, 119:domain-search,
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 requested options: 252
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 next server: 192.168.1.1
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 1 option: 53 message-type 2
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 54 server-identifier 192.168.1.1
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 51 lease-time 1d
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 58 T1 12h
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 59 T2 21h
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 1 netmask 255.255.255.0
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 28 broadcast 192.168.1.255
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 1 option:252 0a
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 12 option: 15 domain-name meadow.local
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 12 option: 6 dns-server 8.8.8.8, 8.8.4.4, 192.168.1.1
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 3 router 192.168.1.1
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 available DHCP range: 192.168.1.20 -- 192.168.1.100
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 available DHCP range: 192.168.1.192 -- 192.168.1.255
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 client provides name: XXXX
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 DHCPREQUEST(br0) 192.168.1.32 00:56:cd:XX:XX:XX
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 tags: lan, br0
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 DHCPACK(br0) 192.168.1.32 00:56:cd:eXX:XX:XX XXXX
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 requested options: 1:netmask, 121:classless-static-route, 3:router,
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 requested options: 6:dns-server, 15:domain-name, 119:domain-search,
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 requested options: 252
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 next server: 192.168.1.1
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 1 option: 53 message-type 5
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 54 server-identifier 192.168.1.1
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 51 lease-time 1d
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 58 T1 12h
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 59 T2 21h
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 1 netmask 255.255.255.0
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 28 broadcast 192.168.1.255
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 1 option:252 0a
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 12 option: 15 domain-name meadow.local
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 12 option: 6 dns-server 8.8.8.8, 8.8.4.4, 192.168.1.1
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 sent size: 4 option: 3 router 192.168.1.1
When I manually add log-dhcp up at the top of /tmp/etc/dnsmasq.conf and restart the service, I am able to connect to the guest network. I get the same IP as before, but no error. More interestingly, I can see that both DHCP services seem to be responding to the request from the client (using the same IP). Do I need to do something in the script to except the guest radio from using the primary DHCP server? I think this is the issue, but I'm not sure how to do that.
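An added example, not part of the original post: a shell function that reads dnsmasq DHCP log lines in the format shown above and reports, for each DHCPOFFER or DHCPACK, which interface the request was handled on and whether the address falls inside the guest range (192.168.1.192 to 192.168.1.255 in the post). The names `dhcp_audit` and `sample_log` are hypothetical, and the sample log lines, MAC addresses and host names are constructed.

```shell
#!/bin/sh
# Audit dnsmasq DHCP log lines: which interface answered, and was the
# lease inside the intended guest range?
# Usage: dhcp_audit GUEST_IF RANGE_START RANGE_END < logfile
dhcp_audit() {
    awk -v gif="$1" -v lo="$2" -v hi="$3" '
    # Convert a dotted quad to a number so ranges can be compared.
    function ip2n(ip,   o) {
        if (split(ip, o, ".") != 4) return -1
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    BEGIN { lo_n = ip2n(lo); hi_n = ip2n(hi) }
    {
        # The DHCPxxx(iface) token moves one field right when log-dhcp
        # adds a transaction id, so search for it instead of fixing $N.
        for (i = 1; i < NF; i++) {
            if ($i ~ /^DHCP(OFFER|ACK)\(/) {
                kind = $i; sub(/\(.*/, "", kind)
                ifc = $i; sub(/^[^(]*\(/, "", ifc); sub(/\)$/, "", ifc)
                ip = $(i + 1); mac = $(i + 2)
                n = ip2n(ip)
                if (n < 0) next
                where = (n >= lo_n && n <= hi_n) ? "in-guest-range" : "outside-guest-range"
                via = (ifc == gif) ? "guest-if" : "other-if"
                print kind, ifc, ip, mac, via, where
                next
            }
        }
    }'
}

# Constructed sample input modelled on the log format in the post.
sample_log() {
    cat <<'EOF'
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 DHCPDISCOVER(br0) 02:00:00:00:00:01
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 tags: lan, br0
Sep 26 23:13:09 dnsmasq-dhcp[2547]: 3740738560 DHCPOFFER(br0) 192.168.1.32 02:00:00:00:00:01
Sep 26 23:13:10 dnsmasq-dhcp[2547]: 3740738560 DHCPACK(br0) 192.168.1.32 02:00:00:00:00:01 phone
Sep 26 23:20:00 dnsmasq-dhcp[2547]: 1234567890 DHCPACK(wl0.1) 192.168.1.200 02:00:00:00:00:02 tablet
EOF
}

sample_log | dhcp_audit wl0.1 192.168.1.192 192.168.1.255
```

A line marked `other-if outside-guest-range` for a client that joined the guest SSID means the request was handled on the bridge with the main LAN range, which is what the DHCPOFFER(br0) and "tags: lan, br0" entries in the log above show.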