Trying to understand Guest Network Pro limitations

While I’d be comfortable making these specific rules, following these guidelines, for average users (me), wouldn’t it be nice if this IPTables forwarding rule (if that is what it is called) could be incorporated into Merlin Firmware or an Addon? It just makes it easier to add, amend and delete.

There must be other folks that would like to assign e.g. Guest users, access to a single device on the primary network, like a printer.
This sounds like a great suggestion!
My idea would be to have this as an additional option in the DHCP section: when you assign a fixed IP to a device, to have the option to allow access to and/or from the device from other networks (VLANs).
 
I am running into Guest Pro issues not to be reported until further tracked down. But, I notice a lot of AVAHI in this thread. I want to clear out Avahi altogether to use pure DNS services through dnsmasq, mostly with DHCP IP and name assignments and very small DHCP pools per vlan/subnet/interface, if any, and a single unbound server for external recursive resolution. I suspect that sudden weird IOT device behavior, wireguard interactions, and vlan behaviors stem in part from DNS and mDNS interaction. According to Wikipedia, Multicast DNS (mDNS) is a computer networking protocol that resolves hostnames to IP addresses within small networks that do not include a local name server, which clearly is not the case. There are ancient threads regarding getting rid of Avahi that appear to be suggestive but inconclusive. Getting Avahi out of nsswitch.conf will help but I want to kill off any server or network debris related to Avahi, preferably before they can start. Concrete, workable suggestions appreciated.
 
This sounds like a great suggestion!
My idea would be to have this as an additional option in the DHCP section: when you assign a fixed IP to a device, to have the option to allow access to and/or from the device from other networks (VLANs).
Can we add a single field to each Guest Pro SDN page to allow a local network name and domain to be assigned, which will be used in dnsmasq-SDN.conf and also in dnsmasq.conf as server forwards to those SDN unique local network names? As a bonus, let the Vlan local network name also be a host address for the SDN's DNS service (dnsmasq)? My thought is to use the GUI to assign the local DNS server first in DHCP options and the main LAN server second.
 
I suspect that sudden weird IOT device behavior, wireguard interactions, and vlan behaviors stem in part from DNS and mDNS interaction.
What proof (like a system log or similar that can be verified) do you have that your Guest Network Pro issue stems from DNS and mDNS interaction? What proof (again system log or similar) is there that AVAHI is causing any issues with your Guest Network Pro configuration?
 
Can we add a single field to each Guest Pro SDN page to allow a local network name and domain to be assigned, which will be used in dnsmasq-SDN.conf and also in dnsmasq.conf as server forwards to those SDN unique local network names? As a bonus, let the Vlan local network name also be a host address for the SDN's DNS service (dnsmasq)? My thought is to use the GUI to assign the local DNS server first in DHCP options and the main LAN server second.
You can add whatever you want, it's your router. When it breaks I'm sure you'll be back asking for help again. Maybe you'll get "hacked" again 😂
 
Can we add a single field to each Guest Pro SDN page that to allow a local network name and domain be assigned ...
One can probably try setting a domain name for a Guest Network Pro profile (SDN) using dnsmasq-INDEX.conf.add (INDEX = SDN index number), and adding a custom domain. Make sure to set the appropriate permissions on the dnsmasq-INDEX.conf.add file and save it to the proper location on the Asus router.

Adding a custom domain

You can assign a domain simply by adding:

address=/router/192.168.1.1

Alternatively, if you continue to use add a custom domain to hosts in your (local) network:
local=/home.arpa/
domain=home.arpa
More general, possibly outdated, information here, adjusted to match the use of dnsmasq-INDEX.conf.add:
PS: If you want to change the GUI itself, that's up to you and it may introduce issues or problems if done incorrectly.
 
One can probably try setting a domain name for a Guest Network Pro profile (SDN) using dnsmasq-INDEX.conf.add (INDEX = SDN index number), and adding a custom domain. Make sure to set the appropriate permissions on the dnsmasq-INDEX.conf.add file and save it to the proper location on the Asus router.

More general, possibly outdated, information here, adjusted to match the use of dnsmasq-INDEX.conf.add:
PS: If you want to change the GUI itself, that's up to you and it may introduce issues or problems if done incorrectly.
Not seriously thinking of hacking the GUI. Honestly, just a thought. But I am trying to automate the process with simple configurable scripts.
 
Hello Everyone,
This is a very interesting thread. I have a RT-BE96U running AsusWRT-Merlin 3006.102.5 and am trying to do the same. Yet I am stuck one step behind everyone. My Chromecast with Google TV (mine is the 4K) will not connect to the internet over a Guest Network Pro IoT network. When I input the password to connect it to the IoT network, it times out with a message that it cannot connect, and when I go back to the previous menu to select the network again it says that it has the wrong password. This cannot be the case, though, as all my other devices connect with the same password to the IoT network without issue.

In short, the only way I can get my Chromecast with Google TV to currently work is connecting it over the main network. What specific (or custom) settings did others use to get Chromecast with Google TV to work with Guest Network Pro?
 
Hello Everyone,
This is a very interesting thread. I have a RT-BE96U running AsusWRT-Merlin 3006.102.5 and am trying to do the same. Yet I am stuck one step behind everyone. My Chromecast with Google TV (mine is the 4K) will not connect to the internet over a Guest Network Pro IoT network. When I input the password to connect it to the IoT network, it times out with a message that it cannot connect, and when I go back to the previous menu to select the network again it says that it has the wrong password. This cannot be the case, though, as all my other devices connect with the same password to the IoT network without issue.

In short, the only way I can get my Chromecast with Google TV to currently work is connecting it over the main network. What specific (or custom) settings did others use to get Chromecast with Google TV to work with Guest Network Pro?
Post readable screen shots of your Guest Network Pro settings and if using DNS Director, post those settings too. It will help others see what you see with respect to your settings.

Are you blocking Google's DNS servers (8.8.8.8, 8.8.4.4)?
Are you running any addon scripts, using VPN, using a local DNS resolver or sink hole like Diversion or Pi-Hole?
Are you doing any sort of website blocking, using QoS, AiProtection, or any other additional options or features on the router?
 
Google devices seem to force you to use 8.8.8.8 or 8.8.4.4.

Using the MAC address of your device in the DNS Director, assign it to use 8.8.8.8. I have all my Google devices set up this way.
 
In short, the only way I can get my Chromecast with Google TV to currently work is connecting it over the main network. What specific (or custom) settings did others use to get Chromecast with Google TV to work with Guest Network Pro?
I really like questions like this because hopefully I can contribute in a short post what represents hours of trial and error attempts to get things going. I have @bennor, @ColinTaylor, @dave14305, @Jeffrey Young, @visortgw and quite a few others to thank for this. Reference links to my trials, with further info here and here and here.

Notes:
  • My Chromecast with Google TV is on the IoT Network (53), on which I use WPA2 Personal so all the older IoT devices connect. As yours is a connectivity issue, it may be the first thing to try. It is 2.4 GHz only; GNP Menu, IoT Network, General. Start off by not hiding the SSID.
  • My DNS Server for that IoT Network is Default; GNP Menu, IoT Network, Advanced.
  • I have IPv6 enabled on the IoT Network; GNP Menu, IoT Network, Advanced.
  • I do not have Set AP isolated enabled in my IoT Network.
  • My DNS Server under WAN, Internet Connection is Cloudflare 1.1.1.1, 1.0.0.1, i.e. I am not using Google.
  • Under LAN, DHCP Server, DNS and WINS Server Setting, all fields are blank.
  • I do not use DNS Director; LAN, DNS Director menu, Enable DNS Director = OFF.
I did 3 things to make mine work the way I wanted it to in terms of accessing it from other Networks, although I am not convinced all of them are needed i.e. especially whether the avahi reflector is really required. You may only need one of them and it works for me via Manually Assigned DHCPs. I do have Set AP isolated in my Guest Network.

In firewall-start (/jffs/scripts/)

Code:
# Added by KM to allow Guest access to Chromecast with Google TV on IoT (53) from any client on GUEST Network (52) - WORKS
iptables -I FORWARD -i br52 -s 192.168.52.0/24 -d 192.168.53.239 -j ACCEPT
# Next line probably not required as you only really want one way access; this goes the other way
# iptables -I FORWARD -i br53 -s 192.168.53.239 -d 192.168.52.0/24 -j ACCEPT

In avahi-daemon.conf.add (/jffs/configs/)

Code:
[reflector]
enable-reflector=yes

# You may need to run dos2unix /jffs/configs/avahi-daemon.conf.add to make this a Unix File
# If you need additional configuration (inserts, amends) use avahi-daemon.postconf in /jffs/scripts
# Check it is running with: ps w | grep avahi-daemon

In dnsmasq-x.conf.add (/jffs/configs/); where x is your SDN number

Code:
dhcp-host=XX:XX:3B:XX:72:XX,192.168.53.239,SmurfCastTV,86400
# Restart the service by issuing, from the command line: service restart_dnsmasq

Note: This dnsmasq-x.conf.add file is only needed if you do not use the native DHCP reservations in Guest Network Pro (you can only do 32 in GNP and even that number may not be able to be reached due to memory limitations); you can also use YazDHCP beta version which now does manual assignments for multiple subnets, thanks to @Martinski.

Hopefully it works for you; come back and let us know.

k.
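
The first post in this thread asks for an easier way to add, amend and delete these forwarding rules, and the firewall-start line above uses `-I`, which adds another copy of the rule every time it is run. As an added example (not part of the original post or of Asuswrt-Merlin), this script keeps the pinholes in one list and applies them idempotently; the script name `pinholes.sh`, the `IPT` override and the function names are assumptions, and the single list entry is the rule quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Called as: pinholes.sh add | pinholes.sh del
# One pinhole per line: <source bridge> <source subnet> <destination host>
# The entry below is the rule quoted in the post above.
PINHOLES='br52 192.168.52.0/24 192.168.53.239'

IPT="${IPT:-iptables}"   # assumption: overridable so the logic can be dry-run
PINHOLES_CHANGED=0       # number of rules inserted or deleted by the last call

# Shape check only: bridge name, IPv4 CIDR source, single IPv4 destination.
valid_pinhole() {
    echo "$1" | grep -Eq '^br[0-9]+$' || return 1
    echo "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' || return 1
    echo "$3" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
}

# apply_pinholes add|del: insert rules that are missing, delete rules present.
apply_pinholes() {
    action="$1"
    PINHOLES_CHANGED=0
    while read -r br src dst; do
        [ -n "$br" ] || continue
        if ! valid_pinhole "$br" "$src" "$dst"; then
            echo "pinholes: skipping malformed entry: $br $src $dst" >&2
            continue
        fi
        # Same match the post uses: one-way, guest subnet to a single host.
        set -- FORWARD -i "$br" -s "$src" -d "$dst" -j ACCEPT
        if $IPT -C "$@" 2>/dev/null; then present=1; else present=0; fi
        if [ "$action" = add ] && [ "$present" -eq 0 ]; then
            $IPT -I "$@" && PINHOLES_CHANGED=$((PINHOLES_CHANGED + 1))
        elif [ "$action" = del ] && [ "$present" -eq 1 ]; then
            $IPT -D "$@" && PINHOLES_CHANGED=$((PINHOLES_CHANGED + 1))
        fi
    done <<EOF
$PINHOLES
EOF
}

# Only act when asked to, so sourcing the file has no side effects.
case "${1:-}" in
    add|del) apply_pinholes "$1" ;;
esac
```

Running it with `add` a second time changes nothing, and `del` removes exactly the rules the list describes, which keeps a guest-to-IoT exception from lingering after the device is gone.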
 
Post readable screen shots of your Guest Network Pro settings and if using DNS Director, post those settings too. It will help others see what you see with respect to your settings.

Are you blocking Google's DNS servers (8.8.8.8, 8.8.4.4)?
Are you running any addon scripts, using VPN, using a local DNS resolver or sink hole like Diversion or Pi-Hole?
Are you doing any sort of website blocking, using QoS, AiProtection, or any other additional options or features on the router?
Hello Bennor,

Thank you for the quick response. Attached are the requested screenshots of my Guest Network Pro and wireless settings. DNS Director is set to disabled. Also:

I am not blocking Google's DNS servers (8.8.8.8, 8.8.4.4)
I am not running any addon scripts and no VPN connection. I am using a DNS resolver (Pi-Hole); however I set it to "disable blocking" under DNS Control while setting up and troubleshooting.
I have all the "Adaptive QoS" settings set to "OFF" and AiProtection set to "OFF". All other options are set to their defaults besides manually assigning IPs to each device and selecting each wireless channel bandwidth and control channel.
 

Attachments

  • IoT setup 1.png
  • IoT setup 2.png
  • IoT setup 3.png
  • IoT setup 4.png
  • IoT setup 5.png
