Using a separate but local DHCP server for both main and guest WiFi


WhyNetworkAtAll

Occasional Visitor
Here is my network

Main router @ 192.168.1.1 : Asuswrt-Merlin 384.17 on an RT-AC68U
DNS1 on PiHole 5.x @ 192.168.1.9 : RaspberryPi 4
DNS2 on PiHole 5.x @ 192.168.1.8 : OrangePi Zero (fallback DNS)
WiFi: 1x main network (2.4G + 5G) and two guest networks ("IoT" and "Visitors", on both 2.4G and 5G). I am keeping the guest networks isolated from the intranet.

I really like PiHole 5.x's ability to apply different rules to different devices (e.g. more aggressive filtering on children's devices, less aggressive filtering on everything). I want the PiHole to perform DHCP duties too, but when I do that, my guest WiFi devices are unable to connect to the PiHole DHCP service and consequently "lose internet".

Is there a way I can configure my main router to permit only DNS and DHCP requests between guest and intranet without losing the greater isolation between them? I'm not sure, since those are IP services while my link level seems to be set up to disallow any traffic on the forward chain.

Code:
admin@router:/# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 0, policy: ACCEPT

Bridge chain: FORWARD, entries: 8, policy: ACCEPT
-i wl0.1 -j DROP
-o wl0.1 -j DROP
-i wl0.2 -j DROP
-o wl0.2 -j DROP
-i wl1.1 -j DROP
-o wl1.1 -j DROP
-i wl1.2 -j DROP
-o wl1.2 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
admin@router:/#

PS: I also have another AC68U on latest Asus stock firmware as an AiMesh node working just fine but I think it's not relevant to this issue.
 
Thanks @K-2SO ! I just tried that. It seems to be able to connect guest network clients (now living off 192.168.[2, 3, 4, 5, 6].x ranges) over to the 192.168.1.9 and 192.168.1.8 DNS PiHoles but no idea about configuring DHCP.

@Jack Yaz : Your script mentions "Restrict guests to only contact router for ICMP, DHCP, DNS, NTP and NetBIOS". How do I tell your script that like DNS, DHCP isn't on the router (192.168.1.1) but instead at 192.168.1.9? Thanks!
 
Ports are 67, 68 but I wouldn't know how to plug that in to get it working the way I want i.e. have guest devices reach the DHCP server (PiHole) on the main network.
 
I guess, you just need to point guest clients to corresponding DNS. External or internal IP doesn't matter.

PS. Ah, I see now. Your DHCP is on the Pi. Test it and see if there are any issues. Sorry, got distracted. :oops:
 
I guess you need to allow 67 from the guest to the server and back. Something like
Code:
# Guest interface -> DHCP server on the LAN (any output interface except the WAN), UDP port 67
iptables -I YazFiFORWARD -i wl0.1 ! -o eth0 -p udp --dport 67 -j ACCEPT
# DHCP server replies from the LAN (not the WAN) back to the guest interface
iptables -I YazFiFORWARD ! -i eth0 -o wl0.1 -p udp --sport 67 -j ACCEPT
replacing wl0.1 and eth0 as appropriate
 
@K-2SO : That doesn't kill the guest internet but only because YazFi configures DHCP on the guest networks. The guest network isn't really getting DHCP leases from the primary DHCP.

@Jack Yaz : I see the idea. And since YazFi simply adds to the router's dnsmasq configuration (by adding to `/jffs/configs/dnsmasq.conf.add` that gets pulled by Merlin into `/tmp/etc/dnsmasq.conf`, if I'm seeing this correctly), simply disabling the router's in-built DHCP server will also disable YazFi's DHCP configuration from kicking in, right?

And to keep it persistent across router reboots, I'd add those to something like `/jffs/scripts/allow-other-dhcp.sh` and call it from `/jffs/scripts/firewall-start` just below `/jffs/scripts/YazFi runnow & # YazFi Guest Networks` ? Lastly, I see you're already configuring the DNS ports in the `YazFiFORWARD` iptables chain, so can I do a feature request to similarly add support for DHCP? I'm comfortable from assembly to Java/C# so this is clear in my head today, but 6-9 months down the road I'm sure I'll be wondering what's going on, so a GUI would be very friendly.

On a side note, I was reading through your script. It's pretty crazy how much functionality you have within a shell script for compatibility on embedded routers! It's very clean and well organized but still, as a shell script (vs a high level language) it mustn't be easy. You even got a GUI page into the router's UI. Kudos to you! (and Merlin, who makes this all possible).
 
I don't see how DHCP on PiHole can work when using YazFi. The DHCP process relies on broadcast requests and those don't go outside the broadcast domain (i.e. the subnet). This works when the router is the DHCP server because it "owns" all the separate network interfaces. To have this work across subnets you'd need to set up DHCP relay agents.
 
Many thanks for the kind feedback :D

Adding user rules to YazFi is something I've been meaning to get round to, but other scripts have occupied my time (namely uiDivStats rewrite and most recent, adding an option to spdmerlin to allow for hourly tests rather than 30mins).

Since YazFi sleeps for 60 after firewall-start is called (make sure everything has settled nicely), make sure your script sleeps for an equivalent amount of time such that it runs after YazFi. You could poll for YazFi's lock file after launching from firewall-start; once the file is removed, YazFi has finished.
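As an added example (not code from the thread, YazFi or Asuswrt-Merlin), here is what the `/jffs/scripts/allow-other-dhcp.sh` helper discussed above could look like: it polls for YazFi's lock file as suggested, then inserts the two UDP/67 rules idempotently for each guest interface. The lock file path, chain name and interface names are assumptions and overridable via environment variables; as noted earlier in the thread, these rules only pass unicast DHCP through the forward chain, so broadcast discovery from a different subnet still needs a relay.

```shell
#!/bin/sh
# Added example, not from the thread or from YazFi: helper for
# /jffs/scripts/allow-other-dhcp.sh that waits for YazFi to finish after
# firewall-start and then permits DHCP between guest interfaces and the LAN.
# Lock file path, chain name and interface names below are assumptions.

YAZFI_LOCK="${YAZFI_LOCK:-/tmp/YazFi.lock}"   # hypothetical lock file path
GUEST_IFACES="${GUEST_IFACES:-wl0.1 wl1.1}"    # guest interfaces to open up
WAN_IF="${WAN_IF:-eth0}"                       # WAN interface to exclude
CHAIN="${CHAIN:-YazFiFORWARD}"                 # chain used by YazFi
IPT="${IPT:-iptables}"                         # override for a dry run

# Poll until the lock file disappears; returns 0 when gone, 1 after timeout.
wait_for_lock() {
    lock="$1"; timeout="${2:-120}"; waited=0
    while [ -e "$lock" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Print the two rule bodies for one guest interface: guest -> LAN DHCP
# server (any destination except the WAN), and server replies -> guest.
dhcp_rules() {
    printf '%s\n' "-i $1 ! -o $WAN_IF -p udp --dport 67 -j ACCEPT"
    printf '%s\n' "! -i $WAN_IF -o $1 -p udp --sport 67 -j ACCEPT"
}

# Insert a rule only if -C reports it is missing, so repeated firewall-start
# runs do not stack duplicate rules in the chain.
ensure_rule() {
    # $1 is deliberately unquoted: it carries several iptables arguments
    $IPT -C "$CHAIN" $1 2>/dev/null || $IPT -I "$CHAIN" $1
}

apply_dhcp_rules() {
    for ifc in $GUEST_IFACES; do
        dhcp_rules "$ifc" | while read -r rule; do ensure_rule "$rule"; done
    done
}

# Only act when invoked as: sh allow-other-dhcp.sh apply  (from firewall-start)
case "${1:-}" in
    apply)
        wait_for_lock "$YAZFI_LOCK" 120 || echo "YazFi lock still present" >&2
        apply_dhcp_rules ;;
esac
```

Call it from `/jffs/scripts/firewall-start` as `sh /jffs/scripts/allow-other-dhcp.sh apply &` so the wait does not block the rest of firewall-start.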