
Multiple DHCP ENABLED

Discussion in 'Tomato Firmware' started by macster2075, Mar 18, 2017.

  1. macster2075

    macster2075 Network Newbie Member

    Hi...
    I have been using Shibby Tomato for years now and I really like it. I know my way around it fairly, but I do consider myself a novice as I am always finding new things in it, haha.

    I have a scenario here and I would like your opinion or guidance.
    I have 2 routers and I want only one of those routers to act as WAP.

    So..
    Router 1 (192.168.1.1), is connected via Ethernet directly to the modem and the wireless feature is disabled.
    Router 2 (192.168.2.1) , is on the other side of the house connected to Router 1 via Powerline Adapter, it has a great connection and works very well.

    I would like for Router 2 to be the main and ONLY WAP for my home network. I have set Router 2 to be on a different subnet than Router 1.

    I have set vlan on router 2 to provide a guest account as well (192.168.3.1). It works well and I have no issues.

    I understand that I can get away with disabling DHCP on Router 2 if I am only using 1 Wireless account and just use one of the LAN ports to connect to Router 1.. but because I have set a Vlan, the guest account won't work unless DHCP is enabled and I have to connect the ethernet cable in the WAN port of Router 2.

    My question is, is it OK to have DHCP enabled on both routers? - I ask because I noticed that if I disable DHCP on Router 1, Router 2 won't get an IP... If I disable DHCP on Router 2 and leave it ON on Router 1, I can't get an IP either.. So I noticed that I have to leave DHCP ON in both routers for everything to work.... is this OK as long as the subnets are different from each other? or will this eventually create an issue in the future?

    so to recap...
    Modem--->Router 1,
    Router 1 via PowerLine Adapter(ethernet cable) --->WAN port of Router 2, which provides wireless access including a guest account (vlan)
     
    Last edited: Mar 18, 2017
  2. eibgrad

    eibgrad Network Guru Member

    There's no reason you shouldn't be able to disable the DHCP server for the private network on the WAP, while still providing DHCP for the guest network on that same WAP. I'm doing this currently on my own WAP. I have DHCP enabled on the primary router, its wireless is disabled, wireless is enabled on the WAP for both the private and guest networks, and the WAP is handling DHCP for guests. Works fine. You just have to make sure you NAT the guest network over the private network in the case of a WAP, and provide firewall rules to prevent guests from accessing private resources as they traverse the private network to reach the internet on the primary router.
     
  3. macster2075

    macster2075 Network Newbie Member

    I just can't get it to work the way you describe it... If I disable DHCP on the WAP, it will not connect to the internet and I get "network communication issues"... As soon as I enable DHCP all works. Also, I need to have DHCP on the main Router due to I have devices connected to the LAN ports.

    Now let me say this.. when I disable DHCP on the WAP, only br0 connects, but the guest (br1) does not. Here are a few shots of my settings. - the way I have it right now works fine and I have no issues, but not sure if this is the best way to go about it... I just don't want to create any congestion on the network...although, I don't think it will be a problem since both the WAP and AP have different subnets for their DHCP. - Also.. I need to connect the Ethernet cable to the WAN port of the WAP in order for everything to work.. If I connect the cable on the LAN port, ONLY br0 works, but br1 does not, no matter if I enable DHCP or not.

    The only way I can make both br0 and br1 connect while plugging the Ethernet cable into the LAN port of the WAP is to bridge br1 to br0, but not sure if that's smart lol

    vlan setting on the WAP
    vlan setup.PNG


    LAN settings on the WAP - If I disable the WAN DHCP, either connection works
    WAP.PNG

    LAN settings on the Main router
    Main router.PNG
     
    Last edited: Mar 19, 2017
  4. eibgrad

    eibgrad Network Guru Member

    The problem is that you don't have the second router configured as a WAP. It's still configured as a router (since it's still using the WAN).

    When configured as a WAP, you disable the WAN (and assign its port to the LAN to make it usable again). You also disable its DHCP server on br0, and assign it an IP in the same local network as the primary router (so if the primary is 192.168.1.1, perhaps make it 192.168.1.2). Now you add another bridge (br1) for the guest network, assign a VLAN and/or VAP to that bridge, and give it its own local IP network (e.g., 192.168.2.0/24). And now enable DHCP on br1.

    br0 192.168.1.2 255.255.255.0 dhcp-disabled
    br1 192.168.2.1 255.255.255.0 dhcp-enabled 192.168.2.2-51

    And you need to NAT that guest network over the private network.

    Code:
    iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    And you'll want to deny guests access to resources on the private network as they traverse it to reach the internet.

    Code:
    iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j REJECT
     
  5. macster2075

    macster2075 Network Newbie Member

    OH man.. that's the way I had it when I first started it.. but when I saw that it only worked when having the br0 disabled and br1 enabled, I thought it looked wrong and that both needed to be either disabled or enabled.. having both be different looked wrong to me... I will try this way again.. thank you eibgrad!

    But in any case.. is the way I have now, is that any issue?
     
  6. macster2075

    macster2075 Network Newbie Member

    Still no dice... br0 connects fine.. br1 gets an IP, but has no internet. updated WAN settings.PNG

    I rebooted the Router after entering the iptables. - - - Anything missing? iptable.PNG
     
  7. eibgrad

    eibgrad Network Guru Member

    It might be that tomato defaults to denying access between network interfaces (I think dd-wrt is the opposite, I always seem to forget). Try the following.

    Code:
    iptables -I FORWARD -i br1 -o br0 -j ACCEPT
    iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j REJECT
     
  8. macster2075

    macster2075 Network Newbie Member

    so replace the previous with this one or add this one in addition to it?
     
  9. eibgrad

    eibgrad Network Guru Member

    The complete set of rules should be the following:

    Code:
    iptables -I FORWARD -i br1 -o br0 -j ACCEPT
    iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j REJECT
    iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
     
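The complete rule set above, as an added shell example rather than eibgrad's own post: it parameterises the three rules, adds two INPUT rules (assumed, in the same form macster2075 uses on his primary router elsewhere in this thread) so guests cannot reach the WAP's own settings page or ssh but can still get DHCP and DNS from it, and prints the order in which the kernel will evaluate the FORWARD rules. The interface names, the subnets and the 192.168.1.2 fallback for the WAP's LAN IP are assumptions; on the router the IP comes from `nvram get lan_ipaddr` as in the post.

```shell
#!/bin/sh
# Added example, not from the thread: eibgrad's guest-isolation rules,
# parameterised, plus two INPUT rules (assumed, modelled on the rules
# macster2075 shows for his primary router) that keep guests off the WAP's
# own admin UI/ssh while still letting them reach DHCP and DNS on it.
# On a Tomato router the real commands go in Administration->Scripts->Firewall;
# DRY_RUN=1 (the default here) only prints them.

PRIVATE_IF=${PRIVATE_IF:-br0}                 # private LAN bridge
GUEST_IF=${GUEST_IF:-br1}                     # guest bridge (VLAN/VAP)
PRIVATE_NET=${PRIVATE_NET:-192.168.1.0/24}
GUEST_NET=${GUEST_NET:-192.168.2.0/24}
# On the router this is $(nvram get lan_ipaddr); off-box, assume 192.168.1.2.
WAP_LAN_IP=${WAP_LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null || echo 192.168.1.2)}
DRY_RUN=${DRY_RUN:-1}

# Rules in the order they must be ISSUED. Every rule uses -I (insert at the
# top of the chain), so the rule issued last is evaluated first: the REJECT
# for private destinations has to be issued after the broad ACCEPT, or the
# ACCEPT is matched first and guests can reach the private LAN.
# The SNAT rule rewrites every guest packet's source to the WAP's private IP,
# which is why the primary router never sees the 192.168.2.x addresses.
guest_rules() {
    cat <<EOF
iptables -I FORWARD -i $GUEST_IF -o $PRIVATE_IF -j ACCEPT
iptables -I FORWARD -i $GUEST_IF -d $PRIVATE_NET -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -s $GUEST_NET -o $PRIVATE_IF -j SNAT --to $WAP_LAN_IP
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j DROP
iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT
EOF
}

# The FORWARD rules as the kernel will evaluate them (reverse of issue
# order), so the isolation can be checked before anything is applied.
forward_eval_order() {
    guest_rules | grep ' FORWARD ' | sed -n '1!G;h;$p'
}

# Print (DRY_RUN=1) or execute each rule. eval is acceptable here because the
# strings are generated above from this script's own variables, not from input.
apply_rules() {
    guest_rules | while IFS= read -r rule; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$rule"
        else
            eval "$rule"
        fi
    done
}

apply_rules
```

Run it with `DRY_RUN=0` only on the WAP itself. The second INPUT rule is what keeps DHCP (UDP 67) and DNS (UDP 53) to the WAP working for guests after the NEW-state DROP; established replies are still accepted by Tomato's own RELATED,ESTABLISHED rule.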
  10. macster2075

    macster2075 Network Newbie Member

    Same issue.. br1 still no Internet, but br0 does :(
     
  11. eibgrad

    eibgrad Network Guru Member

    Ok, dump the firewall and dnsmasq.

    Code:
    iptables -t nat -vnL POSTROUTING
    iptables -vnL INPUT
    iptables -vnL FORWARD
    ps -w | grep [d]nsmasq
    cat /tmp/etc/dnsmasq.conf
     
  12. macster2075

    macster2075 Network Newbie Member

    ok.. done.
     
  13. eibgrad

    eibgrad Network Guru Member

    Uhh, and post the output back here! lol
     
  14. macster2075

    macster2075 Network Newbie Member

    oh wait.. I was waiting for more instructions.. lol - - I thought I needed to delete the previous iptables and enter

    iptables -t nat -vnL POSTROUTING
    iptables -vnL INPUT
    iptables -vnL FORWARD
    ps -w | grep [d]nsmasq
    cat /tmp/etc/dnsmasq.conf

    in the firewall and reboot the router.. which I did... now what?
     
  15. macster2075

    macster2075 Network Newbie Member

    does my firewall need to look like this...?

    iptables -I FORWARD -i br1 -o br0 -j ACCEPT
    iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j REJECT
    iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    iptables -t nat -vnL POSTROUTING
    iptables -vnL INPUT
    iptables -vnL FORWARD
    ps -w | grep [d]nsmasq
    cat /tmp/etc/dnsmasq.conf
     
  16. eibgrad

    eibgrad Network Guru Member

    I want you to leave the firewall rules as I originally specified.

    Code:
    iptables -I FORWARD -i br1 -o br0 -j ACCEPT
    iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j REJECT
    iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
    Those other commands will dump the contents of the firewall and dnsmasq so I can see what's going on. You need to execute them from either ssh, telnet, or even Tools->System commands, then post the results back here.
     
  17. macster2075

    macster2075 Network Newbie Member

    got it... here you go...

    Chain POSTROUTING (policy ACCEPT 154 packets, 10367 bytes)
    pkts bytes target prot opt in out source destination
    1 60 SNAT all -- * br0 192.168.2.0/24 0.0.0.0/0 to:192.168.1.100
    0 0 MASQUERADE all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    0 0 SNAT all -- * br0 192.168.1.0/24 192.168.1.0/24 to:192.168.1.100
    1 328 SNAT all -- * br1 192.168.2.0/24 192.168.2.0/24 to:192.168.2.1
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    496 60597 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 shlimit tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
    155 10505 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    132 10849 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    133 9176 ACCEPT all -- br1 * 0.0.0.0/0 0.0.0.0/0
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 REJECT all -- br1 * 0.0.0.0/0 192.168.1.0/24 state NEW reject-with icmp-port-unreachable
    7 1140 ACCEPT all -- br1 br0 0.0.0.0/0 0.0.0.0/0
    0 0 all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.1.0/255.255.255.0 name: lan
    5 438 all -- * * 0.0.0.0/0 0.0.0.0/0 account: network/netmask: 192.168.2.0/255.255.255.0 name: lan1
    0 0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br1 br1 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
    1 60 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    5 438 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- br0 br1 0.0.0.0/0 0.0.0.0/0
    0 0 DROP all -- br1 br0 0.0.0.0/0 0.0.0.0/0
    0 0 wanin all -- vlan2 * 0.0.0.0/0 0.0.0.0/0
    0 0 wanout all -- * vlan2 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- br1 * 0.0.0.0/0 0.0.0.0/0
    752 nobody 1060 S dnsmasq -c 1500 --log-async
    pid-file=/var/run/dnsmasq.pid
    resolv-file=/etc/resolv.dnsmasq
    addn-hosts=/etc/dnsmasq/hosts
    dhcp-hostsfile=/etc/dnsmasq/dhcp
    expand-hosts
    min-port=4096
    stop-dns-rebind
    rebind-localhost-ok
    interface=br0
    interface=br1
    dhcp-range=tag:br1,192.168.2.2,192.168.2.51,255.255.255.0,1440m
    dhcp-option=tag:br1,3,192.168.2.1
    dhcp-host=1C:99:4C:76:92:9A,192.168.2.48
    dhcp-host=10:A5:D0:B7:2B:B3,192.168.2.9
    dhcp-host=6C:B0:CE:2F:7C:80,192.168.1.1
    dhcp-host=D0:22:BE:C3:1A:5E,192.168.2.44
    dhcp-host=28:6A:BA:99:63:1F,192.168.2.13
    dhcp-lease-max=255
    dhcp-authoritative
     
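A check for the FORWARD dump posted above, added here as an example and not part of the thread: it reads an `iptables -vnL FORWARD` listing and confirms that a REJECT or DROP from the guest bridge to the private subnet is present and sits above any ACCEPT from that bridge, which is the ordering the `-I` inserts in eibgrad's rules produce. The two sample listings are constructed from lines of the dump above (one with the rules in the right order, one with them swapped); the interface names and subnet are parameters.

```shell
#!/bin/sh
# Added example (not from the thread): verify guest isolation from an
# "iptables -vnL FORWARD" listing. Columns in that listing are
#   pkts bytes target prot opt in out source destination [extras]
# so $3 = target, $6 = in, $7 = out, $9 = destination.

# Constructed sample modelled on the FORWARD dump posted in this thread:
# the REJECT sits above the ACCEPT, which is what the -I inserts produce.
GOOD_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 REJECT all -- br1 * 0.0.0.0/0 192.168.1.0/24 state NEW reject-with icmp-port-unreachable
    7  1140 ACCEPT all -- br1 br0 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- br0 br0 0.0.0.0/0 0.0.0.0/0
    5   438 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED'

# Constructed counter-example: the same two rules issued in the wrong order,
# so the broad ACCEPT is evaluated first and the REJECT never matches.
BAD_DUMP='Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    7  1140 ACCEPT all -- br1 br0 0.0.0.0/0 0.0.0.0/0
    0     0 REJECT all -- br1 * 0.0.0.0/0 192.168.1.0/24 state NEW reject-with icmp-port-unreachable'

# check_guest_isolation GUEST_IF PRIVATE_IF PRIVATE_NET  < forward-listing
# Exit 0 when a REJECT/DROP from GUEST_IF to PRIVATE_NET exists and no
# ACCEPT from GUEST_IF (to PRIVATE_IF or to any interface) precedes it.
check_guest_isolation() {
    awk -v gif="$1" -v pif="$2" -v pnet="$3" '
        NR <= 2 { next }                                   # chain and column headers
        !blocked && $3 ~ /^(REJECT|DROP)$/ && $6 == gif && $9 == pnet { blocked = NR }
        !allowed && $3 == "ACCEPT" && $6 == gif && ($7 == pif || $7 == "*") { allowed = NR }
        END {
            if (!blocked) { print "FAIL: no REJECT/DROP from " gif " to " pnet; exit 1 }
            if (allowed && allowed < blocked) { print "FAIL: ACCEPT from " gif " is evaluated before the block rule"; exit 1 }
            print "OK: " gif " -> " pnet " is blocked at rule " (blocked - 2)
        }'
}

# On the router: iptables -vnL FORWARD | check_guest_isolation br1 br0 192.168.1.0/24
printf '%s\n' "$GOOD_DUMP" | check_guest_isolation br1 br0 192.168.1.0/24
printf '%s\n' "$BAD_DUMP"  | check_guest_isolation br1 br0 192.168.1.0/24 || true
```

The rule number reported counts from the top of the chain, the same numbering `iptables -vnL --line-numbers` shows, so a failing check tells you exactly which rule to move.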
  18. eibgrad

    eibgrad Network Guru Member

    The output looks correct. Perhaps it's just a DNS problem. See if you can ping 8.8.8.8 from a ssh/telnet session on the guest network.
     
  19. macster2075

    macster2075 Network Newbie Member

    yup.. i can...
    ping 8.8.8.8.PNG
     
  20. eibgrad

    eibgrad Network Guru Member

    Add the following directive to the custom configuration field on the Advanced->DHCP/DNS page.

    Code:
    dhcp-option=br1,option:dns-server,8.8.8.8,8.8.4.4
     
  21. macster2075

    macster2075 Network Newbie Member

    now, I should say that I have the main router set to force dns 208.67.222.222, 208.67.220.220
    and Intercept DNS port UPD 53 is selected.
     
  22. macster2075

    macster2075 Network Newbie Member

    does iptable rules on the main router affect the WAP?
     
  23. macster2075

    macster2075 Network Newbie Member

    Just in case.. these are the rules I have set on the Main router...

    iptables -I FORWARD -p udp --dport 443 -j REJECT
    iptables -A OUTPUT -p tcp --dport 22 -j REJECT
    iptables -I INPUT -i br1 -m state --state NEW -j DROP
    iptables -I INPUT -i br1 -p udp -m multiport --dports 53,67 -j ACCEPT
    iptables -I INPUT -i br1 -p tcp --dport 5280 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j DROP
    iptables -A INPUT -p tcp --dport 80 -s 127.0.0.1 -j DROP
    iptables -A INPUT -i lo -p tcp --dport $APP_PORT -j DROP
    iptables -A INPUT -p tcp --dport $APP_PORT -j DROP
     
  24. macster2075

    macster2075 Network Newbie Member

    I used to have vlans on that router, so some of those rules are not needed on that router since I am now using a WAP.
     
  25. eibgrad

    eibgrad Network Guru Member

    Depends on how the DNS intercept is implemented. Did you select that option in DNSMasq, or add the rules manually via the firewall? Dump that firewall and let's see what it's doing to see if it does impact the guest network.

    Code:
    iptables -t nat -vnL PREROUTING
     
  26. macster2075

    macster2075 Network Newbie Member

    Chain PREROUTING (policy ACCEPT 3044 packets, 296K bytes)
    pkts bytes target prot opt in out source destination
    0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.1.0/24
    0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.2.0/24
     
  27. macster2075

    macster2075 Network Newbie Member

    I selected an option...
    port 53.PNG
     
  28. eibgrad

    eibgrad Network Guru Member

    Every DNS intercept I've ever seen has been implemented as a DNAT rule in the PREROUTING chain. If that dump is on the primary router where the intercept option is checked, I don't see how it could be working. There are no rules in PREROUTING.

    Btw, this issue of intercepting DNS is a separate issue. Is the guest network at least now working?
     
  29. macster2075

    macster2075 Network Newbie Member

    No, the guest network is not working.. it gets an IP, but does not have outside internet.. I can view the WAP settings page and navigate..but no outside Internet..only br0
     
  30. macster2075

    macster2075 Network Newbie Member

    the guest network, br1 only works when I turn ON the DHCP and connect the WAP via WAN port.
     
  31. eibgrad

    eibgrad Network Guru Member

    Try changing the DNSMasq directive to the following:

    Code:
    dhcp-option=br1,6,8.8.8.8,8.8.4.4
     
  32. macster2075

    macster2075 Network Newbie Member

    still nothing...
    So, is it a problem the way I had it before with DHCP enabled on both Router 1 and the WAP with different subnets?
     
  33. eibgrad

    eibgrad Network Guru Member

    Forget about how you had it before. If you can ping 8.8.8.8 from the guest network, then you have the connectivity correct. The only issue seems to be DNS. Once the client is connected, can you see how it got configured? IOW, besides having an IP, does it show a gateway? DNS server(s)?

    Did you do anything else to this second router, like perhaps disable routing? Change the operating mode from Gateway to Router?
     
  34. macster2075

    macster2075 Network Newbie Member

    this is what I see when connecting to br1

    guest info.PNG
     
  35. macster2075

    macster2075 Network Newbie Member

  36. eibgrad

    eibgrad Network Guru Member

    But that doesn't provide the details regarding the gateway IP, DNS server(s), etc. For example, when using Windows, you can go to a command line and issue the following command and get those details.

    Code:
    ipconfig /all
     
  37. eibgrad

    eibgrad Network Guru Member

    That's how the router is setup. I want to know how the client eventually got configured by DHCP given that configuration of DHCP.

    IOW, if the client never gets the DNS servers in its request to DHCP, then obviously it has no DNS servers to use. That's what the command we added to DNSMasq does. It tells DHCP to return 8.8.8.8 and 8.8.4.4 for DNS to guests.
     
  38. macster2075

    macster2075 Network Newbie Member

  39. eibgrad

    eibgrad Network Guru Member

    Well that's odd. We told it in DNSMasq to assign 8.8.8.8 and 8.8.4.4. Not that using 192.168.2.1 is a problem. Before adding that dhcp-option, I was expecting it to be 192.168.2.1. But that wasn't working for some reason. And now it's as if the option is not being read/used. Something else is going on there. Because this is normally a simple configuration. Sometimes ppl start messing w/ other things and the router gets into a weird state. At the moment, it just doesn't make sense why the DNS servers got set to 192.168.2.1 on the client and not 8.8.8.8 and 8.8.4.4.

    P.S. It's late here, will have to revisit this in the morning.
     
  40. macster2075

    macster2075 Network Newbie Member

    ok.. I tried adding the command again and saved it.. ..now look..
    br1 info.PNG
     
  41. eibgrad

    eibgrad Network Guru Member

    Ok, then based on that dump of the client config, and assuming you can still ping 8.8.8.8 from the command line on that same client, I don't understand how this couldn't be working. Because if the ping works, it means you have basic connectivity. Packets are making it to the internet, and replies are coming back from the internet and to the client. If you then go to a browser on that same client, and it doesn't work, it usually means that DNS isn't working. But again, I can see the DNS servers are specified on the client. And even the first DNS server (8.8.8.8) is the one that responded to the ping!

    What happens if you issue the following command from the command line of that same client.

    Code:
    nslookup google.com
    or

    Code:
    nslookup google.com 8.8.8.8
    Does it return any IPs?

    If it's still not working, then reboot the client. And you might consider disabling the DNS intercepts on the primary router just to see if that's causing some problem.
     
  42. macster2075

    macster2075 Network Newbie Member

    I tried both and this is what I get...
    nslookup.PNG
     
  43. macster2075

    macster2075 Network Newbie Member

    well, this is weird.. now the guest is connecting :)
    I unchecked the intercept DNS and I connected with the guest.. but now I put it back how it was to see if it would disable access, but it can still connect.
     
  44. eibgrad

    eibgrad Network Guru Member

    So what you're telling me is the intercept DNS setting on the primary router is interfering somehow w/ the guest network? That if it's disabled, it all works correctly?

    If so, then dump the firewall (w/ intercept enabled) on the primary and let's see if we can figure out why.

    Code:
    iptables -t nat -vnL PREROUTING
     
  45. macster2075

    macster2075 Network Newbie Member

    well, I am not 100% sure that disabling the DNS intercept made it connect.. I didn't actually try connecting prior to doing that today.. I just went and unchecked that option, then I noticed the guest was able to connect.. but, if I check intercept DNS again how it was, the guest can now still connect...so maybe the dns intercept was not an issue and the router just needed time to accept the connection?
     
  46. macster2075

    macster2075 Network Newbie Member

    this is from the Primary router w/ intercept DNS enabled

    Chain PREROUTING (policy ACCEPT 27 packets, 1522 bytes)
    pkts bytes target prot opt in out source destination
    0 0 WANPREROUTING all -- * * 0.0.0.0/0 192.168.254.3
    0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.1.0/24
    0 0 DNAT udp -- * * 192.168.1.0/24 !192.168.1.0/24 udp dpt:53 to:192.168.1.1


    without...

    Chain PREROUTING (policy ACCEPT 13 packets, 713 bytes)
    pkts bytes target prot opt in out source destination
    0 0 WANPREROUTING all -- * * 0.0.0.0/0 192.168.254.3
    0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.1.0/24
     
  47. eibgrad

    eibgrad Network Guru Member

    This might be explained by the fact the guest had cached the DNS results from the time when intercept DNS was disabled. So it didn't need to make a DNS query again once the intercept DNS was reenabled. At least not until the local DNS cache had expired. That's why when you're working w/ DNS, it's a good idea to clear the local DNS cache for each test, to force DNS to be queried each time.

    Windows:

    Code:
    ipconfig /flushdns
    The above will probably require an administrative privilege level on the command window.
     
  48. eibgrad

    eibgrad Network Guru Member

    I have a theory as to why this isn't working, but before explaining, I want you to go to a client on the *private* network and configure it w/ static DNS servers 8.8.8.8 and 8.8.4.4. I suspect the DNS intercept isn't working AT ALL, irrespective of the client being on the private or guest network.

    Also, dump the POSTROUTING chain on the primary as well.

    Code:
    iptables -t nat -vnL POSTROUTING
     
  49. macster2075

    macster2075 Network Newbie Member

    ok.. so Intercept DNS seems to be working.. if I have it disabled I can visit pages that would normally be blocked if I set the client dns to 8.8.8.8-8.8.4.4... but once I enable DNS intercept, that client cannot view the same page..so it seems to be working fine.
    here is the dump....

    Chain PREROUTING (policy ACCEPT 269 packets, 23662 bytes)
    pkts bytes target prot opt in out source destination
    0 0 WANPREROUTING all -- * * 0.0.0.0/0 192.168.254.3
    0 0 DROP all -- vlan2 * 0.0.0.0/0 192.168.1.0/24
    76 4757 DNAT udp -- * * 192.168.1.0/24 !192.168.1.0/24 udp dpt:53 to:192.168.1.1
     
  50. macster2075

    macster2075 Network Newbie Member

    but anyway....everything seems to be working right now.. the guest account is connecting fine now.. not sure what happened but it seems to be working great :)
     
  51. macster2075

    macster2075 Network Newbie Member

    the iptable you provided blocks access to the primary router settings when connecting to the guest account..but I can still access the settings on the WAP... is there a way to block guests from accessing the WAP settings page as well?
     
  52. macster2075

    macster2075 Network Newbie Member

    ooops.. I guess I spoke too soon.. The guest stopped connecting again..even with DNS Intercept disabled :(
     
  53. eibgrad

    eibgrad Network Guru Member

    This is getting too confusing. All I want to know right now is if everything works fine if intercept DNS is disabled. That's it. Run it that way for a few hours at least and just make sure nothing suddenly stops working. But if you keep jumping back and forth between having intercept DNS enabled and disabled, we'll never get this straightened out. For all I know the intercept DNS setting is a red herring.
     
  54. macster2075

    macster2075 Network Newbie Member

    Ok.. I found where the issue is.. I have tried it now several times with the same result...

    if I remove "dhcp-option=br1,6,8.8.8.8,8.8.4.4" from Dnsmasq on the WAP and flush dns in CMD.. I lose connection immediately...

    Once I add it back and flush dns again, I connect again... so it seems I need to keep that command in there for it to work. - - - this is WITH DNS Intercept enabled on the Primary router at all times.
     
  55. macster2075

    macster2075 Network Newbie Member

    I appreciate your patience and your help with this. I have reconfirmed and have been doing lots of testing all this time and I can confirm that in order for the guest account to connect, "dhcp-option=br1,6,8.8.8.8,8.8.4.4" needs to be in Dnsmasq conf section.. and I don't even have to flush dns, all I have to do to activate that setting is to switch back to the regular account, then back to the guest account....

    so for example, once I am connected... I remove "dhcp-option=br1,6,8.8.8.8,8.8.4.4" and save...then switch to the regular account and then back to the guest account.. at that point, I get no connectivity.....

    Then, I go back and re-enter dhcp-option=br1,6,8.8.8.8,8.8.4.4, save it... switch to the regular account, then back to the guest, and voila.. I have connection... every single time... so that means I will have to keep that command in there in order for it to work... is this normal?

    Also, keep in mind that Intercept DNS is always enabled at the main Router, but the command in Dnsmasq does not bypass it.. even when I am connected, the guest account will connect to the DNS I have set and not google dns...and that's what I want it to do, so that's good.
     
  56. macster2075

    macster2075 Network Newbie Member

    Now that I have everything working.. one very, very strange thing is happening which I have never seen or had any issues with...

    If I enable Bandwidth Limiter to any amount, no matter how much, just as long as it's enabled on the br1, it breaks/drops ALL connections including wireless connections.. as soon as I disable the Limiter to br1, ALL connections go back to normal. - - I have switched Routers since I have several at hand and they all do the same thing, but ONLY with this type of setup... I always use Bandwidth Limiter and NEVER have an issue.

    Do you think maybe the iptables we set could be causing this?

    br1 limiter.PNG
     
  57. eibgrad

    eibgrad Network Guru Member

    Trying to figure all this out gets confusing because how any client gets configured is dependent on other factors.

    For example, I have the following dhcp-option for my guests on the WAP.

    dhcp-option=br1,6,8.8.8.8,8.8.4.4

    This makes sense *for me* because I don't want guests using my local DNS servers. I just want them to use public DNS servers. And I don't make any attempt to intercept those DNS queries on the private network.

    As an experiment, I removed that dhcp-option, and found the guests now got a DNS server of 192.168.1.1 (the primary router). And that's because I specified that as a static DNS on the Basic->Network->LAN section (along w/ the Gateway of 192.168.1.1).

    But it didn't work initially since I (like you) was blocking access to *all* destination IPs on the private network. Once I eliminated that restriction, it worked.

    As I said, it all gets rather complicated depending on how you configure several different items.
    Ultimately I changed the dhcp-option to the router's IP on the guest network.

    dhcp-option=br1,6,192.168.2.1

    Now it doesn't matter that I'm blocking guests from destination IPs on the private network. The guests always reference the DNS server on their own network. That DNS server then relays up to the DNS server on the primary network (192.168.1.1). And in your case, if some guest tries to override to some other public DNS server, your DNS intercept will catch it.
     
  58. macster2075

    macster2075 Network Newbie Member

    yup. I understand.. I set it this way because I want my local account and guests account to use OpenDns as the DNS service...and that's working great...but now that I finally got things working, I have this issue with Bandwidth Limiter breaking connections once it is enabled... this is driving me crazy!!!
     
  59. eibgrad

    eibgrad Network Guru Member

    I assume the bandwidth limiter is on the primary router. But the guests are not seen as coming from br1 on the primary router. They all appear to be coming from private network (br0). They're nat'd over the private IP of the WAP. So if you want to limit those users, you'll need to do so based on that IP.
     
  60. macster2075

    macster2075 Network Newbie Member

    the issue happens when the limiter is enabled on the Primary Router.. I just tried to enable it on the WAP and no connection is dropped... so it has to do something with the Primary Router... but this is a different Router..even different brand and model...so it's not the Router, it has to do with a setting somewhere.

    I need to use the limiter because I work from home and use a Cloud phone...but that's another topic.
    I will go back to how I had it at first which was with DHCP enabled on the WAP and using different subnets.. I want to see because I did not have any issues with the Limiter then.
     
  61. macster2075

    macster2075 Network Newbie Member

    I already tried adding them by guest ip, but it does not work.. I get a message telling me the "IP address outside of LAN"
     
  62. eibgrad

    eibgrad Network Guru Member

    You're not following me.

    The guest network is *hidden* behind the WAP's LAN ip on the private network! Every client on the guest network using the IP network 192.168.2.0/24 appears to be coming from the WAP's IP on the private network (192.168.1.2, or whatever you decided to use). And that's because they are NAT'd over the private network. That's the IP you need to associate w/ guests wrt limiting bandwidth.

    IOW, the primary router has no notion of guests (or br1). All you can do is make an indirect reference to those guests based on the private IP of the WAP.
     
  63. macster2075

    macster2075 Network Newbie Member

    I understand what you're saying... but I am letting you know it is not working. When I connect to the guest network using my phone.. I get an IP of 192.168.2.251 whereas when I connect to the regular account I get 192.168.1.9.. the limiter ONLY works by IP for private network IPs.

    So, if I add 192.168.1.9 to the limiter.. it works and my phone is limited to whatever speed I set.
    But, when I connect to the guest account, even if I use the MAC address of the phone, the limiter has NO effect on it.
     
  64. eibgrad

    eibgrad Network Guru Member

    You're still not getting it.

    Again, when a guest gets connected to the network, they receive an IP on the 192.168.2.0/24 network. Let's say that's 192.168.2.251. When that guest tries to access the internet, it's routed over the private network on the same WAP. And as part of that process, the source IP of those packets are changed from 192.168.2.251 to 192.168.1.2 (the IP of the WAP on the private network!). And that happens for *every* guest, regardless of what IP is assigned on the 192.168.2.0/24 network. This is all due to NAT.

    The net result is that your primary router can't distinguish private users from guest users *except* for the fact that guests are having their source IP changed to 192.168.1.2. And unless you make an exception for that IP (192.168.1.2), those guests will be managed exactly the same as every other client on the 192.168.1.0/24 network (br0).

    Now we could change things up a bit and NOT use NAT. We could instead add a static route on the primary router so the actual source IP of 192.168.2.0/24 makes it to the primary router. But even so, you'd have to make an exception for the 192.168.2.0/24 network.

    IOW, at no point does the primary router ever know about the br1 network interface. That's a network interface only known to the WAP. All you can do to distinguish guests at the primary router is based on their IP. And what that IP will be depends on whether or not you're using NAT.

    That's the price you pay for moving guests off the primary router. When they were managed on the primary router, you *could* reference the br1 network interface, because that's where that network interface was defined. But now that the br1 network interface is located on the WAP, you don't have that option anymore, only the source IP.
     
  65. macster2075

    macster2075 Network Newbie Member

    So.. I have set the Primary Router and WAP as I had it... everything works.. including the limiter.. I can now limit bandwidth on any devices connected to br1..separated from br0.

    I think I'm just going to leave it the way it is.. I really don't think it will cause any issues since all accounts have different subnets so there will be no conflict between DHCP servers.
     
  66. eibgrad

    eibgrad Network Guru Member

    That's fine. That was always an option. But the downside is that the WAP is now only usable by guests. You have to continue using the primary router for wireless users on the private network. And that was something you were originally trying to eliminate.

    So there is no right or wrong answer. It's just a matter of deciding which configuration is easier to live with given both have some downsides.
     
  67. macster2075

    macster2075 Network Newbie Member

    Yeah.. the main thing is that the router I was using as WAP, will now be used in my office as just a router since I will be working from home..so I wanted to set up another router as WAP for the private and guest wireless network. My main concern was, I didn't want to have issues with having both the AP and WAP as DHCP servers..but if it's not going to be an issue, then I will just leave it as is...thank you so much for all your help and patience, you've been great and I have learned a lot from all of this, believe it or not!.. I just needed to have all this working by tomorrow since I will start to work from home.
     
  68. macster2075

    macster2075 Network Newbie Member

    OK eibgrad... before I put the gloves completely down.. I was reading over and over your previous post about NAT...
    If I understand you correctly.. you're saying that, let's say, a guest account has an IP of 192.168.2.251, it gets converted over to 192.168.1.100 (in my case).. 192.168.1.100 is the IP I set the WAP to have.

    So are you saying that on the Bandwidth Limiter, instead of adding 192.168.2.251, I should enter 192.168.1.100?
    If that's the case, I have tried that and it did not work.
     
  69. eibgrad

    eibgrad Network Guru Member

    YES! The primary router is going to see all guests as having the LAN ip of the WAP on the private network due to NAT'ing those guests over the private network on the WAP. So to the extent your bandwidth limiter can handle individual IPs on the private network differently, you can specify the WAP's LAN ip for special handling of guests.

    This is the point I've been trying to make. If the LAN ip of the WAP is 192.168.1.100, then every time the primary router sees that IP, it's a guest!
     
  70. eibgrad

    eibgrad Network Guru Member

    P.S. I don't see how this couldn't work. The primary router and its bandwidth limiter have no way of distinguishing any IP on the private network (192.168.1.0/24) from any other. It's *we* that know the WAP's LAN ip is actually guests using the 192.168.2.0/24 network. But as far as the primary router and its bandwidth limiter are concerned, 192.168.1.100 (if that's indeed the LAN ip of the WAP) is just another LAN device on the 192.168.1.0/24 network. So how in the world could specifying 192.168.1.100 for limitation not work?
     
  71. eibgrad

    eibgrad Network Guru Member

    I should make another qualification here.

    Unlike when the guest network was on the primary router, having guests on the WAP means those guests *could* saturate your private network since they need that private network to reach the WAN of the primary router. That wasn't an issue when the guests were on the primary router. They didn't need to traverse the private network. They just routed directly between their own network interface (br1) and the WAN.

    If that's what you mean by not working, then ok, I see your point. But again, you should still be able to limit internet access based on the WAP's LAN ip on the private network.
     