Gargoyle 1.11.0 Release Candidate 1


rseiler
Posts: 208
Joined: Sun Dec 15, 2013 12:31 am

Re: Gargoyle 1.11.0 Release Candidate 1

Post by rseiler »

Lantis wrote:
> Broken pipe is ok. So did it actually function sending the email?

No, but let's wait for someone to confirm that it's also not working for them after making the msmtp change.

doug_porsche
Posts: 75
Joined: Fri Aug 16, 2013 3:59 pm

Re: Gargoyle 1.11.0 Release Candidate 1

Post by doug_porsche »

Lantis wrote:
> doug_porsche wrote:
>> Probably been talked about, but.
>>
>> Guest network does not find any DNS.
>> It will let me connect to my guest network, just no DNS, so useless.
>
> Is your DNS not hosted on the router, but another device?

Correct.

Custom DNS Servers
NETGEAR WNDR3700v4 or an old Soup can with string. So hard to tell these days.

Lantis
Moderator
Posts: 6920
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.11.0 Release Candidate 1

Post by Lantis »

So the way the guest network operates is it completely isolates the guests from the rest of the LAN. So if your DNS is in a different part of your LAN, and not located on the router itself or the WAN, you’re in trouble.
I think this is an oversight in the implementation.

I’m going to try to work on a fix, but it will take a bit of time.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

smf007
Posts: 3
Joined: Wed Aug 29, 2018 5:32 pm

Re: Gargoyle 1.11.0 Release Candidate 1

Post by smf007 »

Lantis wrote:
> So the way the guest network operates is it completely isolates the guests from the rest of the LAN. So if your DNS is in a different part of your LAN, and not located on the router itself or the WAN, you’re in trouble.
> I think this is an oversight in the implementation.
>
> I’m going to try to work on a fix, but it will take a bit of time.

I still have the DNS issue as well. If the guest client has the router as DNS, no resolution occurs. Changing what the router has set as DNS server makes no difference.

In the config file

```
/etc/config/wireless
```

this entry exists

```
option is_guest_network '1'
```

which is still the same as in 1.10. Now the firewall script

```
/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh
```

hasn't changed in 3 years. In routine "guest_mac_from_uci()" it is looking for "is_guest_network = '1' " so everything should be fine... but it doesn't work.

Looking closer at the ebtables commands

```
#Only allow DHCP/DNS access to router for anyone on guest network
ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol UDP --ip-destination-port 53 -j ACCEPT
ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol UDP --ip-destination-port 67 -j ACCEPT
ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination $lan_ip -j DROP
```

Output from "ebtables --list" also shows something went wrong

```
root@Gargoyle:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.250.100 -j DROP
-p ARP -i wlan1-1 -j ACCEPT
-p IPv4 -i wlan1-1 --ip-dst 192.168.250.100 -j DROP

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wlan0-1 --logical-out br-lan -j DROP
-i wlan1-1 --logical-out br-lan -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
```

I tried executing them at the command line and there is definitely a problem. Below are the results (note the "Unknown specified IP protocol").

```
root@Gargoyle:~# ebtables -t filter -A INPUT -i wlan0-1 -p ARP -j ACCEPT
root@Gargoyle:~# iptables -S | grep -i arp
root@Gargoyle:~# ebtables -t filter -A INPUT -i wlan0-1 -p IPV4 --ip-protocol UDP --ip-destination-port 53 -j ACCEPT
Unknown specified IP protocol - UDP.
root@Gargoyle:~# ebtables -t filter -A INPUT -i wlan0-1 -p IPV4 --ip-protocol UDP --ip-destination-port 67 -j ACCEPT
Unknown specified IP protocol - UDP.
root@Gargoyle:~# ebtables -t filter -A INPUT -i wlan0-1 -p IPV4 --ip-destination 192.168.250.100 -j DROP
```

So something is wrong in that ebtables is not supporting UDP.


EDIT :: I can confirm that changing "UDP" to lower case "udp" fixes the DNS issue with guest WiFi.
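
A way to check a router for the state shown in the post above, as an added example that is not part of the original thread or of Gargoyle's code: it reads `ebtables --list` output and reports every guest interface whose DROP towards the router is not preceded by UDP 53 and 67 ACCEPT rules. The function names are hypothetical, `fixed_listing` is a constructed sample, and its `--ip-proto`/`--ip-dport` spelling is an assumption about how ebtables prints such rules.

```shell
# Added example (not Gargoyle code): audit `ebtables --list` guest-network rules.
broken_listing() {   # INPUT chain as posted in the thread above
cat <<'EOF'
Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.250.100 -j DROP
-p ARP -i wlan1-1 -j ACCEPT
-p IPv4 -i wlan1-1 --ip-dst 192.168.250.100 -j DROP
EOF
}
fixed_listing() {    # constructed sample: assumed listing once the udp rules load
cat <<'EOF'
Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.250.100 -j DROP
EOF
}

# Reads a listing on stdin. Per interface with a DROP on --ip-dst, prints "<if> OK"
# or "<if> MISSING ..."; only ACCEPT rules listed before that DROP count.
audit_guest_rules() {
  awk '
    /^Bridge chain:/ { in_input = ($3 == "INPUT,"); next }
    !in_input || NF == 0 { next }
    {
      ifc = proto = dport = dst = target = ""
      for (i = 1; i < NF; i++) {
        if ($i == "-i") ifc = $(i + 1)
        else if ($i == "--ip-proto") proto = tolower($(i + 1))
        else if ($i == "--ip-dport") dport = $(i + 1)
        else if ($i == "--ip-dst") dst = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      udp = (proto == "udp" || proto == "17")   # protocol by name or number
      if (target == "ACCEPT" && udp && dport == "53") dns[ifc] = 1
      if (target == "ACCEPT" && udp && dport == "67") dhcp[ifc] = 1
      if (target == "DROP" && dst != "" && !(ifc in verdict)) {
        miss = (dns[ifc] ? "" : " dns") (dhcp[ifc] ? "" : " dhcp")
        verdict[ifc] = (miss == "") ? "OK" : "MISSING" miss
        if (miss != "") bad = 1
        print ifc, verdict[ifc]
      }
    }
    END { exit bad + 0 }'
}

broken_listing | audit_guest_rules || echo "guest DNS/DHCP ACCEPT rules missing"
```

On a live router the same function can be fed real output with `ebtables --list | audit_guest_rules`; a non-zero exit status means at least one guest interface lacks a DNS or DHCP ACCEPT rule ahead of its DROP.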

fifonik
Posts: 162
Joined: Fri Dec 02, 2016 3:52 am
Location: Brisbane, AU

Re: Gargoyle 1.11.0 Release Candidate 1

Post by fifonik »

Shouldn't it be 17 instead of UDP as per man?

Lantis
Moderator
Posts: 6920
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.11.0 Release Candidate 1

Post by Lantis »

Thanks for the pointers. I’ll start my investigation there.

Lantis
Moderator
Posts: 6920
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Gargoyle 1.11.0 Release Candidate 1

Post by Lantis »

Spot on guys, thanks for doing the investigation.
Fixed with this commit, which will make it into the next RC/final version
https://github.com/ericpaulbishop/gargo ... 5579194ef2

This should be easy enough for people to fix easily on their live routers as well.

doug_porsche
Posts: 75
Joined: Fri Aug 16, 2013 3:59 pm

Re: Gargoyle 1.11.0 Release Candidate 1

Post by doug_porsche »

You all are the best!
Updated my gargoyle_firewall_util.sh and now my guest network is working.

doug_porsche
Posts: 75
Joined: Fri Aug 16, 2013 3:59 pm

Re: Gargoyle 1.11.0 Release Candidate 1

Post by doug_porsche »

Pushing my luck here, but....
Is there a way for QOS to include a config/filter for the guest network?

Would be a nice enhancement to say: QoS Download rule.
If logged into the guest network (SSID?) then max BW = X kbps

The way it looks now, it seems a DHCP IP assigned guest has no limits.

ispyisail
Moderator
Posts: 5194
Joined: Mon Apr 06, 2009 3:15 am
Location: New Zealand

Re: Gargoyle 1.11.0 Release Candidate 1

Post by ispyisail »

doug_porsche wrote:
> Pushing my luck here, but....
> Is there a way for QOS to include a config/filter for the guest network?
>
> Would be a nice enhancement to say: QoS Download rule.
> If logged into the guest network (SSID?) then max BW = X kbps
>
> The way it looks now, it seems a DHCP IP assigned guest has no limits.

There was a post many years ago about implementing a guest network. In the end a quick fix was made knowing that many features were missing.
