Gargoyle 1.11.0 Release Candidate 1

[rseiler]

Broken pipe is ok. So did it actually function sending the email?

No, but let's wait for someone to confirm that it's also not working for them after making the msmtp change.

[doug_porsche]

Probably been talked about, but.

Guest network does not find any DNS.
It will let me connect to my guest network, just no DNS, so useless.

Is your DNS not hosted on the router, but another device?

Correct.

Custom DNS Servers

[Lantis]

So the way the guest network operates is it completely isolates the guests from the rest of the LAN. So if your DNS is in a different part of your LAN, and not located on the router itself or the WAN, you’re in trouble.
I think this is an oversight in the implementation.

I’m going to try to work on a fix, but it will take a bit of time.

[smf007]

So the way the guest network operates is it completely isolates the guests from the rest of the LAN. So if your DNS is in a different part of your LAN, and not located on the router itself or the WAN, you’re in trouble.
I think this is an oversight in the implementation.

I’m going to try to work on a fix, but it will take a bit of time.

I still have the DNS issue as well. If the guest client has the router as DNS, no resolution occurs. Changing what the router has set as DNS server makes no difference.

In the config file

Code: Select all

/etc/config/wireless

this entry exists

Code: Select all

option is_guest_network '1'

which is still the same as in 1.10. Now the firewall script

Code: Select all

/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh

hasn't changed in 3 years. In routine "guest_mac_from_uci()" it is looking for "is_guest_network = '1' " so everything should be fine... but it doesn't work.

Looking closer at the ebtables commands

Code: Select all

#Only allow DHCP/DNS access to router for anyone on guest network
ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol UDP --ip-destination-port 53 -j ACCEPT
ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol UDP --ip-destination-port 67 -j ACCEPT
ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination $lan_ip -j DROP

Output from "ebtables --list" also shows something went wrong

Code: Select all

root@Gargoyle:~# ebtables --list
Bridge table: filter

Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT 
-p IPv4 -i wlan0-1 --ip-dst 192.168.250.100 -j DROP 
-p ARP -i wlan1-1 -j ACCEPT 
-p IPv4 -i wlan1-1 --ip-dst 192.168.250.100 -j DROP 

Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-i wlan0-1 --logical-out br-lan -j DROP 
-i wlan1-1 --logical-out br-lan -j DROP 

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT

I tried executing them at the command line and there is definitely a problem. Below is the results (Note the "Unknown specified IP protocol")

Code: Select all

root@Gargoyle:~# ebtables -t filter -A INPUT -i wlan0-1 -p ARP -j ACCEPT
root@Gargoyle:~# iptables -S | grep -i arp
root@Gargoyle:~# ebtables -t filter -A INPUT -i wlan0-1 -p IPV4 --ip-protocol UDP --ip-destination-port 53 -j ACCEPT
Unknown specified IP protocol - UDP.
root@Gargoyle:~# ebtables -t filter -A INPUT -i wlan0-1 -p IPV4 --ip-protocol UDP --ip-destination-port 67 -j ACCEPT
Unknown specified IP protocol - UDP.
root@Gargoyle:~# ebtables -t filter -A INPUT -i wlan0-1 -p IPV4 --ip-destination 192.168.250.100 -j DROP

So something is wrong in that ebtables is not supporting UDP.


EDIT :: I can confirm that changing "UDP" to lower case "udp" fixes the DNS issue with guest WiFi.

[fifonik]

Should not it be 17 instead of UDP as per man?

[Lantis]

Thanks for the pointers. I’ll start my investigation there.

[Lantis]

Spot on guys, thanks for doing the investigation.
Fixed with this commit, which will make it into the next RC/final version
https://github.com/ericpaulbishop/gargo ... 5579194ef2

This should be easy enough for people to fix easily on their live routers as well.

[doug_porsche]

You all are the best!
updated my gargoyle_firewall_util.sh and now my guest network is working.

[doug_porsche]

Pushing my luck here, but....
Is there a way for QOS to include a config/filter for the guest network?

Would be a nice enhancement to say: OoS Download rule.
If logged into the guest network (SSID?) then max BW = X kbps

The way it looks now, it seems a DHCP IP assigned guest's has no limits.

[ispyisail]

Pushing my luck here, but....
Is there a way for QOS to include a config/filter for the guest network?

Would be a nice enhancement to say: OoS Download rule.
If logged into the guest network (SSID?) then max BW = X kbps

The way it looks now, it seems a DHCP IP assigned guest's has no limits.

There was a post many years ago about implementing a guest network. In the end a quick fix was made knowing that many features were missing.