Guest WLAN no DHCP but WLAN works?


ektus
Posts: 241
Joined: Sun Aug 11, 2013 2:26 am
Location: Germany

Re: Guest WLAN no DHCP but WLAN works?

Post by ektus »

Reading some more on the topic of ebtables and guest networks, it looks like some rules have to use MAC addresses instead of IPs.
e.g. https://matthias-larisch.de/openwrt_client_isolation/ or
https://www.rushworth.us/lisa/?tag=ebtables

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Guest WLAN no DHCP but WLAN works?

Post by Lantis »

Your modification does not seem to have worked. All of the rules I asked you to add are not present in your ebtables output. So of course, you would not expect a change.
How about forgetting about adding them to the script, and just running the commands manually.

“$lif” will be “wlan0-1” in your case
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

ektus
Posts: 241
Joined: Sun Aug 11, 2013 2:26 am
Location: Germany

Re: Guest WLAN no DHCP but WLAN works?

Post by ektus »

Would those be present always or only as long as the device in question is connected?

Anyway, I did as you asked, but the device still can't seem to get an IP.


root@Gargoyle:~# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.0.174 -j DROP

Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-i wlan0-1 --logical-out br-lan -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
root@Gargoyle:~# ebtables -t filter -A FORWARD -i "wlan0-1" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
root@Gargoyle:~# ebtables -t filter -A FORWARD -i "wlan0-1" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
root@Gargoyle:~# ebtables -t filter -A FORWARD -i "wlan0-1" --logical-out br-lan -p IPV4 --ip-destination 192.168.0.174 -j DROP
root@Gargoyle:~# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.0.174 -j DROP

Bridge chain: FORWARD, entries: 4, policy: ACCEPT
-i wlan0-1 --logical-out br-lan -j DROP
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --logical-out br-lan --ip-dst 192.168.0.174 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
root@Gargoyle:~#
It keeps reconnecting:


Sat Apr 22 10:45:32 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: authenticated
Sat Apr 22 10:45:32 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: associated (aid 1)
Sat Apr 22 10:45:32 2023 daemon.notice hostapd: wlan0-1: AP-STA-CONNECTED f0:6b:ca:df:d6:8d
Sat Apr 22 10:45:32 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d RADIUS: starting accounting session 97F0C7A716B084F0
Sat Apr 22 10:45:32 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d WPA: pairwise key handshake completed (RSN)
Sat Apr 22 10:45:32 2023 daemon.notice hostapd: wlan0-1: EAPOL-4WAY-HS-COMPLETED f0:6b:ca:df:d6:8d
Sat Apr 22 10:46:08 2023 daemon.notice hostapd: wlan0-1: AP-STA-DISCONNECTED f0:6b:ca:df:d6:8d
Sat Apr 22 10:46:08 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: disassociated
Sat Apr 22 10:46:08 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: disassociated
Sat Apr 22 10:46:09 2023 user.info usteer: station f0:6b:ca:df:d6:8d disconnected from node hostapd.wlan0-1
Sat Apr 22 10:46:09 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Sat Apr 22 10:46:12 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: authenticated
Sat Apr 22 10:46:12 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: associated (aid 1)
Sat Apr 22 10:46:12 2023 daemon.notice hostapd: wlan0-1: AP-STA-CONNECTED f0:6b:ca:df:d6:8d
Sat Apr 22 10:46:12 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d RADIUS: starting accounting session DE44B9853A95962E
Sat Apr 22 10:46:12 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d WPA: pairwise key handshake completed (RSN)
Sat Apr 22 10:46:12 2023 daemon.notice hostapd: wlan0-1: EAPOL-4WAY-HS-COMPLETED f0:6b:ca:df:d6:8d
Sat Apr 22 10:46:48 2023 daemon.notice hostapd: wlan0-1: AP-STA-DISCONNECTED f0:6b:ca:df:d6:8d
Sat Apr 22 10:46:48 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: disassociated
Sat Apr 22 10:46:48 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: disassociated
Sat Apr 22 10:46:49 2023 user.info usteer: station f0:6b:ca:df:d6:8d disconnected from node hostapd.wlan0-1
Sat Apr 22 10:46:49 2023 daemon.info hostapd: wlan0-1: STA f0:6b:ca:df:d6:8d IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
On the device, I've seen an "IP configuration error" message for the WiFi interface (in German, Android tablet).

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Guest WLAN no DHCP but WLAN works?

Post by Lantis »

The rules are now in the wrong order.
Change the command from -A (append) to -I (insert) to make them add to the top not bottom.
Do them like this so they end up in the right order.

ebtables -t filter -I FORWARD -i wlan0-1 --logical-out br-lan -p IPV4 --ip-destination 192.168.1.0/24 -j DROP
ebtables -t filter -I FORWARD -i wlan0-1 -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
ebtables -t filter -I FORWARD -i wlan0-1 -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT

I am pretty confident that it will work given my own testing.

ektus
Posts: 241
Joined: Sun Aug 11, 2013 2:26 am
Location: Germany

Re: Guest WLAN no DHCP but WLAN works?

Post by ektus »

You were right, now it's working. THANK YOU VERY MUCH!

I changed the script as follows and then did a reboot, thus ensuring it was executed:


if [ -n "$is_guest" ] ; then
	echo "$lif with mac $gmac is wireless guest"

	#Allow access to WAN but not other LAN hosts for anyone on guest network
	#-I inserts at the top of the chain, so the last command issued becomes the first rule evaluated:
	#DNS and DHCP are matched before the broad LAN DROP, which is what -A (append) got wrong.
	ebtables -t filter -I FORWARD -i "$lif" --logical-out br-lan -p IPV4 --ip-destination 192.168.0.0/24 -j DROP
	ebtables -t filter -I FORWARD -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
	ebtables -t filter -I FORWARD -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
	#ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -j DROP

	#Only allow DHCP/DNS access to router for anyone on guest network
	ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
	ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
	ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
	ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination "$lan_ip" -j DROP

fi
Active firewall rules:


root@Gargoyle:~# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.0.174 -j DROP

Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --logical-out br-lan --ip-dst 192.168.0.0/24 -j DROP

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
root@Gargoyle:~#
Tested client isolation, too, and it seems to work as expected. So does internet access for the guest.

Mission accomplished :-)
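The ordering point Lantis made (append versus insert) and the working script above can be checked without touching a router. This is an added illustration, not code from the thread or from Gargoyle: a small model of ebtables first-match evaluation over the FORWARD chain, fed constructed guest frames, showing that with the -A ordering the pre-existing blanket DROP swallows DHCP and DNS, while the -I ordering admits them and still blocks other LAN hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    """One ebtables FORWARD rule; None means that match option was not given."""
    target: str
    in_if: Optional[str] = None        # -i
    logical_out: Optional[str] = None  # --logical-out
    proto: Optional[str] = None        # --ip-protocol
    dport: Optional[int] = None        # --ip-destination-port
    dst_net: Optional[str] = None      # --ip-destination (host or CIDR)

    def matches(self, pkt):
        return (
            (self.in_if is None or pkt["in_if"] == self.in_if)
            and (self.logical_out is None or pkt["logical_out"] == self.logical_out)
            and (self.proto is None or pkt["proto"] == self.proto)
            and (self.dport is None or pkt["dport"] == self.dport)
            and (self.dst_net is None or ip_address(pkt["dst"]) in ip_network(self.dst_net))
        )

def verdict(chain, pkt, policy="ACCEPT"):
    """First matching rule decides, as in ebtables; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

DNS = Rule("ACCEPT", in_if="wlan0-1", proto="udp", dport=53)
DHCP = Rule("ACCEPT", in_if="wlan0-1", proto="udp", dport=67)
# Chain as it stood after the -A commands in the thread: the blanket DROP stayed first.
WRONG = [Rule("DROP", in_if="wlan0-1", logical_out="br-lan"), DNS, DHCP,
         Rule("DROP", in_if="wlan0-1", logical_out="br-lan", dst_net="192.168.0.174")]
# Chain built the way the final script does it: -I puts each rule on top, so the
# last command issued (DNS) becomes the first rule evaluated.
RIGHT = []
for r in (Rule("DROP", in_if="wlan0-1", logical_out="br-lan", dst_net="192.168.0.0/24"), DHCP, DNS):
    RIGHT.insert(0, r)

# Constructed sample frames from a guest client, bridged from wlan0-1 towards br-lan.
DHCP_REQ = dict(in_if="wlan0-1", logical_out="br-lan", proto="udp", dport=67, dst="255.255.255.255")
DNS_Q = dict(in_if="wlan0-1", logical_out="br-lan", proto="udp", dport=53, dst="192.168.0.174")
LAN_HTTP = dict(in_if="wlan0-1", logical_out="br-lan", proto="tcp", dport=80, dst="192.168.0.50")

def compare(pkt):
    """Return (verdict under the -A ordering, verdict under the -I ordering)."""
    return verdict(WRONG, pkt), verdict(RIGHT, pkt)

if __name__ == "__main__":
    for name, pkt in (("dhcp", DHCP_REQ), ("dns", DNS_Q), ("lan-http", LAN_HTTP)):
        print(f"{name:8} appended: {compare(pkt)[0]:6} inserted: {compare(pkt)[1]}")
```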

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Guest WLAN no DHCP but WLAN works?

Post by Lantis »

Fantastic! I'll update the code as well to handle this for the future.
