Guest WLAN no DHCP but WLAN works?
Moderator: Moderators
-
- Posts: 4
- Joined: Sun Jan 26, 2020 3:01 pm
Re: Guest WLAN no DHCP but WLAN works?
At the moment the Gargoyle is set as Gateway and Wireless AP. DHCP was activated but I deactivated it because pfSense is the DHCP server now but even when it was activated it did not serve an IP to the Guest WLAN. (DHCP pool was intersecting with the one from pfSense though, I thought I left it on by mistake and turned it off).
The purpose of the Guest WLAN is to:
1) give them a different password
2) put a bandwidth quota on them
3) isolate them from all other WiFi devices but the internet
Point 3 I've done in pfSense. So, the Gargoyle Router IP is 192.168.3.2, the pfSense interface/bridge/port that connects to the Gargoyle is 192.168.3.1 which is also set as the gateway in Gargoyle.
The DHCP is on the pfSense box now and has a range from 192.168.3.30 - 50 for devices. My own WiFi devices all have static mappings bound to MAC addresses in the DHCP and those devices are specifically allowed in the pfSense firewall to access the subnet 192.168.1.x where my other devices are (NAS, printer etc.). The rest of the WiFi devices are only allowed to the WAN interface of the pfSense.
The Gargoyle is set as Gateway and wireless AP. DHCP was activated but I deactivated it because pfSense is the DHCP server now but even when it was activated it did not serve an IP to the Guest WLAN. (DHCP pool was intersecting with the one from pfSense though, I thought I left it on by mistake).
The purpose of the Guest WLAN is to:
1) give them a different password
2) put a bandwidth quota on them
3) isolate them from most devices
Point 3 I've done in pfSense. So, the Gargoyle Router IP is 192.168.3.2, the pfSense interface/bridge/port that connects to the Gargoyle is 192.168.3.1. The DHCP is on the pfSense now and has a range from 192.168.3.30 - 50 for guest devices. My own WiFi devices all have static mappings bound to MAC addresses in the DHCP and those devices are specifically allowed in the firewall to access the subnet 192.168.1.x where my other devices are (NAS, printer etc.). The rest of the WiFi devices are only allowed to the WAN interface of the pfSense box.
I hope that makes sense...
Re: Guest WLAN no DHCP but WLAN works?
The issue is probably because the Guest Network is isolated from all other LAN hosts, which would include your DHCP server (pfsense).
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: Guest WLAN no DHCP but WLAN works?
Has this issue been resolved since? I've got two Gargoyle devices running 1.15.X, and guests on the second router can't obtain an IP address. The second router is needed to increase wifi coverage. The guests shall not gain access to the local network but only to the internet.
Re: Guest WLAN no DHCP but WLAN works?
No. Tracked here https://github.com/ericpaulbishop/gargoyle/issues/931
Also a suggested solution, but got no feedback so I didn’t progress.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: Guest WLAN no DHCP but WLAN works?
Line numbers seem to have changed since the bug was last commented on. Currently there is a "drop" in line 696, followed by DHCP exceptions in lines 698ff.
So should the lines 699 through 701 be copied after line 695, but with FORWARD instead of ACCEPT?
On the router, the file can be found in
Code:
/usr/lib/gargoyle_firewall_util/gargoyle_firewall_util.sh
current:
Code:
692 if [ -n "$is_guest" ] ; then
693 echo "$lif with mac $gmac is wireless guest"
694
695 #Allow access to WAN but not other LAN hosts for anyone on guest network
696 ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -j DROP
697
698 #Only allow DHCP/DNS access to router for anyone on guest network
699 ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
700 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
701 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
702 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination $lan_ip -j DROP
703
704 fi
modified:
Code:
692 if [ -n "$is_guest" ] ; then
693 echo "$lif with mac $gmac is wireless guest"
694
695 #Allow access to WAN but not other LAN hosts for anyone on guest network
696 #Exception for DNS
697 ebtables -t filter -A INPUT -i "$lif" -p ARP -j FORWARD
698 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j FORWARD
699 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j FORWARD
700 #Block the rest
701 ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -j DROP
702
703 #Only allow DHCP/DNS access to router for anyone on guest network
704 ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
705 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
706 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
707 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination $lan_ip -j DROP
708
709 fi
Should those FORWARD rules be made more specific, i.e. only forward to the gateway, not just any router in the LAN?
There's some documentation in the OpenWRT wiki, but that's an entirely different format and presumably just describes what's in the current guest network rules for the local router.
https://openwrt.org/docs/guide-user/net ... guest-wlan
Re: Guest WLAN no DHCP but WLAN works?
I just tried and modified the file on the secondary access point, but it looks like it doesn't work. My test device (android phone) still can't get an IP. I did reboot the router, too.
Re: Guest WLAN no DHCP but WLAN works?
Code:
692 if [ -n "$is_guest" ] ; then
693 echo "$lif with mac $gmac is wireless guest"
694
695 #Allow access to WAN but not other LAN hosts for anyone on guest network
696 ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -j DROP
697
698 #Only allow DHCP/DNS access to router for anyone on guest network
699 ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
700 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
701 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
702 ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination $lan_ip -j DROP
703
704 fi
ebtables -t filter -A FORWARD -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
ebtables -t filter -A FORWARD -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
This should allow DHCP forwarded to any other host on LAN.
You could make the destination more specific, but let’s start simple.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
Re: Guest WLAN no DHCP but WLAN works?
Tried that one, even added in the ARP line, but no luck. Shouldn't those echo lines be displayed somewhere? How do I view the debug output? When is this script run?
Code:
isolate_guest_networks()
{
    ebtables -t filter -F FORWARD
    ebtables -t filter -F INPUT
    local guest_macs=$( get_guest_macs )
    if [ -n "$guest_macs" ] ; then
        local lanifs=`brctl show br-lan 2>/dev/null | awk ' $NF !~ /interfaces/ { print $NF } '`
        local lif
        local lan_ip
        network_get_ipaddr lan_ip lan
        for lif in $lanifs ; do
            for gmac in $guest_macs ; do
                local is_guest=$(ifconfig "$lif" 2>/dev/null | grep -i "$gmac")
                if [ -n "$is_guest" ] ; then
                    echo "$lif with mac $gmac is wireless guest"
                    echo "apply firewall rules"
                    #Allow access to WAN but not other LAN hosts for anyone on guest network
                    #Exception for DHCP and DNS
                    ebtables -t filter -A FORWARD -i "$lif" -p ARP -j ACCEPT
                    ebtables -t filter -A FORWARD -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
                    ebtables -t filter -A FORWARD -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
                    #Block the rest
                    ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -j DROP
                    #Only allow DHCP/DNS access to router for anyone on guest network
                    ebtables -t filter -A INPUT -i "$lif" -p ARP -j ACCEPT
                    ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
                    ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
                    ebtables -t filter -A INPUT -i "$lif" -p IPV4 --ip-destination $lan_ip -j DROP
                fi
            done
        done
    fi
}
Re: Guest WLAN no DHCP but WLAN works?
Try this instead.
Before line 696 add something like:
ebtables -t filter -A FORWARD -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT
ebtables -t filter -A FORWARD -i "$lif" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT
Also modify line 696 from
ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -j DROP
To
ebtables -t filter -A FORWARD -i "$lif" --logical-out br-lan -p IPV4 --ip-destination 192.168.1.0/24 -j DROP
Assuming you are using the 192.168.1.0 subnet. Swap it out as appropriate.
This should allow DHCP/DNS to flow to your DHCP server on the LAN, and traffic can flow out of the LAN port as long as it is destined for a foreign address.
The script is called when the firewall refreshes, so typically on network restart.
There’s no debugging per se unless you call it manually.
Also, I discovered that in 1.15 the modules for doing this filtering aren’t built in properly. I will be putting new images up within the next few hours to correct this.
You can check by running
gpkg list-installed | grep ebtables
And looking for both the ipv4 and ipv6 modules.
If all of this works for you in the end, I will fix it up into the code.
https://lantisproject.com/downloads/gargoylebuilds for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.
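The procedure Lantis gives above (ACCEPT exceptions for udp/53 and udp/67 ahead of the DROP, and the DROP limited to the LAN subnet), written out as an added example that is not Gargoyle's own code and not part of the thread: a POSIX sh function that prints the full rule set for one guest port so it can be reviewed before anything is applied, plus a check that the exceptions really do precede the DROP. The interface name wlan0-1, the LAN address 192.168.3.2 and the subnet 192.168.3.0/24 are assumed values.

```shell
#!/bin/sh
# Added example, not code from Gargoyle or from the thread: print (do not apply)
# the guest-port ebtables rules in the order proposed in the thread, so the set
# can be reviewed before it touches a live bridge.
# Assumed values: guest port wlan0-1, router LAN address 192.168.3.2,
# LAN subnet 192.168.3.0/24. Substitute your own.

# guest_rules LIF LAN_IP LAN_SUBNET
# One ebtables command per output line. A chain is evaluated top to bottom, so
# the DHCP/DNS exceptions have to come before the DROP that follows them.
guest_rules() {
    lif=$1
    lan_ip=$2
    lan_subnet=$3
    # FORWARD: frames from the guest port towards other bridge ports.
    # Let DNS (udp/53) and DHCP (udp/67) through first, so a DHCP/DNS server
    # elsewhere on the LAN (pfSense in the thread) can see the requests.
    echo "ebtables -t filter -A FORWARD -i \"$lif\" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT"
    echo "ebtables -t filter -A FORWARD -i \"$lif\" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT"
    # Drop everything else from the guest port that is addressed to the LAN
    # subnet; traffic to foreign addresses still leaves through the gateway.
    echo "ebtables -t filter -A FORWARD -i \"$lif\" --logical-out br-lan -p IPV4 --ip-destination $lan_subnet -j DROP"
    # INPUT: frames from the guest port to this router itself. ARP, DNS and
    # DHCP only; anything else aimed at the router's LAN address is dropped.
    echo "ebtables -t filter -A INPUT -i \"$lif\" -p ARP -j ACCEPT"
    echo "ebtables -t filter -A INPUT -i \"$lif\" -p IPV4 --ip-protocol udp --ip-destination-port 53 -j ACCEPT"
    echo "ebtables -t filter -A INPUT -i \"$lif\" -p IPV4 --ip-protocol udp --ip-destination-port 67 -j ACCEPT"
    echo "ebtables -t filter -A INPUT -i \"$lif\" -p IPV4 --ip-destination $lan_ip -j DROP"
}

# rules_in_order RULES
# Returns 0 when every FORWARD ACCEPT in RULES comes before the first FORWARD
# DROP, i.e. when the exceptions can actually fire.
rules_in_order() {
    printf '%s\n' "$1" | awk '
        /-A FORWARD/ && /-j ACCEPT/ { last_accept = NR }
        /-A FORWARD/ && /-j DROP/ && !first_drop { first_drop = NR }
        END { exit !(last_accept && first_drop && last_accept < first_drop) }'
}

# Dry run: show the rules for the assumed guest port and check their order.
rules=$(guest_rules wlan0-1 192.168.3.2 192.168.3.0/24)
printf '%s\n' "$rules"
rules_in_order "$rules" && echo "order ok: exceptions precede the DROP"
```

Pipe the output into `sh` only after reading it. If you tighten the udp/67 exception to one server with `--ip-destination <server>`, as Lantis mentions is possible, bear in mind that a client's initial DISCOVER/REQUEST is addressed to 255.255.255.255, so an exception limited to the server's unicast address would block the first exchange; limiting the udp/53 rule to the DNS server's address has no such problem.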
Re: Guest WLAN no DHCP but WLAN works?
I will do the checks once I've got the opportunity again (probably friday afternoon (GMT+2)).
Test complete, still not working
I've installed the build from April 18th, 2023 and modified the firewall_utils script accordingly. Now ebtables -L does show some rules, but my phone still fails to acquire an IP.
Code:
root@Gargoyle:~# gpkg list-installed | grep ebtables
ebtables-legacy - 2018-06-27-48cff25d-1
kmod-ebtables - 5.10.176-1-0a6974f83ac342d4d8683910144e02d4
kmod-ebtables-ipv4 - 5.10.176-1-0a6974f83ac342d4d8683910144e02d4
kmod-ebtables-ipv6 - 5.10.176-1-0a6974f83ac342d4d8683910144e02d4
root@Gargoyle:~# ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.0.174 -j DROP
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-i wlan0-1 --logical-out br-lan -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
root@Gargoyle:~#
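The listing above shows the INPUT chain accepting ARP, DNS and DHCP from wlan0-1, while the FORWARD chain holds only the DROP with no udp/67 exception ahead of it, so a DHCP request from the guest port never reaches a DHCP server on another LAN host. As an added example (not part of the thread and not Gargoyle's code), a POSIX sh audit that reads an `ebtables -L` listing and reports that state per chain; the listing it parses is the one posted above, embedded inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from Gargoyle or from the thread: read an `ebtables -L`
# listing and report whether a guest port may send DHCP/DNS to the router itself
# (INPUT chain) and on to other LAN hosts (FORWARD chain). The listing below is
# the one posted in the thread, copied inline so the script runs offline.

LISTING='Bridge table: filter
Bridge chain: INPUT, entries: 4, policy: ACCEPT
-p ARP -i wlan0-1 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 53 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-proto udp --ip-dport 67 -j ACCEPT
-p IPv4 -i wlan0-1 --ip-dst 192.168.0.174 -j DROP
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-i wlan0-1 --logical-out br-lan -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# chain_allows_udp LISTING CHAIN PORT LIF
# Returns 0 when CHAIN holds an ACCEPT for UDP destination PORT from LIF that
# is listed before any DROP matching LIF in that chain. Rules are evaluated
# top to bottom, so an ACCEPT after a matching DROP never gets a chance; any
# earlier DROP from LIF is treated conservatively as closing the window.
chain_allows_udp() {
    printf '%s\n' "$1" | awk -v want="$2" -v port="$3" -v lif="$4" '
        /^Bridge chain:/ { chain = $3; sub(/,$/, "", chain); next }
        chain != want || $0 !~ ("-i " lif " ") { next }
        /-j DROP/ { dropped = 1 }
        /--ip-proto udp/ && $0 ~ ("--ip-dport " port " ") && /-j ACCEPT/ && !dropped { ok = 1 }
        END { exit !ok }'
}

# guest_dhcp_report LISTING LIF
# Prints one line per chain and returns 0 only if both chains let DHCP through.
guest_dhcp_report() {
    status=0
    for chain in INPUT FORWARD; do
        if chain_allows_udp "$1" "$chain" 67 "$2"; then
            echo "$chain: DHCP (udp/67) from $2 accepted"
        else
            echo "$chain: no DHCP (udp/67) exception from $2 ahead of a DROP"
            status=1
        fi
    done
    return $status
}

guest_dhcp_report "$LISTING" wlan0-1 \
    || echo "result: a DHCP server on another LAN host cannot receive this port's requests"
```

Run it against a live box with `guest_dhcp_report "$(ebtables -L)" wlan0-1` after editing the script and refreshing the firewall; if the FORWARD line still reports no exception, the edited rules are not the ones the bridge is running.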