r7800, Voxel firmware and Guest Networks

violetaruth

Occasional Visitor
First let me just say again the Voxel firmware is wonderful.

I have an edge case that I wondered if anyone had a solution to:

I'm using a pi-hole for DNS black holing and DHCP. I want to use the r7800 guest network mode and block guest users from accessing my local network but still access the internet. However, if I do this, guests can't see the pi-hole as it's not running on the r7800 so doesn't get DHCP/DNS.

Does anyone know of a method to allow access to one specific LAN IP (i.e. the one that has the pi-hole) to get DHCP and DNS and isolate the rest of the network in guest mode?

Thanks for any thoughts on this edge case!

HELLO_wORLD

Senior Member
Using custom iptables would work.
You would need to create those tables in a firewall-start.sh script placed in /opt/scripts.


R. Gerrits

Senior Member
It's not iptables that you'd need to look into but ebtables.
(traffic on an ethernet bridge does not pass through iptables)

If I'm correct this would allow DNS requests to pihole from the 2.4 GHz GuestWifi:
# bridged frames between ports traverse the FORWARD chain (INPUT only sees frames addressed to the router itself);
# --ip-dst matches the IP destination (--dst matches a MAC address); without -j ACCEPT a rule only counts matches
ebtables -I FORWARD -p IPv4 -i ath11 --ip-proto udp --ip-dport 53 --ip-dst <Pihole IP-address> -j ACCEPT
ebtables -I FORWARD -p IPv4 -i ath11 --ip-proto tcp --ip-dport 53 --ip-dst <Pihole IP-address> -j ACCEPT

For 5 GHz GuestWifi insert similar rules for ath01

and for DHCP you'd also need to insert the rules for --ip-proto udp --ip-dport 67:68 (UDP only)

If you found the right rules to insert, then probably best to edit /lib/wifi/qcawifi.sh to add them there.
(otherwise the router could decide to wipe them out when something else changes)
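The rules sketched above, carried through for both guest interfaces and both directions of traffic, as an added example script that is not code from this thread or from the Voxel firmware. It assumes the interface names ath11 (2.4 GHz) and ath01 (5 GHz) given in the post, uses a placeholder Pi-hole address that you must replace (PIHOLE_IP), and assumes that bridged frames between ports are filtered in the ebtables FORWARD chain. It prints the rules by default so they can be reviewed, and only runs them when invoked with the argument apply:

```shell
#!/bin/sh
# Added example, not code from the thread or the Voxel project.
# Builds the ebtables rules that let isolated guest Wi-Fi clients reach ONLY the
# Pi-hole for DNS (tcp/udp 53) and DHCP (udp 67/68); the router's own guest
# isolation rules keep the rest of the LAN unreachable.
#
# Assumptions (not from the page): guest interfaces ath11 (2.4 GHz) and ath01
# (5 GHz); PIHOLE_IP is a placeholder; bridged traffic is filtered in FORWARD.

PIHOLE_IP="${PIHOLE_IP:-192.0.2.53}"        # placeholder (TEST-NET-2); set to your Pi-hole
GUEST_IFACES="${GUEST_IFACES:-ath11 ath01}"  # 2.4 GHz and 5 GHz guest interfaces

# Accept only a dotted quad with each octet 0-255; returns 0 if valid, 1 otherwise.
valid_ipv4() {
    old_ifs="$IFS"; IFS=.; set -- $1; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the ebtables commands for one guest interface, one per line.
# Usage: guest_allow_rules <iface> <pihole-ip>
guest_allow_rules() {
    iface="$1"; pihole="$2"
    # DNS: guest -> Pi-hole (queries) and Pi-hole -> guest (answers)
    for proto in udp tcp; do
        echo "ebtables -I FORWARD -p IPv4 -i $iface --ip-proto $proto --ip-dst $pihole --ip-dport 53 -j ACCEPT"
        echo "ebtables -I FORWARD -p IPv4 -o $iface --ip-proto $proto --ip-src $pihole --ip-sport 53 -j ACCEPT"
    done
    # DHCP: the client's DISCOVER/REQUEST is broadcast from 0.0.0.0, so it cannot be
    # matched on --ip-dst; match the port pair instead. Replies are pinned to the Pi-hole.
    echo "ebtables -I FORWARD -p IPv4 -i $iface --ip-proto udp --ip-sport 68 --ip-dport 67 -j ACCEPT"
    echo "ebtables -I FORWARD -p IPv4 -o $iface --ip-proto udp --ip-src $pihole --ip-sport 67 --ip-dport 68 -j ACCEPT"
}

# Emit every rule for all guest interfaces; returns 1 on a malformed address.
all_rules() {
    valid_ipv4 "$1" || { echo "bad Pi-hole address: $1" >&2; return 1; }
    for i in $GUEST_IFACES; do guest_allow_rules "$i" "$1"; done
}

# "sh guest-pihole.sh apply" runs the rules on the router; with no argument the
# script only prints them (for review, or for pasting into firewall-start.sh).
if [ "$1" = "apply" ]; then
    command -v ebtables >/dev/null 2>&1 || { echo "ebtables not found" >&2; exit 1; }
    all_rules "$PIHOLE_IP" | while IFS= read -r cmd; do $cmd; done
else
    all_rules "$PIHOLE_IP"
fi
```

Because each rule is inserted with -I, it lands ahead of whatever DROP rules the router's guest isolation already placed in the chain, which is what makes the narrow exception take effect; ebtables -L FORWARD shows the resulting order. The client-to-server DHCP rule necessarily lets the broadcast DISCOVER reach every bridge port, since it has no unicast destination to pin; only replies from the Pi-hole's address are let back through, so another LAN host cannot answer guests' DHCP requests through this exception.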

R. Gerrits

Senior Member
My comment is true both for router mode and AP mode. Traffic between wired interfaces and all 4 wireless interfaces in all cases only goes through ebtables because they are connected to the same bridge.

Only traffic from those interfaces from and to the router and traffic from and to the internet goes via iptables.