DNSMasq assigns DNS servers except when Windows overrides

nwst2015
DD-WRT Novice


Joined: 17 Dec 2015
Posts: 13
Location: Northwestern USA

PostPosted: Fri Jan 15, 2016 20:27    Post subject: DNSMasq assigns DNS servers except when Windows overrides
I have installed DD-WRT build r14929 on a WRT54GS v4, and have used bridging to create a br1 guest wireless network in addition to a br0 private wireless network on the single router. The two separate networks are generally working well.

To filter content for the guest users, I have used the Services > DNSMasq section to assign OpenDNS as the DNS service for those who log into the guest network. Here are the settings:
DNSMasq: Enabled
Local DNS: Disabled
Additional DNSMasq Options:
dhcp-option=br1,6,208.67.222.222,208.67.220.220

This works fine if the IPv4 settings in the guest's adapter are set to allow DNS server addresses to be assigned automatically. However, if the user has changed their IPv4 settings to specify the DNS IP addresses that they want their adapter to use, then the guest's own DNS IP addresses will be the ones used.

Question: How can I modify DD-WRT settings to FORCE the guest network user to use OpenDNS even if they have set up their own DNS IP numbers in their IPv4 settings?
LOM
DD-WRT Guru


Joined: 28 Dec 2008
Posts: 7647

PostPosted: Sat Jan 16, 2016 0:57
http://www.dd-wrt.com/wiki/index.php/OpenDNS
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Sat Jan 16, 2016 4:52
Update to a modern build so you can use the forced DNS redirection option. You're over 5 years behind on that build.

nwst2015
DD-WRT Novice


Joined: 17 Dec 2015
Posts: 13
Location: Northwestern USA

PostPosted: Sun Jan 17, 2016 0:10
eibgrad,

Since I'm just a "cook" using the "recipes" in the DD-WRT "cookbook", can you point me to some tutorials (or alternatively provide some instructions) on how to:

1) Create the additional DNSMasq instance, and

2) Configure it as you indicate ?

Thanks
nwst2015
DD-WRT Novice


Joined: 17 Dec 2015
Posts: 13
Location: Northwestern USA

PostPosted: Mon Jan 18, 2016 21:56
eibgrad,
Thanks for this very comprehensive set of instructions. As I get ready to apply them, a couple of questions:

1) When I add your suggested code to the firewall script, should I add it before or after the firewall script items that I choose to add from the article that you cited?

2) If I'm successful, when I log into the guest wireless network and give the ipconfig /all command, should I see the two OpenDNS IPs that you included in your script, or should I see something else in the DNS Servers line items?
nwst2015
DD-WRT Novice


Joined: 17 Dec 2015
Posts: 13
Location: Northwestern USA

PostPosted: Tue Jan 19, 2016 1:45
eibgrad,

To make a clean start, I reset the firmware using Admin > Factory Defaults > Restore Factory (really DD-WRT) Defaults. I then followed the steps in the Multiple WLANs article that you cited, including testing for Internet connections on both wireless networks after the steps in the Separating the WLANs section. Up to this point I was successful.

Instead of adding the script shown in the M WLANs article, I added only what you suggested to the Additional DNSMasq Options box, since I could see that your code incorporated the lines that the article suggested. I tested the connections again, and the laptop connected successfully to the Internet on both private and public WLANs.

I then added your suggested code to the startup script and the firewall script boxes, and did not add any other script to those boxes. I then power cycled the router. When I tested connections with the laptop, I got a good private WLAN connection with Internet access, and was able to bring up new Web pages quickly. But when I logged onto the guest WLAN the Windows connection icon initially showed a connection with Internet access when I moused over it, but as soon as I tried to (unsuccessfully) load a Web page, it showed a WLAN connection with no Internet access.

When I checked the status of this public connection in Status > LAN > DHCP Clients, it showed an IP address of 192.168.2.127 and a two-day client lease time. The ipconfig /all command showed the same DNS Server number as before, 192.168.2.1. No surprises there.

I'm not sure what I did wrong. Can you think of any settings that I should check?
nwst2015
DD-WRT Novice


Joined: 17 Dec 2015
Posts: 13
Location: Northwestern USA

PostPosted: Tue Jan 19, 2016 3:09
eibgrad wrote:
Well, since you started over, did you also NAT the guest network over the WAN?

Code:
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE

eibgrad,

Yes. Because I started fresh and added all of the lines of code that you suggested, I included those two lines when I copy/pasted your suggested script into the firewall box.
nwst2015
DD-WRT Novice


Joined: 17 Dec 2015
Posts: 13
Location: Northwestern USA

PostPosted: Tue Jan 19, 2016 4:09
I logged into a telnet session with the router, and entered the string:
ps -w | grep [d]nsmasq2

There was no response, but there was also no error message (which in Linux I understand is sometimes a good thing). What response should I have gotten?

[Added by edit] I also ran the ps command by itself. In the list of running processes I see dnsmasq, but not dnsmasq2.
nwst2015
DD-WRT Novice


Joined: 17 Dec 2015
Posts: 13
Location: Northwestern USA

PostPosted: Tue Jan 19, 2016 5:08
I don't think I have the knowledge to be able to explore by telnet and isolate the problem.

You mentioned build. If there's a newer build that will work on my WRT54G v4, I'd be glad to upgrade to it. The build that I currently use, r14929, was about the newest one that was considered reliable in the wiki for my router model.

I'm unsure about which build to upgrade to. I've searched around to find out a later build that I could use on this router, but without success. Maybe you could answer a few questions for me about that?

1) When I drill down in a directory of DD-WRT builds, must I find the exact model and version of my router in order for it to be compatible with that router?

2) I've read that some builds are much better than others. How do I avoid selecting a build that is more problematic than most -- a "bad build"?

[By the way, this will be the last reply that I can send this evening. I'll check again in the morning.]
nwst2015
DD-WRT Novice


Joined: 17 Dec 2015
Posts: 13
Location: Northwestern USA

PostPosted: Wed Feb 03, 2016 20:33    Post subject: Solution: Two WLANs and Override of Client DNS
INTRODUCTION: These are the steps that EIBGRAD on the DD-WRT Forums had me go through to add a second WLAN to a WRT54GS v4 router. It also worked for a WRT54G v4. A key feature is that, if a user is logged into the guest network, the router will override DNS settings that the user of a client computer may have set up as static IP DNS addresses in their IPv4 adapter settings.

EIBGRAD did a great job of guiding me to a solution as we exchanged many private messages. I’m pleased with the solution, and want to share it in this forum post so that others with similar hardware and firmware can take advantage of this.

EIBGRAD had to make major modifications to the code that had worked on his router because my build of DD-WRT apparently does not contain a feature (called heredoc) which his build of DD-WRT did. I appreciate the fact that EIBGRAD went the extra mile to come up with a solution that worked on my routers.

CAUTION: These procedures worked for me on the Linksys router models and the DD-WRT build that I specify here. They may not work for you with other hardware or with other builds of DD-WRT. As usual, back up your router profile before beginning.

I started out with a clean installation of one of Brainslayer’s DD-WRT builds, r27775. The Standard version was slightly too large, but the VPN version was small enough to install on a WRT54GS v4 router. Later I repeated this process successfully with a WRT54G v4 router that I also had upgraded to build r27775 using the VPN version.

STEPS TO INSTALL
Before starting the steps in the Multiple LANs wiki, I did these steps:

1) I did a 30-30-30 hard reset of my router.

2) In Settings > Basic Settings I entered my WAN Settings information, in my case for PPPoE. Basic > Network Setup was already set at a Local IP address of 192.168.1.1 and the Subnet Mask was at 255.255.255.0.

3) Enabled Local DNS in Services at Services > Services > DNSMasq

FROM THE MULTIPLE WLANS WIKI
In the Multiple WLANs wiki at
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs#Broadcom_Based_Hardware
I followed these steps:

1) Under BROADCOM BASED HARDWARE I did those tests, and found out that I had chip revision 9, the lowest rev. no. that supports truly separated WLANs.

2) Under Configuration > GUI Method > Basic Wireless Settings I followed the instructions in that section.

3) I followed the instructions under the Encryption section, and made sure that I could connect to both SSIDs with their encryption settings enabled.

4) Under Separating the WLANs, I followed the instructions to add bridge br1, and to assign it to interface Wl0.1. When I clicked Apply Settings the page did not show that Wl0.1 had been moved down to a br1 assignment, but after I rebooted the router and returned to the Settings > Network page, it then showed Wl0.1 assigned to br1.

I did not continue with the DHCP Server section at the bottom. Instead, I added the first block of code provided by EIBGRAD (see step 2) in the next section).

ADDING CODE PROVIDED BY EIBGRAD

1) I next added this block of code to Services > Additional DNSMasq Options:
Code:
# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.2.1
# Set the DNS servers for br1 clients
dhcp-option=br1,6,192.168.2.1
# Set the DHCP range and default lease time of 24 hours for br1 clients
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h

then clicked Apply Settings.

2) I then added this code to Administration > Commands:
Code:
# NAT the guest network over the WAN
WAN_IF="$(ip route | awk '/^default/{print $NF}')"
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o $WAN_IF -j MASQUERADE

then clicked the Save Firewall button.

At this point I tested to see if each network could connect at three different levels: a) the Windows network icon indicated it was connected to the WLAN, b) the icon also indicated that it had Internet access, and c) I could actually load Web pages. In the Windows Command Prompt I also ran IPCONFIG /ALL to see if the IP numbers were assigned as expected, for example DNS showed as 192.168.1.1 for the private network and 192.168.2.1 for the public network.

Up until this point, OpenDNS was not configured as the DNS service used by the public network. That came with the next steps.

3) In Administration > Commands I added this block of code that contains, among other things, the OpenDNS IP addresses (initially it specifies the Family Shield version because it is easy to test whether OpenDNS is engaged or not):
Code:
# wait for primary DNSMasq instance to appear before continuing
while ! pidof dnsmasq > /dev/null 2>&1; do sleep 10; done

# create the config file for second instance of DNSMasq
DNSMASQ2_CONF="/tmp/dnsmasq2.conf"
echo -e 'interface=br1
no-resolv
server=/lan/192.168.1.1
server=208.67.222.123
server=208.67.220.123
stop-dns-rebind
rebind-domain-ok=lan
#log-async
#log-queries' > $DNSMASQ2_CONF

# prevent a restart of dnsmasq from killing second instance of DNSMasq
ln -s $(which dnsmasq) /tmp/dnsmasq2

# start second instance of DNSMasq (detached from parent process)
nohup /tmp/dnsmasq2 -p 5353 -u root -g root --conf-file=$DNSMASQ2_CONF > /dev/null 2>&1

Then clicked the Save Startup button.

4) I then edited the Firewall code by clicking Edit under the Firewall code box, and pasting these two lines of code in AFTER the two lines that were already there:
Code:
# trap DNS requests from the guest network and redirect to second instance of DNSMasq
iptables -t nat -I PREROUTING -i br1 -p tcp -s 192.168.2.0/24 --dport 53 -j DNAT --to 192.168.1.1:5353
iptables -t nat -I PREROUTING -i br1 -p udp -s 192.168.2.0/24 --dport 53 -j DNAT --to 192.168.1.1:5353

then clicked Save Firewall. Then I had to reboot the router to make sure that all of this code was active.

That completed the steps to get the main result I was looking for, and the router then performed as described at the beginning of these notes, forcing users of the public Network to use OpenDNS for their DNS addresses. I tested again with client device connections before making any other optional changes to the router settings.

5) With EIBGRAD’s advice I added an additional optional step to specify another DNS service, Google Public DNS, for the private network. These are the steps: A) Making sure that Use DNSMasq for DNS was enabled on the Setup > Basic Setup page, and B) adding the following code above the existing code in the Services > Additional DNSMasq Options box:

Code:
# Ignore any upstream/public DNS servers from the ISP
no-resolv
# Assign the DNS servers to be used by the br0 bridge, the private network
server=8.8.8.8
server=8.8.4.4

This code includes the no-resolv command to prevent the ISP from assigning DNS addresses in addition to those specified here. If you don’t care about this, you can leave that line out.

6) A further step that I took was to add some of the additional firewall restrictions shown in the Multiple WLANs wiki under the headline Restricting Access. Since EIBGRAD indicated that the code he gave me was not sensitive to the order in which it is listed in the firewall commands, I added the additional restrictions from the wiki before the code that was previously added to the Firewall box under Administration > Commands in this set of procedures.

7) I then went on to add some quality of service and other restrictions. I did not want to add any of these until I had obtained and tested the forced use of the OpenDNS service by those logged onto the guest network.

Again, I want to thank EIBGRAD for the great deal of work that he put into coming up with a solution. While I organized these instructions in this post, I’m just a “cook” following a “recipe”. EIBGRAD is the master chef who developed the “recipe”. So my ability to answer questions about these steps is very limited.
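As an added example, not part of the thread and not eibgrad's code: a small POSIX sh audit of the pieces the solution above depends on, namely both port-53 DNAT rules on br1 and the second dnsmasq instance on port 5353. It assumes the thread's values (br1 as the guest bridge, 192.168.2.0/24, redirect target 192.168.1.1:5353) and uses constructed `iptables-save`-style and `ps -w`-style text so it runs without a router.

```shell
#!/bin/sh
# Offline audit of the guest-DNS redirect described in this thread (added
# example, not from the thread). Input is constructed text in the format of
# `iptables-save -t nat` and `ps -w`, so the checks can be exercised anywhere.

# 0 if rule text $1 holds a PREROUTING DNAT rule for interface $2, protocol $3,
# dport 53, redirecting to $4; 1 otherwise. Tokens are matched one at a time so
# the order in which iptables-save prints them does not matter.
has_dnat_rule() {
    printf '%s\n' "$1" | grep -e '^-A PREROUTING ' | grep -e "-i $2 " |
        grep -e "-p $3 " | grep -e '--dport 53 ' |
        grep -q -e "--to-destination $4\$"
}

# 0 if the ps text $1 shows /tmp/dnsmasq2 started with -p 5353 (the thread's
# symlinked second instance), 1 otherwise.
second_dnsmasq_running() {
    printf '%s\n' "$1" | grep -e '/tmp/dnsmasq2 ' | grep -q -e '-p 5353 '
}

# Print one line per check; return the number of failed checks (0 = all good).
audit_guest_dns() {
    fails=0
    for proto in tcp udp; do
        if has_dnat_rule "$1" br1 "$proto" 192.168.1.1:5353; then
            echo "ok: $proto/53 from br1 is DNATed to 192.168.1.1:5353"
        else
            echo "MISSING: $proto/53 DNAT rule for br1"; fails=$((fails + 1))
        fi
    done
    if second_dnsmasq_running "$2"; then
        echo "ok: second dnsmasq is running on port 5353"
    else
        echo "MISSING: second dnsmasq on port 5353"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed samples: a complete setup, one missing the UDP rule (TCP lookups
# would still be redirected while ordinary UDP lookups leak past the router's
# resolver), and a ps listing with and without the second instance. vlan2 is a
# placeholder WAN interface name.
GOOD_RULES='-A PREROUTING -s 192.168.2.0/24 -i br1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1:5353
-A PREROUTING -s 192.168.2.0/24 -i br1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1:5353
-A POSTROUTING -s 192.168.2.0/24 -o vlan2 -j MASQUERADE'
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | grep -v -e '-p udp ')
PS_GOOD=' 1023 root  dnsmasq --conf-file=/tmp/dnsmasq.conf
 1101 root  /tmp/dnsmasq2 -p 5353 -u root -g root --conf-file=/tmp/dnsmasq2.conf'
PS_BAD=$(printf '%s\n' "$PS_GOOD" | grep -v -e dnsmasq2)

audit_guest_dns "$GOOD_RULES" "$PS_GOOD"
```

On a router that has iptables-save, the same functions can be run against live output with `audit_guest_dns "$(iptables-save -t nat)" "$(ps -w)"`. The audit, like the DNAT rules themselves, only covers plain DNS on port 53.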