R7800 Guest Networks / VAPs of all flavors not getting IP

voltronic
DD-WRT Novice


Joined: 30 Sep 2020
Posts: 10

Posted: Mon Jul 25, 2022 22:49
2x R7800 running r49492 (07-15-22); one gateway, one AP
pi-hole for DNS only
No VLANs

At some point in a much earlier build from 2020 or 2021 I had a functional VAP / guest wifi network. With anything recent including my current build, VAPs of any flavor cannot get an IP.

I have read all of the various official and non-official guides to see if I am missing something, and cannot find anything I am doing incorrectly.

The VAP is only for my gateway R7800. Unbridged, AP and network isolation, forced DNS redirection to pi-hole. Disabling any or all of those three doesn't solve it.

I have tried using the standard DHCPd method and also the (outdated?) DNSMasq method, both with 5 GHz and 2.4 GHz radios.

Rebooting after all setting changes.

In all cases, Clients can connect but cannot get an IP (aka "connected without internet").

Please let me know if I'm missing something.

Thanks for the help!
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Tue Jul 26, 2022 6:52
is all explained in the following links:

Only example 2 works with isolated VAP's,

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414

Edit: I have added screenshots of the VAP setup in the linked thread.


Last edited by ho1Aetoo on Tue Jul 26, 2022 8:18; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

Posted: Tue Jul 26, 2022 7:02
Attached my personal notes how I set up a VAP :)

Tested and working on my R7800 running build 49544

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Tue Jul 26, 2022 7:11; edited 1 time in total
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Tue Jul 26, 2022 7:06
Yes I just see egc's guide is better.
"force DNS redirection / optional DNS target" must be disabled in the GUI

But up to that point the wiki is correct

and I just remembered I wanted to add the VAP configuration to the sticky
voltronic
DD-WRT Novice


Joined: 30 Sep 2020
Posts: 10

Posted: Tue Jul 26, 2022 12:14
ho1Aetoo wrote:
is all explained in the following links:

Only example 2 works with isolated VAP's,

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=331414

Edit: I have added screenshots of the VAP setup in the linked thread.


Wow, that's an extremely comprehensive guide to using pi-hole with DD-WRT. I have had my pi-hole with DD-WRT for quite a long time and never had issues with guest / VAP until recent builds though. I use unbound on my pi-hole as well, and my settings are already as your Example 2 is, as well as the VAP screenshots you added.

I'll keep at it. Thanks!
voltronic
DD-WRT Novice


Joined: 30 Sep 2020
Posts: 10

Posted: Tue Jul 26, 2022 12:26
egc wrote:
Attached my personal notes how I set up a VAP :)

Tested and working on my R7800 running build 49544


Much appreciated. Yours was one of the guides I had previously followed (and dare I say the clearest), though I just did it again. Still the same behavior on all clients.

I'll go through one more time just to be sure. Thanks again.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

Posted: Tue Jul 26, 2022 12:48
If it does not work post screenshots so that we can review
ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Tue Jul 26, 2022 12:49
This works 100% as described in the sticky.

Make sure that no additional options like "force DNS redirection" are selected in the GUI.

I have this running myself with example 2 + VAP's + force DNS redirection via firewall - this works fine.

Sometimes it is necessary to restart the router after ALL settings have been applied 1:1.
voltronic
DD-WRT Novice


Joined: 30 Sep 2020
Posts: 10

Posted: Tue Jul 26, 2022 14:58
ho1Aetoo wrote:
This works 100% as described in the sticky.

Make sure that no additional options like "force DNS redirection" are selected in the GUI.

I have this running myself with example 2 + VAP's + force DNS redirection via firewall - this works fine.

Sometimes it is necessary to restart the router after ALL settings have been applied 1:1.


AHA! It was the forced DNS redirect enabled on my VAP that was the culprit. I had missed that in the guides.

I will look into enabling DNS redirect via firewall rules as you have. I have a Nest thermostat that I'm pretty sure has hardcoded 8.8.8.8 which I'm trying to lock down.

Much appreciated!
voltronic
DD-WRT Novice


Joined: 30 Sep 2020
Posts: 10

Posted: Tue Jul 26, 2022 15:16
voltronic wrote:
ho1Aetoo wrote:
This works 100% as described in the sticky.

Make sure that no additional options like "force DNS redirection" are selected in the GUI.

I have this running myself with example 2 + VAP's + force DNS redirection via firewall - this works fine.

Sometimes it is necessary to restart the router after ALL settings have been applied 1:1.


AHA! It was the forced DNS redirect enabled on my VAP that was the culprit. I had missed that in the guides.

I will look into enabling DNS redirect via firewall rules as you have. I have a Nest thermostat that I'm pretty sure has hardcoded 8.8.8.8 which I'm trying to lock down.

Much appreciated!


Two questions regarding this:

1. In my Commands, I already have the following, but cannot recall if it was related to a past OpenVPN setup which I'm no longer using or a pi-hole related rule. Is this necessary?

Code:
iptables -t nat -I POSTROUTING -s 10.8.0.0/24 -o $(get_wanface) -j MASQUERADE


2. With the firewall rules you specify, is there a way to have forced DNS redirection ONLY for the VAP I'm using (wlan1.1) and not my main lan and wlan?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

Posted: Tue Jul 26, 2022 15:32
Regarding 1, that looks like a rule from an OpenVPN server setup (it is obsolete nowadays; you can set it via the OpenVPN GUI).

So I guess you can delete it.

Regarding 2, the answer is yes, but it depends on how you set up your DNS via Pi-Hole, so I leave that question for our expert @ho1Aetoo

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

Posted: Tue Jul 26, 2022 15:43
@voltronic

The rules in the sticky are structured

    Example 2

    ## filter on br0 (usually includes LAN and WLAN)
    iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 ! -d $(nvram get lan_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53
    iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 ! -d $(nvram get lan_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53

    192.168.1.110 = IP address of the Pi-Hole

    ## filter unbridged VAP wlan0.1
    iptables -t nat -I PREROUTING -i wlan0.1 ! -d $(nvram get wlan0.1_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get wlan0.1_ipaddr):53
    iptables -t nat -I PREROUTING -i wlan0.1 ! -d $(nvram get wlan0.1_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get wlan0.1_ipaddr):53

    ## filter unbridged VAP wlan1.1
    iptables -t nat -I PREROUTING -i wlan1.1 ! -d $(nvram get wlan1.1_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get wlan1.1_ipaddr):53
    iptables -t nat -I PREROUTING -i wlan1.1 ! -d $(nvram get wlan1.1_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get wlan1.1_ipaddr):53


If you only want to filter DNS requests on the interface wlan1.1 then you only take the last section.

You can test it by configuring a static DNS server in the network settings (e.g. 8.8.8.8) on a client connected to wlan1.1 and then starting a DNS leak test.

https://www.dnsleaktest.com

But the rules work.


Last edited by ho1Aetoo on Tue Jul 26, 2022 17:00; edited 3 times in total
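
Added example (not part of ho1Aetoo's post or the sticky): a check that each interface you intend to filter has port-53 DNAT rules for both TCP and UDP, run over the output of `iptables -t nat -S PREROUTING`. The function name, the sample rules and their addresses are constructed, and it assumes an iptables build that supports `-S`.

```shell
#!/bin/sh
# Added example: audit DNS-redirect coverage per interface.
# Input: output of `iptables -t nat -S PREROUTING` on stdin.
# Args:  interfaces that must have port-53 DNAT for BOTH tcp and udp.
# Exit status is non-zero if any listed interface lacks a rule.
audit_dns_redirect() {
    awk -v want="$*" '
    # Only DNAT rules appended to PREROUTING are of interest
    $1 == "-A" && $2 == "PREROUTING" && /-j DNAT/ {
        iface = ""; proto = ""; dport = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i")      iface = $(i + 1)
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        if (iface != "" && dport == "53") seen[iface, proto] = 1
    }
    END {
        n = split(want, ifs, " "); bad = 0
        for (k = 1; k <= n; k++) {
            miss = ""
            if (!((ifs[k], "tcp") in seen)) miss = miss " tcp"
            if (!((ifs[k], "udp") in seen)) miss = miss " udp"
            if (miss == "") print ifs[k] ": ok"
            else { print ifs[k] ": missing" miss; bad = 1 }
        }
        exit bad
    }'
}

# Constructed sample (addresses are placeholders, not taken from the thread):
# wlan1.1 has both rules, wlan0.1 has only the udp rule.
SAMPLE_RULES='-P PREROUTING ACCEPT
-A PREROUTING ! -d 192.168.3.1/32 -i wlan1.1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.3.1:53
-A PREROUTING ! -d 192.168.3.1/32 -i wlan1.1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.3.1:53
-A PREROUTING ! -d 192.168.2.1/32 -i wlan0.1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.2.1:53
-A PREROUTING -i br0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80'

# On the router: iptables -t nat -S PREROUTING | audit_dns_redirect wlan1.1
printf '%s\n' "$SAMPLE_RULES" | audit_dns_redirect wlan1.1 wlan0.1 || true
```

An interface reported as missing `tcp` still lets a client with a hardcoded resolver reach it over TCP port 53, so the check treats a single-protocol redirect as a failure.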
voltronic
DD-WRT Novice


Joined: 30 Sep 2020
Posts: 10

Posted: Tue Jul 26, 2022 15:51
egc wrote:
Regarding 1, that looks like a rule from an OpenVPN server setup (it is obsolete nowadays; you can set it via the OpenVPN GUI).

So I guess you can delete it.

Regarding 2, the answer is yes, but it depends on how you set up your DNS via Pi-Hole, so I leave that question for our expert @ho1Aetoo


Thanks; I deleted and can confirm it wasn't needed.
voltronic
DD-WRT Novice


Joined: 30 Sep 2020
Posts: 10

Posted: Tue Jul 26, 2022 15:52
ho1Aetoo wrote:
@voltronic

The rules in the sticky are structured

    Example 2

    ## filter on br0 (usually includes LAN and WLAN)
    iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 ! -d $(nvram get lan_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53
    iptables -t nat -I PREROUTING -i br0 ! -s 192.168.1.110 ! -d $(nvram get lan_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr):53

    192.168.1.110 = IP address of the Pi-Hole

    ## filter unbridged VAP wlan0.1
    iptables -t nat -I PREROUTING -i wlan0.1 ! -d $(nvram get wlan0.1_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get wlan0.1_ipaddr):53
    iptables -t nat -I PREROUTING -i wlan0.1 ! -d $(nvram get wlan0.1_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get wlan0.1_ipaddr):53

    ## filter unbridged VAP wlan1.1
    iptables -t nat -I PREROUTING -i wlan1.1 ! -d $(nvram get wlan1.1_ipaddr) -p tcp --dport 53 -j DNAT --to $(nvram get wlan1.1_ipaddr):53
    iptables -t nat -I PREROUTING -i wlan1.1 ! -d $(nvram get wlan1.1_ipaddr) -p udp --dport 53 -j DNAT --to $(nvram get wlan1.1_ipaddr):53


If you only want to filter DNS requests on the interface wlan1.1 then you only take the last section.


That's what I was hoping. Thanks once again.