[GigaGuy]

Been trying to get this to work for a couple days now. I must be missing something. I have DDWRT (kong asus r7000) on my router, wifi disabled. My wifi is all via 2 UniFi AP's. I currently have a kids/guest ssid and adult ssid. I want to have the kids/guest ssid go through opendns to restrict their content. No restriction on the adult ssid. I see how this can be done with dnsmasq options either vlan or different ip range.

1. Have one unifi ssid deliver dhcp to only that ssid (kids) - cant get unifi to only pull from that pool
2. Use vlan tagging, since this is available in both products, but ddwrt is cooperating here either.

How do I create a "virtual" vlan in ddwrt? In unifi, vlan tagging is just a drop-down option. So it would be vlan 3 for kids ssid.

dnsmasq config would be something like this. How to I bridge vlan3 to br1?

[mac913]

Set one of the lan ports to vlan3 by going to GUI VLANs page under Setup Tab. Say you want port 4 as vlan3, unselect vlan1 on port 4 and select vlan3 and apply settings. If you want to tag vlan3 with vlan1 just leave vlan1 checked and select Tagging and add vlan3 to it and apply settings.

Now go to the GUI Networking page (right by the VLANs page). On the Create Bridge press "Add" and enter "br1" (without quotes) in the empty name box and apply settings. Now go to the VLANs page a make sure port 4 is vlan3 and go back to the Networking page this will refresh the page so at the bottom you will see "Network Configuration br1". Enter IP Address 192.168.2.1 and in the Subnet Mask enter 255.255.255.0 and apply settings.

To refresh your Networking GUI screen goto VLANs page and back to the Networking Page. Now under "Assign to Bridge" select Add and under Assignment 0 select br1 and Interface select vlan3 and apply settings.

In the Networking Page under "Current Bridging Tables" you should see your br1 assigned to vlan3.

Your dnsmasq looks fine.

[GigaGuy]

Just to make sure. This doesn't mean the unifi app's will have to be plugged in to port 4?

[GigaGuy]

Just wanted to reply and say thanks! This worked. On the Vlan tab, I had to assign to all ports so the AP's would pick it up.

[GigaGuy]

ok, maybe not, its wierd. Sometimes dhcp wont work.

[mac913]

Do you have dhcp enabled on your APs? Conflict, don't know.

[GigaGuy]

Here is where I am.

Setup>VLAN
Checked Port 1 for VLAN 5

Setup>Networking
under "create bridge" > br5
under "assg to bridge" > "br5-vlan5" to interface "vlan5"

[mac913]

After the Bridge is setup, I only use DNSMasq for seting up the network. I would clear out the Multiple DHCP Server Settings and ONLY use these setting in the DNSMasq Options...

interface=br5
# Set the DHCP range .100 to .200 and default lease time of 24 hours
dhcp-range=br5,191.168.5.100,192.168.5.200,255.255.255.0,24h
# Set the gateway
dhcp-option=br5,3,192.168.5.1
# Set DNS servers
dhcp-option=br5,6,208.67.222.222,208.67.220.220

In your Firewall...

# Force Network to OpenDNS
iptables -t nat -A PREROUTING -p udp -s 192.168.5.0/24 --dport 53 -j DNAT --to 208.67.222.222
iptables -t nat -A PREROUTING -p tcp -s 192.168.5.0/24 --dport 53 -j DNAT --to 208.67.222.222

This code is not needed....
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -t nat -I POSTROUTING -o 'get_wanface' -j SNAT --to 'nvram get wan_ipaddr'

[GigaGuy]

thanks, but no luck. Restored a backup (from before any vlan stuff), rebooted, still cant successfully get an ip, and testing static, such as 192.168.5.100 dont have internet.

This is all from the same mac address

[mac913]

Ooooops, I had a typo in the above code, 191 should be 192 this will cause DHCP to not work on br5.

Correction...
# Set the DHCP range .100 to .200 and default lease time of 24 hours
dhcp-range=br5,192.168.5.100,192.168.5.200,255.255.255.0,24h

[GigaGuy]

I did catch that typo.
Here is my dnsmasq

[mac913]

For the DNSMasq Settings try these settings to test out...

Encrypt DNS > Disabled
Cache DNSSEC data > Disable
Validate DNS Replies (DNSSEC) > Disable
Check unsigned DNS replies > Disable
Local DNS > Disable
No DNS Rebind > Disable
Query DNS in Strict Order > Disable
Add Requestor MAC to DNS Query > Disable

[GigaGuy]

no luck with those changes

[mac913]

Can you test an ethernet device on the R7000 that has port setup as untagged vlan5 only? Make sure your ethernet device is setup for DHCP too.

[GigaGuy]

Here is my VLAN page.


If I understood what you asked. I plugged laptop (DHCP) into Port 1 (which turned green when I did it). It pulled a 192.168.0.x ip

Seems it should pulled a 192.168.5.x