Deco M5 Guest Network Isolation issue

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2021-04-26 10:44:57 - last edited 2021-04-26 15:14:21
Model: Deco M5  
Hardware Version: V1
Firmware Version: 1.53

Hello everyone,

 

I have an interesting problem I'm trying to solve.

 

I have a deco m5 system running in AP mode (router mode doesn't offer the functionality I need). It works well, reasonably good handover, and coverage of my home.

 

However one thing that isn't working is the guest network isolation.

 

If I turn on network isolation there's no internet access; if I turn off isolation, the guest network has internet access. Now I do want to have the guest network isolated, so I must try and fix this.

 

I know why it isn't working, but I can't work out how to solve it at the moment. I need some external brain power.

 

The issue is I use pihole to manage my DNS and avoid ads and tracking etc... It's brilliant.

 

If I turn on network isolation on the guest network it can no longer access the DNS server. I can ping external addresses but it cannot resolve them. So somehow I need to bring the pihole into the "guest" network but I can't work out how to do it on the deco.

 

If I turn off pihole and just use my router as the dns server there's no issues at all, but it's one of these things I'd like to solve if possible! 

 

Here's a copy of my network if that's of any use (it's simplified, the full network map has too much personal detail in it!).

 

So my question, can the deco be accessed to add some routing to it?

 

1 Accepted Solution
Re:Deco M5 Guest Network Isolation issue-Solution
2021-04-26 13:59:33 - last edited 2021-04-26 15:14:21

@will_r 

 

>So somehow I need to bring the pihole into the "guest" network but I can't work out how to do it on the deco.

 

You can't add routing in a Deco that runs in Access Point mode, but there is a different solution.

 

What you have when network isolation is enabled is two separate networks:

 

1) Network A (wired devices and wireless devices on "main") with its own wired DNS server (a.k.a. pihole);

2) Network B (wireless devices on "guest") without DNS server. 

 

Devices on Network A can resolve host names. Devices on Network B can't resolve host names. 

 

If you look at it this way, the solution presents itself: you need another DNS server, and you need it on Network B. It could be a carbon copy of the DNS server on Network A, but it must belong to Network B.

 

Which means you'll need to also connect the pihole wirelessly to the Deco mesh and point wirelessly connected devices to that pihole as their DNS server.

 

That could require a separate piece of hardware to run a second pihole, but perhaps the (Linux?) box you run pihole on has a WiFi interface. If yes, you'll need to research how to have your specific flavour of Linux connected to the network on both interfaces (WiFi, Ethernet) simultaneously, and how to make the DNS service running on it respond to DNS queries coming from both interfaces.

When configured properly, you may be able to utilize a single Linux box to service DNS queries from wired devices, "guest" and "main" Deco WiFi networks.

 

You will need to configure your home network DHCP server (on the ISP router?) to return two IP addresses for DNS servers: one from the wired connection and one from the wireless connection of the pihole server(s). Each device on your network will be able to access one of these two IP addresses, thus getting DNS queries resolved successfully.

You should make these two IP addresses static, of course; it can be done on the ISP router.

 

Done.

Recommended Solution
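
A way to verify the two-address setup described in the accepted answer, as an added example that is not part of the original thread: run it once from a client on "main" and once from a client on "guest" to see which Pi-hole address answers DNS on each side of the isolation boundary. The two IP addresses are placeholders from the documentation range, and the names `RESOLVERS`, `build_query`, `parse_response` and `probe` are assumptions of this example.

```python
import socket
import struct

# Assumed placeholder addresses (RFC 5737 documentation range), not from the
# thread: the Pi-hole's static IPs on its Ethernet and Wi-Fi interfaces.
RESOLVERS = {"pihole-wired": "192.0.2.10", "pihole-wifi": "192.0.2.11"}


def build_query(name, txid=0x1234):
    """Encode a DNS query for the A record of `name` (recursion desired)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data, txid=0x1234):
    """Return (rcode, answer_count); raise ValueError if not a matching reply."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set in a response
        raise ValueError("not a response to our query")
    return flags & 0x000F, ancount


def probe(server, name="example.com", timeout=2.0):
    """Query one resolver over UDP; return 'ok', 'rcode=N' or 'unreachable'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name), (server, 53))
            rcode, answers = parse_response(sock.recv(512))
        except (OSError, ValueError):  # timeout, no route, or a bogus reply
            return "unreachable"
    return "ok" if rcode == 0 and answers > 0 else f"rcode={rcode}"


if __name__ == "__main__":
    # Each client should get 'ok' from at least one of the two addresses.
    for label, ip in RESOLVERS.items():
        print(f"{label:13} {ip:15} {probe(ip)}")
```

A client that reports `unreachable` for both addresses has no usable resolver on its side of the isolation boundary, which is the symptom described in the first post.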
Re:Deco M5 Guest Network Isolation issue
2021-04-26 14:51:15
Fabulous! I spent hours scratching my head, and your solution is perfect, and I know exactly how to do it (and I do have a second NIC for it) thanks to your help. I knew posting here was going to be a great idea. A problem shared and all that! Thank you!
Re:Deco M5 Guest Network Isolation issue
2021-12-23 20:26:21

@will_r 

 

Do you have some detail of how exactly you implemented the solution? I have exactly the same need, but I am struggling to work out how to make a start. For info, I have 3 Deco P7 in AP mode and cannot get users in the guest network to route to my single pihole.

 

Thanks

will_r wrote

Fabulous! I spent hours scratching my head, and your solution is perfect, and I know exactly how to do it (and I do have a second NIC for it) thanks to your help. I knew posting here was going to be a great idea. A problem shared and all that! Thank you!

 
