Feature request - separate subnet for guest

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Feature request - separate subnet for guest

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Feature request - separate subnet for guest
Feature request - separate subnet for guest
2020-05-17 17:23:30
Model: Deco M5  
Hardware Version: V1
Firmware Version: 1.4.4 Build 20200221 Rel. 65392

I configure the DHCP lease settings to use a different primary DNS server to point my clients to an AdGuard Home server (similar to PiHole) so I can block ads and cache requests.  I also use this setup to do conditional forwarding to a Lancache server to download and cache games my kids download from Epic/Steam/Xbox, etc.  This setup works great on the main network but causes issues for clients on the guest vlan since they can't reach the DNS server.  Most devices timeout trying to reach the primary DNS server but fall back to the secondary (which is the main Deco).  However, some devices either have extremly long timeouts or refuse to work at all.  This is especially a problem with the Xbox One since it will complain there is no inernet when it can't resolve names using the primary DNS server.  As a result I have to manually enter the gateway address as the primary resolver in the Xbox network config.

 

I've tried putting a Raspberry Pi on the guest network vlan and giving it the same IP as my AdGuard server, but as soon as it talks on the guest vlan I can no longer talk to the AdGuard server on the main network.  I don't think it's an ARP issue since the devices have unique MAC addresses, but I think it messes with the routing table since the default route is the same for both networks.

 

Would it be possible to have a future firmware release configure the guest network to be on a different subnet so they don't overlap?  Or, maybe (not sure how this would be possible) have the option to provide different DHCP lease options for the guest network.

 

My local subnet is 192.168.0.0/24, the main Deco is 192.168.0.1 and my AdGuard server is 192.168.0.2  My lease settings are setup so I only specify the primary DNS server as 192.168.0.2 and I leave the secondary field empty.  Wit this setup, clients are assigned 192.168.0.2 as the primary resolver and 192.168.0.1 as the secondary.

 

 

  0      
  0      
#1
Options
7 Reply
Re:Feature request - separate subnet for guest
2020-05-19 16:08:38

@mniswonger 

 

Thank you for the detailed suggestion.

 

I know that our devs are always open to features and suggestions so I will make sure to forward this thread.

 

 

  0  
  0  
#2
Options
Re:Feature request - separate subnet for guest
2020-05-26 16:27:59

@Tony 

 

I spent more time looking at this over the weekend and after doing some Wireshark captures it looks like it is an ARP problem.  I'm assuming on the main Deco there is just a L3 switch separating the networks, which makes sense given they share the same subnet and DHCP lease settings.  I'm not sure what complications this would present to the dev team for providing a way to have a separate subnet for guest.  Do you get feedback from the dev team at all to know if they'll even consider this?  I'm curious since I need to explore other options if it isn't going to happen.  Perhaps instead of a separate subnet they can just have 2 DHCP daemons running, each bound to their own network rather than 1 bound to both.

 

Thanks.

  0  
  0  
#3
Options
Re:Feature request - separate subnet for guest
2020-05-26 22:55:45

@mniswonger 

 

There is no immediate feedback.

 

If I was looking for a solution now I would probably go for the alternative.

  0  
  0  
#4
Options
Re:Feature request - separate subnet for guest
2020-06-02 14:36:20

I found somewhat of a workaround I wanted to mention in case anyone else was wanting to use Pi-Hole or AdGuard Home.  Rather than modify the DHCP lease settings to specify DNS servers, leave them blank and instead go to More - Advanced - IPv4 and there specify your internal IP of your Pi-Hole server for the primary DNS server.  The steps to do this will vary depending on whether you have a static/dynamic IP, use PPPoE, etc., and I have not tested it with IPv6.  This seems to work except that for me, my Lancache server can't be reached by devices on the guest vlan, so if they try to download any games from Steam, etc., it fails b/c my DNS server resolves the domains to an internal IP.

  1  
  1  
#5
Options
Re:Feature request - separate subnet for guest
2020-06-05 15:43:05

Do not make the change I previously mentioned.  It will cause the main Deco to completely change the subnet (it's LAN IP) on reboot.  When I had made the change I could see in the Deco logs that an iptables rule was created and I could then see requests coming from my WAN IP to the Adguard server, which is odd, but I guess that was based on the iptables rule and how the traffic had to route.  I confirmed that port 53 was not open from outside.  This was all working great until I rebooted, and boom, the Deco decided to change it's IP to 172.16.0.1, and the only way I was able to get the app to allow me to change it back was to remove the DHCP server settings for the WAN.  I was able to reproduce this scenario 3 times to be sure this was in fact the cause and it wasn't something else going on (I had seen the Deco change it's IP before because of a bad network device poisoning the ARP table).

 

Also worth noting, if you don't specify a secondary DNS server for the WAN that resolves to a public DNS server, and you run into this scenario, the Deco will connect to the internet but it won't be able to resolve names, so the "cloud" app won't connect.  You'll basically be forced to do a factory reset.

 

 

  1  
  1  
#6
Options
Re:Feature request - separate subnet for guest
2021-08-19 15:39:28

@mniswonger 

Any updates on this?

  0  
  0  
#7
Options
Re:Feature request - separate subnet for guest
2021-08-19 15:45:02

@jacazzopardi 

 

No.  I ended up selling my Decos and getting some Omada access points and a controller.

  0  
  0  
#8
Options