GuestSubnet v1.0X

1. #!/bin/sh
2. VER="v1.02"
3. #======================================================================================================= © 2016-2018 Martineau, v1.02
4. #
5. # Configure Guest WiFi with new DHCP subnet and DNS using '/etc/dnsmasq.conf' and optionally allow LAN access to specified IPs
6. #
7. # Usage:    GuestSubnet  ['help' | '-h']
8. #                        {wifi_interface | ssid } | ['del[subnet]'] ['autodnsmasq'] [ 'ssid='name] ['ip='ipaddress[,ipaddress]]
9. #
10. #           GuestSubnet  wl0.1
11. #                        Guest WiFI 2.4GHz interface wl0.1 will have the new DHCP subnet and DNS applied (default)
12. #           GuestSubnet  wl0.1 del
13. #                        Guest WiFI 2.4GHz interface wl0.1 firewall rules will be removed but subnet remains.
14. #           GuestSubnet  wl0.1 delsubnet
15. #                        Guest WiFI 2.4GHz interface wl0.1 firewall rules will be removed and subnet will be reset to Asus default.
16. #           GuestSubnet  wl0.2 autodnsmasq
17. #                        Guest WiFi 2.4GHz interface wl0.2 will have new DHCP and DNS directives inserted into /jffs/configs/dnsmasq.conf.add
18. #                        if they don't already exist.
19. #                        NOTE: dnsmasq will be bounced.
20. #           GuestSubnet  wl1.2 ip=192.168.1.99,192.168.1.100
21. #                        Guest WiFi 5GHz interface wl1.2 will allow access to LAN devices 192.168.1.99,192.168.1.100  
22. #           GuestSubnet  Guest242
23. #                        Guest WiFI SSID 'Guest242' (possibly wl0.2?) will have the new DHCP subnet and DNS applied
24. #
25. # /jffs/configs/dnsmasq.conf.add:
26. #
27. # e.g.
28. #
29. # 2.4GHz Guest #1 uses DHCP pool 10.88.241.2 - 10.88.241.20 and OpenDNS/Google DNS
30. #        interface=wl0.1
31. #        dhcp-range=wl0.1,10.88.241.2,10.88.241.20,255.255.255.0,21600s
32. #        dhcp-option=wl0.1,3,10.88.241.1
33. #        dhcp-option=wl0.1,6,208.67.220.220,8.8.8.8
34. #
35. # and will be included in /'etc/dnsmasq.conf' by command 'service restart_dnsmasq' and @boot time etc.
36.  
37. # Print between line beginning with'#==' to first blank line inclusive
38. ShowHelp() {
39.     /usr/bin/awk '/^#==/{f=1} f{print; if (!NF) exit}' $0
40. }
41. Say(){
42.    echo -e $$ $@ | logger -st "($(basename $0))"
43. }
44. SayT(){
45.    echo -e $$ $@ | logger -t "($(basename $0))"
46. }
47. # Function Parse(String delimiter(s) variable_names)
48. Parse() {
49.     #
50.     #   Parse       "Word1,Word2|Word3" ",|" VAR1 VAR2 REST
51.     #               (Effectivley executes VAR1="Word1";VAR2="Word2";REST="Word3")
52.  
53.     local string IFS
54.  
55.     TEXT="$1"
56.     IFS="$2"
57.     shift 2
58.     read -r -- "$@" <<EOF
59. $TEXT
60. EOF
61. }
62. ANSIColours () {
63.  
64.     cRESET="\e[0m";cBLA="\e[30m";cRED="\e[31m";cGRE="\e[32m";cYEL="\e[33m";cBLU="\e[34m";cMAG="\e[35m";cCYA="\e[36m";cGRA="\e[37m"
65.     cBGRA="\e[90m";cBRED="\e[91m";cBGRE="\e[92m";cBYEL="\e[93m";cBBLU="\e[94m";cBMAG="\e[95m";cBCYA="\e[96m";cBWHT="\e[97m"
66.     aBOLD="\e[1m";aDIM="\e[2m";aUNDER="\e[4m";aBLINK="\e[5m";aREVERSE="\e[7m"
67.     cRED_="\e[41m";cGRE_="\e[42m"
68.  
69. }
70. Check_Router_Mode() {
71.     local OK=1                              # Assume not Router mode
72.     case "$(nvram get sw_mode)" in
73.         0) SW_MODE="Unconfigured";;
74.         1) SW_MODE="Router";OK=0;;
75.         2) SW_MODE="Repeater";;
76.         3) SW_MODE="AP";;
77.         4) SW_MODE="Hotspot";;
78.         *) SW_MODE="Unknown nvram sw_mode value="$(nvram get sw_mode);;
79.     esac
80.     echo $SW_MODE
81.     return $OK
82. }
83. Get_WAN_IF_Name () {
84.  
85.     local IF_NAME=$(nvram get wan0_ifname)              # DHCP/Static ?
86.  
87.     # Usually this is probably valid for both eth0/ppp0e ?
88.     if [ "$(nvram get wan0_gw_ifname)" != "$IF_NAME" ];then
89.         local IF_NAME=$(nvram get wan0_gw_ifname)
90.     fi
91.  
92.     if [ ! -z "$(nvram get wan0_pppoe_ifname)" ];then
93.         local IF_NAME="$(nvram get wan0_pppoe_ifname)"      # PPPoE
94.     fi
95.  
96.     echo $IF_NAME
97.  
98. }
99. Firewall(){
100.  
101.     local FW=$1                 # 'iptables' or 'ebtables' command
102.     shift
103.  
104.     echo -en $cBRED >&2
105.     $FW "$@" 2>/dev/null                                                        # Suppress error messages
106.     local RC=$?
107.     if [ "$RC" -gt 0 ] && [ ! -z "$(echo "$@" | grep -o "\-I|\-A")" ];then  # Report errors for "-I" or "-A" actions i.e. ignore delete failures!
108.         echo -e "\a"$FW $@
109.         $FW "$@"                    # Hopefully re-running the bad command for the second time reports the original error!
110.     fi
111.    
112.     echo -en $cRESET >&2
113.  
114. }
115. Config_dnsmasqWIFI() {
116.  
117.     if [ -z $2 ];then
118.         local FN="/jffs/configs/dnsmasq.conf.add"
119.     else
120.         local FN="$2"
121.     fi
122.  
123.     local WIFI="$1"
124.  
125.     if [ -f "$FN" ];then
126.         local NOW=$(date +"%Y%m%d-%H%M%S")      # current date and time
127.         cp $FN ${FN}-$NOW                           # Create 'dnsmasq.conf.add' backup
128.         sed -i "/$WIFI/d" $FN 2> /dev/null          # Remove existing WIFI definition if it exists
129.     fi
130.  
131.     local DNS_LIST=$DNS_TO_USE
132.     if [ -z "$DNS_LIST" ];then
133.         DNS_LIST=$LAN_SUBNET".1"
134.     fi
135.  
136. cat >> $FN << EOF
137. # Guest WiFi=$WIFI uses DHCP pool ${LAN_SUBNET_PREFIX}.2 - ${LAN_SUBNET_PREFIX}.20 DNS=$DNS_TO_USE
138. interface=$WIFI
139. dhcp-range=$WIFI,${LAN_SUBNET_PREFIX}.2,${LAN_SUBNET_PREFIX}.20,255.255.255.0,14400s
140. dhcp-option=$WIFI,3,${LAN_SUBNET_PREFIX}.1
141. dhcp-option=$WIFI,6,$DNS_LIST
142. EOF
143.     service restart_dnsmasq 2>&1 >/dev/null
144.     #cat /etc/dnsmasq.conf
145.     return 0
146. }
147. WIFI_FW() {
148.  
149.     local INTERFACE=$WIFI_IF
150.  
151.     # Delete Firewall rules and reinsert if required
152.     for ACTION in $ACTIONS
153.         do
154.  
155.             # Allow use of IPTABLES.....
156.             Firewall $EBT -t broute $ACTION BROUTING -p ipv6 -i $INTERFACE -j DROP
157.             Firewall $EBT -t broute $ACTION BROUTING -p ipv4 -i $INTERFACE -j DROP
158.             Firewall $EBT -t broute $ACTION BROUTING -p arp  -i $INTERFACE -j DROP
159.            
160.            
161.             # Ebtables logging
162.             if [ "$ACTION" == "-D" ] || [ "$EBT_LOGGING" -eq 1 ];then
163.                 Firewall $EBT -t filter $ACTION INPUT    -p IPv4 -j CONTINUE --log-prefix "EBT filter INPUT"
164.                 Firewall $EBT -t filter $ACTION FORWARD  -p IPv4 -j CONTINUE --log-prefix "EBT filter FORWARD"
165.                 Firewall $EBT -t filter $ACTION OUTPUT   -p IPv4 -j CONTINUE --log-prefix "EBT filter OUTPUT"
166.                 Firewall $EBT -t broute $ACTION BROUTING -p IPv4 -j CONTINUE --log-prefix "EBT broute BROUTING"
167.                
168.                 #Firewall $EBT -t filter $ACTION INPUT -p IPv4 --ip-src $LAN_RESOURCE -j CONTINUE --log-prefix '"EBT filter INPUT"'
169.             fi
170.  
171.             # Router access
172.             Firewall $IPT $ACTION INPUT -i $INTERFACE -m state --state NEW -j $LOGDROP                  # Protect Router Block EVERYTHING!
173.             Firewall $IPT $ACTION INPUT -i $INTERFACE -p tcp --dport 53 -j ACCEPT                       # Allow VLAN to access DNSSEC?
174.             Firewall $IPT $ACTION INPUT -i $INTERFACE -p udp -m multiport --dport 53,67 -j ACCEPT       # Allow VLAN to access DNS,DHCP
175.             #Firewall $IPT $ACTION INPUT -i $INTERFACE -s $VLAN_SUBNET_PREFIX.0/24 -p tcp -m multiport --dport 22,23,80,443,51893 -j DROP   # Paranoid!
176.  
177.             Firewall $IPT $ACTION FORWARD -i $INTERFACE -o $(Get_WAN_IF_Name) -j ACCEPT             # Access T'interWeb! - here be monsters! ;-)
178.  
179.             # Applications / local LAN
180.             if [ ! -z "$LAN_RESOURCES" ];then               # My local LAN?
181.                 for LAN_RESOURCE in $LAN_RESOURCES
182.                     do
183.                         #Firewall $ACTION FORWARD -s $WIFI_SUBNET_PREFIX.0/24 -d 239.255.255.250 -j ACCEPT # Chromecast Port 1900 specific?
184.                         Firewall $IPT $ACTION FORWARD -s $WIFI_SUBNET_PREFIX.0/24 -d $LAN_RESOURCE -j ACCEPT
185.                         Firewall $IPT $ACTION FORWARD -d $WIFI_SUBNET_PREFIX.0/24 -s $LAN_RESOURCE -j ACCEPT
186.                        
187.                         # These only work if the Guest Wifi and LAN subnets are the same?
188.                         #Firewall $EBT -t filter $ACTION FORWARD -p ARP --arp-opcode 2 --arp-ip-src $LAN_RESOURCE
189.                         #Firewall $EBT -t filter $ACTION FORWARD -p ARP --arp-opcode 1 --arp-ip-dst $LAN_RESOURCE
190.                     done
191.             fi
192.            
193.  
194.             # If we need to access a Guest WiFi device (say an IoT IP CAM) from the LAN then these two ARP rules should suffice if subnet is the same?
195.             #       ff:ff:ff:ff:ff:ff is used for broadcasting to all devices on an interface
196.             local ADMIN_DEVICE="10.88.8.114"        # HP-Envy14
197.             local IOT_MAC="xx:xx:xx:xx:xx:xx"
198.             # Allow ARP broadcast from a specific IP address on the 2.4GHz Primary Wi-Fi interface to all devices on the 2.4GHz Guest Wi-Fi interface
199.             # and ARP reply from a specific MAC address on the 2.4GHz Guest Wi-Fi interface to a specific IP address on the 2.4GHz Primary Wi-Fi interface
200.             #Firewall $EBT -t filter $ACTION FORWARD -i eth1 -o $INTERFACE -p ARP --arp-ip-src $ADMIN_DEVICE -d ff:ff:ff:ff:ff:ff -j ACCEPT
201.             #Firewall $EBT -t filter $ACTION FORWARD -i $INTERFACE -o eth1 -p ARP -s $IOT_MAC --arp-ip-dst $ADMIN_DEVICE-j ACCEPT
202.            
203.             #      or from a specific IP address on the 5GHz Primary Wi-Fi interface
204.             #Firewall $EBT -t filter $ACTION FORWARD -i eth2 -o $INTERFACE -p ARP --arp-ip-src $ADMIN_DEVICE -d ff:ff:ff:ff:ff:ff -j ACCEPT
205.             #Firewall $EBT -t filter $ACTION FORWARD -i $INTERFACE -o eth2 -p ARP -s $IOT_MAC --arp-ip-dst $ADMIN_DEVICE-j ACCEPT
206.     done
207. }
208. Show_Status() {
209.  
210.     local WIFI_IF_DESC=$WIFI_IF
211.  
212.     if [ -z "$WIFI_IF" ];then
213.         local WIFI_IF_DESC="All"
214.         WIFI_IF="wl"
215.         LAN_SUBNET_PREFIX="10.88.5"     # Hack assumes my numbering scheme is implemented!
216.     fi
217.    
218.     local BASE=${#WIFI_IF}
219.     if [ "$WIFI_IF_DESC" == "All" ];then
220.         BASE=$((BASE+1))
221.     else
222.         BASE=$((BASE+${#SSID}+1))
223.     fi
224.     local LENGTH=$((18+$BASE))
225.    
226.     local EQUALS="$(printf %${LENGTH}s |tr " " "=")"
227.     echo -e "\n\n\t\tGuest WiFi" $SSID $WIFI_IF_DESC "Status";echo -e "\t\t"$EQUALS
228.     if [ "$WIFI_IF" != "wl" ];then
229.         ifconfig $WIFI_IF 2>/dev/null
230.     else
231.         for INDEX in 0.1 0.2 0.3 1.1 1.2 1.3                #Dump any configured wl0.x/wl1.x interface
232.             do
233.                 ifconfig $WIFI_IF""$INDEX 2>/dev/null
234.             done
235.     fi
236.        
237.     local LENGTH=$((22+$BASE))
238.     local EQUALS="$(printf %${LENGTH}s |tr " " "=")"
239.     echo -e "\n\tGuest WiFi" $SSID $WIFI_IF_DESC "Statistics";echo -e "\t"$EQUALS
240.     ip -s link | grep -i $WIFI_IF -A 5
241.  
242.     local LENGTH=$((33+$BASE))
243.     local EQUALS="$(printf %${LENGTH}s |tr " " "=")"
244.     echo -e "\n\tGuest WiFi" $SSID $WIFI_IF_DESC "-t filter INPUT rules";echo -e "\t"$EQUALS
245.     iptables -nvL INPUT | grep -iE "$WIFI_IF|$LAN_SUBNET_PREFIX"
246.  
247.     local LENGTH=$((35+$BASE))
248.     local EQUALS="$(printf %${LENGTH}s |tr " " "=")"
249.     echo -e "\n\tGuest WiFi" $SSID $WIFI_IF_DESC "-t filter FORWARD rules";echo -e "\t"$EQUALS
250.     iptables -nvL FORWARD | grep -iE "$WIFI_IF|$LAN_SUBNET_PREFIX"
251.  
252.        
253.     if [ "$1" = "verbose" ];then
254.         echo -e "\n"
255.         ebtables -t broute -L --Lmac2 --Lc --Ln
256.         echo -e "\n"
257.         ebtables           -L --Lmac2 --Lc --Ln
258.     else
259.         local LENGTH=$((30+$BASE))
260.         local EQUALS="$(printf %${LENGTH}s |tr " " "=")"
261.         echo -e "\n\tGuest WiFi" $SSID $WIFI_IF "ebtables -t broute";echo -e "\t"$EQUALS
262.         ebtables -t broute -L --Lmac2 --Lc --Ln | grep -i $WIFI_IF
263.  
264.         local LENGTH=$((38+$BASE))
265.         local EQUALS="$(printf %${LENGTH}s |tr " " "=")"
266.         echo -e "\n\tGuest WiFi" $SSID $WIFI_IF "ebtables -t filter FORWARD";echo -e "\t"$EQUALS
267.         ebtables           -L --Lmac2 --Lc --Ln | grep -i $WIFI_IF
268.     fi
269.  
270.     echo -e
271. }
272. Get_Subnet_Prefix (){
273.  
274.     local WIFI=$1
275.  
276.     local LANIPADDR=$(nvram get lan_ipaddr)
277.     local LAN_SUBNET=${LANIPADDR%.*}
278.     local LAN_TWO_OCTETS=$(echo "$LAN_SUBNET" | awk 'BEGIN { FS = "." } {print $1"."$2}')
279.    
280.     # My numbering scheme for third OCTET:
281.     #
282.     #       10.88.8x.0      LAN
283.     #       10.88.10x.0     Bridge          i.e. 101,102,103,104 and 105
284.     #       10.88.24x.0     Wifi 2.4GHz     i.e. 241,242 and 243
285.     #       10.88.5x.0      Wifi 5GHz       i.e. 51,52 and 53
286.     #       10.88.x0.0      VLAN keep 'x' as multiple of 10 e.g. 50 won't clash with 51 aka Guest 5GHz #1
287.     #                       but skip 60 as it is reserved by ASUS?
288.    
289.     # Since we use the 3rd octet as the subnet....
290.     case "${WIFI:0:3}" in
291.         wl0)
292.             local DIGITS="24"${WIFI:4:1}        # 2.4GHz 241-243
293.             ;;
294.         wl1)
295.             local DIGITS="5"${WIFI:4:1}         # 5Ghz 51-53
296.             ;;
297.     esac
298.    
299.     local LAN_SUBNET_PREFIX=$LAN_TWO_OCTETS".$DIGITS"       # Globally exposed variable
300.    
301.     echo $LAN_SUBNET_PREFIX $LAN_SUBNET
302. }
303. #=====================================Main===========================================================
304. Main() {}
305.  
306. ANSIColours
307.  
308. # Can only run in Router Mode;
309. if [ "$(Check_Router_Mode)" != "Router" ];then 
310.     echo -e "\e[41m\a\n\n\n\n\t\t\t\t** "$(Check_Router_Mode)" mode is not supported **\t\t\t\t\t\n\n\n\e[0m"
311.     exit 999
312. fi
313.  
314. IPT="/usr/sbin/iptables"
315. EBT="/usr/sbin/ebtables"
316.  
317.  
318. USE_DNSMASQ="Y"                                         # Require dnsmasq.conf directives for WIFI
319. AUTODNSMASQ="N"                                         # Auto create dnsmasq.conf directives for WIFI
320. #WIFI_IF="wl0.1"                                        # Guest WiFi interface (default)
321. WIFI_IF=
322. DNS_TO_USE="208.67.220.220,8.8.8.8"                     # OpenDNS/Google (default)
323. #DNS_TO_USE=
324. SSID_ID=                                                # If SSID=xxxxxx specified then it will be set
325. #LAN_RESOURCES="10.88.8.90 10.88.8.91"                  # LAN resources e.g. Roku,Chromecast-Bed1
326. #LAN_RESOURCES="10.88.8.90"                             # LAN resources e.g. Roku
327. LAN_RESOURCES=                                          # Can be overridden by cmd arg
328. DELMODE=0                                               # Delete mode? 1-Firewall rules;2-DNSMASQ subnet
329. LOGDROP="logdrop"                                       # Normally 'DROP'
330. EBT_LOGGING=0                                           # Write EBT trace logging messages to Syslog
331.  
332. if [ "$1" == "-h" ] || [ "$1" == "help" ];then
333.     echo -e $cBWHT
334.     ShowHelp
335.     echo -e $cRESET
336.     exit 0
337. fi
338.  
339. # Validate args if supplied
340. if [ ! -z $1 ];then
341.  
342.     if [ "$1" == "status" ];then
343.         # Show the details of the ALL rules rather than the details for a specific WiFi Guest interface
344.         OPT="verbose"
345.         Show_Status "$OPT"
346.         echo -e $cRESET
347.         exit 0
348.     fi
349.  
350.     if [ "$(echo $@ | grep -cw 'autodnsmasq')" -gt 0 ];then
351.         AUTODNSMASQ="Y"                                     # Insert VLAN config into dnsmasq.conf if it doesn't exist
352.     fi
353.  
354.     if [ "$(echo $@ | grep -cw 'del')" -gt 0 ];then
355.         DELMODE=1
356.     fi
357.     if [ "$(echo $@ | grep -cw 'delsubnet')" -gt 0 ];then
358.         DELMODE=2
359.     fi
360.    
361.     if [ "$(echo $@ | grep -cw 'ebtlog')" -gt 0 ];then
362.         EBT_LOGGING=1
363.     fi
364.  
365.     if [ "$(echo $@ | grep -ic 'ssid=')" -gt 0 ];then
366.         SSID_NAME=$(echo "$@" | sed -n "s/^.*ssid=//p" | awk '{print $1}')  # Apply new SSID
367.     fi
368.    
369.     if [ "$(echo $@ | grep -ic 'ip=')" -gt 0 ];then
370.         LAN_RESOURCES=$(echo "$@" | sed -n "s/^.*ip=//p" | awk '{print $1}' )   # LAN resources to allow Guest WiFi access to
371.         LAN_RESOURCES=$(echo "$LAN_RESOURCES" | cut -d" " -f1 | tr "," " ")
372.     fi
373.  
374.     # Valid WiFi interface?
375.     if [ $DELMODE -eq 0 ];then
376.         if [ ! -z $( echo $1 | grep -E "^eth[1|2]|wl[0|1]\.[1-3]$") ];then
377.             SSID=$(nvram get $1"_ssid")
378.             WIFI_DEFINED=`ifconfig | grep $1`
379.             if [ -z $SSID ]; then
380.                 echo -e "\a"$cBRED
381.                 Say "**ERROR** Guest WiFi" $1 "NOT enabled - interface doesn't have a SSID?" $SSID
382.                 echo -e $cRESET
383.                 exit 99
384.             else
385.                 WIFI_IF=$1
386.                 WIFI_PREFIX=${WIFI_IF:0:4}
387.                 WIFI_DEFINED=`ifconfig | grep $WIFI_IF`
388.                 if [ "$WIFI_DEFINED" == "" ] && [ "$CONFIG_WIFI" != "FORCE" ]; then
389.                     echo -e "\a"$cBRED
390.                     Say "**ERROR** Guest WiFi SSID:" $SSID "("$1") not ENABLED!!"
391.                     echo -e $cRESET
392.                     exit 98
393.                 else
394.                     # Check if 'Access Intranet' is currently blocked i.e there are usually 2 rules if LAN (intranet) is blocked!
395.                     RULE_CNT=`ebtables -t filter -L FORWARD | grep -c "$WIFI_IF -j DROP"`
396.                     #Say "**DEBUG** intranet ebtables rule count:" $RULE_CNT
397.                     #if [ "$RULE_CNT" != 2 ]; then
398.                         #Say "**ERROR** Guest WiFi SSID:" $SSID "("$WIFI_IF") already has intranet access!"
399.                         #exit 97
400.                     #fi
401.                 fi
402.             fi
403.         else
404.             # Check if a Guest WiFi SSID was specified (rather than the actual Guest WiFi interface)
405.             WIFI_VAR=`nvram show 2> /dev/null | grep "_ssid" | grep -e "wl[0-1]\." | grep -i $1`
406.             #Say "**DEBUG**" $WIFI_VAR
407.             if [ -z $WIFI_VAR ]; then
408.                 echo -e "\a"$cBRED
409.                 Say "**ERROR** Guest WiFi SSID:" $1 " not found"
410.                 echo -e $cRESET
411.                 exit 95
412.             else
413.                 WIFI_IF=${WIFI_VAR:0:5}
414.                 SSID=$(nvram get $WIFI_IF"_ssid")
415.                 #Say "**DEBUG**" $WIFI_VAR
416.             fi
417.         fi
418.     fi
419. fi
420.  
421. Parse "$(Get_Subnet_Prefix "$WIFI_IF")" " " LAN_SUBNET_PREFIX LAN_SUBNET
422.  
423. # Predefined dnmasq directives?....if not create them if 'autodnsmasq' command arg supplied
424. if [ -z "$(grep -iE "^dhcp-option=$WIFI_IF,3" /etc/dnsmasq.conf | awk 'BEGIN { FS = "," } {print $3}')" ] && [ $USE_DNSMASQ == "Y" ];then
425.     if [ "$AUTODNSMASQ" == "Y" ];then
426.         RC=$(Config_dnsmasqWIFI "$WIFI_IF")
427.         if [ "$?" -eq 1 ];then
428.             echo -e "\a"$cBRED
429.             Say "***ERROR Guest Wifi" $SSID "("$WIFI_IF") not defined in '/etc/dnsmasq.conf'" $RC
430.             echo -e $cRESET
431.             exit 99
432.         fi
433.     else
434.         if [ "$DELMODE" -eq 0 ];then
435.             echo -e "\a"$cBRED
436.             Say "***ERROR Guest Wifi SSID:" $SSID "("$WIFI_IF") not defined in '/etc/dnsmasq.conf'" $RC "- use 'autodnsmasq' command arg"
437.             echo -e $cRESET
438.             exit 99
439.         fi
440.     fi
441. fi
442.  
443. if [ -z "$WIFI_IF" ];then
444.     WIFI_IF=$1                          # tacky buggy if arg1 is an SSID!!!
445. fi
446.  
447. # Get dnsmasq config
448. WIFI_IP=`grep -iE "^dhcp-option=$WIFI_IF,3" /etc/dnsmasq.conf  | awk 'BEGIN { FS = "," } {print $3}'`       # Extract I/P from 'dhcp-option=$GUEST_IF,3,10.88.241.1'
449. WIFI_SUBNET_PREFIX=${WIFI_IP%.*}                                                                            # Extract first three octets of I/P
450. WIFI_MASK=`cat /etc/dnsmasq.conf | grep "255." | grep "$WIFI_IF," | awk 'BEGIN { FS = "," } {print $4}'`
451.  
452. if [ "${WIFI_IF:0:3}" == "wl0" ];then
453.     WIFI_DESC=$WIFI_DESC"2.4GHz Client "${WIFI_IF:4:1}
454. fi
455. if [ "${WIFI_IF:0:3}" == "wl1" ];then
456.     WIFI_DESC=$WIFI_DESC"5GHz Client "${WIFI_IF:4:1}
457. fi
458. if [ "$WIFI_IF" == "eth1" ];then
459.     WIFI_DESC=$WIFI_DESC"2.4GHz network"
460. fi
461. if [ "$WIFI_IF" == "eth2" ];then
462.     WIFI_DESC=$WIFI_DESC"5GHz network"
463. fi
464.  
465. # Show the details of the selected WiFi Guest
466. if [ "$(echo $@ | grep -c "status")" -gt 0 ];then
467.     OPT=
468.     if [ "$(echo $@ | grep -c "status full")" -gt 0 ];then
469.         OPT="verbose"
470.     fi
471.     Show_Status "$OPT"
472.     echo -e $cRESET
473.     exit 0
474. fi
475.  
476. # Delete request?
477. if [ "$DELMODE" -gt 0 ];then
478.     if [ ! -z "$WIFI_IF" ];then
479.         /sbin/ifconfig $WIFI_IF down 2> /dev/null                   # Bounce rather than destroy the standard WiFi!!!
480.         /sbin/ifconfig $WIFI_IF up
481.         ACTIONS="-D"
482.         WIFI_FW "delete"                                            # Reset Firewall and 'ebtables' rules
483.         TXT="rules deleted"
484.         if [ ! -z "$LAN_RESOURCES" ];then
485.             TXT=$TXT" for LAN resources "$LAN_RESOURCES
486.         fi
487.         if [ "$DELMODE" -eq 2 ];then
488.             LAN_IP=$(nvram get lan_ipaddr)
489.             FN="/jffs/configs/dnsmasq.conf.add"
490.             if [ -f "$FN" ] && [ ! -z "$WIFI_IF" ];then
491.                 NOW=$(date +"%Y%m%d-%H%M%S")                            # current date and time
492.                 cp $FN ${FN}-$NOW                                       # Create 'dnsmasq.conf.add' backup
493.                 sed -i "/$WIFI_IF/d" $FN 2> /dev/null                   # Remove existing WIFI definition if it exists
494.             fi
495.             service restart_dnsmasq 2>&1 >/dev/null
496.             TXT="$WIFI_SUBNET_PREFIX.0/24 subnet deleted, reset to Asus default. ${LAN_IP%.*}.0/24"
497.         fi
498.         echo -e $cBGRE
499.         Say "Guest WiFi" $WIFI_DESC "SSID:" $SSID "("$WIFI_IF")" $TXT
500.         echo -e $cRESET
501.         exit 0
502.     fi
503. else
504.     if [ ! -z "$WIFI_IF" ] && [ ! -z "$WIFI_IP" ] && [ ! -z "$WIFI_MASK" ] ;then
505.         /sbin/ifconfig $WIFI_IF $WIFI_IP netmask $WIFI_MASK up      # Configure the WiFi interface
506.         ACTIONS="-D -I"
507.         WIFI_FW                                                     # Set Firewall and 'ebtables' rules
508.         PRE_SSID=
509.         if [ ! -z "$SSID_NAME" ];then
510.             SSID=$SSID_NAME
511.             nvram set ${WIFI_IF}_ssid="$SSID_NAME"                  # Assign new SSID - it isn't broadcast until 'service restart_wireless' :-(
512.             PRE_SSID="New"
513.         fi
514.         echo -e $cBGRE
515.         Say "Guest WiFi" $WIFI_DESC $PRE_SSID "SSID:" $SSID "("$WIFI_IF")" $WIFI_SUBNET_PREFIX.0/24 " subnet created, using DNS" $DNS_TO_USE
516.         if [ ! -z "$LAN_RESOURCES" ];then
517.             echo -e $cBCYA
518.             for LAN_RESOURCE in $LAN_RESOURCES
519.                 do
520.                     LAN_RESOURCE_NAME=`grep -i -w "$LAN_RESOURCE" /etc/hosts.dnsmasq | awk '{print $2}'`
521.                     Say "Guest WiFi" $WIFI_DESC $PRE_SSID "SSID:" $SSID "("$WIFI_IF")"  "Access to LAN resource" $LAN_RESOURCE "("$LAN_RESOURCE_NAME") now allowed"
522.                 done
523.         fi
524.     else
525.         echo -e $cBRED
526.         Say "***ERROR*** Guest WiFi" $WIFI_DESC "SSID='"$SSID"' WIFI_IF='"$WIFI_IF"' WIFI_IP='"$WIFI_IP"' WIFI_MASK='"$WIFI_MASK"' WIFI_SUBNET_PREFIX='"$WIFI_SUBNET_PREFIX".0/24'"
527.         echo -e $cRESET
528.     fi
529. fi
530.  
531. echo -e $cRESET
532. exit 0