Posted: Fri Oct 21, 2016 13:20 Post subject: How to make NAS accessible only by br0 network?
Hi everyone.
I have two networks: br0 (main) and an isolated guest network with limited bandwidth speeds (br1). I just set up a NAS with an HDD using Samba. I can see the drive on my network but I only want to limit it to my br0 network.
Any ideas?
A bit hard to give a real good answer since I don't know what router you are using or what dd-wrt build.
Any special reason for the br1??? You could throw some more firewall rules at it but it is really not necessary.
I know cause I did it for a long time
For a simple guest network that is well isolated from all - get rid of the br1, delete your firewall rules.
Set the VAP as unbridged, Masquerade / NAT and put in its IP & subnet mask. Check the button for net isolation.
In networking add Multiple DHCP Server selecting wl0.1 (or whatever wireless interface it is) and that should do it.
On some routers / some builds you may need a reboot for all to take effect.
Should work on k3.x 27858 or later ... probably some before that too ---
sometimes a mess when you start trying to delete existing networks and DHCP servers -- I would recommend to reset and use a recent known working build for your router.
--
huh dang .. I just type too slow
My apologies! I have a new tenant moving into the basement soon.
It's the R7000. I just installed the most recent version of DD-WRT last week for this router (build 30700M). My original plan was to set up an isolated guest network with limited speeds for the tenant and I followed this guide (http://www.alexlaird.com/2013/03/dd-wrt-guest-wireless/).
It told me to use br0 (for personal) and br1 (for the guests). After following the guide, I went into the QoS and added the br1 under 'Services Priority' and limited to 5/1 Mbits (as we only have 25/3 speeds). I am on a PPPoE connection with a modem set to bridge mode.
I hope I set up the network correctly and so far everything has been going well.
I input the firewall command that was mentioned in the guide:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
I am not sure if I should keep this command or remove it as the other poster has mentioned. I set up a NAS using Samba but I believe both br0 and br1 are able to see it and I want to limit it to br0 only.
I am not too sure how to do the VAP and Masquerade stuff, but what would be the difference between that setup and what I have now?
Thanks!
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
# Allow Guest only DHCP & DNS Access
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
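What the rule set posted above does once it is loaded, as an added example that is not part of the original thread: `-I` with no position inserts at the top of a chain, so the last rule entered is checked first, and the first match decides. The sketch models that ordering and assumes the Samba share is served by the router itself (traffic the INPUT chain governs); the sample packets, the `vlan2` WAN interface name and the "existing rules" fall-through label are constructed.

```python
import shlex

# Filter-table rules copied from the thread (the SNAT line is left out).
RULES = """
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
"""
FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport",
         "--state": "state", "-j": "target"}

def build_chains(text):
    """Apply each -I in order; with no index, -I puts the rule at the top."""
    chains = {"INPUT": [], "FORWARD": []}
    for line in text.strip().splitlines():
        args = shlex.split(line)[1:]
        chain = args[args.index("-I") + 1]
        rule = {FLAGS[a]: args[i + 1] for i, a in enumerate(args) if a in FLAGS}
        chains[chain].insert(0, rule)
    return chains

def verdict(chain, pkt):
    """Return the target of the first rule whose every condition matches."""
    for rule in chain:
        if all(str(pkt.get(k)) == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return "existing rules"  # constructed label: packet falls through to the firmware's own rules

def demo():
    """Evaluate constructed sample packets against the modelled chains."""
    c = build_chains(RULES)
    g = {"in": "br1", "state": "NEW"}   # a new connection from the guest bridge
    lan = {"in": "br0", "state": "NEW"}  # a new connection from the main bridge
    return {
        "guest SMB to router": verdict(c["INPUT"], {**g, "proto": "tcp", "dport": 445}),
        "guest DNS to router": verdict(c["INPUT"], {**g, "proto": "udp", "dport": 53}),
        "guest DHCP": verdict(c["INPUT"], {**g, "proto": "udp", "dport": 67}),
        "br0 SMB to router": verdict(c["INPUT"], {**lan, "proto": "tcp", "dport": 445}),
        "guest to br0 host": verdict(c["FORWARD"], {**g, "out": "br0", "proto": "tcp", "dport": 445}),
        "guest to internet": verdict(c["FORWARD"], {**g, "out": "vlan2", "proto": "tcp", "dport": 443}),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22} {result}")
```

On the router, `iptables -L INPUT -n -v --line-numbers` shows the real rule order and per-rule packet counters.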
This worked FLAWLESSLY. Thank you! Do you mind explaining what exactly this command does?
Also, if I post some screenshots of my current setup, can you tell me if I set up everything properly? Such as PPPoE settings, wireless settings, QoS, NAS, etc? I just want to make sure the setup is perfect so that I don't need to change things once the tenant moves in.
I came on board to help with Guest Access not to review your whole configuration, just don't have the time.
_________________
Home Network on Telus 1Gb PureFibre - 10GbE Copper Backbone
2x R7800 - Gateway & WiFi & 3xWireGuard - DDWRT r53562 Std k4.9
Off Site 1
R7000 - Gateway & WiFi & WireGuard - DDWRT r54517 Std
E3000 - Station Bridge - DDWRT r49626 Mega K4.4
Off Site 2
R7000 - Gateway & WiFi - DDWRT r54517 Std
E2000 - Wired ISP IPTV PVR Blocker - DDWRT r35531
Sorry if this is a dumb question, but why do any of that? Why not just click Net Isolation for the guest WiFi network and call it good? Or, if this is also for a wired connection, wouldn't you need to limit bandwidth based on a specific port of the router?
Tony
I'm not too sure, I'm fairly new to this stuff.
I will not be providing the tenant with any LAN ports, only wireless.
This adds to my question: if I plug in a device to an open LAN port on my router, will it be on the br0 or br1 network? I want to add a switch to create more ports. I want this switch to be on br0 along with any other open LAN ports on the R7000.
I just want the wireless of br1 strictly as an isolated network with bandwidth control for the tenant.
the NAT rule shows up beautifully. Unfortunately, I am running a build after March 21, 2016 (29300 from 4/14/2016) when BS said the bug was fixed (as are you). But hey, I'm happy now that it is persistent, at least until the next nvram erase and I lose the br1_bridged variable (hence why I am documenting for my own sake).
_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy