Create a guest Wi-Fi network with only WAN access?

riahc3
DD-WRT User


Joined: 04 May 2007
Posts: 324

Posted: Mon Apr 10, 2017 10:03    Post subject: Create a guest Wi-Fi network with only WAN access?
I tried the guide in the wiki and it did not work.

What is the best way to create a guest Wi-Fi network with only WAN access and no LAN access?

BTW, I want to clarify that it STOPPED working after upgrading to a newer build.
riahc3
DD-WRT User


Joined: 04 May 2007
Posts: 324

Posted: Mon Apr 10, 2017 10:21
My iptables:

#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.88.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.88.0/24 -m connlimit --connlimit-above 25 -j DROP
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
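
Whether the FORWARD rules in the post above isolate the guest bridge depends on their final order, because iptables applies the first terminating rule that matches. As an added example (not part of the thread and not DD-WRT code), this shell function reads a FORWARD listing in `iptables -S` format, assumed to be available, and reports whether a new guest-to-LAN connection reaches a DROP before an ACCEPT. The function names, the sample listing and the 192.168.1.0/24 LAN are constructed; jumps to user-defined chains are not followed and subnets are compared as literal strings.

```shell
#!/bin/sh
# Added example. Reads `iptables -S FORWARD` text on stdin and prints the fate of a
# NEW connection from the guest interface ($1) to the LAN bridge ($2) / subnet ($3):
#   isolated  = an unconditional DROP/REJECT for that traffic is reached first
#   exposed   = an ACCEPT that can match that traffic is reached first
#   undecided = no listed rule decides; the chain policy applies
audit_guest_forward() {
    awk -v gif="$1" -v lif="$2" -v lan="$3" '
    $1 != "-A" { next }                       # skip -P and -N lines
    {
        iif = oif = dst = st = tgt = ""; ineg = narrow = 0
        for (i = 3; i < NF; i++) {
            v = $(i + 1); n = ($(i - 1) == "!")
            if ($i == "-i") { iif = v; ineg = n }
            else if ($i == "-o") { oif = (n ? "" : v); narrow += n }
            else if ($i == "-d") { dst = (n ? "" : v); narrow += n }
            else if ($i == "-p" || $i == "-s") narrow++
            else if ($i == "-m" && v != "state" && v != "conntrack") narrow++
            else if ($i == "--state" || $i == "--ctstate") st = v
            else if ($i == "-j") tgt = v
        }
        if (tgt != "ACCEPT" && tgt != "DROP" && tgt != "REJECT") next
        if (iif != "" && (ineg ? (iif == gif) : (iif != gif))) next      # other interface
        if (st != "" && index(st, "NEW") == 0) next                      # never matches NEW
        if ((oif != "" && oif != lif) || (dst != "" && dst != lan)) next # not LAN-bound
        if (tgt == "ACCEPT") { verdict = "exposed"; exit }
        if (!narrow) { verdict = "isolated"; exit }   # narrowed drops are partial, keep going
    }
    END { print (verdict == "" ? "undecided" : verdict) }'
}

# Constructed sample: the FORWARD rules from the post above, listed in the order the
# -I inserts leave them (last inserted comes first); 192.168.1.0/24 is an assumed LAN.
sample_rules() {
cat <<'EOF'
-P FORWARD ACCEPT
-A FORWARD -s 192.168.88.0/24 ! -p tcp -m connlimit --connlimit-above 25 -j DROP
-A FORWARD -s 192.168.88.0/24 -p tcp -m connlimit --connlimit-above 50 -j DROP
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
-A FORWARD -i br0 -o br1 -m state --state NEW -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
EOF
}

sample_rules | audit_guest_forward br1 br0 192.168.1.0/24   # prints: isolated
```

On a live system the call would be `iptables -S FORWARD | audit_guest_forward br1 br0 <LAN subnet>`, with the subnet written exactly as the listing prints it.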
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6291
Location: Texas

Posted: Mon Apr 10, 2017 13:15
If this is a 'gateway' router (WAN is Enabled) and you are using the newest build, you should be able to get rid of all the custom firewall rules and click the button for net isolation.
It would work best to get rid of the br1 and use unbridged in the wireless settings. After you do that, just add multiple DHCP for the correct interface in the Networking page and do a reboot.
rcblackwell
DD-WRT User


Joined: 18 Jun 2009
Posts: 84

Posted: Mon Apr 10, 2017 14:48
mrjcd wrote:
If this is a 'gateway' router (WAN is Enabled) and you are using the newest build, you should be able to get rid of all the custom firewall rules and click the button for net isolation.
It would work best to get rid of the br1 and use unbridged in the wireless settings. After you do that, just add multiple DHCP for the correct interface in the Networking page and do a reboot.


Thank you for this tip. This set-up is much easier for me to understand. My router's configuration has been changed to that noted above.