eginnc
DD-WRT Novice
Joined: 23 Jul 2017
Posts: 49
|
 Posted: Sun Jul 23, 2017 15:47 Post subject: Need Help Configuring Secondary Router for LAN+WiFi+Guest Wi |
 |
I’m in over my head and welcome any help. As will become evident at the end of this post, I do not understand how to use use iptables commands and am copying stuff I found in tutorials and trying blindly. Everything is working except Internet connection to WiFi guest (I can connect to WiFi Guest, but there is no internet). Here’s my setup:
Cable Modem [70 MB/s]===>Main Router<==>4 Wired Ethernet Lines to LAN Ports
Wired LAN Ports:
1: To Ooma Telo, with Telo serving as Secondary Router to ROKU streaming device
2: Desktop PC
3: Security System Interface
4: Upstairs to Secondary Router
4.a Wired Ethernet from Main Router is plugged into Secondary Router LAN port
4.b. Desktop PC is plugged into secondary router WAN port [WAN is disabled and set to switch, so I should have 5 LAN ports on the secondary router and no WAN port]
Main and Secondary routers are TP-Link WR841N running dd-wrt r31899.
Main Router set up:
Gateway mode
Local IP X.Y.Z.1 (subnet mask 255.255.255.0)
DHCP addresses start at X.Y.Z.100
Wifi is disabled in dd-wrt (I also removed antennas to save space)
Setup as DHCP server for network
Secondary Router:
AP Mode
Local IP X.Y.Z.3 (subnet mask 255.255.255.0)
WAN Connection Type “Disabled” and WAN port assigned to switch
DHCP Server disabled
WiFi mode set to NG Mixed on channel 1 (when I get this working I will replicate the setup exactly and set a second router up as another AP on Channel 11)
Primary WiFi AP setup as ath0
Virtual AP set up as ath0.1
WPA2/AES security on both ath0 and ath0.1
I created br1 at IP X.Y.Z+3.1 [255.255.255.0 mask], and assigned ath0.1 to br1
I added a DHCP server for br1
So far so good. Everything (including main WiFi), except the guest network is great, and the new wired connections are tremendously faster than my prior mostly wireless setup.
Before I went to this wired set up, I had WiFi on the main router and no secondary router, and the guest WiFi was set up on the main router (and working) as above for the secondary router (assigned to a br1), plus the following commands:
| Code: | # Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
# Restrict br1 from accessing br0 (do not use on WAP's)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
# Restrict br1 from telnet, SSH or GUI access to the router
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
|
This didn’t work with my new setup on the secondary router. I figured it had something to do with the “do not use on WAP” since, duh, the secondary router was set up as a WAP, and maybe something to do with the fact that I no longer had a WAN port on the secondary router. So I tried this.
| Code: | # Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
# Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
# Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# Restrict br1 from telnet, SSH or GUI access to the router
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset |
Still not working. I can connect to the Guest WiFi, but there is no internet access on the Guest WiFi. Otherwise, everything on the network, including the main WiFi, works great.
Any help or suggestions would be MOST welcome. Especially explanations on what is wrong with my iptables commands. I'd like to understand what I'm doing (wouldn't we all  ) if possible. For example, what's that "Enable NAT on WAN port to correct a bug in builds after 17000 thing about? And do I need to do it on LAN ports now that I have no WAN ports on the secondary router? Thank you. |
|
eginnc
DD-WRT Novice
Joined: 23 Jul 2017
Posts: 49
|
| Posted: Mon Jul 24, 2017 2:49 Post subject: |
|
Success! Thank you so much!
After the time spent banging my head against the wall trying to get the old br1 method to work, if the kids devices cannot connect to the same strongest channel to be on the same access point radio (same subnet) for multiplayer games, then they need to move closer to the same AP radio...LOL! I definitely won't be looking back to the br1 approach. |
|
