Multiple SSIDs & Separate Subnets w/v24

DD-WRT Forum Index -> Broadcom SoC based Hardware
ApoXX
DD-WRT Novice
Joined: 27 Apr 2007
Posts: 6

PostPosted: Tue Oct 30, 2007 3:06    Post subject: Multiple SSIDs & Separate Subnets w/v24
I was having some issues getting multiple SSIDs with DHCP working but finally figured out a solution so I figured I would share my configuration with anyone who is interested. There have been other threads started explaining how to set this up by creating a separate bridge but they seemed to be geared toward v23 and the bridge interface (brctl) didn't work as I had expected.

1) I set up the physical interface (wl0) as a bridged network secured with WPA2/AES.

2) Add the new Virtual Interface under Wireless -> Basic Settings
- Set Network Configuration to Unbridged and specify whatever subnet you want
- I enabled AP Isolation to prevent clients on this network from talking to each other
- Set up whatever security you want; I have it set up as an open network so my friends/family can connect up for casual browsing with no issues.

3) Go to Services -> Services and enter the following in the Additional DNSMasq Options box:
Code:
# make dnsmasq serve DHCP (and DNS) on the guest virtual interface as well
interface=wl0.1
# option 3: default gateway handed to guest clients (the router's wl0.1 address)
dhcp-option=wl0.1,3,192.168.2.1
# option 6: DNS server handed to guest clients
dhcp-option=wl0.1,6,192.168.1.1
# pool for wl0.1: .100-.249, /24 mask, 1440-minute (24 h) lease
dhcp-range=wl0.1,192.168.2.100,192.168.2.249,255.255.255.0,1440m

(The line "dhcp-option=wl0.1,6,192.168.1.1" sets 192.168.1.1 as the default DNS server; it seemed there wasn't a resolver listening on 192.168.2.1.)

4) Go to Administration -> Commands and enter the following:
Code:
# accept new connections from the guest WLAN to the router itself (DHCP and DNS, but also the admin UI)
iptables -I INPUT -i wl0.1 -m state --state NEW -j logaccept


The following lines will prevent users on the new subnet from communicating with computers on your main network (bridge).
Code:
# drop routed traffic between the guest WLAN and the main LAN bridge, in both directions
iptables -I FORWARD -i wl0.1 -o br0 -j logdrop
iptables -I FORWARD -i br0 -o wl0.1 -j logdrop


I also added the following lines to restrict which services my public users have access to.
Code:
# -I inserts at the top of the chain, so the catch-all drop is entered first
# and each later accept ends up above it (first match wins)
iptables -I FORWARD -i wl0.1 -o vlan1 -j logdrop
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 22 -j logaccept # ssh
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 80 -j logaccept # http
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 443 -j logaccept # https
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 465 -j logaccept # smtps
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 993 -j logaccept # imaps
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 995 -j logaccept # pop3s
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 5190 -j logaccept # aim
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 1863 -j logaccept # msn
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 5050 -j logaccept # yahoo
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 5222 -j logaccept # xmpp
iptables -I FORWARD -i wl0.1 -o vlan1 -p tcp --dport 5269 -j logaccept # xmpp


- Click Save Firewall

5) Reboot and it should be setup.

Please let me know what you guys think, it's been working well for me so far but I'm still pretty new to linux networking and iptables.


Last edited by ApoXX on Thu Nov 01, 2007 0:26; edited 1 time in total
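The firewall half of the recipe above, reworked as one script. This is an added example, not ApoXX's own commands. It keeps the thread's interface names (wl0.1 for the guest SSID, br0 for the main LAN bridge, vlan1 for the WAN) and DD-WRT's logaccept/logdrop chains, and tightens two things the post leaves open: guest clients can reach the router itself only on DHCP and DNS, so the admin page on 192.168.2.1 or 192.168.1.1 is no longer reachable from the guest SSID (a concern raised later in the thread), and follow-up packets of accepted exchanges are admitted by connection state rather than by a blanket accept of every NEW connection. The port lists and the private-range block on the WAN side are assumptions for illustration, not something the post specifies. By default the script only prints the rules; set APPLY=1 to hand them to iptables (paste into Administration -> Commands and Save Firewall).

```shell
#!/bin/sh
# Guest-WLAN firewall for DD-WRT: added example, not the original poster's script.
# Interface names and the logaccept/logdrop chains come from the thread; the
# port lists and the private-range block are assumptions for illustration.
GUEST_IF=${GUEST_IF:-wl0.1}   # unbridged virtual AP, 192.168.2.0/24
LAN_BR=${LAN_BR:-br0}         # main LAN bridge, 192.168.1.0/24
WAN_IF=${WAN_IF:-vlan1}       # WAN port
TCP_PORTS=${TCP_PORTS:-"22 80 443 465 993 995 5222 5269"}
UDP_PORTS=${UDP_PORTS:-"123"} # NTP; guest DNS goes to the router, not out the WAN

# Dry run unless APPLY=1: print each rule instead of handing it to iptables.
show() { printf '%s\n' "$*"; }
if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT=show; fi

guest_fw() {
    # Every rule is inserted with -I (top of chain), so the catch-all drop is
    # entered first and each later, more specific rule lands above it.

    # --- INPUT: guest clients -> the router itself ---
    $IPT -I INPUT -i "$GUEST_IF" -j logdrop
    $IPT -I INPUT -i "$GUEST_IF" -p udp --dport 67 -j logaccept   # DHCP
    $IPT -I INPUT -i "$GUEST_IF" -p udp --dport 53 -j logaccept   # DNS
    $IPT -I INPUT -i "$GUEST_IF" -p tcp --dport 53 -j logaccept   # DNS over TCP
    # packets belonging to an already accepted exchange (rest of a TCP DNS
    # session, replies to connections the router itself opened, ICMP errors)
    $IPT -I INPUT -i "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT

    # --- FORWARD: guest <-> main LAN, nothing in either direction ---
    $IPT -I FORWARD -i "$GUEST_IF" -o "$LAN_BR" -j logdrop
    $IPT -I FORWARD -i "$LAN_BR" -o "$GUEST_IF" -j logdrop

    # --- FORWARD: guest -> internet, deny by default, allow listed ports ---
    $IPT -I FORWARD -i "$GUEST_IF" -o "$WAN_IF" -j logdrop
    for p in $TCP_PORTS; do
        $IPT -I FORWARD -i "$GUEST_IF" -o "$WAN_IF" -p tcp --dport "$p" -j logaccept
    done
    for p in $UDP_PORTS; do
        $IPT -I FORWARD -i "$GUEST_IF" -o "$WAN_IF" -p udp --dport "$p" -j logaccept
    done
    # Even on allowed ports, keep guests off RFC 1918 space behind the WAN
    # (matters when the WAN side is itself a private LAN, as in repeater mode).
    for n in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -I FORWARD -i "$GUEST_IF" -o "$WAN_IF" -d "$n" -j logdrop
    done
}

guest_fw
```

Return traffic from the internet to guest clients (vlan1 -> wl0.1) is not touched here; DD-WRT's stock FORWARD chain already admits it by state, which is why the original rules work too. The DNS accept on port 53 is not tied to a destination address, so it covers both 192.168.2.1 and the 192.168.1.1 resolver the post hands out, while still exposing nothing but port 53 on either address.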
ApoXX
DD-WRT Novice
Joined: 27 Apr 2007
Posts: 6

PostPosted: Tue Oct 30, 2007 18:12
One thing I noticed is that my Linux wireless configuration tool seems to get confused when there are multiple SSIDs using the same BSSID, while Windows shows both SSIDs with no problems. This can be fixed by turning off SSID broadcast.

Does anyone know if there is a way to change the BSSID on the virtual wireless interfaces?
Bird333
DD-WRT Guru
Joined: 07 Jun 2006
Posts: 809

PostPosted: Wed Oct 31, 2007 15:35
This looks much simpler to do than other 'guides' I have seen. Thanks for sharing! I am going to try this when I get home.

Question: What allows computers on different subnets to communicate with each other by default? Your commands prevent them from talking, but I would think since they are on different subnets that they couldn't communicate by default and you would have to use commands to allow them to talk.
Bird333
DD-WRT Guru
Joined: 07 Jun 2006
Posts: 809

PostPosted: Wed Oct 31, 2007 18:34
This didn't work for me. I am using RC-2 however, maybe RC-4 would be better. I could connect to the new virtual AP but I could never get assigned an IP address.
ApoXX
DD-WRT Novice
Joined: 27 Apr 2007
Posts: 6

PostPosted: Thu Nov 01, 2007 0:22
Yes, I'm using RC4.

Make sure you have "Use DNSMasq for DNS" checked under Setup -> Basic Setup
Also, make sure "DNSMasq" is set to enable under Services -> Services and that you pasted the DHCP configuration into "Additional DNSMasq Options" and not "Additional DHCPd Options"

Windows workgroups are limited to the specific subnet by default, however, I believe since there are no iptables rules forbidding it, computers may talk to each other on protocols other than samba/wins unless it is explicitly denied. (Without the rules, I was able to ping a computer on the 192.168.1.1 subnet from the 192.168.2.1 subnet.)
Bird333
DD-WRT Guru
Joined: 07 Jun 2006
Posts: 809

PostPosted: Thu Nov 01, 2007 2:18
ApoXX wrote:
Yes, I'm using RC4.

Make sure you have "Use DNSMasq for DNS" checked under Setup -> Basic Setup
Also, make sure "DNSMasq" is set to enable under Services -> Services and that you pasted the DHCP configuration into "Additional DNSMasq Options" and not "Additional DHCPd Options"


You hit the nail on the head! I had the options in the wrong box. It's working now, but the only encryption I can use is WEP, but that may be related to RC-2.
Bird333
DD-WRT Guru
Joined: 07 Jun 2006
Posts: 809

PostPosted: Thu Nov 01, 2007 12:44
See if you can figure this out. I tried to use this setup on a second router in 'Repeater' mode. The virtual AP connection works but I can't reach the main router or the internet. The repeater receives a WAN IP from the main router so I know the repeater function is working.

Main AP local ip address: 192.168.1.1
Repeater local ip: 192.168.1.2 (I can also reach it with 192.168.2.1 with your setup)

When I try to ping the main ip I get 'Destination Host Unreachable'

Thoughts?


Last edited by Bird333 on Wed Jan 02, 2008 15:31; edited 1 time in total
onix
DD-WRT User
Joined: 22 Oct 2006
Posts: 188

PostPosted: Thu Nov 01, 2007 18:50    Post subject: Using 192.168.1.1 as DNS
Thanks for this ApoXX. Your guide hit the sweet spot for me - I know little WRT scripting but feel comfortable with networking - and it's gotten me much further than I had before over the last several months. Do a search on Dual (or Multiple) SSID for additional background. I don't think there are any solutions for two MAC addresses, though it has been asked before.

Here are my questions to you, and the general community:
    Why should I need steps 3) and 4) if I've already pretty much set them up in Virtual Interface under Wireless -> Basic Settings? It seems redundant.
    Using 192.168.1.1 for DNS to the virtual LAN seems to circumvent Access Point Isolation. Are there any other ways to set this up? Plus your guests will still have access to your router config page either through http://192.168.1.1 or http://192.168.2.1
    Access Restrictions seems to only work for wl0.0 - any way we could add the virtual wl0.1 network?
That's it for right now. I have loads of other questions.

_________________
WRT54GL v1.1 - DD-WRT v24-sp2 (04/07/12) vpn-small (SVN revision 18946M NEWD Eko)
WZR-HP-AG300H - DD-WRT v3.0-r30082 std (07/01/16)


Last edited by onix on Thu Nov 01, 2007 19:28; edited 1 time in total
Bird333
DD-WRT Guru
Joined: 07 Jun 2006
Posts: 809

PostPosted: Thu Nov 01, 2007 19:15    Post subject: Re: Using 192.168.1.1 as DNS
onix wrote:

Here are my questions to you, and the general community:
    Why should I need steps 3) and 4) if I've already pretty much set them up in Virtual Interface under Wireless -> Basic Settings? It seems redundant.


It seems to me that all that setting up an unbridged virtual interface does is give your router another IP address. It doesn't set up DHCP configuration to hand out IPs on the new network or point to the DNS server. That's why you have to add the additional config options. Maybe in a future release this will be done automatically.
Bird333
DD-WRT Guru
Joined: 07 Jun 2006
Posts: 809

PostPosted: Fri Nov 02, 2007 1:52
Bird333 wrote:
See if you can figure this out. I tried to use this setup on a second router in 'Repeater' mode. The virtual AP connection works but I can't reach the main router or the internet. The repeater receives a WAN IP from the main router so I know the repeater function is working.

Main AP local ip address: 192.168.1.1
Repeater local ip: 192.168.1.2 (I can also reach it with 192.168.2.1 with your setup)

When I try to ping the main ip I get 'Destination Host Unreachable'

Thoughts?


Well I figured this out. This is all done on the repeater. You have to remove the 'route' entry that is on the 'br0' interface with this command
Code:
route del -net 192.168.1.0 netmask 255.255.255.0 dev br0   # drop the LAN route the repeater put on br0


Then remove the default gateway route that is on 'br0' with this
Code:
route del default gw 192.168.1.1 dev br0   # drop the default route that points out br0


Then add the default gateway on interface 'eth2' (WAN) with this
Code:
route add default gw 192.168.1.1 dev eth2   # re-add it via the WAN-side interface instead
septicdeath
DD-WRT Novice
Joined: 07 Nov 2007
Posts: 15

PostPosted: Wed Nov 07, 2007 1:46    Post subject: Questions
Started messing with the configuration today. I have a Cisco 871w currently configured with 2 wireless LANs (1 into my house LAN, the 2nd one a guest network but still WPA protected). Trying to learn IOS and now trying to configure the firewall, well, I'm about ready to give up on the Cisco 871w, so I grabbed my DD-WRT v24 beta (06/20/07) because I was told that I could set up a guest WLAN and isolate it from my internal WLAN/wired subnet. Like everyone else, I soon found out that I could create 2 WLANs just fine by creating 10.1 as well. And like everyone else, I found out that users on that 10.1 could gain access to everything on my wired and primary WLAN interfaces. Anyways, I'm rambling. I followed the instructions here, and thought I had a grasp on it. This write-up was done with a different release; does it work with v24? Also, unfortunately I have more than 1 issue. The first issue is with the virtual WLAN interface. When I change it to unbridged, I can't authenticate to the network. I was using WPA Personal, and when I check bridged, my networks join just fine (getting the wrong DHCP assignment and no iptables rule enforcement though). The second that I click the unbridged mode, the network drops (it should), but then when trying to re-join I can't authenticate at all. The user in this thread provided the 10.1 network with no authentication; has it been discovered that this method can't utilize authentication on the unbridged network? I'll start with that question.

O, BTW:

My device is a buffalo whr-hp-g54 with v24 beta on it.
Thanks
Luniz2k1
DD-WRT Guru
Joined: 04 Oct 2007
Posts: 1258
Location: Ohio USA

PostPosted: Wed Nov 07, 2007 1:51
v24 beta is older than the v24 RC4. A lot has changed since v24 beta. I would suggest trying this setup with v24 RC4.
_________________
(05/02/17) std - 31924
Linksys WRT400N
Buffalo WHR-G300N

Got OpenDNS?
septicdeath
DD-WRT Novice
Joined: 07 Nov 2007
Posts: 15

PostPosted: Wed Nov 07, 2007 1:59    Post subject: Thanks
I was just getting into checking out how old I actually was. Thanks for speeding up my knowledge.
Bird333
DD-WRT Guru
Joined: 07 Jun 2006
Posts: 809

PostPosted: Wed Nov 07, 2007 4:26
See my post above yours. You may be having an issue with not having a route from your newly created network to the internet.
septicdeath
DD-WRT Novice
Joined: 07 Nov 2007
Posts: 15

PostPosted: Wed Nov 07, 2007 16:23    Post subject: Time to goto different forum
Flashed hp-54g to rc4 and now when configured for static it won't pass traffic. Leave it as DHCP and it works fine; static and nothing, even hard cox arp my business modem. Hmmm.. Thanks though...