Posted: Thu Apr 12, 2012 6:41 Post subject: question: how to create isolated wifi from the LAN?
hi all,
I would like to know if there is a way for me to broadcast 2 SSIDs from my router one will be called "Main" and the other "secondary".
the "Main" should give full access to the network and internet.
the "secondary" should only give access to the internet but without any access to the LAN.
this way someone who gets access to "main" will see all my computers on the network but someone who accesses "secondary" will be able to access the internet but will not be able to see my computers that are on the LAN.
I found how to add a second SSID and I tried "wifi isolation" but it only isolated the client from other wifi clients and not from the LAN.
I searched the forums and the wiki but I couldn't find something like this.
hope someone knows how to do it...
Thanks in advance,
David.
Tech info:
my router is "D-Link DIR-300 A1" using V24 preSP2 [beta] build 13064 of dd-wrt
I am not sure, but since wlan1 has a defined IP range and wlan2 has a defined IP range you could use iptables.
drop all packets from wlan2 with a destination outside of your network.
drop all packets from wlan1 with a destination of your network and allow all others.
I'm doing something similar on my network, and here's what worked for me:
Wireless -> Basic Settings -> Add Virtual Interface
- Make sure you select Bridged Mode here
- I have AP Isolation disabled
Setup -> Networking -> Bridging -> Add (button)
- Name: br1
- STP: off (unless you need it for WDS)
- IP Address/Mask - select an IP address not in the range of your LAN, e.g. my LAN is 192.168.155.0/24, so here I used 192.168.40.1/24
- Apply Settings
Setup -> Networking-> Assign to Bridge -> Add (button)
- Select br1 from the first drop-down list
- Select wl0.1 from the second drop down list
- Don't mess with the priority
- Apply Settings
-- Begin DHCP config --
If you're running DHCP on your router, then:
Setup -> Networking -> DHCPd -> Multiple DHCP Server -> Add
- Configuration is straight-forward
- Apply settings
If you're running DHCP on another device (not this router)
Services-> DNSMasq
- DISABLE (I could not get dnsmasq to work on this page)
- Apply Settings
Administration -> Commands
- Add the following to your startup script, replacing the x's with the information for your secondary network:
To block the secondary network traffic from accessing your lan, add the following to your firewall script. Replace x's with the numbers for your secondary network and y's with numbers from your LAN:
iptables -A INPUT -p ! icmp -s 192.168.x.0/24 -j DROP
iptables -A FORWARD -s 192.168.x.0/24 -d 192.168.y.0/24 -j DROP
iptables -A FORWARD -s 192.168.x.0/24 -d ! 192.168.y.0/24 -j ACCEPT
The first rule blocks all traffic except ICMP from your secondary WLAN destined for your router. This allows devices on the secondary network to ping the router, important for troubleshooting. Once you're up and running and stable you can take it out.
The next line says block all traffic from the secondary network destined for your LAN.
The third line says allow all traffic from your secondary network NOT destined for your LAN.
The only other thing you'll have to do is configure your firewall script to NAT traffic sourced from the secondary network, which I'm not sure how to do (I'm doing natting on a m0n0wall device)
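An added example, not from this thread or from DD-WRT's own firewall scripts: it turns the three rules above into a complete firewall script for the guest bridge, including the NAT step the post leaves open. It uses the thread's subnets (LAN 192.168.155.0/24, guest 192.168.40.0/24 on br1) and assumes the WAN interface is vlan1; check the real name on your router before using it.

```sh
#!/bin/sh
# Added example, not from the thread: a DD-WRT-style firewall script that lets a
# guest bridge (br1) reach the Internet but not the LAN, and NATs it on the WAN.
# Assumed values (change to match your router; the thread only gives the LAN
# and guest subnets): LAN br0 = 192.168.155.0/24, guest br1 = 192.168.40.0/24,
# WAN interface vlan1. Set IPT=echo to print the rules instead of installing them.
LAN_NET="${LAN_NET:-192.168.155.0/24}"
GUEST_NET="${GUEST_NET:-192.168.40.0/24}"
GUEST_IF="${GUEST_IF:-br1}"
WAN_IF="${WAN_IF:-vlan1}"
IPT="${IPT:-iptables}"

guest_isolation_rules() {
    # Own chains keep the rule order readable; DD-WRT's built-in chains end in
    # DROP, so the jumps are inserted (-I) at the top rather than appended.
    for chain in guest_in guest_fwd; do
        $IPT -N "$chain" 2>/dev/null
        $IPT -F "$chain"
    done
    # Traffic to the router itself: allow DHCP, DNS and ping, drop the rest
    # (web UI, SSH, telnet, shares on USB storage).
    $IPT -A guest_in -p udp --dport 67 -j ACCEPT
    $IPT -A guest_in -p udp --dport 53 -j ACCEPT
    $IPT -A guest_in -p tcp --dport 53 -j ACCEPT
    $IPT -A guest_in -p icmp -j ACCEPT
    $IPT -A guest_in -j DROP
    # Forwarded traffic: guest -> LAN dropped, guest -> WAN allowed,
    # anything else (other bridges, WDS links) dropped.
    $IPT -A guest_fwd -d "$LAN_NET" -j DROP
    $IPT -A guest_fwd -o "$WAN_IF" -j ACCEPT
    $IPT -A guest_fwd -j DROP
    $IPT -I INPUT -i "$GUEST_IF" -j guest_in
    $IPT -I FORWARD -i "$GUEST_IF" -j guest_fwd
    # Replies from the Internet come back through conntrack; LAN hosts must
    # not be able to open connections into the guest network either.
    $IPT -I FORWARD -o "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -I FORWARD -s "$LAN_NET" -o "$GUEST_IF" -j DROP
    # NAT guest traffic leaving on the WAN (the part left open in the post above).
    $IPT -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

# Usage: sh guest_fw.sh apply            (as root on the router)
#        IPT=echo sh guest_fw.sh apply   (dry run, just prints the rules)
[ "${1:-}" = apply ] && guest_isolation_rules
```

To use it as the DD-WRT firewall script, paste the function into Administration -> Commands, Save Firewall, and call guest_isolation_rules on the last line.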
Just follow the Multiple WLAN guide on the wiki.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)