Multiple WLANs iptables problems

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
DD-WRT Novice

Joined: 24 Jul 2012
Posts: 1

PostPosted: Tue Jul 24, 2012 14:06    Post subject: Multiple WLANs iptables problems Reply with quote
Hello everyone. I've searched as thoroughly as I can, but didn't see any threads relating to my problem. I also hope this is posted in the right place. Although I have gained a bit of experience with networking, I am by no means an expert, but I will try my best to explain the problem.

We have a small business network, which has recently been expanding quite a lot and we wanted to add internet access from wifi to the cafe in the building, via a Linksys WRT54GS v6. Obviously we want to place certain restrictions on it, and isolate it somewhat from the rest of our business network.

Our network is currently running fairly well, with a modem/router ( a BT Hub, unable to use with DD-WRT) wired to a 20 port switch, which is wired to a WRT54GS v6 ( running DD-WRT v24-sp2 (10/10/09) micro) which supplies another building with internet access. works as an access point and supplies our offices.

We then wanted to add a further WRT54GS v6 (, DD-WRT v24-sp2 (10/10/09) micro) wired to the network switch to supply the cafe. Now as this will be open to the public, we wanted to keep it fairly separate from our business network, with its own subnet, DHCP assignment etc, as well as somewhat restricted.

The best way to do this seemed to be using this guide:

I followed the steps and was able to get a router with a WLAN ip of, which was connecting to devices and giving out DHCP addresses properly and giving a gateway of The guide mentions that at this point "not be able to browse the internet until you add appropriate iptables commands later in the guide". So at this point we went on to trying iptables commands, starting with what we thought was appropriate:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

Added in Administration -> Commands, then pressed 'Run Command'. This didn't work, and devices can connect to the router on the new subnet, but cannot browse the internet.

Are the commands we are trying to use wrong? Are they not applicable? Or are we just barking up entirely the wrong tree altogether? I was at the limit of my knowledge a while ago and would really appreciate an experienced view on this.

Thanks guys,

Joined: 20 Sep 2006
Posts: 17344
Location: Hesse/Germany

PostPosted: Wed Jul 25, 2012 22:29    Post subject: Reply with quote
upgrade 1st and read:
Forum Guidelines...How to get help
Forum Rules
Throw some buzzwords into the WIKI search Exclamation
I'm NOT rude, just offer pure facts!
Atheros (TP-Link & Clones, etc ) debrick service in EU
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
Andreas Baumert: "Kundige Menschen befragen Fachleute, ohne ihnen auf die Nerven zu gehen. Sie stellen keine Fragen, die sie mit etwas Fleiß und Lektüre selber beantworten können. Sie wissen, auf welche Quellen es ankommt,und wie man sich Zugang zu ihnen verschafft."

Joined: 18 Sep 2010
Posts: 1997

PostPosted: Thu Jul 26, 2012 1:08    Post subject: Reply with quote
I need to know something. The fact you're running a 20 port switch off the modem/router suggests to me you're actively using this switch for purposes other than just the additional routers. Otherwise, I'm not sure why it's in the picture since the modem/router (which I assume already has a switch) can surely handle your current needs (the private and public networks). Is this the case?

The reason I'm asking is that if you are using that switch for any other purposes besides those routers, then placing a pubic router off that switch gives them unfettered access to that network. As it is, you'll need to protect the modem/router itself. But if the only other devices are routers (protected by their WANs), that's fine. But I wasn't sure this was the case.

All this begs the question, why does this have anything to do w/ multiple WANs and manipulating the dd-wrt router via iptables? If both your private router and the public router are the only devices connected to the modem/router, what’s the point? There may be one, but I don’t see it.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT


Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum