Joined: 24 Jul 2012
Posted: Tue Jul 24, 2012 14:06 Post subject: Multiple WLANs iptables problems
Hello everyone. I've searched as thoroughly as I can, but didn't see any threads relating to my problem. I also hope this is posted in the right place. Although I have gained a bit of experience with networking, I am by no means an expert, but I will try my best to explain the problem.
We have a small business network, which has recently been expanding quite a lot and we wanted to add internet access from wifi to the cafe in the building, via a Linksys WRT54GS v6. Obviously we want to place certain restrictions on it, and isolate it somewhat from the rest of our business network.
Our network is currently running fairly well, with a modem/router (192.168.1.1, a BT Hub, unable to use with DD-WRT) wired to a 20 port switch, which is wired to a WRT54GS v6 (192.168.1.2, running DD-WRT v24-sp2 (10/10/09) micro) which supplies another building with internet access. 192.168.1.2 works as an access point and supplies our offices.
We then wanted to add a further WRT54GS v6 (192.168.1.3, DD-WRT v24-sp2 (10/10/09) micro) wired to the network switch to supply the cafe. Now as this will be open to the public, we wanted to keep it fairly separate from our business network, with its own subnet, DHCP assignment etc, as well as somewhat restricted.
The best way to do this seemed to be using this guide:
I followed the steps and was able to get a router with a WLAN ip of 192.168.2.1, which was connecting to devices and giving out DHCP addresses properly and giving a gateway of 192.168.2.1. The guide mentions that at this point "not be able to browse the internet until you add appropriate iptables commands later in the guide". So at this point we went on to trying iptables commands, starting with what we thought was appropriate:
# NAT traffic leaving on the WAN interface to the router's WAN address
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
# Allow new connections from the guest bridge (br1) to be forwarded
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
# Clamp TCP MSS to the path MTU on forwarded connections
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Block new connections from br1 into the WAN-side (office) subnet; inserted last so it sits first in FORWARD
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
# Let br1 clients reach the router's own DNS forwarder
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
Added in Administration -> Commands, then pressed 'Run Command'. This didn't work, and devices can connect to the router on the new subnet, but cannot browse the internet.
Are the commands we are trying to use wrong? Are they not applicable? Or are we just barking up entirely the wrong tree altogether? I was at the limit of my knowledge a while ago and would really appreciate an experienced view on this.
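An added check for the rule set above, not from the thread or from DD-WRT: it reads `iptables -S` listings and confirms that the br1 -> office-subnet DROP sits ahead of the br1 ACCEPT in FORWARD and that an SNAT rule exists on the WAN interface. The listings embedded below are constructed samples (the interface name vlan1 and the rule text are assumptions); on the router pass the real `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` output instead.

```shell
#!/bin/sh
# Sanity check for the guest-WLAN (br1) rule set; on the router run:
#   check_forward_order "$(iptables -S FORWARD)"
#   check_snat "$(iptables -t nat -S POSTROUTING)"
# Needs only busybox sh and awk. The listings below are constructed samples.

# iptables stops at the first matching rule, so the br1 -> office-subnet DROP
# must sit above the br1 NEW ACCEPT or cafe clients can reach the office LAN.
# Exit 0 = ok, 1 = wrong order, 2/3 = a rule is missing.
check_forward_order() {
    printf '%s\n' "$1" | awk '
        /-i br1/ && /-j DROP/ && !drop { drop = NR }
        /-i br1/ && /--state NEW/ && /-j ACCEPT/ && !acc { acc = NR }
        END {
            if (!drop) { print "missing: br1 -> LAN DROP rule"; exit 2 }
            if (!acc)  { print "missing: br1 NEW ACCEPT rule"; exit 3 }
            if (drop < acc) { print "ok: DROP precedes ACCEPT"; exit 0 }
            print "bad order: ACCEPT at " acc " precedes DROP at " drop; exit 1
        }'
}

# Without SNAT on the WAN interface, packets leave with 192.168.2.x sources and
# the upstream hub has no route back to that subnet: clients associate and get
# DHCP leases but cannot browse. Exit 0 if an SNAT rule with -o and --to-source exists.
check_snat() {
    printf '%s\n' "$1" | awk '
        /-j SNAT/ && /-o [A-Za-z0-9.]+/ && /--to-source [0-9.]+/ { found = 1 }
        END {
            if (found) { print "ok: SNAT rule present"; exit 0 }
            print "missing: SNAT on WAN interface"; exit 1
        }'
}

# Constructed listings in `iptables -S` form, mirroring the posted commands.
FORWARD_OK='-P FORWARD ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i br1 -m state --state NEW -j ACCEPT'
FORWARD_BAD='-P FORWARD ACCEPT
-A FORWARD -i br1 -m state --state NEW -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -m state --state NEW -j DROP'
NAT_OK='-P POSTROUTING ACCEPT
-A POSTROUTING -o vlan1 -j SNAT --to-source 192.168.1.3'

check_forward_order "$FORWARD_OK"   # ok: DROP precedes ACCEPT
check_snat "$NAT_OK"                # ok: SNAT rule present
```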
Joined: 18 Sep 2010
Posted: Thu Jul 26, 2012 1:08 Post subject:
I need to know something. The fact you're running a 20 port switch off the modem/router suggests to me you're actively using this switch for purposes other than just the additional routers. Otherwise, I'm not sure why it's in the picture since the modem/router (which I assume already has a switch) can surely handle your current needs (the private and public networks). Is this the case?
The reason I'm asking is that if you are using that switch for any other purposes besides those routers, then placing a public router off that switch gives them unfettered access to that network. As it is, you'll need to protect the modem/router itself. But if the only other devices are routers (protected by their WANs), that's fine. But I wasn't sure this was the case.
All this begs the question, why does this have anything to do w/ multiple WANs and manipulating the dd-wrt router via iptables? If both your private router and the public router are the only devices connected to the modem/router, what’s the point? There may be one, but I don’t see it.