AlexSC DD-WRT Novice
Joined: 24 Jul 2012 Posts: 1
Posted: Tue Jul 24, 2012 14:06 Post subject: Multiple WLANs iptables problems
Hello everyone. I've searched as thoroughly as I can, but didn't see any threads relating to my problem. I also hope this is posted in the right place. Although I have gained a bit of experience with networking, I am by no means an expert, but I will try my best to explain the problem.
We have a small business network, which has recently been expanding quite a lot and we wanted to add internet access from wifi to the cafe in the building, via a Linksys WRT54GS v6. Obviously we want to place certain restrictions on it, and isolate it somewhat from the rest of our business network.
Our network is currently running fairly well, with a modem/router (192.168.1.1 a BT Hub, unable to use with DD-WRT) wired to a 20 port switch, which is wired to a WRT54GS v6 (192.168.1.2 running DD-WRT v24-sp2 (10/10/09) micro) which supplies another building with internet access. 192.168.1.2 works as an access point and supplies our offices.
We then wanted to add a further WRT54GS v6 (192.168.1.3, DD-WRT v24-sp2 (10/10/09) micro) wired to the network switch to supply the cafe. Now as this will be open to the public, we wanted to keep it fairly separate from our business network, with its own subnet, DHCP assignment etc, as well as somewhat restricted.
The best way to do this seemed to be using this guide:
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
I followed the steps and was able to get a router with a WLAN ip of 192.168.2.1, which was connecting to devices and giving out DHCP addresses properly and giving a gateway of 192.168.2.1. The guide mentions that at this point "not be able to browse the internet until you add appropriate iptables commands later in the guide". So at this point we went on to trying iptables commands, starting with what we thought was appropriate:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
Added in Administration -> Commands, then pressed 'Run Command'. This didn't work, and devices can connect to the router on the new subnet, but cannot browse the internet.
Are the commands we are trying to use wrong? Are they not applicable? Or are we just barking up entirely the wrong tree altogether? I was at the limit of my knowledge a while ago and would really appreciate an experienced view on this.
Thanks guys,
Alex