Posted: Tue Apr 07, 2015 0:01 Post subject: firewall question?
Hi,
So I was wondering if someone can help me. I have my ISP modem (static bridge) go straight to my pfSense box (192.168.1.254), which manages the DHCP. Then I have it connected to my R7000 (192.168.1.151) (DHCP disabled) on its LAN port. I created a virtual interface (wl0.1) with IP 192.168.3.1, but I can't seem to connect. I can only connect when I disconnect it from pfSense. I figured out that I needed to create a DHCP pool in pfSense. But my question is: do I keep the DD-WRT firewall on or off? And for 192.168.3.1 to work, can I still run this command and save it to the firewall? And if so, does this firewall make sure that a guest who connects to 192.168.3.1 cannot ping my server at 192.168.1.202?
Thank you
# Pick the WAN interface name (the PPPoE session interface when the WAN uses PPPoE):
if [ "`nvram get wan_proto`" = "pppoe" ]; then
wanif="`nvram get pppoe_ifname`"
else
wanif="`nvram get wan_ifname`"
fi
# Make sure br1 has access to the internet:
iptables -I INPUT -i br1 -m state --state NEW -j logaccept
iptables -I FORWARD -i br1 -o $wanif -m state --state NEW -j ACCEPT
# Keep the two wireless networks from talking to each other:
iptables -I FORWARD -i br0 -o br1 -j logdrop
iptables -I FORWARD -i br1 -o br0 -j logdrop
# Keep br1 from accessing the router:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Keep the r7000 connected to the PFSENSE box by way of one of its LAN ports. The DD-WRT firewall settings are a non-issue, as they mediate the WAN port, which you won't be using.
Let PFSENSE manage DHCP for your xxx.xxx.1.xxx network. Make sure your xxx.xxx.1.151 address (the r7000) is excluded from the pool.
Make sure the r7000 is configured as a wireless access point. Setup, Wan Connection: disabled; Advanced Routing, Operating Mode: Router.
If you haven't already, put wl0.1 on its own bridge (br1) on your r7000 (Setup->Networking).
Activate DNSMasq on the R7000 and have it handle DHCP and DNS using the Google public DNS servers for your guest wireless. Use these additional DNSMasq commands under Services:
That tells DNSMasq to service br1 only (where you should have put guest wireless), to hand out short 3-hour DHCP leases in the 100 to 200 range on the guest network, and to tell clients on the guest network to use the Google public DNS servers.
Then you have to use the WAP specific approach to the firewall script (I think that's the problem with your script). Try this:
# Keep guest network from reaching main LAN devices.
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# NAT so the guest network can access the internet:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# Keep the guest network users from getting at the r7000:
iptables -I INPUT -i br1 -m state --state NEW -j DROP
# But let the guest network hit the DHCP and DNS ports:
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
This is the best / easiest way to get the "walled off" guest network, so far as I can tell. There are probably other approaches, but they would likely require a lot of playing with IPTABLES so that the guest network could use the PFSense box while not being able to play with the main network.
Thank you so much for your reply. So if I understood correctly, the guest network can work with 192.168.3.1, and the r7000 would manage DHCP for the guest network? I created a guide to bridge virtual adapters; if you want to take a look at it or give your feedback, I would be very grateful. I will let you know how it goes and keep you updated.
So your guide worked perfectly, but on the guest network I cannot get internet. The good thing is now I'm getting DHCP, but I think the firewall rule for internet does not seem to be working. I was wondering if there's another way?
I was looking at the iptables rule:
# NAT so the guest network can access the internet:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Wouldn't it be br1 instead of br0?
Because the rest seems to be working great;
I can see the DNS when I run the command ipconfig /all.
Thank you again
Check two things and get back to us:
1) Is your virtual wireless interface (wl0.1) for the wireless guest net set to "bridged" or "unbridged" in the network configuration?
2) Can you run "iptables --list" from Admin/Commands/Command Shell and copy/paste the "INPUT" and "FORWARD" chains from the result of that command here?
That should work. The NAT command does need to refer to br0 because that's where packets on their way back from the net will be showing up, and with the virtual network bridged to it it ought to work. Your config is just like mine and mine works, with the only difference being that I use another DD-WRT router as my gateway instead of PFSENSE.
Which means maybe we have something going on with that box.
Did you try to define a static route to the guest network subnet on the PFSENSE machine or something? If so, don't. Make sure the PFSENSE box is doing NOTHING at all regarding the guest network. NADA. Zilch.
Beyond that I will have to step back and let one of the true networking gurus show up and help with this one.
Final note: Under Setup/Networking you do NOT need to set up multiple DHCP servers. Take that out. DNSMasq and the command set you put in there are handling DHCP and DNS for the br1 guest network. You don't need (and probably don't want) DHCPD trying to jump in the swimming pool, too.
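A way to check the two chains that the reply above asks for without eyeballing them, as an added example that is not part of the original thread: a small Python auditor that parses `iptables -L -v -n` output (the `-v` flag is what makes the in/out interface columns appear; plain `iptables --list` hides them) and verifies that the guest-isolation rules from the earlier firewall script are present and in a usable order. Because `iptables -I` inserts at the top of a chain, the DHCP/DNS ACCEPT rules inserted after the blanket `br1` DROP end up above it; if they were appended instead, the DROP shadows them and guests get no lease. The two listings, the LAN CIDR 192.168.1.0/24 and the `br1` bridge name are constructed/assumed for the example.

```python
"""Audit the INPUT and FORWARD chains of a DD-WRT guest-network firewall.

Parses `iptables -L -v -n` output and checks that the guest bridge br1 is
walled off the way the thread's firewall script intends:
  * FORWARD: new traffic entering on br1 toward the main LAN subnet is dropped
  * INPUT:   new connections from br1 to the router are dropped, but the
             DHCP (udp/67) and DNS (udp/53, tcp/53) accepts sit ABOVE that drop
"""
import re

GUEST_IF = "br1"  # assumed: the bridge the guest wl0.1 interface was put on

# Constructed sample in the `iptables -L -v -n` layout, as the chains look after
# the answer's script ran with lan_ipaddr 192.168.1.151 / lan_netmask 255.255.255.0.
SAMPLE_GOOD = """\
Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 ACCEPT     tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
   40  2800 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    5  1640 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    2   120 DROP       all  --  br1    *       0.0.0.0/0            0.0.0.0/0            state NEW

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   540 DROP       all  --  br1    *       0.0.0.0/0            192.168.1.0/24       state NEW

Chain OUTPUT (policy ACCEPT 30 packets, 4200 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Constructed sample of a common mistake: the DHCP/DNS accepts were appended
# (-A) instead of inserted, so the blanket DROP shadows them, and the FORWARD
# drop toward the LAN is missing altogether.
SAMPLE_BAD = """\
Chain INPUT (policy ACCEPT 12 packets, 960 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   120 DROP       all  --  br1    *       0.0.0.0/0            0.0.0.0/0            state NEW
    0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:67
    0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
    0     0 ACCEPT     tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) ")


def parse_chains(text):
    """Return {chain_name: [rule, ...]}; each rule is a dict of the listing's columns."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        cols = line.split()
        if current is None or len(cols) < 9 or cols[0] == "pkts":
            continue  # column header, blank line, or text outside a chain
        chains[current].append({
            "target": cols[2], "proto": cols[3], "in": cols[5], "out": cols[6],
            "src": cols[7], "dst": cols[8], "extra": " ".join(cols[9:]),
        })
    return chains


def audit(listing, lan_cidr):
    """Return a list of findings; an empty list means the guest net is walled off as intended."""
    chains = parse_chains(listing)
    findings = []
    inp = chains.get("INPUT", [])
    # Index of the rule that drops new guest connections to the router itself.
    drop_idx = next((i for i, r in enumerate(inp)
                     if r["target"] == "DROP" and r["in"] == GUEST_IF
                     and r["proto"] in ("all", "0")), None)
    if drop_idx is None:
        findings.append("INPUT: no rule dropping new connections from %s to the router" % GUEST_IF)
    for proto, port in (("udp", 67), ("udp", 53), ("tcp", 53)):
        idx = next((i for i, r in enumerate(inp)
                    if r["target"] == "ACCEPT" and r["in"] == GUEST_IF
                    and r["proto"] == proto and r["extra"].endswith("dpt:%d" % port)), None)
        if idx is None:
            findings.append("INPUT: %s/%d from %s is not accepted (DHCP/DNS will fail)"
                            % (proto, port, GUEST_IF))
        elif drop_idx is not None and idx > drop_idx:
            findings.append("INPUT: %s/%d accept sits below the %s DROP and is shadowed"
                            % (proto, port, GUEST_IF))
    fwd = chains.get("FORWARD", [])
    if not any(r["target"] == "DROP" and r["in"] == GUEST_IF and r["dst"] == lan_cidr for r in fwd):
        findings.append("FORWARD: nothing drops traffic from %s toward the LAN %s" % (GUEST_IF, lan_cidr))
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, audit(sample, "192.168.1.0/24") or ["ok"])
```

On a router, pipe the real listing in with `iptables -L -v -n | python audit.py` after replacing the constructed samples with `sys.stdin.read()`; the LAN CIDR argument should be the network that `nvram get lan_ipaddr`/`nvram get lan_netmask` resolves to, since iptables prints the destination normalized to that form.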
So I deleted the multiple DHCP to try it out, and nothing.
Then I added the line you told me, so it looks like this:
# Keep guest network from reaching main LAN devices.
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# NAT so the guest network can access the internet:
iptables -t nat -I POSTROUTING -s 192.168.3.0/24 -j SNAT --to `nvram get lan_ipaddr`/`nvram get lan_netmask`
# Keep the guest network users from getting at the r7000:
iptables -I INPUT -i br1 -m state --state NEW -j DROP
# But let the guest network hit the DHCP and DNS ports:
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
And nothing.
But thank you so much; at least now I'm getting DHCP. All I need is internet, which is something with the firewall commands. Quick question: so you're running one DD-WRT as the gateway, connected to another DD-WRT as a router? Right now that's how I have it.