question: how to create isolated wifi from the LAN?

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
callisto96
DD-WRT Novice


Joined: 08 Apr 2012
Posts: 2

PostPosted: Thu Apr 12, 2012 6:41    Post subject: question: how to create isolated wifi from the LAN? Reply with quote
hi all,
I would like to know if there is a way for me to broadcast 2 SSIDs from my router one will be called "Main" and the other "secondary".

the "Main" should give full access to the network and internet.

the "secondary" should only give access to the internet but without any access to the LAN.

this way someone who gets access to "main" will see all my computers on the network but someone who accesses "secondary" will be able to access the internet but will not be able to see my computers that are on the LAN.

I found how to add a second SSID and I tried "wifi isolation" but it only isolated the client from other wifi clients and not from the LAN.

I searched the forums and the wiki but I couldn't find something like this.

hope someone knows how to do it...
Thanks in advance,
David.

Tech info:
my router is "D-Link DIR-300 A1" using V24 preSP2 [beta] build 13064 of dd-wrt
routvol
DD-WRT User


Joined: 02 Feb 2009
Posts: 74

PostPosted: Thu Apr 12, 2012 8:46    Post subject: Reply with quote
i am not sure but since wlan1 has a defined ip range and wlan2 has a defined ip range you could use iptables.

drop all packets from wlan2 with a destination outside of your network.
drop all packets from wlan1 with a destination of your network and allow all others.
callisto96
DD-WRT Novice


Joined: 08 Apr 2012
Posts: 2

PostPosted: Thu Apr 12, 2012 9:12    Post subject: Reply with quote
routvol wrote:
i am not sure but since wlan1 has a defined ip range and wlan2 has a defined ip range you could use iptables.

drop all packets from wlan2 with a destination outside of your network.
drop all packets from wlan1 with a destination of your network and allow all others.


how do I do that ?
routvol
DD-WRT User


Joined: 02 Feb 2009
Posts: 74

PostPosted: Thu Apr 12, 2012 9:46    Post subject: Reply with quote
here are some links where you can start from:
http://www.dd-wrt.com/wiki/index.php/Iptables_command
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch14_:_Linux_Firewalls_Using_iptables

good luck
Big_T
DD-WRT Novice


Joined: 22 Nov 2010
Posts: 7
Location: Ohio

PostPosted: Sun Apr 15, 2012 22:05    Post subject: Reply with quote
I'm doing something similar on my network, and here's what worked for me:

Wireless -> Basic Settings -> Add Virtual Interface
- Make sure you select Bridged Mode here
- I have AP Isolation disabled

Setup -> Networking -> Bridging -> Add (button)
- Name: br1
- STP: off (unless you need it for WDS)
- IP Address/Mask - select an IP address not in the range of your LAN, e.g. my LAN is 192.168.155.0/24, so here I used 192.168.40.1/24
- Apply Settings

Setup -> Networking-> Assign to Bridge -> Add (button)
- Select br1 from the first drop-down list
- Select wl0.1 from the second drop down list
- Don't mess with the priority
- Apply Settings

-- Begin DHCP config --
If you're running DHCP on your router, then:
Setup -> Networking -> DHCPd -> Multiple DHCP Server -> Add
- Configuration is straight-forward
- Apply settings

If you're running DHCP on another device (not this router):
Services-> DNSMasq
- DISABLE (I could not get dnsmasq to work on this page)
- Apply Settings

Administration -> Commands
- Add the following to your startup script, replacing the x's with the information for your secondary network:

dnsmasq -i br1 --dhcp-range=br1,192.168.x.100,192.168.x.149,255.255.255.0,24h --dhcp-option=br1,3,192.168.x.1 --dhcp-option=br1,6,8.8.8.8,8.8.4.4
-- End DHCP config --

To block the secondary network traffic from accessing your LAN, add the following to your firewall script. Replace x's with the numbers for your secondary network and y's with numbers from your LAN:

# Router itself: drop everything from the secondary WLAN except ICMP (ping, for troubleshooting)
iptables -A INPUT -p ! icmp -s 192.168.x.0/24 -j DROP
# Secondary WLAN -> LAN: drop
iptables -A FORWARD -s 192.168.x.0/24 -d 192.168.y.0/24 -j DROP
# Secondary WLAN -> anywhere else: accept (the target is ACCEPT; FORWARD is a chain, not a valid jump target)
iptables -A FORWARD -s 192.168.x.0/24 -d ! 192.168.y.0/24 -j ACCEPT

The first rule blocks all traffic except ICMP from your secondary WLAN destined for your router. This allows devices on the secondary network to ping the router, important for troubleshooting. Once you're up and running and stable you can take it out.

The next line says block all traffic from the secondary network destined for your LAN

The third line says allow all traffic from your secondary network NOT destined for your LAN

The only other thing you'll have to do is configure your firewall script to NAT traffic sourced from the secondary network, which I'm not sure how to do (I'm doing natting on a m0n0wall device)
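A complete firewall script for the bridged-guest-WLAN setup described in this thread, added here as an example and not taken from any poster or from the DD-WRT wiki. It matches on the guest bridge interface (br1) rather than on the source subnet, so a guest client that sets itself a LAN address still cannot reach the LAN, it limits what guests may talk to on the router itself (DHCP, DNS, ping), and it includes the NAT step Big_T left open. The interface names br1 and vlan1 and the two subnets are assumptions; check yours on the router before applying.

```shell
#!/bin/sh
# Constructed example for Administration -> Commands -> "Save Firewall" on DD-WRT.
# Assumed names: guest bridge br1 = 192.168.40.0/24, LAN = 192.168.155.0/24, WAN = vlan1.
GUEST_IF=br1
GUEST_NET=192.168.40.0/24
LAN_NET=192.168.155.0/24
WAN_IF=vlan1
IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of applying them

guest_firewall() {
    # Private chains; creating them is harmless if they already exist, then empty them
    $IPT -N guest_in 2>/dev/null
    $IPT -F guest_in
    $IPT -N guest_fwd 2>/dev/null
    $IPT -F guest_fwd
    # Hook the chains at the top of INPUT/FORWARD; delete first so re-runs do not stack copies
    $IPT -D INPUT -i "$GUEST_IF" -j guest_in 2>/dev/null
    $IPT -I INPUT -i "$GUEST_IF" -j guest_in
    $IPT -D FORWARD -i "$GUEST_IF" -j guest_fwd 2>/dev/null
    $IPT -I FORWARD -i "$GUEST_IF" -j guest_fwd
    # Router itself: guests get DHCP, DNS and ping only; web UI, SSH, telnet etc. are dropped
    $IPT -A guest_in -p udp --dport 67 -j ACCEPT
    $IPT -A guest_in -p udp --dport 53 -j ACCEPT
    $IPT -A guest_in -p tcp --dport 53 -j ACCEPT
    $IPT -A guest_in -p icmp -j ACCEPT
    $IPT -A guest_in -j DROP
    # Forwarding: never into the LAN subnet, and only out through the WAN interface
    $IPT -A guest_fwd -d "$LAN_NET" -j DROP
    $IPT -A guest_fwd -o "$WAN_IF" -j ACCEPT
    $IPT -A guest_fwd -j DROP
    # NAT guest traffic leaving on the WAN side (omit if another device does the NAT)
    $IPT -t nat -D POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE 2>/dev/null
    $IPT -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

# Apply only when called with "apply", so the file can also be sourced just to define the function
if [ "${1:-}" = apply ]; then
    guest_firewall
fi
```

Run it once with `IPT=echo sh guest_fw.sh apply` to review the exact rule set before saving it as the firewall script; `iptables -L INPUT -v -n` afterwards should show the `guest_in` jump as the first rule.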
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Mon Apr 16, 2012 1:34    Post subject: Reply with quote
Just follow the Multiple WLAN guide on the wiki.
_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)