Posted: Sun Apr 27, 2014 18:26 Post subject: Yet another multiple WLAN/Guest access point thread :)
Hi all, starting this thread on the recommendation of another member, hopefully he will find it
I am trying to set up a completely isolated 'Guest' wireless access point that does not have access to other network shares/resources etc on the cabled side.
My main modem is a D-Link DSL-2740R (DHCP controller with IP range 192.168.0.x) connected to this via cable is a Linksys WRT54GL v1.1 running DD-WRT v24-sp2 (08/12/10) std - build 14929 (IP range 192.168.1.x)
And I have set the VAP to use IP range 192.168.10.x
I have used the guides below all with the same result (30/30/30 reset in between each attempt) everything works except the VAP still has access to all resources on the LAN and other IP ranges
I've been at this everyday since my post and starting to think its a problem with the firewall rules, I'm using the howtogeek guide from my post above, the rules are as follows
The top 2 are to prevent guest access to the LAN (my goal here) and the bottom 4 are to remove guest access to the dd-wrt router, now the reason I think it's a problem here is because the bottom 4 rules work, no access of any kind to the router, it's just anyone connect to the guest access point (192.168.10.x) still has access to all shares etc on 192.168.0.x side of the network ???
Thanks newnews but no change, I added your line to the top of the list, rebooted the router and can access all shares at 192.168.0.x while on the 'Guest' wifi (192.168.10.x) ?
My advice would be to follow my instructions again and if you are connecting to the Guest wifi and not obtaining an IP address lease, statically assign one to you NIC in the 192.168.10.X subnet with all the needed info and then see if you can 1) get out on the Internet and 2) access the 192.168.0.x subnet. By doing this you would be able to isolate the problem down to DHCP on the Guest wifi (br1) not working. There are multiple ways to set up DHCP and you could then work around that problem. That's what I would do.
Thanks 80sguitartist will try at the weekend and report back, but I find it amazing it's this hard to achieve something that seems so simple, surly there is a simple rule that will just drop all traffic to the 4 Ethernet ports on the back of the router or even drop all traffic to 192.168.0.x addresses ???
Yeah I know. You think it would be easier but just think of this:
I've seen tons of routers with stock firmware from Cisco/Linksys, Belkin, Engenius, etc and a lot of them let a user configure "Guest" access to have multiple SSIDs. I have no freaking idea what the point of it is. Reason, they do nothing at all to prevent users from one "private" lan to get access to another "guest". They are pointless. You still get an IP on the same subnet and with the exception of AP Isolation (pointless with LAN connections) you can come right across the network and see other wired devices. Again, pointless. DD-WRT does the same thing UNLESS you set up the iptable firewall scripts. You can't do that with stock firmware which is why DD-WRT kicks butt in that area.
So while it can be a pain in the butt, at least it can be done. Sorry you're having such a hard time.
Yeah I know. You think it would be easier but just think of this:
I've seen tons of routers with stock firmware from Cisco/Linksys, Belkin, Engenius, etc and a lot of them let a user configure "Guest" access to have multiple SSIDs. I have no freaking idea what the point of it is. Reason, they do nothing at all to prevent users from one "private" lan to get access to another "guest". They are pointless. You still get an IP on the same subnet and with the exception of AP Isolation (pointless with LAN connections) you can come right across the network and see other wired devices. Again, pointless. DD-WRT does the same thing UNLESS you set up the iptable firewall scripts. You can't do that with stock firmware which is why DD-WRT kicks butt in that area.
So while it can be a pain in the butt, at least it can be done. Sorry you're having such a hard time.
All true, and you can go quite a bit farther than that. For example, I have one DD-WRT router (an old Buffalo WHR-HP-G54 running 14929) with two SSID's - one main, one guest. The router is running as an access point, and does VLAN tagging with all packets. A smart switch controls the access of the two VLANs to various network resources such as a printer and private file server, and both VLANs have access to the Internet through a second router running DD-WRT build 23919 (each VLAN with its own subnet) -- this one an Asus n66u gigabit router.
This sort of setup is convenient both for flexibility and for the fact that good WiFi coverage for my house is best done from the main level, but network routing needs to be done from the basement. DD-WRT lets it work.
My advice would be to follow my instructions again and if you are connecting to the Guest wifi and not obtaining an IP address lease, statically assign one to you NIC in the 192.168.10.X subnet with all the needed info and then see if you can 1) get out on the Internet and 2) access the 192.168.0.x subnet. By doing this you would be able to isolate the problem down to DHCP on the Guest wifi (br1) not working. There are multiple ways to set up DHCP and you could then work around that problem. That's what I would do.
Tried static IP address no internet or access to local network?
One I don't understand from the howtogeek guide is the firewall line
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
I tested on mine setup. If I connect to guest network(I use 172.16.0.x), I am not able to access the shares on other PC connected to private network. However, only exception is I am able to access the share on the router itself(i.e. USB drive attached to the router). I still cannot figure out how to disable it.
80sguitartist wrote:
My advice would be to follow my instructions again and if you are connecting to the Guest wifi and not obtaining an IP address lease, statically assign one to you NIC in the 192.168.10.X subnet with all the needed info and then see if you can 1) get out on the Internet and 2) access the 192.168.0.x subnet. By doing this you would be able to isolate the problem down to DHCP on the Guest wifi (br1) not working. There are multiple ways to set up DHCP and you could then work around that problem. That's what I would do.
Last edited by newnews on Sat May 03, 2014 3:44; edited 1 time in total
WOW thanks rizla7 that's a lot to take in now I have some questions, and my knowledge here is vague to bare with me please
1. You say that's a pretty old build, I think it is the recommended build from the Peacock Thread (assuming I have read it correctly and the thread is up to date) is there a better build?
2. My understanding of double nat is exactly what i'm trying to achieve, I want one part of the network on 192.168.0.x and the guest wifi from the wrt54gl (plugged into the d-link modem via cable) on 192.168.10.x, but the two are bridged? correct? so they can communicate, so I just want the two unbridged?
So my double nat works when I follow the howtogeek guide to the extent that we have internet and can see all shares on 192.168.0.x but I just want internet from the wrt54gl and all shares securely blocked from guest access.
It's 80sguitartist's guide where I get no internet or access to any shares.
And question 3, is it possible that 100's or possibly 1000's of people have followed the howtogeek or one the other guides in my first post and are blissfully unaware that the guest access point is not actually doing its job correctly?
It's been a long night but seem to have made some progress and looking for opinions, right here goes first I followed the howtogeek guide from my first post, then did the 'Assign to bridge' part of this guide,
http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
and then from the same guide made a firewall script that looks like this
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
and it seems to have worked, I can't access any resources on the 192.168.0.x side of things, even a website running at 192.168.0.50 am I missing anything here or have I finally cracked it?
Finally got it working, and yes it works after re-boot and power cycle, been up and running for well over a week now, my firewall script looks like this,
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
am I missing anything here or have I finally cracked it?