bumgarb DD-WRT Novice
Joined: 01 Jul 2013 Posts: 7
Posted: Mon Sep 08, 2014 0:51 Post subject: RT-N66U guest network and NAT issues
I have an RT-N66U running kong 24200M. This is the first fork/build that has gotten as close to my need after having tried about a half dozen forks and many more builds.
The problem I'm currently having is that if I use Kong's method for guest networks, my Xbox One on my non-guest network lists my NAT status as STRICT. I can't get this to go away (reboots, forwarding, etc. have been tried).
If I set up the guest network the old way, then after about 4 hours the 2.4GHz guest network stops allowing connections. The network is still visible but guests get authentication errors. If I just reboot the router, it still doesn't work, but if I "edit" the firewall rules (simply put in a space, delete the space and save) then the guest network allows connections again. Here are the firewall rules I'm using for this method.
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
#iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
Obviously, editing the firewall every 4 hours or so won't work. (using the old method)
Having the primary network NAT STRICT won't work. (using Kong's method)
Can someone walk me through what I may be doing wrong?
Some additional info:
I have some old WRT54Gs laying around that I could use for the guest network, but I don't know how to securely isolate that and still allow Internet and administration (just plugging into the WAN of those doesn't seem like real security).
I've tried a lot of builds, most of which didn't get nearly as close as Kong 24200M for my needs.
For now, I need both 2.4GHz 802.11g and 5GHz 802.11n for primary network.
Again the guest is 2.4GHz 802.11g.
I use static DHCP, UPnP (preferred) or Forwarding (if needed), QoS.
Eventually I want to start using the 40MHz width for 5G and add in IPv6, so if I need to move to some new hardware, suggestions are welcome.
Or if you can direct me to some good info on setting up IPv6 and that fixes the NAT, I'm cool with that.
Thanks for any info!
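An added example, not from the post above or from DD-WRT: a small Python simulation of where each `iptables -I` in the posted rule set lands in its chain, so the effective evaluation order (isolation DROPs ahead of the br1 ACCEPT) can be checked before the rules are applied to a router. The interface name, WAN address and netmask are constructed stand-ins for the backtick substitutions.

```python
# Added example (not from the post): `-I` inserts at the head of a chain, so
# the last rule typed is evaluated first; this simulates the resulting order.
import shlex

# Constructed stand-ins for `get_wanface` and `nvram get wan_ipaddr/wan_netmask`.
WANFACE, WAN_IP, WAN_MASK = "vlan2", "203.0.113.7", "255.255.255.0"

GUEST_RULES = f"""
iptables -t nat -I POSTROUTING -o {WANFACE} -j SNAT --to {WAN_IP}
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d {WAN_IP}/{WAN_MASK} -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
"""

def build_chains(script):
    """Return {(table, chain): [rule, ...]} in final evaluation order."""
    chains = {}
    for line in script.strip().splitlines():
        argv = shlex.split(line, comments=True)  # '#...' lines become empty
        if not argv:
            continue
        table = argv[argv.index("-t") + 1] if "-t" in argv else "filter"
        flag = "-I" if "-I" in argv else "-A"
        i = argv.index(flag)
        chain, rule = argv[i + 1], " ".join(argv[i + 2:])
        lst = chains.setdefault((table, chain), [])
        lst.insert(0, rule) if flag == "-I" else lst.append(rule)
    return chains

def first_match(rules, *needles):
    """Position of the first rule containing every needle, or -1."""
    return next((i for i, r in enumerate(rules) if all(n in r for n in needles)), -1)

def guest_isolated(chains):
    """True when all isolation DROPs run before the br1 NEW ACCEPT and the router refuses new br1 connections."""
    fwd = chains[("filter", "FORWARD")]
    accept = first_match(fwd, "-i br1", "-j ACCEPT")
    drops = [first_match(fwd, "-i br1 -o br0", "-j DROP"),
             first_match(fwd, "-i br0 -o br1", "-j DROP"),
             first_match(fwd, f"-d {WAN_IP}/{WAN_MASK}", "-j DROP")]
    inp = chains[("filter", "INPUT")]
    router_blocked = first_match(inp, "-i br1", "--state NEW -j DROP") >= 0
    return accept >= 0 and all(0 <= d < accept for d in drops) and router_blocked
```

Swapping `-I` for `-A` in the same script reverses the FORWARD order and the check fails, which is why the posted rules rely on insertion rather than append.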