RT-N66U guest network and NAT issues

bumgarb
DD-WRT Novice


Joined: 01 Jul 2013
Posts: 7

PostPosted: Mon Sep 08, 2014 0:51    Post subject: RT-N66U guest network and NAT issues
I have an RT-N66U running kong 24200M. This is the first fork/build that has gotten as close to my need after having tried about a half dozen forks and many more builds.

The problem I'm currently having is that if I use Kong's method for guest networks, my Xbox One on my non-guest network lists my NAT status as STRICT. I can't get this to go away (reboots, forwarding, etc. have been tried).

If I set up the guest network the old way, then after about 4 hours the 2.4GHz guest network stops allowing connections. The network is still visible, but guests get authentication errors. If I just reboot the router, it still doesn't work, but if I "edit" the firewall rules (simply put in a space, delete the space and save) then the guest network allows connections again. Here are the firewall rules I'm using for this method.
Code:

# NAT everything leaving the WAN interface to the WAN address
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
#iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT
# Note: -I prepends, so later lines are evaluated before earlier ones
# Allow new connections from the guest bridge (br1) out to the Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Block new connections between guest (br1) and primary LAN (br0) in both directions
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
# Block guests from reaching the WAN-side subnet
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
# Block guests from reaching the router itself, except DHCP and DNS
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT


Obviously, editing the firewall every 4 hours or so won't work (using the old method).
Having the primary network NAT STRICT won't work (using Kong's method).

Can someone walk me through what I may be doing wrong?


Some additional info:
I have some old WRT54Gs lying around that I could use for the guest network, but I don't know how to securely isolate that and still allow Internet and administration (just plugging into the WAN of those doesn't seem like real security).
I've tried a lot of builds, most of which didn't get near as close as Kong 24200M for my needs.
For now, I need both 2.4GHz 802.11g and 5GHz 802.11n for primary network.
Again the guest is 2.4GHz 802.11g.
I use static DHCP, UPnP (preferred) or Forwarding (if needed), QoS.

Eventually I want to start using the 40MHz width for 5G and add in IPv6, so if I need to move to some new hardware, suggestions are welcome.
Or if you can direct me to some good info on setting up IPv6 and that fixes the NAT, I'm cool with that.

Thanks for any info!
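A small model of the FORWARD/INPUT rules from the post, added here to show what the chain actually decides for a new connection once `-I` (prepend) ordering is taken into account; this is an illustration, not DD-WRT or Kong code. It assumes br0 is the primary LAN, br1 the guest bridge, vlan2 the WAN interface, 10.0.0.0/24 as a constructed value for `wan_ipaddr/wan_netmask`, and a DROP chain policy when nothing matches.

```python
import ipaddress

WAN_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed wan_ipaddr/wan_netmask

# (chain, match, target) in the order the lines appear in the firewall script.
RULES = [
    ("FORWARD", {"in": "br1", "state": "NEW"}, "ACCEPT"),
    ("FORWARD", {"proto": "tcp", "syn": True}, "TCPMSS"),  # non-terminating
    ("FORWARD", {"in": "br1", "out": "br0", "state": "NEW"}, "DROP"),
    ("FORWARD", {"in": "br0", "out": "br1", "state": "NEW"}, "DROP"),
    ("FORWARD", {"in": "br1", "dst_net": WAN_NET, "state": "NEW"}, "DROP"),
    ("INPUT", {"in": "br1", "state": "NEW"}, "DROP"),
    ("INPUT", {"in": "br1", "proto": "udp", "dport": 67}, "ACCEPT"),
    ("INPUT", {"in": "br1", "proto": "udp", "dport": 53}, "ACCEPT"),
    ("INPUT", {"in": "br1", "proto": "tcp", "dport": 53}, "ACCEPT"),
]


def new_conn(in_if, dst, proto="tcp", dport=80, out_if=None):
    """Build the first packet (conntrack state NEW) of a connection."""
    return {"in": in_if, "out": out_if, "proto": proto, "dport": dport,
            "dst": dst, "state": "NEW", "syn": proto == "tcp"}


def matches(match, pkt):
    """True when every match criterion of a rule applies to the packet."""
    for key, want in match.items():
        if key == "dst_net":
            if ipaddress.ip_address(pkt["dst"]) not in want:
                return False
        elif pkt.get(key) != want:
            return False
    return True


def verdict(chain, pkt, policy="DROP"):
    """First terminating match wins. Because every rule was added with -I,
    the kernel sees them in reverse script order, hence reversed()."""
    for rule_chain, match, target in reversed(RULES):
        if rule_chain != chain or target == "TCPMSS":
            continue
        if matches(match, pkt):
            return target
    return policy  # assumed chain policy, not taken from the post
```

Running `verdict("FORWARD", new_conn("br1", "192.168.1.10", out_if="br0"))` gives DROP while the same guest packet bound for an Internet address via vlan2 gives ACCEPT, which is the isolation the rule set is meant to provide.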