Posted: Sun Sep 27, 2015 23:45 Post subject: Multiple WLANs problem
I have two wireless SSIDs in the 2.4ghz spectrum. I want to split them up.
I have made a bridge (br1), assigned ath0.1 to the br1, and set up dhcp (or so I think).
When I connect to the guest network (ath0.1), I am not getting an IP address. Notice the second screenshot -- at the bottom, it says "Multiple DHCP Server
Interface ath0.1: IP 0.0.0.0/0.0.0.0". That's not right! It should look more like this pic --> http://alexlaird.com/content/uploads/2013/03/bridge-dhcp.png
I'm guessing you added the bridge, applied, then tried to set the IP and add the DHCP server all in one go. The bridge needs to have its IP before DHCP is added to it. Basically, the IP shows as 0.0.0.0 because that's what it was when the DHCP server was added to the bridge. Delete your DHCP, apply settings, then add it again, set it to br1, and apply again. It should be good.
Thanks for the information! Since my original post, I messed up my config and had to do a 30-30-30 reset. Lost my VPN info, but oh well...
Anyways, I added the DHCP server after creating the bridge and specifying its IP and subnet mask. It's now handing out IP addresses! That's a big step forward. Only problem now is I don't have internet access. Do I need any rules or IPtables commands to enable that?
More info: I can ping the router (192.168.11.1) from the 192.168.12.xxx subnet, but not hosts attached to the router (like 192.168.11.140). If I change to the regular wifi connection (ath0), I can ping everything just fine and have internet.
Are you trying for one SSID with VPN and one without? I did this for a not so tech savvy friend a while back and it worked out very well. It's super easy for the end user.
That did the magic! It can access the WAN. Just one more thing and I'll be a happy camper: I want to access 192.168.12.xxx hosts from LAN and ath0 WLAN. (From 192.168.12.121, I can't ping 192.168.11.xxx hosts.) Any thoughts on how to enable that? _________________ Stephen
Need a LitlURL? http://CodeBin.yi.org
I took a look at that link. Lots of good info! From what I read in other tutorials, once you separate subnets in the WLANs, traffic still flows between the bridges. That doesn't happen in my case. I'm glad the internet now works, but nothing (or very little) flows between the bridges (i.e. from LAN & br0 to br1).
The 'Multiple WLANs' page talks about 'Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)'.
What I want to do is allow br0 to access br1. I want hosts on br0 to have full access to hosts on br1. And I don't want traffic initiated by br1 to flow to br0. I hope this makes sense.
Here's my firewall script so far:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT
The weird explanation behind this is: I'm hoping to get an 'energy bridge' that will interface between my electrical meter and my LAN. My smartphone (on br0) will get real-time info from this energy bridge (connected wirelessly over br1).
I don't trust any internet-connected device on my home network that I can't control.
Any thoughts on how to allow traffic initiated from br0 to get to br1 and back (ping, HTTP connections, etc)? _________________ Stephen
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
Try this. It should allow connection to br1 initiated by br0, but not the other way around. Test with trusted clients first, as I haven't personally done this.
Also note that it likely won't show up in a list of network devices, since it's on a different subnet. You'll probably need to manually enter the IP address.
Can ping 192.168.11.1 (router)
Can ping and tracert 192.168.12.1 (router)
Problem: Cannot ping or tracert 192.168.12.121 (host on br1)
From 192.168.12.xxx (br1):
Can ping 192.168.12.1 (router)
Can ping 192.168.11.1 (router)
Cannot ping or tracert 192.168.11.140 (host on br0)
mwbuss8 wrote:
Also note that it likely won't show up in a list of network devices, since it's on a different subnet. You'll probably need to manually enter the IP address.
Tried navigating in explorer from br0 to \\192.168.12.121 and no success yet.
So something is still missing. I've read many people having the same problem on different forums but haven't run into a solution yet. I hope we can figure it out! I appreciate your time, mwbuss8! _________________ Stephen
Another question, being a web-connected meter, does it need local network access at all, or just internet access?
I'm not sure if it needs access to the world wide web or not. The main benefit is for me to get real-time data on my phone through my network.
Already accomplished: I'd like to keep it partitioned so it doesn't have access to my LAN devices.
I also want to keep my phone on my regular WLAN (br0), but get info from the energy device on br1.
BTW, I'll be testing those IPtables rules here in a few hours. I'll report back. Thanks! _________________ Stephen
The reason I ask is because br1 could have full access to br0 as long as it doesn't have WAN access, because it can't send anything out that way. We could fully open up communication between bridges and remove WAN access from br1.
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Save firewall. Try that.
Rebooted router with these firewall rules. Didn't work. No ping or traceroute between subnets.
mwbuss8 wrote:
The reason I ask is because br1 could have full access to br0 as long as it doesn't have WAN access, because it can't send anything out that way. We could fully open up communication between bridges and remove WAN access from br1.
That sounds like a plan. How would I go about this?
(Another question: I know my router doesn't do VLANs because it's Atheros, but would VLANs actually do what I was originally trying to do?) _________________ Stephen
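The two rulesets proposed in this thread (br0 may initiate to br1 but not the reverse; or cut br1 off from the WAN and let the bridges talk freely) both depend on rule order, and with `-I` every line lands above the previous one, which makes the final order easy to get backwards. The script below is an added example written for this thread, not code from the thread or from the DD-WRT project. It assumes the thread's interface names (br0 for the main LAN, br1 for the guest bridge), DD-WRT's `get_wanface` helper for the WAN interface name (the `eth0` fallback is only a placeholder for reading the script off-router), and a hypothetical user chain named `guestfw`. It uses MASQUERADE in place of the thread's SNAT-to-`wan_ipaddr` line so no `nvram` lookup is needed; either works. `GUEST_WAN=1` gives the first policy, `GUEST_WAN=0` the second.

```shell
#!/bin/sh
# Guest-WLAN firewall for DD-WRT (added example; br0 = main LAN bridge, br1 = guest bridge,
# as in the thread). Paste into Administration -> Commands and use "Save Firewall".
# GUEST_WAN=1: br1 gets internet but may not open connections into br0.
# GUEST_WAN=0: br1 gets no internet at all, so it may talk to br0 freely (the
#              "remove WAN access instead" approach suggested in the thread).
GUEST_WAN="${GUEST_WAN:-1}"
LAN_IF=br0
GUEST_IF=br1
# get_wanface is DD-WRT's helper for the WAN interface name; "eth0" is only a
# placeholder so the script can be reviewed off-router.
WAN_IF="${WAN_IF:-$(get_wanface 2>/dev/null || echo eth0)}"

# Off-router (no iptables on PATH) the rules are printed instead of applied, so the
# ruleset can be inspected before it ever touches a live firewall.
if command -v iptables >/dev/null 2>&1; then IPT=iptables; else IPT="echo iptables"; fi

guest_fw_rules() {
    # All policy lives in one chain; a single jump at the top of FORWARD runs it
    # before DD-WRT's own rules, so the -A order below is the evaluation order.
    $IPT -N guestfw 2>/dev/null
    $IPT -F guestfw
    $IPT -D FORWARD -j guestfw 2>/dev/null   # remove a stale jump so re-running is idempotent
    $IPT -I FORWARD 1 -j guestfw

    # 1. Replies to connections that were already allowed, in either direction.
    $IPT -A guestfw -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. LAN clients (the phone on br0) may open connections to guest devices.
    $IPT -A guestfw -i "$LAN_IF" -o "$GUEST_IF" -m state --state NEW -j ACCEPT
    if [ "$GUEST_WAN" = 1 ]; then
        # 3a. Guest devices may reach the internet but never initiate into the LAN.
        $IPT -A guestfw -i "$GUEST_IF" -o "$LAN_IF" -j DROP
        $IPT -A guestfw -i "$GUEST_IF" -o "$WAN_IF" -m state --state NEW -j ACCEPT
    else
        # 3b. Guest devices are cut off from the internet; the LAN is then the only
        #     place their traffic can go, so it is allowed.
        $IPT -A guestfw -i "$GUEST_IF" -o "$WAN_IF" -j DROP
        $IPT -A guestfw -i "$GUEST_IF" -o "$LAN_IF" -m state --state NEW -j ACCEPT
    fi
    # Anything not matched above returns to DD-WRT's default FORWARD rules.

    # NAT for the guest subnet (MASQUERADE instead of the thread's SNAT line, so no
    # nvram lookup is needed) and the same MSS clamp the thread's scripts use.
    $IPT -t nat -I POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
}

guest_fw_rules
```

Two checks worth doing alongside the rules. First, this script only governs forwarding between bridges; what guest clients may ask the router itself for (DHCP, DNS, the admin GUI) is decided by the INPUT chain and is untouched here. Second, the symptom in the thread, where the router answers pings from the other subnet but hosts behind it do not, is also exactly what a host firewall produces when its inbound ICMP rule is scoped to the local subnet (the Windows default), so test against a host whose own firewall is known to allow off-subnet traffic before concluding the router rules are wrong.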