[pksml]

I have two wireless SSIDs in the 2.4ghz spectrum. I want to split them up.

I have made a bridge (br1), assigned ath0.1 to the br1, and set up dhcp (or so I think).

When I connect to the guest network (ath0.1), I am not getting an IP address. Notice the second screenshot -- at the bottom, it says "Multiple DHCP Server
Interface ath0.1: IP 0.0.0.0/0.0.0.0". That's not right! It should look more like this pic --> http://alexlaird.com/content/uploads/2013/03/bridge-dhcp.png

Can anybody figure out what's wrong? Thanks!

[mwbuss8]

I'm guessing you added the bridge, applied, then tried to set the IP and add the DHCP server all in one go. The bridge needs to have it's IP before DHCP is added to it. Basically, the IP shows as 0.0.0.0 because that's what it was when the DHCP server was added to the bridge. Delete your DHCP, apply settings, then add it again, set it to br1, and apply again. It should be good.

[pksml]

Thanks for the information! Since my original post, I messed up my config and had to do a 30-30-30 reset. Lost my VPN info, but oh well...

Anyways, I added the DHCP server after creating the bridge and specifying its IP and subnet mask. It's now handing out IP addresses! That's a big step forward. Only problem now is I don't have internet access. Do I need any rules or IPtables commands to enable that?

More info: I can ping the router (192.168.11.1) from the 192.168.12.xxx subnet, but not hosts attached to the router (like 192.168.11.140). If I change to the regular wifi connection (ath0), I can ping everything just fine and have internet.

[mwbuss8]

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

Save firewall.

This page is worth reading through http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

Are you trying for one SSID with VPN and one without? I did this for a not so tech savvy friend a while back and it worked out very well. Its super easy for the end user.

[pksml]

That did the magic! It can access the WAN. Just one more thing and I'll be a happy camper: I want to access 192.168.12.xxx hosts from LAN and ath0 WLAN. (From 192.168.12.121, I can't ping 192.168.11.xxx hosts.) Any thoughts on how to enable that?

[mwbuss8]

Firewall commands for communication between bridges are in the link from my previous post. As I said, its worth reading through.

[pksml]

I took a look at that link. Lots of good info! From what I read in other tutorials, once you separate subnets in the WLANs, traffic still flows between the bridges. That doesn't happen in my case. I'm glad the internet now works, but nothing (or very little) flows between the bridges (i.e. from LAN & br0 to br1).

The 'Multiple WLANs' page talks about 'Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)'.

What I want to do is allow br0 to access br1. I want hosts on br0 to have full access to hosts on br1. And I don't want traffic initiated by br1 to flow to br0. I hope this makes sense

Here's my firewall script so far:

[mwbuss8]

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

Try this. It should allow connection to br1 initiated by br0, but not the other way around. Test with trusted clients first, as I haven't personally done this.

[mwbuss8]

Also note that it likely won't show up in a list of network devices, since its on a different subnet. You'll probably need to manually enter the IP address.

[pksml]

I tried those firewall rules and rebooted router.

From 192.168.11.xxx (br0):

Can ping 192.168.11.1 (router)
Can ping and tracert 192.168.12.1 (router)
Problem: Cannot ping or tracert 192.168.12.121 (host on br1)

From 192.168.12.xxx (br1):

Can ping 192.168.12.1 (router)
Can ping 192.168.11.1 (router)
Cannot ping or tracert 192.168.11.140 (host on br0)

[pksml]

Not sure if this helps anything, but here is the router's routing table:

[mwbuss8]

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br0 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

Save firewall. Try that. If it works, add this to the end of it, save, and try again.

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

Another question, being a web-connected meter, does it need local network access at all, or just internet access?

[pksml]

[mwbuss8]

The reason I ask is because br1 could have full access to br0 as long as it doesn't have WAN access because itncant send anything out that way. We could fully open up communication between bridges and remove WAN access from br1.

[pksml]