Joined: 05 Apr 2017 Posts: 981 Location: Louisiana, USA
Posted: Mon Sep 18, 2017 13:01 Post subject:
haxelmans wrote:
If I do not use NAT, then the guest users are in the same subnet. They can reach my NAS and server on the network.
That is no good. That is the reason I want them in a separate subnet.
FIRMWARE:OpenWrt SNAPSHOT r8217-2cc821e / LuCI Master (git-18.276.41146-280dd33) MODEM:ARRIS SURFBoard SB8200 ROUTER:Linksys WRT32X USB NAS:Western Digital BLACK 1 TB Hardrive + Startech USB 3.0 External SATA III Enclosure
This has been an interesting experience, to say the least.
DD-WRT 3.0 Build 33342
Router: WRT1900ACSv2
Interface 1 is 5GHz
Interface 2 is 2.4GHz
Setup: Router is doing everything: WiFi, DHCP, DNS (via DNSMasq). There are no other routers or WAP's.
To summarize my experiences thus far:
Added a VAP to Interface 2 with basic settings (bridged). The VAP SSID wasn't broadcast, and wasn't accessible.
Added a VAP to Interface 1. It was broadcast, but all WiFi (Int. 1&2) became unavailable. I restored from an earlier backup and was able to resume.
Added a VAP to interface 2 with all my settings (security, etc.)
Added another VAP to interface 2 with basic settings. The "Basic" VAP was visible, but the one I really wanted (the first one) was not. No way to delete the 1st VAP without first deleting the second.
Restored from backup once again, and rebooted.
So, I'm back to square one. I've read bits and pieces of what it takes to get a VAP running on recent builds when using DNSMasq for DHCP. You can't use the GUI interface to simply set up another DHCP range--it must be added through the DNSMasq configuration.
I've also read that if you want to isolate the guest network from your regular WAP's, you need to configure an additional bridge.
I'd be most grateful for comments and suggestions from folks who have actually done this (and gotten it working) on a recent build. I'm reasonably experienced with DD-WRT, but the last time I configured a guest network was on v. 24, and things were less complicated.
In summary, there are just a few configuration steps. The final step involves manually editing the firewall (iptables) configuration - I've included my firewall config as well. You can enter these via the GUI; you don't have to SSH into the router.
Create two bridged virtual interfaces on ath0 and ath1. This will nullify the Net Isolation and NAT/Masquerade code, which only applies to unbridged virtual interfaces.
Enable AP Isolation on both virtual interfaces. NOTE: I'm fairly certain that AP Isolation will only work at the virtual interface level, and creating a bridge group from both interfaces will allow clients on 2.4GHz to see clients on 5GHz and vice versa.
Create the br1 bridge interface and give it an IP address. Disable both Net Isolation and NAT/Masquerade since this will be accomplished via manual iptables rules.
Create DHCP server and assign it to br1.
Add the iptables rules.
My firewall rules with explanations:
# Block any remaining traffic from guest LAN after all other rules have been checked
iptables -I INPUT 2 -i br1 -m state --state NEW -j DROP
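The post above shows only one of its firewall rules. As an added example (not the poster's own rule set), here is a complete guest-bridge script of the kind pasted into DD-WRT's Administration > Commands firewall box; it assumes br1 is the guest bridge, br0 the trusted LAN bridge, 192.168.15.0/24 the guest subnet, and reads the WAN interface from nvram (a placeholder is used where nvram is absent).

```shell
#!/bin/sh
# Added example for this thread, not the poster's own rule set: a complete
# guest-bridge firewall script for DD-WRT's Administration > Commands box.
# Assumptions: br1 = guest bridge, br0 = trusted LAN bridge,
# 192.168.15.0/24 = guest subnet, WAN interface from nvram (placeholder
# when nvram is absent).
#
# Every rule uses -I (insert at top), so a line emitted LATER is evaluated
# EARLIER. Broad DROPs go in first and narrow ACCEPTs last, so the final
# INPUT chain reads: ACCEPT DHCP/DNS from guests, ..., DROP everything else.
guest_fw_rules() {
    guest="$1" lan="$2" wan="$3" net="$4"
    cat <<EOF
iptables -I INPUT -i $guest -m state --state NEW -j DROP
iptables -I INPUT -i $guest -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $guest -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $guest -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i $guest -o $lan -j DROP
iptables -I FORWARD -i $lan -o $guest -m state --state NEW -j DROP
iptables -I FORWARD -i $guest -o $wan -j ACCEPT
iptables -I FORWARD -i $wan -o $guest -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -I POSTROUTING -s $net -o $wan -j MASQUERADE
EOF
}

# WAN interface name: DD-WRT keeps it in nvram; elsewhere use a placeholder.
wan_if() {
    w=$(nvram get wan_iface 2>/dev/null) || w=""
    [ -n "$w" ] && echo "$w" || echo "WAN_IF_PLACEHOLDER"
}

# Apply the rules when iptables is present, otherwise just show them.
apply_guest_fw() {
    guest_fw_rules br1 br0 "$(wan_if)" 192.168.15.0/24 | while IFS= read -r rule; do
        if command -v iptables >/dev/null 2>&1; then
            $rule
        else
            echo "dry-run: $rule"
        fi
    done
}

# "sh guest_fw.sh apply" on the router; with no argument it only prints rules.
case "${1:-}" in
    apply) apply_guest_fw ;;
    *) guest_fw_rules br1 br0 "$(wan_if)" 192.168.15.0/24 ;;
esac
```

After applying, `iptables -S INPUT` and `iptables -S FORWARD` should list every br1 rule, with the ACCEPTs above the DROPs.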
Posted: Fri Sep 29, 2017 11:11 Post subject: Guest VAP now operational
THIS JUST IN:
I updated to the latest build (33413), added a VAP to ath1, the 2.4GHz interface. The SSID didn't broadcast.
I changed the security to WPA2 Personal/AES, and the SSID now broadcasts.
My security settings on the two physical interfaces are:
WPA2 Personal / TKIP + AES
Apparently, for a VAP, those settings don't work.
I've read every post and online doc I could find about a "Guest" network on DD-WRT. I've opted for a basic setup.
I did NOT add a bridge
I DID create a separate DHCP range
Network Configuration is Unbridged
Masquerade/NAT is Enabled
Net Isolation is Enabled
Forced DNS redirection is Enabled
If I've made any major gaffes or omissions that those more experienced than myself think should be changed, by all means, please post! _________________ Router: Linksys WRT1900ACSv2
Modem: Verizon Fios DD-WRT v3.0-r44048 std (08/02/20)
ISP: Verizon Fios
NAS: ReadyNas314
The more secure way to do this today would probably be to put the guest network in its own VLAN. _________________ Linksys WRT3200ACM
Build: B.S.'s DD-WRT v3.0-r32597 std (07/08/17)
Posted: Fri Sep 29, 2017 19:04 Post subject: Re: Guest VAP now operational
giles02134 wrote:
THIS JUST IN:
Check out the thread in my signature, in which I document my adventures in VLANing.
If you follow the thread, somewhere in it I think I list the configuration for a wireless guest network that works. There are also lots of resources for setting up a wireless guest network, the principles of which were applicable and interrelated to VLANing.
I can personally attest that I can get wireless guest networks working on the 3200ACM by following the material posted there (though I am still having issues assigning Ethernet ports to different VLANs). _________________ Linksys WRT3200ACM
Build: B.S.'s DD-WRT v3.0-r32597 std (07/08/17)
Posted: Mon Oct 02, 2017 0:02 Post subject: Re: Guest VAP now operational
giles02134 wrote:
THIS JUST IN:
I updated to the latest build (33413), added a VAP to ath1, the 2.4GHz interface. The SSID didn't broadcast.
I changed the security to WPA2 Personal/AES, and the SSID now broadcasts.
My security settings on the two physical interfaces are:
WPA2 Personal / TKIP + AES
Apparently, for a VAP, those settings don't work.
I've read every post and online doc I could find about a "Guest" network on DD-WRT. I've opted for a basic setup.
I did NOT add a bridge
I DID create a separate DHCP range
Network Configuration is Unbridged
Masquerade/NAT is Enabled
Net Isolation is Enabled
Forced DNS redirection is Enabled
If I've made any major gaffes or omissions that those more experienced than myself think should be changed, by all means, please post!
@giles, thank you for playing around with this and sending out the results. I have been using old directions from a very old build and using iptables in the firewall to get the results that I get when using your instructions. I also wonder if this is the source of my router rejecting the builds after 33006. I will let folks know. I did a rebuild with 33413 and with these guest network instructions. Will keep you all posted.
edit: after 5 hours still rebooted. Back to 33006. _________________ WRT3200ACM x2 presently running LEDE.
Posted: Fri Oct 27, 2017 6:39 Post subject: Guest Network Further Adventures Update??
Has the 48-hour record been broken? I have the 1900ACSv2 and want to get a guest network working, so I am trying to follow your lead. Hoping it is not leading to a rat hole.
All is running well now. I have my router set to reboot at 3:00a.m. each day, but since I reconfigured the WiFi security settings, I've not had any issues.
There are many posts about setting up guest networks that involve adding another bridge, and some firewall rules. I'm not enough of a Linux/DD-WRT guru to know if that's really necessary. I suspect that you'll get as many different answers as people you ask.
Here's what works for me on the most current release. This all assumes you've added a VAP to one of your physical interfaces. On my unit, ath1 is the 2.4GHz, so my VAP is ath1.1.
On the basic setup page:
Use dnsmasq for DNS
Use dnsmasq for DHCP
On the Wireless Basic Settings page:
Network mode is MIXED for both interfaces
On the Wireless Security Page
All interfaces (including your VAP) set to WPA2 Personal/AES (NOTE: AES only!)
Under Setup/Networking, scroll down to your virtual interface (e.g. ath1.1):
Bridge Assignment: Unbridged
Multicast forwarding: Disable (default)
Masquerade / NAT: Enable
Net Isolation: Enable
Forced DNS Redirection: Enable
Optional DNS Target should be set to an external server, like Google: 8.8.8.8
IP Address: Set to a different starting point than your "Real" interfaces. If your primary interface is 192.168.1.1, then make this 192.168.15.1 or something like that.
Under DHCPD, configure another DHCP range for your virtual interface. For example, if you've attached your VAP to ath1, then the VAP will be ath1.1. BE SURE YOU PICK THE CORRECT ONE!
NOTE: Before you leave one setup page for the next, be sure to click "SAVE" at the bottom of the page. When you're done, click "Apply Settings". Or you could simply reboot the router.
Anyway, that's my story, and I'm sticking to it. _________________ Router: Linksys WRT1900ACSv2
Modem: Verizon Fios DD-WRT v3.0-r44048 std (08/02/20)
ISP: Verizon Fios
NAS: ReadyNas314