[Solved] Virtual Interface WLAN can't ping own gateway

DD-WRT Forum Index -> Atheros WiSOC based Hardware
Author Message
tamufan
DD-WRT Novice


Joined: 12 Oct 2017
Posts: 2
Location: Houston, Texas, USA

PostPosted: Thu Oct 12, 2017 23:12    Post subject: [Solved] Virtual Interface WLAN can't ping own gateway
SEE SOLUTION IN MY REPLY BELOW

I see this question has come up before but the recommended fix did not work. My setup:

Primary WLAN ath0,ath1: 192.168.2.1/25 bridged
Guest WLAN ath0.1: 172.16.1.1/24 unbridged virtual interface
IoT WLAN ath0.2: 192.168.3.1/25 unbridged virtual interface
Router: Netgear WNDR3800 running DD-WRT v3.0-r33413 std (09/27/17)

Both unbridged WLANs work great: devices receive an address and can access the internet, but neither can ping its gateway (a ping to 192.168.3.1 returns "request timeout").

Why is this a problem, you ask? Well, Belkin in their infinite wisdom coded their Wemo switch to ping its local gateway as a test for network connectivity. The Wemo device is on the WLAN, answers pings, and can be controlled by the Wemo app as long as the app is on the same WLAN. But the switch flashes an amber light indicating "no connectivity" and the app will not allow remote access to be enabled.

I read and attempted the guide at http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs (several times). Things worked great up to the point where the WLAN ath0.2 is moved to its own bridge and DHCP server; connections to that WLAN then no longer receive an address and instead adopt a link-local IP.

Help needed. Either a) get the gateway to answer pings when in unbridged mode, or b) assistance with the bridged configuration.

Thanks for any help. --John.

=======================================================


iptables in bridged mode with a separate bridge and DHCP server (the configuration that gives link-local addresses).

Code:

root@DD-WRT:~# iptables -vnL INPUT --line-numbers
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     9411 1306K ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2        1   572 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68
3        0     0 DROP       udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
4        0     0 DROP       udp  --  br0    *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
5        0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:520
6     4659  405K ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
7      826  230K ACCEPT     0    --  br1    *       0.0.0.0/0            0.0.0.0/0           
8        0     0 DROP       icmp --  eth1   *       0.0.0.0/0            0.0.0.0/0           
9       40  1440 DROP       2    --  *      *       0.0.0.0/0            0.0.0.0/0           
10       0     0 ACCEPT     0    --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW
11       0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
12     164 53792 ACCEPT     udp  --  ath0.1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
13       0     0 ACCEPT     udp  --  ath0.1 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
14       0     0 ACCEPT     tcp  --  ath0.1 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
15       0     0 DROP       0    --  ath0.1 *       0.0.0.0/0            0.0.0.0/0           state NEW
16       0     0 ACCEPT     0    --  ath0.1 *       0.0.0.0/0            0.0.0.0/0           
17       0     0 ACCEPT     udp  --  ath0.2 *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
18       0     0 ACCEPT     udp  --  ath0.2 *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
19       0     0 ACCEPT     tcp  --  ath0.2 *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
20       0     0 DROP       0    --  ath0.2 *       0.0.0.0/0            0.0.0.0/0           state NEW
21       0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0           udp dpt:67
22       0     0 ACCEPT     udp  --  br1    *       0.0.0.0/0            0.0.0.0/0           udp dpt:53
23       0     0 ACCEPT     tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:53
24       0     0 DROP       0    --  br1    *       0.0.0.0/0            0.0.0.0/0           state NEW
25       0     0 ACCEPT     0    --  br1    *       0.0.0.0/0            0.0.0.0/0           
26     577 62472 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

root@DD-WRT:~# iptables -vnL FORWARD --line-numbers
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 DROP       0    --  ath0.1 *       0.0.0.0/0            192.168.1.254       
2        0     0 DROP       0    --  ath0.1 *       0.0.0.0/0            192.168.1.254       
3        0     0 DROP       0    --  ath0.1 *       0.0.0.0/0            192.168.1.254       
4    19701   18M ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5        0     0 DROP       0    --  br1    *       0.0.0.0/0            192.168.2.0/24      state NEW
6        0     0 DROP       0    --  ath0.2 *       0.0.0.0/0            192.168.2.0/24      state NEW
7        0     0 DROP       0    --  ath0.1 *       0.0.0.0/0            192.168.2.0/24      state NEW
8        0     0 ACCEPT     47   --  *      eth1    192.168.2.0/24       0.0.0.0/0           
9        0     0 ACCEPT     tcp  --  *      eth1    192.168.2.0/24       0.0.0.0/0           tcp dpt:1723
10       0     0 ACCEPT     0    --  ath0.1 *       0.0.0.0/0            0.0.0.0/0           
11      37  1776 ACCEPT     0    --  br1    *       0.0.0.0/0            0.0.0.0/0           
12    1986  640K lan2wan    0    --  *      *       0.0.0.0/0            0.0.0.0/0           
13     435  229K ACCEPT     0    --  br0    br0     0.0.0.0/0            0.0.0.0/0           
14    1551  411K ACCEPT     0    --  br0    eth1    0.0.0.0/0            0.0.0.0/0           
15       0     0 ACCEPT     0    --  br1    eth1    0.0.0.0/0            0.0.0.0/0           
16       0     0 TRIGGER    0    --  eth1   br0     0.0.0.0/0            0.0.0.0/0           TRIGGER type:in match:0 relate:0
17       0     0 trigger_out  0    --  br0    *       0.0.0.0/0            0.0.0.0/0           
18       0     0 DROP       0    --  br0    ath0.1  0.0.0.0/0            0.0.0.0/0           state NEW
19       0     0 DROP       0    --  br0    ath0.2  0.0.0.0/0            0.0.0.0/0           state NEW
20       0     0 DROP       0    --  br0    br1     0.0.0.0/0            0.0.0.0/0           state NEW
21       0     0 ACCEPT     0    --  br0    *       0.0.0.0/0            0.0.0.0/0           state NEW
22       0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

root@DD-WRT:~# iptables -vnL OUTPUT --line-numbers
Chain OUTPUT (policy ACCEPT 2766 packets, 350K bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     8657 1272K ACCEPT     0    --  *      br0     0.0.0.0/0            0.0.0.0/0           
2        0     0 ACCEPT     0    --  *      br1     0.0.0.0/0            0.0.0.0/0


NOTE: PUBLIC IP MASKED AS "aaa.bbb.ccc.ddd"
root@DD-WRT:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       icmp --  anywhere             aaa-bbb-ccc-ddd.lightspeed.hstntx.sbcglobal.net to:192.168.2.1
TRIGGER    0    --  anywhere             aaa-bbb-ccc-ddd.lightspeed.hstntx.sbcglobal.net TRIGGER type:dnat match:0 relate:0

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       0    --  192.168.2.0/24       anywhere            to:aaa.bbb.ccc.ddd
MASQUERADE  0    --  anywhere             anywhere            mark match 0x80000000/0x80000000
SNAT       0    --  172.16.1.0/24        anywhere            to:aaa.bbb.ccc.ddd
SNAT       0    --  anywhere             anywhere            to:aaa.bbb.ccc.ddd

_________________
-- John P.


Last edited by tamufan on Fri Oct 13, 2017 17:28; edited 2 times in total
tamufan
DD-WRT Novice


Joined: 12 Oct 2017
Posts: 2
Location: Houston, Texas, USA

PostPosted: Fri Oct 13, 2017 17:25    Post subject: [SOLVED] Virtual Interface WLAN works except can't ping own
OK, it turns out my issue of devices not getting an IP address when accessing the wireless network was self-inflicted. The netmask for each bridge was left as all zeros (my bad), which prevented the DHCP server from acting as expected.

In fact the contents of the /tmp/dnsmasq.conf file had nonsense entries for the br1 and br2 DHCP ranges:
dhcp-range=br1,0.0.0.100,0.0.0.149,0.0.0.0,1440m
dhcp-range=br2,0.0.0.100,0.0.0.149,0.0.0.0,1440m

So after adding a netmask value of 255.255.255.0 to the two new bridges, devices connecting to wireless could obtain an IP address and access the internet. The next step is to restrict access to each other and to the router itself. Below is the list of iptables rules added under Administration->Commands with the "Save Firewall" button. NOTE: Comments are added for clarity and are NOT to be entered in the Administration->Commands window.

Code:

# Prevent access to the AT&T Residential Gateway control interface
iptables -I FORWARD -d 192.168.1.254 -i br1 -j DROP
iptables -I FORWARD -d 192.168.1.254 -i br2 -j DROP
# Prevent "guest" type bridges from accessing the primary LAN or each other
iptables -I FORWARD -i br1 -o br0 -j DROP
iptables -I FORWARD -i br1 -o br2 -j DROP
iptables -I FORWARD -i br2 -o br0 -j DROP
iptables -I FORWARD -i br2 -o br1 -j DROP
# Prevent "guest" type bridges from accessing anything on the router itself.
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br2 -m state --state NEW -j DROP
# Allow "guest" type bridges access to the DHCP and DNS servers
# (each -I inserts at the top, so these land above the DROP rule just added).
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br2 -p tcp --dport 53 -j ACCEPT
# Allow "guest" type bridges to ping their own gateway address only, since the
# "drop all local router access" line above would otherwise block the pings.
iptables -I INPUT -i br1 -p icmp -d `nvram get br1_ipaddr` -j ACCEPT
iptables -I INPUT -i br2 -p icmp -d `nvram get br2_ipaddr` -j ACCEPT


Hopefully this helps someone else avoid falling into the same hole I did.

_________________
-- John P.
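The reason the original unbridged setup dropped pings, and the reason the solution's rule order works, both come down to first-match evaluation and the fact that `iptables -I` prepends, so the last command in the saved firewall script ends up at the top of the chain. The following simulator is an added example written for this thread, not code from the post or from DD-WRT: it replays the solution's INPUT commands for one guest bridge with `-I` semantics and runs constructed sample packets through the result. It assumes `br1` carries the guest WLAN with 172.16.1.1 as its address (the guest address from the first post) and models only NEW packets; the real chain also has an earlier RELATED,ESTABLISHED accept that lets reply traffic through.

```python
"""Added example: first-match simulator for the guest-bridge INPUT rules.

Models how `iptables -I` prepends each rule, so the *last* command in the
saved firewall script becomes the *first* rule in the chain. Packets and
addresses are constructed for illustration; br1 / 172.16.1.1 are assumed
from the thread, everything else is made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # ingress interface, e.g. "br1"
    proto: str            # "udp", "tcp" or "icmp"
    dport: Optional[int]  # None for icmp
    dst: str              # destination address
    state: str            # conntrack state: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    target: str                   # "ACCEPT" or "DROP"
    iface: Optional[str] = None   # -i
    proto: Optional[str] = None   # -p
    dport: Optional[int] = None   # --dport
    dst: Optional[str] = None     # -d
    state: Optional[str] = None   # -m state --state

    def matches(self, p: Packet) -> bool:
        # Every specified match must hold; unspecified matches are wildcards.
        checks = ((self.iface, p.iface), (self.proto, p.proto),
                  (self.dport, p.dport), (self.dst, p.dst), (self.state, p.state))
        return all(want is None or want == got for want, got in checks)


class Chain:
    def __init__(self, policy: str = "ACCEPT") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def insert(self, rule: Rule) -> None:
        # `iptables -I CHAIN ...` with no position inserts at rule 1 (the top).
        self.rules.insert(0, rule)

    def verdict(self, p: Packet) -> str:
        # The first matching rule decides; otherwise the chain policy applies.
        for rule in self.rules:
            if rule.matches(p):
                return rule.target
        return self.policy


def build_guest_input_chain(bridge: str, gateway: str, ping_rule_last: bool = True) -> Chain:
    """Replay the thread's INPUT commands for one guest bridge via -I semantics.

    ping_rule_last=True is the order the post uses: the ICMP accept is issued
    after the DROP and therefore lands above it. False issues the ICMP accept
    first, so the later DROP shadows it (the failure mode of the original setup,
    which had no ICMP accept above its DROP at all).
    """
    chain = Chain()
    ping_rule = Rule("ACCEPT", iface=bridge, proto="icmp", dst=gateway)
    if not ping_rule_last:
        chain.insert(ping_rule)
    chain.insert(Rule("DROP", iface=bridge, state="NEW"))
    chain.insert(Rule("ACCEPT", iface=bridge, proto="udp", dport=67))
    chain.insert(Rule("ACCEPT", iface=bridge, proto="udp", dport=53))
    chain.insert(Rule("ACCEPT", iface=bridge, proto="tcp", dport=53))
    if ping_rule_last:
        chain.insert(ping_rule)
    return chain


def guest_verdicts(ping_rule_last: bool = True) -> Dict[str, str]:
    """Run constructed sample packets arriving on br1 through the chain."""
    chain = build_guest_input_chain("br1", "172.16.1.1", ping_rule_last)
    samples = {
        "ping_gateway": Packet("br1", "icmp", None, "172.16.1.1", "NEW"),
        "ping_lan_side": Packet("br1", "icmp", None, "192.168.2.1", "NEW"),
        "dhcp_discover": Packet("br1", "udp", 67, "255.255.255.255", "NEW"),
        "dns_query": Packet("br1", "udp", 53, "172.16.1.1", "NEW"),
        "ssh_to_router": Packet("br1", "tcp", 22, "172.16.1.1", "NEW"),
        "http_admin_ui": Packet("br1", "tcp", 80, "172.16.1.1", "NEW"),
    }
    return {name: chain.verdict(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for order in (True, False):
        print("ICMP accept issued last (lands on top):", order)
        for name, verdict in guest_verdicts(order).items():
            print(f"  {name:15} {verdict}")
```

Two things are worth noticing in the output. With the post's ordering, the echo request to the bridge's own address is accepted while an echo to the router's LAN-side address (192.168.2.1) arriving on br1 is still dropped, because the ICMP accept is scoped with `-d` to the bridge address; DHCP and DNS are accepted and everything else new (SSH, the admin UI) hits the DROP. Swapping the ICMP accept ahead of the DROP in the script puts it below the DROP in the chain, and the gateway ping is dropped again, which is exactly the symptom the first post describes.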