How to? E4200 guestnet segmentation

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware
Goto page 1, 2  Next
Author Message
ironmanco
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 20

PostPosted: Tue Dec 20, 2011 9:47    Post subject: How to? E4200 guestnet segmentation Reply with quote
I'm sure it's been discussed or written but can someone point me to how to segment the guestnet on a e4200?

Because of it's multiple radios it looks like it does interfaces differently. I'm not sure which interface (physical) that I create the virtual interface (2.4 or 2.4/5GHz)?

I'm running 17990.
Sponsor
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Tue Dec 20, 2011 14:00    Post subject: Reply with quote
Take a look at these three post. It should help with setup. I have the same Router.

What does NAT do on br1:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=148270&highlight=

This post has the proper iptables rules:

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=148337&highlight=

Separate LAN And WLAN Wiki (Some of this dose not work with the E4200, so use the info above).

http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN

Good luck, let me know if you have any questions.

-mrengles

PS. Search is your friend. Twisted Evil Wink
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Tue Dec 20, 2011 14:03    Post subject: Reply with quote
About adding the guest VAP. just hit the add button on what ever radio you want, whether is be 5ghz or 2.4ghz.
ironmanco
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 20

PostPosted: Tue Dec 20, 2011 17:53    Post subject: Reply with quote
So the reason I said e4200 is that there are actually two radios. 1 2.4Ghz and 1 2.4/5Ghz. I'm looking for guidance as to which one to create the virtual interface on and I'm still seeing ambiguity on whether this can all be done via gui or whether other configuration (iptables) are needed.

There are also a bunch of other options that don't show up on the screen caps that I believe affect the configuration on this router.

Thanks
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Tue Dec 20, 2011 21:40    Post subject: Reply with quote
I setup everything using the GUI only.

What radio do you want your guest VAP to broadcast on 2.4ghz or 5ghz? (I would use 2.4ghz because 99% of people have adapters for the 2.4ghz b/g/n band. Allot of people with older computers won't be able to even see the 5ghz network)

Here are some more photos of my E4200 with a guest WLAN separated from my private network. Neither subnets can see each other, and the guest wifi has AP isolation turned on, so guests won't be able to see other guest users connected to the VAP either. Also the router will only be manageable from your private network (br0).

Wireless > Basic Settings




Setup > Networking




Administration > Commands



Good luck.

Let me know how this works out for yeah.
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Tue Dec 20, 2011 21:44    Post subject: Reply with quote
Here are the same iptable rule, just in TXT format so you can just copy and past.


Code:
#Restrict br0 (172.16.10.x) from br1 (192.168.1.x)
##
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

#Restrict br1 (192.168.1.x) from br0 (172.16.10.x)
##
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

#Restrict br1 (192.168.1.x) access to router while allowing DCHP, and DNS
##
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

#Allow br1 (192.168.1.x) access to networked printer on br0 (172.16.4.x)
##
iptables -I FORWARD -i br1 -d 172.16.10.254 -j ACCEPT




My guest network is on subnet 192.168.1.x which might be confusing to some people. My main network subnet is 172.16.10.x (This helps when connecting with PPTP from a network you have no control over.)

Again, Good Luck.

Keep us posted on your progress.

PS. This is all running on my Cisco-Linksys E4200 v1 with BS-18007-Mega-nv60k

-mrengles
ironmanco
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 20

PostPosted: Wed Dec 21, 2011 5:45    Post subject: Reply with quote
This was excellent. I haven't tested it out yet, but the configuration is there.

I'd be interested to see what other wireless tweaks you have made. I noticed that you changed the channel width (40mhz). I also noticed that you had a parameter called "extension channel" which is not available to me.

Thanks!
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Wed Dec 21, 2011 6:39    Post subject: Reply with quote
ironmanco wrote:
This was excellent. I haven't tested it out yet, but the configuration is there.

I'd be interested to see what other wireless tweaks you have made. I noticed that you changed the channel width (40mhz). I also noticed that you had a parameter called "extension channel" which is not available to me.

Thanks!


Extension channel Will appear once your settings are saved, applied, and router rebooted. The 40 MHz setting just allows your Wifi radio to transmit at a faster rate.

Wireless-N Configuration:

http://www.dd-wrt.com/wiki/index.php/Wireless-N_Configuration

Remember search is your friend. Smile
ironmanco
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 20

PostPosted: Wed Dec 21, 2011 21:15    Post subject: Reply with quote
So few more questions on the wireless configuration:

1) I noticed this quote from the wiki:
"I've done many tests with NEWD and NEWD2 wireless drivers on various builds with a WRT150N v1.1 and WRT300N v1.1 and found the 40MHz channel (2.4GHz spectrum) throughput to be extremely lackluster. Most often it gave worse throughput than 20MHz width even though I have no nearby interference on any channels."

I noticed that you are still using the 40MHz channel. Have you tested with it to find the above to be no applicable with the E4200 or at least the E4200 to be better than using the 20MHz channel?

2) I've noticed conflicting info on wireless security with N. Can you provide what config you are using? I read this:

"You MUST use WPA2 authentication with AES encryption only, or use no security at all if you wish to achieve N rates. Anything else is against the N spec and typically results in the client falling back to G rates."

I thought I read that it was suggested to use WPA2 w/TKIP+AES but that doesn't look like what they are suggesting above.

Thanks again for your help on this.
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Wed Dec 21, 2011 22:10    Post subject: Reply with quote
ironmanco wrote:
So few more questions on the wireless configuration:

1) I noticed this quote from the wiki:
"I've done many tests with NEWD and NEWD2 wireless drivers on various builds with a WRT150N v1.1 and WRT300N v1.1 and found the 40MHz channel (2.4GHz spectrum) throughput to be extremely lackluster. Most often it gave worse throughput than 20MHz width even though I have no nearby interference on any channels."

I noticed that you are still using the 40MHz channel. Have you tested with it to find the above to be no applicable with the E4200 or at least the E4200 to be better than using the 20MHz channel?

2) I've noticed conflicting info on wireless security with N. Can you provide what config you are using? I read this:

"You MUST use WPA2 authentication with AES encryption only, or use no security at all if you wish to achieve N rates. Anything else is against the N spec and typically results in the client falling back to G rates."

I thought I read that it was suggested to use WPA2 w/TKIP+AES but that doesn't look like what they are suggesting above.

Thanks again for your help on this.


Wireless > Wireless Security




Make sure to use AES if you want to get N rates. I use the 40MHz channel width with great success on my E4200. Keep in mind you should only use 40mhz if you have little to none wifi interference. (ex Other wifi networks close by)
I can't tell you how to setup your wifi channels and widths because your location can make a huge difference. You will just have to test, test, test. and see what gives you the best results.

Good Luck.

Once you get a working guest network, backup your settings. Then you can fiddle around with other settings for faster rates, channel, or width. Find what works best for your setup. Save it, then leave it alone, except for maybe the occasional restart.

-mrengles
ironmanco
DD-WRT Novice


Joined: 02 Jul 2011
Posts: 20

PostPosted: Thu Dec 22, 2011 0:50    Post subject: Reply with quote
Looks good. So, are you just being brave having your guestnet unsecured or are you in a location that the only folks that would be on that network would be actual guests of yours? Smile
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Thu Dec 22, 2011 1:19    Post subject: Reply with quote
ironmanco wrote:
Looks good. So, are you just being brave having your guestnet unsecured or are you in a location that the only folks that would be on that network would be actual guests of yours? Smile


Anyone can join. Guests have no access to my privet network or router. Also I have QOS setup so that they don't steal all my bandwidth. =)

I've only had a handful of users connect to the guest network. If I notice any rouge guest's, I can always Block there MAC address, or worse case Secure the guest network with encryption.

Hows everything working for you?
shmackitup
DD-WRT Novice


Joined: 06 Feb 2011
Posts: 18

PostPosted: Tue Jan 03, 2012 2:22    Post subject: Reply with quote
These settings are working perfectly for me...

I am wondering what your QoS settings were. I've tried to limit my "guest" network but my settings keep applying globally. Not sure if this has to do with the bridges or if there's a way to limit the bridge instead of an IP range.
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Tue Jan 03, 2012 4:23    Post subject: Reply with quote
shmackitup wrote:
These settings are working perfectly for me...

I am wondering what your QoS settings were. I've tried to limit my "guest" network but my settings keep applying globally. Not sure if this has to do with the bridges or if there's a way to limit the bridge instead of an IP range.


I'll post a screen shot of QoS when I get to a desktop/labtop. I'm posting from my iPhone right now.

Smile

-mrengles
mrengles
DD-WRT User


Joined: 25 Feb 2010
Posts: 149
Location: United States

PostPosted: Tue Jan 03, 2012 17:15    Post subject: Reply with quote
shmackitup wrote:
These settings are working perfectly for me...

I am wondering what your QoS settings were. I've tried to limit my "guest" network but my settings keep applying globally. Not sure if this has to do with the bridges or if there's a way to limit the bridge instead of an IP range.





Quality of service will only limit bandwidth to your guest network when you're private subnet is using bandwith. For example say that no one is connected to your private network via Wi-Fi or wired but you have gusts connected to your Wi-Fi network, they will be able to access 100% of your broadband pipe whatever you want to call it. However, when you have clients connected to your private subnet wireless and wired and they are using bandwidth like Apple TV downloading torrents browsing the web and other activities that use high amounts of bandwith with your guest network will be limited and they will not interfere with your private network downloads or uploads.

I hope this makes a little bit more sense on how quality of service works with your guest network.
Goto page 1, 2  Next Display posts from previous:    Page 1 of 2
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum