R7000 isolated and secure guest wifi

DD-WRT Forum Index -> Broadcom SoC based Hardware
JJT211
DD-WRT Novice


Joined: 12 Jul 2015
Posts: 11

PostPosted: Sun Feb 07, 2016 17:49    Post subject: R7000 isolated and secure guest wifi
I've got my guest network created, but I'm having trouble keeping it isolated from my LAN. I've tried several firewall rules from various posts and none of them seem to work.

I believe it may have something to do with my build version (28514).

Can anyone tell me which firmware they've successfully deployed an isolated and secure guest wifi network on their R7000?
SimulationMan32
DD-WRT User


Joined: 28 Aug 2014
Posts: 135
Location: Winnipeg, MB, Canada

PostPosted: Sun Feb 07, 2016 21:28    Post subject:
Are you using a separate bridge (br1)? If so, have you tried this:

Code:
# Block new connections between the guest bridge (br1) and the LAN bridge (br0) in both directions
iptables -I FORWARD 2 -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD 2 -i br0 -o br1 -m state --state NEW -j DROP
# Refuse guest access to the router's own management services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset


In case you're unsure, this blocks communication between the main and guest networks and prevents the guest network from accessing the router. Also turn on NET Isolation. That should work. If not, try a more recent build.

_________________
KONG Builds for R7000, AC68U
Brainslayer for everything else
HalfBit
DD-WRT Guru


Joined: 04 Sep 2009
Posts: 776
Location: AR, USA

PostPosted: Sun Feb 07, 2016 22:23    Post subject:
If you haven't set up a new bridge, the interface is probably something like wl0.1 (2.4GHz VAP) or wl1.1 (5GHz VAP).

Also, I've had an isolated and secure guest wifi VAP on every build I have used so far. I followed Kong's guide: http://tips.desipro.de/2013/12/06/guest-wifi-setup-dd-wrt/

_________________
R7000 Nighthawk - DD-WRT v3.0-r50308
R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x
https://pi-hole.net/
https://github.com/DNSCrypt/dnscrypt-proxy
JJT211
DD-WRT Novice


Joined: 12 Jul 2015
Posts: 11

PostPosted: Mon Feb 08, 2016 8:10    Post subject:
SimulationMan32 wrote:
Are you using a separate bridge (br1) if so have you tried this:

Code:
iptables -I FORWARD 2 -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD 2 -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset


In case you're unsure, this blocks communication between the main and guest networks and prevents the guest network from accessing the router. Also turn on NET Isolation. That should work. If not, try a more recent build.


This was exactly what I had but it still didn't work.

Does it make any difference if I'm using mine as a WAP as opposed to a router?
SimulationMan32
DD-WRT User


Joined: 28 Aug 2014
Posts: 135
Location: Winnipeg, MB, Canada

PostPosted: Mon Feb 08, 2016 16:33    Post subject:
Yeah, you need something like this:

Code:
# Drop new connections from the guest bridge to the LAN subnet only (internet via br0 still passes)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
# Source-NAT guest traffic leaving via br0 to the router's LAN address
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# Refuse guest access to the router's own management services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset


Try that. Try with the first 2 and then add the other 4 after.

Also look here:
https://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

_________________
KONG Builds for R7000, AC68U
Brainslayer for everything else
JJT211
DD-WRT Novice


Joined: 12 Jul 2015
Posts: 11

PostPosted: Tue Feb 09, 2016 4:35    Post subject:
Ok, thx for the link, but it appears it still isn't secure; I can still access br0 from br1.

Let me go into a bit more detail about my network.

pfSense lan port -> switch -> DDwrt port 1 br0 eth2 vlan 1
pfSense guest port vlan 10 -> DDwrt port 2 br1 eth1 vlan 10 tagged

So in words, my primary LAN is not VLAN'd in pfSense or tagged in DD-WRT, as I was having issues with it working correctly with my switch and the rest of my network. It would work properly tagged if I bypassed my switch and went directly to pfSense. But that's a deal breaker, as I have a FreeNAS machine and that's how I get my TV/movies.

My guest is VLAN 10 in pfSense and VLAN 10 tagged going directly to the pfSense guest port, no switch.

The firewall issue is definitely inside of DD-WRT, as there's no other point at which they share anything. I just can't figure out what it might be.

I tried net/AP isolation but that would kill internet access. I believe those options are for when DD-WRT is the router as well. So that's a no-go.

That link was very interesting, although from the description, I'm not sure any of the commands pertain to my network config.

Quote:
Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)

iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP


This command is close, although I don't need to "pass traffic through br0 to the internet".

How can I trim that part out of the command?


Quote:
Restrict br1 from accessing br0 (do not use on WAP's)

iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP


This looks like what I'm looking for, but it says "do not use on WAPs".

Why?

Also, what's this one all about?

Quote:
Restrict br1 from accessing the router's local sockets (software running on the router)

iptables -I INPUT -i br1 -m state --state NEW -j DROP
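The two wiki rules quoted above differ in what they match, and that is why one is marked "do not use on WAP's". The following is an added model, not code from the thread or the DD-WRT wiki, that runs a guest packet through each rule as a one-rule FORWARD chain; the subnets and the `vlan2` WAN interface name are constructed assumptions, standing in for `nvram get lan_ipaddr` / `nvram get lan_netmask` and the real WAN port.

```python
# Added model of the two FORWARD rules quoted above (not from the thread or
# the DD-WRT wiki). Shows why "-o br0" is fine on a router but drops a WAP's
# internet-bound guest traffic, while "-d <lan subnet>" only drops LAN-bound.
import ipaddress

# Constructed sample addressing (assumption); on the router these come from
# `nvram get lan_ipaddr` / `nvram get lan_netmask`.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
GUEST_NET = ipaddress.ip_network("192.168.10.0/24")
INTERNET_HOST = "203.0.113.10"  # TEST-NET-3, stands in for any internet host


def egress_iface(dst, mode):
    """Interface a forwarded packet leaves on.

    router: LAN hosts sit on br0, everything else goes out the WAN ("vlan2",
            an assumed name). wap: the WAN port is disabled and the default
            gateway (pfSense) sits on br0, so internet traffic also exits br0.
    """
    if dst in LAN_NET or mode == "wap":
        return "br0"
    return "vlan2"


def rule_out_br0(pkt):
    """iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP"""
    return pkt["in"] == "br1" and pkt["out"] == "br0" and pkt["state"] == "NEW"


def rule_dst_lan(pkt):
    """iptables -I FORWARD -i br1 -d <lan_ipaddr>/<lan_netmask> -m state --state NEW -j DROP"""
    return pkt["in"] == "br1" and pkt["dst"] in LAN_NET and pkt["state"] == "NEW"


def forward_verdict(src, dst, mode, rule, state="NEW"):
    """Run one packet through a single-rule FORWARD chain (policy ACCEPT)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pkt = {"in": "br1" if s in GUEST_NET else "br0",
           "out": egress_iface(d, mode), "dst": d, "state": state}
    return "DROP" if rule(pkt) else "ACCEPT"


def compare(mode):
    """Verdicts for guest->LAN and guest->internet under each rule."""
    flows = {"guest->lan": "192.168.1.20", "guest->internet": INTERNET_HOST}
    return {name: {"-o br0": forward_verdict("192.168.10.5", dst, mode, rule_out_br0),
                   "-d lan": forward_verdict("192.168.10.5", dst, mode, rule_dst_lan)}
            for name, dst in flows.items()}


if __name__ == "__main__":
    for m in ("router", "wap"):
        print(m, compare(m))
```

Only the `-d <lan subnet>` form keeps a WAP's guests on the internet, and because both rules match `--state NEW` only, reply packets of established flows still pass.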
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Tue Feb 09, 2016 5:28    Post subject:
if you are using pfsense as your router and only using the ddwrt device as a wap then you need to set up vlan trunks bridging the guest network on the ddwrt device. the ddwrt device will act as a "layer 2 switch" and the vlan segregation will be done at the pfsense device.

ddwrt br0 includes (vlan1, eth1 2.4GHz, eth2 5 GHz) port 1 tagged vlan 1
ddwrt br1 includes (vlan 10 wl0.1 2.4 GHz guest & wl1.1 5 GHz Guest) port 1 tagged vlan 10

in my case wl1.1 & wl1.2 are different networks (br1 canada & br2 usa) but the idea is the same

you can then isolate the ddwrt ap from the guests with

Code:
iptables -F
iptables -A INPUT -i br1 -j DROP
iptables -A INPUT -i br2 -j DROP   # in my case

then in pfsense block vlan 1 <-> vlan 10

this is not a ddwrt FW issue. it is a pfsense "layer 3" ip routing issue and an understanding of network basics regardless of linux or freebsd solutions.



Attachments: ports.PNG, vlans.PNG


JJT211
DD-WRT Novice


Joined: 12 Jul 2015
Posts: 11

PostPosted: Tue Feb 09, 2016 7:15    Post subject:
Alright cool, that makes sense. Thanks for the clarification!

I was trying to avoid trunking as my cheap TP Link smart switch isn't VLAN tagging like it should. But if that's what I need to do, then I'll just have to get a new one.
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Tue Feb 09, 2016 19:12    Post subject:
you could always setup

pfsense -> r7000 port 1 (vlan trunk)
r7000 port 2 (base lan)-> existing switch

otherwise dlink and netgear have inexpensive smart switch options
JJT211
DD-WRT Novice


Joined: 12 Jul 2015
Posts: 11

PostPosted: Tue Feb 09, 2016 20:10    Post subject:
Yea, I was thinking something along those lines, but then I came across the NETGEAR ProSAFE GS108T, which, considering the features for the price, is well worth it, not to mention a great learning tool.

Thanks again!
JAMESMTL
DD-WRT Guru


Joined: 13 Mar 2014
Posts: 856
Location: Montreal, QC

PostPosted: Tue Feb 09, 2016 20:16    Post subject:
the gs108tv2 you linked to is what I use. works very well
JJT211
DD-WRT Novice


Joined: 12 Jul 2015
Posts: 11

PostPosted: Fri Feb 12, 2016 4:02    Post subject:
OK, although I have never set up a VLAN'd network, I thought it would be pretty straightforward, but apparently I am mistaken.

I know I have pfSense and DD-WRT set up correctly (when I bypass the switch, everything works); it's my VLAN config in my switch. I think it's something to do with my trunk ports.

Summary of what I'm trying to do:

Switch
port 1 - pfSense - tagged (vlan 10 lan and vlan 11 guest)
port 2 - DD-Wrt - tagged (vlan 10 lan and vlan 11 guest)

port 3, 4, 5, 6 - untagged (vlan 10 lan)

port 7, 8 - unused

From what I understand, trunk ports should be tagged, and host ports are untagged but with PVID.

Am I missing something?
JJT211
DD-WRT Novice


Joined: 12 Jul 2015
Posts: 11

PostPosted: Fri Feb 12, 2016 19:07    Post subject:
JAMESMTL wrote:
you could always setup

pfsense -> r7000 port 1 (vlan trunk)
r7000 port 2 (base lan)-> existing switch

otherwise dlink and netgear have inexpensive smart switch options


OK cool, so I finally got everything isolated using the above config.

But I'd really like to use the previous config with my switch as the backbone of the network.

Is that how you have your network configured? If so, how are your switch ports tagged/untagged? I find this part especially confusing given that I have my DD-WRT AP tagged going into the switch.

EDIT: Never mind, it's only isolated at the firewall but not at DD-WRT and back to the switch.
JJT211
DD-WRT Novice


Joined: 12 Jul 2015
Posts: 11

PostPosted: Sun Feb 14, 2016 14:15    Post subject:
I always hate when I find an old thread that has my same exact problem, but the OP never returns to post what resolved the issue. So here we go....

First, disregard my last few posts, as I had no idea what I was talking about. The switch GUI was a bit confusing at first, but once I realized you need to set your tagged and untagged ports for each VLAN as well as enable ingress filtering, I was good to go with the switch.

As it turns out, after double checking everything, trying diff configs and finally port mirroring diff ports on my switch (awesome feature btw) and breaking out Wireshark to actually physically see the packets and where they were actually traveling, it was the friggin Squid package in pfSense! Once it was disabled, my Guest network, with the first set of firewall rules, was finally secured.

Thanks for all the help!


Last edited by JJT211 on Sun Feb 14, 2016 17:33; edited 1 time in total
JamBor
DD-WRT Novice


Joined: 07 Mar 2015
Posts: 7

PostPosted: Sun Feb 14, 2016 16:44    Post subject: DD-WRT Guest Wireless
This site could be helpful as well:

http://www.alexlaird.com/2013/03/dd-wrt-guest-wireless/