Posted: Sun Feb 07, 2016 17:49 Post subject: R7000 isolated and secure guest wifi
I've got my guest network created, but I'm having trouble keeping it isolated from my LAN. I've tried several firewall rules from various posts and none of them seem to work.
I believe it may have something to do with my build version (28514).
Can anyone tell me which firmware they've successfully deployed an isolated and secure guest wifi network on their R7000?
In case you're unsure, this blocks communication between the main and guest networks and prevents the guest network from accessing the router. Also turn on NET Isolation. That should work. If not, try a more recent build.
_________________
KONG Builds for R7000, AC68U
Brainslayer for everything else
Quote:
In case you're unsure, this blocks communication between the main and guest networks and prevents the guest network from accessing the router. Also turn on NET Isolation. That should work. If not, try a more recent build.
This was exactly what I had but it still didn't work.
Does it make any difference if I'm using mine as a WAP as opposed to a router?
Ok, thx for the link, but it appears it still isn't secure, can still access br0 from br1.
Let me go into a bit more detail about my network:
pfSense lan port -> switch -> DDwrt port 1 br0 eth2 vlan 1
pfSense guest port vlan 10 -> DDwrt port 2 br1 eth1 vlan 10 tagged
So in words, my primary LAN is not VLAN'd in pfSense or tagged in DD-WRT as I was having issues with it working correctly with my switch and the rest of my network. It would work properly tagged though if I bypassed my switch and went directly to pfSense. But that's a deal breaker as I have a FreeNAS machine and that's how I get my TV/movies.
My guest is vlan 10 in pfSense and vlan 10 tagged going directly to the pfSense guest port, no switch.
The firewall issue is definitely inside of DD-WRT, as there's no other point at which they share anything. I just can't figure out what it might be.
I tried net/AP isolation but that would kill internet access. I believe those options are for when DD-WRT is the router as well. So that's a no-go.
That link was very interesting, although from the description, I'm not sure any of the commands pertain to my network config.
Quote:
Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
This command is close although I don't need to "pass traffic through br0 to the internet".
How can I trim that part out of the command?
Quote:
Restrict br1 from accessing br0 (do not use on WAP's)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
This looks like what I'm looking for but it says "do not use on WAPs".
Why?
Also, what's this one all about?
Quote:
Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
Joined: 13 Mar 2014 Posts: 856 Location: Montreal, QC
Posted: Tue Feb 09, 2016 5:28 Post subject:
If you are using pfSense as your router and only using the DD-WRT device as a WAP, then you need to set up VLAN trunks bridging the guest network on the DD-WRT device. The DD-WRT device will act as a "layer 2 switch" and the VLAN segregation will be done at the pfSense device.
DD-WRT br0 includes (vlan1, eth1 2.4 GHz, eth2 5 GHz), port 1 tagged vlan 1
DD-WRT br1 includes (vlan 10, wl0.1 2.4 GHz guest & wl1.1 5 GHz guest), port 1 tagged vlan 10
In my case wl1.1 & wl1.2 are different networks (br1 Canada & br2 USA) but the idea is the same.
You can then isolate the DD-WRT AP from the guests with:
iptables -F
iptables -A INPUT -i br1 -j DROP
iptables -A INPUT -i br2 -j DROP (in my case)
Then in pfSense block vlan 1 <-> vlan 10.
This is not a DD-WRT FW issue. It is a pfSense "layer 3" IP routing issue and an understanding of network basics regardless of Linux or FreeBSD solutions.
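As an added example (not code from any poster in this thread), a small DD-WRT firewall-script helper that emits the AP-side guest rules for the three situations discussed above: the bridged/trunked layout from this reply (guests are switched at layer 2, so only the INPUT rule applies on the AP and segregation lives in pfSense), the wiki's WAP case from the earlier quote (br0 is also the uplink, so the subnet-scoped FORWARD rule is used instead of `-o br0`), and a DD-WRT-as-router case. The interface names br0/br1 and the LAN address and mask are assumptions taken from the posts.

```shell
#!/bin/sh
# Added example: generate guest-isolation rules for a DD-WRT R7000.
# Assumed layout from the thread: main LAN on br0, guest on br1.

# Print the iptables commands for a given mode without running them.
#   bridged: guest VLAN is trunked out a tagged port (this reply's setup);
#            the AP only switches frames, so just protect the AP itself.
#   wap:     WAN port disabled and guests are routed through br0, so an
#            "-o br0" drop would also cut their internet; block only new
#            flows whose destination is the main LAN subnet.
#   router:  DD-WRT has a real WAN; br0 carries LAN hosts only, so block it.
guest_rules() {
    mode=$1; guest_if=$2; lan_if=$3; lan_ip=$4; lan_mask=$5
    # In every mode guests never reach services on the AP (httpd, ssh, dns).
    echo "iptables -I INPUT -i $guest_if -m state --state NEW -j DROP"
    case $mode in
        bridged)
            ;;
        wap)
            echo "iptables -I FORWARD -i $guest_if -d $lan_ip/$lan_mask -m state --state NEW -j DROP"
            ;;
        router)
            echo "iptables -I FORWARD -i $guest_if -o $lan_if -m state --state NEW -j DROP"
            ;;
        *)
            echo "guest_rules: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
}

# Apply the rules on the router (not executed here). Each -I is first tried
# as -C so re-running the firewall script does not stack duplicate rules.
apply_guest_rules() {
    guest_rules "$@" | while read -r cmd; do
        check=$(echo "$cmd" | sed 's/ -I / -C /')
        $check 2>/dev/null || $cmd
    done
}
```

On the router, values such as the LAN address can be fed in with `nvram get lan_ipaddr` and `nvram get lan_netmask`, as the wiki rule quoted earlier does.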
Alright cool, that makes sense. Thanks for the clarification!
I was trying to avoid trunking as my cheap TP-Link smart switch isn't VLAN tagging like it should. But if that's what I need to do then, I'll just have to get a new one.
Yeah, I was thinking something along those lines but then I came across the NETGEAR ProSAFE GS108T. Which, considering the features for the price, is well worth it, not to mention a great learning tool.
OK, although I have never set up a VLAN'd network, I thought it would be pretty straight-forward but apparently I am mistaken.
I know I have pfSense and DD-WRT set up correctly (when I bypass the switch, everything works); it's my VLAN config in my switch. I think it's something to do with my trunk ports.
Summary of what I'm trying to do:
Switch
port 1 - pfSense - tagged (vlan 10 lan and vlan 11 guest)
port 2 - DD-Wrt - tagged (vlan 10 lan and vlan 11 guest)
port 3, 4, 5, 6 - untagged (vlan 10 lan)
port 7, 8 - unused
From what I understand, trunk ports should be tagged, and host ports are untagged but with PVID.
pfsense -> r7000 port 1 (vlan trunk)
r7000 port 2 (base lan)-> existing switch
Otherwise D-Link and Netgear have inexpensive smart switch options.
OK cool, so I finally got everything isolated using the above config.
But I'd really like to use the previous config with my switch as the backbone of the network.
Is that how you have your network configured? If so, how are your switch ports tagged/untagged? I find this part especially confusing given I have my DD-WRT AP tagged going into the switch.
EDIT: Nevermind, it's only isolated at the firewall but not at DD-WRT and back to the switch.
I always hate when I find an old thread that has my same exact problem, but the OP never returns to post what resolved the issue. So here we go....
First disregard my last few posts as I had no idea what I was talking about. The switch GUI was a bit confusing at first, but once I realized you need to set your tagged and untagged ports for each VLAN as well as enable ingress filtering, I was good to go with the switch.
As it turns out, after double checking everything, trying different configs and finally port mirroring different ports on my switch (awesome feature btw) and breaking out Wireshark to actually physically see the packets and where they were actually traveling, it was the friggin Squid package in pfSense! Once it was disabled, my guest network, with the first set of firewall rules, was finally secured.
Thanks for all the help!
Last edited by JJT211 on Sun Feb 14, 2016 17:33; edited 1 time in total