Guest Network

IT_cog_MD
DD-WRT User


Joined: 02 Dec 2017
Posts: 57

PostPosted: Sat Jan 27, 2018 3:32    Post subject: Guest Network Reply with quote
It seems like it should be an easy ask but I just can't get the Guest Mode to work.

I am set up as a WAP. Attached a bunch of photos for settings.



[Attached images: firewall.png, DNSMasq.png, DHCPSettin.png]

IT_cog_MD
DD-WRT User


Joined: 02 Dec 2017
Posts: 57

PostPosted: Sat Jan 27, 2018 3:33    Post subject: Reply with quote
Second post for 1 more image. I am at a loss what else to do. I can connect but no internet, and everything I read says enable NAT but there is no NAT option.


[Attached image: wl01.png]


IT_cog_MD
DD-WRT User


Joined: 02 Dec 2017
Posts: 57

PostPosted: Sat Jan 27, 2018 4:26    Post subject: Reply with quote
So I changed it up a little and converted it to a gateway, and now guest mode doesn't work. But I did find NAT with gateway active. So NAT must be associated with the Gateway.

Maybe this is my setup. My dd-wrt router is behind the ISP router. The ISP router is subnet 11. The dd-wrt router is broadcasting my guest network on subnet 10.

Is guest mode possible if the dd-wrt router is attached to the ISP router? I have a computer that is connected to the ISP router and when I attach to the dd-wrt under guest network with AP isolation, NAT, Unbridged and net isolation I can still remote desktop and connect to the computer on the ISP router, which I don't want to do as a guest.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Jan 27, 2018 8:55    Post subject: Reply with quote
What firmware version are you using?

For setting up a WAP: https://www.dd-wrt.com/wiki/index.php/Wireless_access_point

I personally am lazy so I use the GUI to set up my Guest network, see attached doc; for WAP see last section (I know @Eibgrad will disapprove and to be honest he has superior knowledge :) ).

You can also follow @MRJCD's guide: https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1047143#1047143

Important: always reboot after setting up or changing anything, otherwise it will not work.



[Attachment: DDWRT Virtual Access Point Public.doc]

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Sat Jan 27, 2018 10:36    Post subject: Reply with quote
Your original pics from 1st post you might try:
DNSMasq options list interface IP first then DHCP range then DNS.

DNSMasq can be real bitchy about what comes first but on the thinking hand it would make sense to have an active interface before to give it a DHCP range to hand out.....so give that a try in your WAP.
Do a reboot, see what shakes out.

EDIT:
Example for DNSMasq additional options for the WAP described in 1st post:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.10.1
dhcp-range=wl0.1,192.168.10.100,192.168.10.149,255.255.255.0,1h

There should be no need to use the DNS (6) option in this case since all of wl0.1 clients will use its LAN IP as DNS just like main interface on a dd-wrt gateway. This option is usually used for a different 'Target DNS' --- and that will only work on a WAP if main router is not catching everything on port 53. If you don't get DNS you can try using it but 99% chance if you don't get DNS on a WAP Guest Network it is a problem in the firewall.


Notice I also changed the 60m to 1h ... I use 12h on all my guest networks -- just seems more reasonable.
The point being what you may see in DNSMasq official MAN pages may not always work w/dd-wrt.
I have no idea what build you are using but you should be aware that dd-wrt tends to break small things from time to time making consistency across builds (and multiple routers) a trying endeavor to keep track of.
I know a while back there was a screw-up for many many builds (several months) where dd-wrt 'multiple DHCP server' lease time read the input as hrs rather than minutes and its default was 1440 which actually gave lease time as 60 days .... didn't see anyone talking about it and me being the good 'lil minion I just didn't mention it ...all sorts of things get outta-whack here
IT_cog_MD
DD-WRT User


Joined: 02 Dec 2017
Posts: 57

PostPosted: Sat Jan 27, 2018 21:54    Post subject: Reply with quote
I followed MRJCD's guide. That is how I originally set it up and I get no isolation.

My setup is like this:
ISP router connects to a switch.
The switch supplies connection to a computer and to this WAP wanting a guest network.

When I set it up per the guide from MRJCD, I can remote desktop to the computer connected to the switch.

I am going to try the bridge method now.
IT_cog_MD
DD-WRT User


Joined: 02 Dec 2017
Posts: 57

PostPosted: Sun Jan 28, 2018 0:03    Post subject: Reply with quote
Ok I have tried all the options given. I either have access to all computers or, using the bridge method, no access to Internet.

When using the bridge method should I set it up as a gateway rather than a WAP?

Also I am running Jan 8 firmware on an Asus rt-ac66u
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Sun Jan 28, 2018 0:28    Post subject: Reply with quote
if you have setup as br1 and all correct and getting DHCP.
you should throw this in the commands page and 'SAVE as FIREWALL'
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`


see ifin dat'll help ya

and yea this is for a WAP -- WAN disabled --- operating mode = router
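
Added example (not part of the thread or of DD-WRT): a quick way to confirm that the DROP rule from the post above is the first thing guest traffic hits, by reading the output of `iptables -vnL FORWARD`. The function name, the sample listings and the 192.168.11.0/24 LAN subnet are constructed for illustration, and the standard `iptables -vnL` column layout is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes `iptables -vnL FORWARD` columns:
#   pkts bytes target prot opt in out source destination [match details]

# guest_forward_verdict IFACE LAN_CIDR   (rule listing on stdin; hypothetical helper)
# Prints the target of the first rule a NEW connection from IFACE to LAN_CIDR
# would hit, or NONE when nothing matches and the chain policy decides.
# Rules narrowed by protocol, out-interface or source are skipped: read those by hand.
guest_forward_verdict() {
    awk -v ifc="$1" -v lan="$2" '
        $1 == "Chain" || $1 == "pkts" || NF < 9 { next }              # headers, blanks
        ($4 != "all" && $4 != "0") || $7 != "*" || $8 != "0.0.0.0/0" { next }
        ($6 == ifc || $6 == "*") && ($9 == lan || $9 == "0.0.0.0/0") {
            if ($0 ~ /state / && $0 !~ /NEW/) next   # ESTABLISHED-only rule: not for new flows
            print $3; found = 1; exit
        }
        END { if (!found) print "NONE" }
    '
}

# Constructed listing: DROP inserted at the top of the chain with -I.
sample_isolated() { cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DROP       all  --  br1    *       0.0.0.0/0            192.168.11.0/24     state NEW
  340 41200 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   25  1500 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Constructed listing: a broad ACCEPT sits above the DROP, so the DROP never fires.
sample_leaky() { cat <<'EOF'
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  1500 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  br1    *       0.0.0.0/0            192.168.11.0/24     state NEW
EOF
}

echo "rule on top, guest on br1:     $(sample_isolated | guest_forward_verdict br1 192.168.11.0/24)"
echo "rule below ACCEPT, guest br1:  $(sample_leaky | guest_forward_verdict br1 192.168.11.0/24)"
echo "rule for br1, guest on wl0.1:  $(sample_isolated | guest_forward_verdict wl0.1 192.168.11.0/24)"
```

On the router, pipe the live listing in instead: `iptables -vnL FORWARD | guest_forward_verdict br1 192.168.11.0/24`. Pass the interface the guest traffic is routed from (br1 when the VAP is bridged into br1, wl0.1 when it is unbridged); a result other than DROP, or a DROP rule whose pkts counter stays at 0 while a guest client tries to reach the LAN, means the rule is not taking effect.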
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

PostPosted: Sun Jan 28, 2018 1:40    Post subject: Reply with quote
A reminder, the Guest Network wiki has a section for "VAP with no WAN":
https://www.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN
mrjcd wrote:
iptables -I FORWARD -i br1 [...]
Can you guys critique that section, particularly with regard to "-i" difference with the above:
Wiki wrote:
iptables -I FORWARD -i wl0.1 [...]
Is the latter specific to the new dnsmasq method only, while "br1" would be used with a VAP for the other method? I.e. to clarify this in the wiki.

Fwiw, I've tested the dnsmasq+VAP method on two (W)AP's.

_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Sun Jan 28, 2018 2:04    Post subject: Reply with quote
jwh7 wrote:
A reminder, the Guest Network wiki has a section for "VAP with no WAN":
https://www.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN
mrjcd wrote:
iptables -I FORWARD -i br1 [...]
Can you guys critique that section, particularly with regard to "-i" difference with the above:
Wiki wrote:
iptables -I FORWARD -i wl0.1 [...]
Is the latter specific to the new dnsmasq method only, while "br1" would be used with a VAP for the other method? I.e. to clarify this in the wiki.

Fwiw, I've tested the dnsmasq+VAP method on two (W)AP's.


the first rule interface br1 should block anything that is bridged to br1 from accessing devices on main network.

could be replaced with wl0.1 or ath0.1 but AFAIK it is not needed there because net isolation will do the job.

net isolation works somewhat on the WAP when multiple interfaces are bridged via br1 but is not reliable and if I remember correctly you could always get to the main router using its IP..... also remember this may vary on some builds.
I actually haven't tested it much in a few months.

2nd rule just allows other interfaces on the WAP access to its LAN therefore onto main subnets WAN.
It's same and only rule needed if running ovpn server on a WAP.
I can say I don't fully understand it because looks to me as direct conflict with first but imma no genius in such
IT_cog_MD
DD-WRT User


Joined: 02 Dec 2017
Posts: 57

PostPosted: Sun Jan 28, 2018 5:11    Post subject: Reply with quote
mrjcd wrote:
if you have setup as br1 and all correct and getting DHCP.
you should throw this in the commands page and 'SAVE as FIREWALL'
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`


see ifin dat'll help ya

and yea this is for a WAP -- WAN disabled --- operating mode = router


I got it up and running now looking at your guide. I went back to not using the bridge. Not sure why it worked now and not earlier, but it is working good now thanks
A$h x
DD-WRT Novice


Joined: 22 Apr 2008
Posts: 24

PostPosted: Mon Feb 19, 2018 11:33    Post subject: Reply with quote
I have the same issue. My router is running in DHCP to pull the WAN connection from the cable modem.
I've set up the VAP (unbridged), and assigned wl0.1 in DHCPd.

Devices can connect and be assigned IP addresses, but no internet connection. I used the GUI method in the wiki (same as the guide posted by egc) but it simply doesn't work. I assume I'll have to use the terminal commands posted.

I'm actually at a loss as I've tried various methods, and will have to do a factory reset to make sure I'm starting from a clean install. Can someone please help?

Config as follows:

Test_vap (wl0.1)
IP address 192.168.2.1
DHCP range 192.168.2.3-100
subnet: 255.255.255.0

DD-WRT build 34876
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

PostPosted: Mon Feb 19, 2018 16:22    Post subject: Reply with quote
A$h x wrote:
Devices can connect and be assigned IP addresses, but no internet connection. I used the GUI method in the wiki (same as the guide posted by egc) but it simply doesn't work. I assume I'll have to use the terminal commands posted.
Did you reboot again after setting it up?

You could also try the new dnsmasq method (vs dhcpd):
https://www.dd-wrt.com/wiki/index.php/Guest_Network#New_DNSMasq_Method

A$h x
DD-WRT Novice


Joined: 22 Apr 2008
Posts: 24

PostPosted: Mon Feb 19, 2018 18:00    Post subject: Reply with quote
jwh7 wrote:
Did you reboot again after setting it up?

You could also try the new dnsmasq method (vs dhcpd):
https://www.dd-wrt.com/wiki/index.php/Guest_Network#New_DNSMasq_Method


Yes, rebooted, no luck. Tried both the DHCPd and DNSmasq method, no joy with either. I removed the DHCPd entry, rebooted, then tried the DNSmasq commands to ensure there was no conflicting commands in memory, but still no internet on the VAP. What is the issue?
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

PostPosted: Mon Feb 19, 2018 20:28    Post subject: Reply with quote
A$h x wrote:
Yes, rebooted, no luck. Tried both the DHCPd and DNSmasq method, no joy with either.
Was this working on a previous build? Recent builds have had various issues, and some only on certain routers. My guest VAP (dnsmasq+AP method) was still bcasting on my WNDR4000 and WNDR4500v2 CB+APs with 34929, but I didn't actually test connecting to them this time.

Check the new build threads and try an older build, like 33772.
