Posted: Mon Feb 01, 2016 14:23 Post subject: Firewall and Guest network help
Hello,
I followed a thread in the forum to set up a unified Guest network on DD-WRT (see below).
The problem I have is that the FIRST device that connects to my Guest network seems to work just fine, but then no other device is able to obtain an IP address. If I delete my firewall rules, it immediately starts to work.
Of course I want to turn the firewall rules back on and secure the Guest network as best as I can... Any ideas?
General Steps to setup my Unified Guest Network:
1. Create the two virtual interfaces. Enable AP Isolation and configure them as BRIDGED rather than UNBRIDGED. This is the first place my config departs from Kong's instructions. When you enable Bridged mode, Net Isolation and NAT/Masquerade disappear, which you want, because you don't want them enabled at the virtual interface level.
2. Create a new bridge interface and add the two new virtual interfaces to it. That should remove them from the default bridge as well, physically segmenting them off from the private LAN (we'll use iptables rules to prevent cross traffic later).
3. Down at the bottom of the Network configuration page, make sure Net Isolation is disabled and give your new bridge interface an IP address.
4. Create your DHCP server and make sure the interface used is the new BRIDGE interface, not one of the wireless virtual interfaces. This makes sure that both bands can use the one DHCP server.
5. Apply the firewall rules.
# Block any remaining traffic from guest LAN after all other rules have been checked
iptables -I INPUT 2 -i br1 -m state --state NEW -j DROP
# Allow any traffic from guest LAN not satisfying first 2 rules to be forwarded
iptables -I FORWARD 2 -i br1 -j ACCEPT
# Block traffic from being forwarded between private LAN and guest LAN
iptables -I FORWARD 2 -i br0 -o br1 -j DROP
iptables -I FORWARD 2 -i br1 -o br0 -j DROP
# Enable Internet and NAT for guest LAN, if sourced from guest LAN
iptables -t nat -A POSTROUTING -s 172.16.100.1/24 -o eth1 -j SNAT --to-source $(nvram get wan_ipaddr)
Just to follow on here... Even my normal private WLAN will stop working at some point with those firewall rules in place.
For example, I have been working from home all morning (5 hours now)... Suddenly my internet connectivity stops. I run some ping tests (ping 4.2.2.2) from both my wired and wireless computers and no traffic is routing past the WRT1900AC.
I "edit" and remove the firewall rules, click Save & Apply, and within 30 seconds everything is working once again perfectly.
Clearly I have a typo, or blatant error within those rules... But why it takes days/hours until my routing stops is a pure mystery at this point.
You are trying to replicate my setup obviously. I've been up for 65 days now. I have 3 guest devices that are on pretty much all the time and have added 4 or 5 over the last couple of weeks (as my daughters' friends come and go).
Can you output your firewall rules to a text file and attach it here? _________________ Routing:.......Asus RT-AX88U (Asuswrt-Merlin 384.14) Switching:....Netgear GS608_V3 & GS605_V4, TrendNet TEG-S82G & TEG-S50G
I would love to! Just need a bit of schooling... If I captured iptables -L, would that do it?
That all looks correct. Can you also post output of iptables -vnL? Please attach as a text file with a fixed-width font like Courier, that way it's readable.
Unfortunately, I don't see anything that jumps out at me.
My suggestion at this point would be to reset your configuration to factory defaults and try configuring from scratch.
So for anyone still watching this thread, here is the latest.
Today for no reason at all, the router stopped working again. This time, I happened to notice that the LAN stopped accepting all traffic. No pings, no telnet, no NOTHING. However, the Wireless interfaces worked!
So as I'm thinking the WRT1900ac was "locked up", it turns out all of my wireless devices were working just fine.
I used a wireless PC to reconfigure my router to go back to a much simplified Guest network setup, and so far so good.
Once I deleted the bridge for the guest networks, everything started working again.
I'm done troubleshooting the issue and will keep my simple setup...................for now.
#Force the use of local DNS Servers on br1
iptables -t nat -A PREROUTING -i br1 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
#Allow br1 to access DHCP and DNS on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
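The difference between the first post's rule set and the one just above comes down to rule order: `iptables -I CHAIN` with no position pushes each new rule to the top, so the DHCP/DNS ACCEPTs inserted after the br1 NEW/DROP end up above it, while `-I CHAIN 2` keeps dropping rules in at position 2 and nothing ever lets udp/67 through on br1. The following script is an added example, not code from this thread or from DD-WRT: it simulates how iptables orders a chain from a list of -A/-I commands and then checks whether the guest bridge can still reach DHCP before the catch-all DROP. The interface names br0/br1 and the rule text are taken from the posts above; the RELATED,ESTABLISHED seed rule used to stand in for DD-WRT's existing FORWARD rule 1 is a constructed assumption, and the script does not touch the live firewall.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): simulate the order iptables
# gives a chain when rules arrive via -A (append) and -I CHAIN [N] (insert at
# position N, default 1), then check that the guest bridge br1 keeps a DHCP
# exception above its catch-all NEW/DROP in INPUT.

# chain_order CHAIN [TABLE]: read iptables commands on stdin and print the
# resulting rule order for CHAIN in TABLE (default: filter), one rule per line.
chain_order() {
    awk -v chain="$1" -v table="${2:-filter}" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        t = "filter"; act = ""; c = ""; pos = 1
        for (i = 1; i <= NF; i++) {
            if ($i == "-t") t = $(i + 1)
            else if ($i == "-A") { act = "A"; c = $(i + 1) }
            else if ($i == "-I") {
                act = "I"; c = $(i + 1)
                # -I CHAIN N inserts at position N; bare -I means position 1
                if ($(i + 2) ~ /^[0-9]+$/) pos = $(i + 2) + 0
            }
        }
        if (t != table || c != chain) next
        if (act == "A") { rule[++n] = $0 }
        else if (act == "I") {
            # real iptables rejects N > n+1 ("Index of insertion too big");
            # clamp so the simulation of a nearly empty chain still runs
            if (pos > n + 1) pos = n + 1
            for (j = n; j >= pos; j--) rule[j + 1] = rule[j]
            rule[pos] = $0; n++
        }
    }
    END { for (j = 1; j <= n; j++) print rule[j] }'
}

# guest_dhcp_ok: read iptables commands on stdin; exit 0 only if an ACCEPT for
# udp/67 on br1 sits above the br1 NEW/DROP in INPUT, i.e. guest clients can
# still obtain a lease from the router's DHCP server.
guest_dhcp_ok() {
    chain_order INPUT | awk '
        /-i br1/ && /--dport 67/ && /-j ACCEPT/ && !drop { ok = 1 }
        /-i br1/ && /--state NEW/ && /-j DROP/ { drop = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# Constructed sample: the working INPUT rules posted later in the thread.
WORKING_RULES='
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
'

# Constructed sample: the original post's only INPUT rule, with no DHCP
# exception anywhere above the DROP.
ORIGINAL_RULES='
iptables -I INPUT 2 -i br1 -m state --state NEW -j DROP
'

if [ "${1:-}" = "demo" ]; then
    echo "Effective INPUT order for the working rule set:"
    printf '%s\n' "$WORKING_RULES" | chain_order INPUT
    printf '%s\n' "$WORKING_RULES" | guest_dhcp_ok && echo "working set: DHCP reachable"
    printf '%s\n' "$ORIGINAL_RULES" | guest_dhcp_ok || echo "original set: DHCP blocked"
fi
```

Run it as `sh script.sh demo` to see the effective order. Feeding it the original post's FORWARD rules with a constructed stand-in for rule 1 shows the same mechanism: each `-I FORWARD 2` lands in front of the previous one, so the two cross-bridge DROPs end up above the br1 ACCEPT, which is the order the comments intended.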
Yeah, my setup has been working fine for exactly 90 days.