HOW TO: Guest WiFi + abuse control for beginners

DD-WRT Forum Index -> Atheros WiSOC based Hardware, page 7 of 7
herzberger (DD-WRT Novice; joined 18 Apr 2016; posts: 4) posted Thu Sep 15, 2016 20:47:
I have an R7000 that is connected to a DSL modem/router device that is running a DHCP server (I cannot change that...). Are there any hints on how to get a guest VAP working in this situation?

I run 9/9/16 30600M kongmv at the moment and the most I got was a connectable guest wifi with a dhcp client address but no internet connection.

Is there a build that definitely works in my situation for someone else, so I could exclude that it is this build that makes trouble and I can focus on the config?
mrjcd (DD-WRT Guru, Texas; joined 31 Jan 2015; posts: 5361) posted Thu Sep 15, 2016 22:01:
herzberger wrote:
I have an R7000 that is connected to a DSL modem/router device that is running a DHCP server (I cannot change that...). Are there any hints on how to get a guest VAP working in this situation?

I run 9/9/16 30600M kongmv at the moment and the most I got was a connectable guest wifi with a dhcp client address but no internet connection.

Is there a build that definitely works in my situation for someone else, so I could exclude that it is this build that makes trouble and I can focus on the config?

The R7000 doesn't really belong in this forum, but if you will tell us what you have done so far we may get you going.

WAN is disabled, yes?
advanced routing is in router mode, yes?
did you make a bridge, NO? .. ok that's fine.
did you input the guest network under the wireless settings??
did you use multiple DHCP server in networking?... don't use that for this.

We need info on how you made the guest network.
Screenshots are good also.
mrjcd (DD-WRT Guru, Texas; joined 31 Jan 2015; posts: 5361) posted Thu Sep 15, 2016 23:49:
See if this will help -
Assuming you have your router setup properly as a WAP (wireless access point).
This should work fine on newer builds of this year.
Due to changes made in iptables/firewall the old 'create br1' method is not the best option.
Although br1 method still works on most it is difficult to isolate your guest network using iptables.
The now built-in 'net isolation' feature takes care of restriction between networks.
There are only a few changes needed for guests to work on a WAP.

Broadcom & Atheros should be -



Set IP address & subnet in wireless settings. This is using the WNDR3700v4.
Use Net Isolation. 'Apply Settings'

DO NOT use Multiple DHCP Server - DO NOT do anything in NETWORKING

In Services/Services Additional DNSMasq Options

Should leave other DNSMasq functions disabled.
Here is actual text - change network to match what you put in wireless and adjust DHCP range to suit your needs.
Be aware of all commas & periods, and no spaces.
Code:
interface=ath0.1
dhcp-option=ath0.1,3,192.168.7.1
dhcp-range=ath0.1,192.168.7.2,192.168.7.60,255.255.255.0,12h


To gain internet access you must put this in 'Saved as Firewall'
Code:
iptables -I FORWARD -i ath0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

-----
Here on the E2500 you observant types will see that nothing is changed but the interface.
ath0.1 / wl0.1 which are both obviously on the 2.4 radio. Changing the interface in DNSMasq options & firewall
should work fine on whatever you want your guests to be on...e.g. wl1.1


Code:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.10.1
dhcp-range=wl0.1,192.168.10.2,192.168.10.30,255.255.255.0,12h

Code:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

Edit:
WNDR3700v4 is using build 30082 (07/01/16)
E2500v1 using build k3.x 30605 (09/09/16) --- K3.x and above should work fine with this method.
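As an added example (not code from mrjcd's post or from DD-WRT itself), the following POSIX shell script generates the two fragments the guide pastes into the router from one set of parameters, and first checks them for the mistakes the guide warns about: gateway and DHCP range in different subnets, a typo in a dotted quad, or the gateway address sitting inside the lease range. The interface name, gateway, range, netmask and lease time are assumed inputs; the `nvram get` calls are written out literally because they only exist on the router, so the script runs on any ordinary shell.

```shell
#!/bin/sh
# Added example, not from the forum post or from DD-WRT: build the
# "Additional DNSMasq Options" and saved-firewall fragments for a guest VAP
# from one set of assumed parameters, after sanity-checking them.

# Dotted quad -> 32-bit integer using shell arithmetic only.
# Returns 1 on anything that is not four octets in 0..255 (typo guard).
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for ip2int_o in "$@"; do
        case $ip2int_o in ''|*[!0-9]*) return 1 ;; esac
        [ "$ip2int_o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_guest_net GATEWAY RANGE_START RANGE_END NETMASK
# 0 when consistent, 1 with a reason on stderr otherwise.
check_guest_net() {
    cg_m=$(ip2int "$4") || { echo "bad netmask: $4" >&2; return 1; }
    cg_g=$(ip2int "$1") || { echo "bad gateway: $1" >&2; return 1; }
    cg_s=$(ip2int "$2") || { echo "bad range start: $2" >&2; return 1; }
    cg_e=$(ip2int "$3") || { echo "bad range end: $3" >&2; return 1; }
    [ $(( cg_s & cg_m )) -eq $(( cg_g & cg_m )) ] ||
        { echo "range start $2 is not in the gateway's subnet" >&2; return 1; }
    [ $(( cg_e & cg_m )) -eq $(( cg_g & cg_m )) ] ||
        { echo "range end $3 is not in the gateway's subnet" >&2; return 1; }
    [ "$cg_s" -le "$cg_e" ] ||
        { echo "range start is after range end" >&2; return 1; }
    if [ "$cg_g" -ge "$cg_s" ] && [ "$cg_g" -le "$cg_e" ]; then
        echo "gateway $1 would be handed out as a DHCP lease" >&2; return 1
    fi
    return 0
}

# Additional DNSMasq Options: bind to the VAP, hand out its gateway
# (DHCP option 3) and the lease range. No spaces inside the lines.
guest_dnsmasq_options() {
    printf 'interface=%s\n' "$1"
    printf 'dhcp-option=%s,3,%s\n' "$1" "$2"
    printf 'dhcp-range=%s,%s,%s,%s,%s\n' "$1" "$3" "$4" "$5" "$6"
}

# Saved firewall: rule 1 drops NEW connections from the guest VAP into the
# main LAN subnet (isolation); rule 2 SNATs guest traffic leaving via br0
# to the WAP's own LAN address so the upstream router can route replies.
guest_firewall_rules() {
    printf 'iptables -I FORWARD -i %s -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP\n' "$1"
    printf 'iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`\n'
}

# guest_config IFACE GATEWAY RANGE_START RANGE_END NETMASK LEASE
guest_config() {
    check_guest_net "$2" "$3" "$4" "$5" || return 1
    echo "# Services -> Additional DNSMasq Options"
    guest_dnsmasq_options "$1" "$2" "$3" "$4" "$5" "$6"
    echo "# Commands box -> Save Firewall"
    guest_firewall_rules "$1"
}

# Same values as the guide's ath0.1 example.
guest_config ath0.1 192.168.7.1 192.168.7.2 192.168.7.60 255.255.255.0 12h
```

For a VAP on the other radio change only the interface argument, exactly as the post says. Note what the isolation rule does and does not do: it matches only connections in state NEW, so guests cannot open connections into the main LAN, while replies to connections the LAN initiated still pass; the guide pairs it with Net Isolation in the GUI for that reason.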
herzberger (DD-WRT Novice; joined 18 Apr 2016; posts: 4) posted Fri Sep 16, 2016 8:12:
Thank you mrjcd for your quick reply, you were a great help.

You're right I was trying to set up another DHCPd for the VAP. Without it and with your DNSmasq entry + firewall it works like a charm now.

Maybe we should make an explicit tutorial for this scenario: No WAN, Router mode, new builds, so people (like me) know they don't have to struggle with br1 things and additional DHCPds.
mrjcd (DD-WRT Guru, Texas; joined 31 Jan 2015; posts: 5361) posted Fri Sep 16, 2016 11:42:
herzberger wrote:
You're right I was trying to set up another DHCPd for the VAP. Without it and with your DNSmasq entry + firewall it works like a charm now.

Glad you got it going.


herzberger wrote:
Maybe we should make an explicit tutorial for this scenario: No WAN, Router mode, new builds, so people (like me) know they don't have to struggle with br1 things and additional DHCPds.

Mile-Lile is welcome to use whatever I post and maybe incorporate it in the original (or make a new one),
all cleaned up nice and neat, and have it re-stickied in the forums.


Note: if you also use 'AP Isolation' and are unable to reach websites, you may need to
enable and use 'Forced DNS Redirection'. Any valid DNS will work.
This was actually one problem between the old br1 method and 'AP Isolation'.
If it occurs it can be easily resolved.
Slovak (DD-WRT Novice; joined 20 Jan 2015; posts: 1) posted Thu Feb 16, 2017 20:08:
mrjcd wrote:
See if this will help -
Assuming you have your router setup properly as a WAP (wireless access point).
This should work fine on newer builds of this year.
Due to changes made in iptables/firewall the old 'create br1' method is not the best option.
Although br1 method still works on most it is difficult to isolate your guest network using iptables.
The now built-in 'net isolation' feature takes care of restriction between networks.
There are only a few changes needed for guests to work on a WAP.

Thank you for the updated methodology. So much simpler! I set up WAP per wiki on my Linksys E1200v2 with the DD-WRT v3.0-r31277 mega firmware.

Spent way too many hours following outdated wikis and blog posts messing with the Network settings, DHCP, bridging, etc. Just about gave up.

The only difference in my setup was that I only needed a guest WAP (not one connected to LAN). Now I effectively have a 5-port switch with a guest wifi that's completely separate from the LAN. Instead of ath0.1 I substituted eth1 in DNSMasq Options and the firewall entries. Works like a charm.
ralfy (DD-WRT Novice; joined 01 Sep 2013; posts: 1) posted Sun Feb 19, 2017 22:34:
Hello,

I have at home a TP-LINK WDR3600 which I used with the stock firmware until I bought an Ubiquiti ERLite-3 router today and thought of converting the WDR3600 to an access point using DD-WRT.

This works successfully for the private wi-fi network but I can't seem to be able to setup a guest wi-fi network in any way.

My current setup is:
1. internet -> eth0 on erlite-3
2. eth1 erlite-3 -> port 1 in switch of WDR3600

eth1 set to 192.168.0.1/24 on erlite
eth1.2 (vlan) set to 172.16.0.1/24 on erlite

I also have 2 DHCP servers set to those subnets on the erlite.

On the DD-WRT I have 4 wi-fi networks, 2 for the private network on 2.4GHz (ath0) and 5GHz (ath1), and 2 guest networks on 2.4GHz (ath0.1) and 5GHz (ath1.1).

I tried following the steps by mrjcd but the clients of the guest network don't get any IP assigned from the DHCP server which is on the VLAN, or if I set a static IP on the client I also cannot access the internet or ping anything.

What I think I'm missing is assigning somehow the guest wi-fi network to the VLAN id 2 which was set on the erlite router but don't really know how to do that.

Any help would be appreciated.
Thanks!
mrjcd (DD-WRT Guru, Texas; joined 31 Jan 2015; posts: 5361) posted Mon Feb 20, 2017 1:08:
ralfy wrote: (quotes the post above in full)

The guide for guest on a WAP has nothing to do with VLANs. All guest networks made on a WAP as I described are independent of any other network -- they are standalone networks doing their own DHCP.
If you want your guests on the Atheros dd-wrt router to be on the same subnet as the others then you will have to set up VLANs on it.... You should google your router model + swconfig + VLAN.
Lennard (DD-WRT Novice; joined 19 Jul 2017; posts: 17) posted Sun Jul 22, 2018 14:22, subject: Set up Guest-wifi on a Linksys EA6400 WAP (Broadcom):
Thanks for this how-to, it worked perfectly on my TP-Link. However I wanted to set this up on my Linksys EA6400 that I use as a Wireless Access Point (WAP). It took me many hours to get it working, I'll tell you how:

First I set it up as Wireless Access Point as described here: https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point#Introduction
Then I followed the guide above: https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1047143#1047143

After that I needed to change a few things that were mentioned in either of these tutorials, but through trial and error I found they were preventing my clients from connecting to the Guest-wifi:

Setup --> Basic setup:
- Use DNSMasq for DHCP => enable (other options here remain disabled as described in the WAP tutorial).
Setup --> Advanced Routing:
- Dynamic routing => Disable (Operating mode is Router).

This way I was finally able to 'normally' connect to the wifi, but no internet access. I soon discovered it was a DNS related issue, because when I manually set the DNS Server on a client, it was able to load webpages.
Finally on this page https://wiki.dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server I found the right setting for my Additional DNSMasq options to choose a DNS server like this:

Code:
dhcp-option=6,x.x.x.x,y.y.y.y

(no spaces).

So my full Additional DNSMasq options are as follows (later to be changed to OpenDNS addresses):

Code:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.9.1
dhcp-option=6,8.8.8.8,8.8.4.4
dhcp-range=wl0.1,192.168.9.2,192.168.9.60,255.255.255.0,12h


But I don't understand how the "Use DNSMasq for DHCP" option enabled in Basic Setup and the "Dynamic Routing" set to Disable allow me to connect the clients to the wifi. Like I said on my TP-Link the clients connect after following the guides.
And the most important question: Do these settings impact security? e.g. Is the guest-wifi separate from my private-wifi? Can clients use their own DNS server, or are the servers I specify (x.x.x.x and y.y.y.y) forced?

As far as possible, I'll try to answer these questions myself, but I'm a noob and don't have the knowledge to fully test everything. If anyone has some thoughts on this it would be appreciated!
HasLo (DD-WRT Novice; joined 31 Oct 2017; posts: 26) posted Tue Oct 02, 2018 5:46, subject: no internet access for Guest wifi (net isolate) WDR3600:
Dear all, I want to request help, and sorry for my English.

Problem: No internet access for Guest Wifi

Just bought 2 units of refurbished TL-WDR3600, one version 1.1 and another version 1.5.

Installed firmware: DD-WRT v3.0-r37012 std (09/21/18)
Factory default reset before trying to set up the unit.
Both are pure WLAN routers, and the internet connection is obtained via cable from another WAN-gateway router, a TL-Archer C7.

I want to set up Home wifi and Guest wifi for both WDR3600s.
The conditions:
Guest wifi criteria:
1. (must not) do not have any access to LAN
2. Guest just has internet access only
3. The Guest IP and gateway IP will be at 192.168.0.xxx
4. The Home wifi, LAN IP and gateway IP will be at 192.168.213.xxx

I already tried the instructions from this thread and another thread; I have been searching for a few days already and tried several methods to find the solution for Guest internet access.

Working:
br0 (IP 192.168.213.xxx) and br1 (IP 192.168.0.xxx).
DHCP for Guest is working; the wifi Guest IP is connected at 192.168.0.xxx.
The Guest cannot access my private LAN.

Alas...

NOT working:
the Guest cannot access the internet.

Please help, already 5 nights tinkering, and no solution for the Guest internet access.
HasLo (DD-WRT Novice; joined 31 Oct 2017; posts: 26) posted Thu Oct 04, 2018 0:55, subject: Re: no internet access for Guest wifi (net isolate) WDR3600:
Should I create a new thread for this question, or is enough to ask for help in here ?
Please...


HasLo wrote: (quotes the post above in full)
mrjcd (DD-WRT Guru, Texas; joined 31 Jan 2015; posts: 5361) posted Mon May 06, 2019 2:43:
I know this is a years-old post, but several pages are linked to it and there are always new people coming along, so I was just goofing around to see if this still worked OK on the WAP.
This is only for a guest network on a correctly set up WAP. There are plenty of other how-to articles for a guest network on a regular gateway (WAN enabled) router.
I set this up on a WNDR3700v4 (dd-wrt r39715) that I usually have the radios disabled on because I only use it as a switch.
But turning on its radios makes it a legitimate WAP.

I just used the 192.192.192.192/27 network which means after the br1 has its IP that only leaves 29 for clients but anyways I think you get the picture with that ---
Code:
Network:   192.192.192.192/27 (255.255.255.224)
Broadcast: 192.192.192.223
HostMin:   192.192.192.193
HostMax:   192.192.192.222
Hosts/Net: 30


I did not originally have dnsmasq enabled but you must have it enabled for this and everything associated with it 'disabled'.
For both radios to be on the same (guest) network use the br1 method. You leave VAPs as their default when created as 'bridged'.
On the ../Networking.asp page, in the 'Bridging' section, create br1. You will probably also have to 'Save' & 'Apply Settings'.
'Assign to Bridge' br1 to both VAPs you created. 'Save'.


Likely near the bottom of the same page you will find 'Network Configuration br1'. This is where you input its IP and subnet mask.
Also enable 'Net Isolation' if you want this network isolated from main network .... we'll actually do more with that in the firewall section but all this works just like I am showing because it has been tested.


On page ../Diagnostics.asp put in 'Commands' box---
Code:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Click 'Save Firewall'.


On page ../Services.asp and in Additional Dnsmasq Options --
Code:
interface=br1
dhcp-option=br1,3,192.192.192.193
dhcp-range=br1,192.192.192.194,192.192.192.222,255.255.255.224,12h


Bottom of page 'Save' & 'Apply Settings' and you should be good. It was all well for me, but you may need a reboot if something isn't working as expected.
I know this works like a charm on this router, but I can't verify units I don't have.
NOTES: Security on the VAPs: I am using WPA / WPA2 Personal / CCMP-128 (AES).
On page ../Routing.asp Operating Mode is set as 'Router'.
Also, this is important if you want all to work well with your WAP and for it to keep correct time:
on the main setup page ../index.asp its IP should of course be one within the main network's range, with the same subnet mask as the main router.
Gateway should be set to the main router's IP.
Local DNS should also be set to the main router's IP if you use local DNS.
Unless you use 'Forced DNS Redirection' on the br1 network, all clients will use the same DNS set on your main router.
I have unbound enabled on my main router, so its networks and the network we just created on this WAP ...... everything uses unbound.
###
EDIT:
You should really use a network within the private range. Sometimes when I'm thinking my brain is not helping me.
The 192.192.192.192 network is in the public IP range .... oh well, it works, but please don't use that.
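An added example, not part of mrjcd's post: a POSIX shell subnet calculator that reproduces the figures shown above for any ADDRESS/PREFIX, derives the gateway and lease range the post's dnsmasq lines use (HostMin as the gateway, HostMin+1 through HostMax as leases, the dotted netmask for the range line) and refuses any network outside the RFC 1918 private ranges, which is exactly the slip the EDIT above owns up to. Everything is shell arithmetic; no external tools are assumed.

```shell
#!/bin/sh
# Added example, not from the forum post: subnet figures, dnsmasq values and
# an RFC 1918 check for a guest (br1) network on a DD-WRT WAP.

# Dotted quad <-> 32-bit integer, shell arithmetic only.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# Prefix length -> mask as an integer (27 -> 0xFFFFFFE0).
prefix2mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# The ipcalc-style figures, each as a dotted quad.  Usage: network_of ADDR PREFIX
network_of()   { int2ip $(( $(ip2int "$1") & $(prefix2mask "$2") )); }
broadcast_of() { int2ip $(( $(ip2int "$(network_of "$1" "$2")") | (0xFFFFFFFF ^ $(prefix2mask "$2")) )); }
hostmin_of()   { int2ip $(( $(ip2int "$(network_of "$1" "$2")") + 1 )); }
hostmax_of()   { int2ip $(( $(ip2int "$(broadcast_of "$1" "$2")") - 1 )); }
hosts_of()     { echo $(( (1 << (32 - $2)) - 2 )); }

# RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
is_private() {
    ip_i=$(ip2int "$1")
    [ $(( ip_i >> 24 )) -eq 10 ] && return 0
    [ $(( ip_i >> 20 )) -eq $(( (172 << 4) | 1 )) ] && return 0
    [ $(( ip_i >> 16 )) -eq $(( (192 << 8) | 168 )) ] && return 0
    return 1
}

# Print the same table the post shows.
subnet_report() {
    printf 'Network:   %s/%s (%s)\n' "$(network_of "$1" "$2")" "$2" "$(int2ip "$(prefix2mask "$2")")"
    printf 'Broadcast: %s\n' "$(broadcast_of "$1" "$2")"
    printf 'HostMin:   %s\n' "$(hostmin_of "$1" "$2")"
    printf 'HostMax:   %s\n' "$(hostmax_of "$1" "$2")"
    printf 'Hosts/Net: %s\n' "$(hosts_of "$1" "$2")"
}

# Values for the post's dnsmasq lines, as "GATEWAY RANGE_START RANGE_END NETMASK":
# gateway = HostMin, leases from HostMin+1 to HostMax.  Fails on a public network.
guest_range_for() {
    is_private "$1" || { echo "$1/$2 is not an RFC 1918 network; pick one that is" >&2; return 1; }
    gr_gw=$(hostmin_of "$1" "$2")
    echo "$gr_gw $(int2ip $(( $(ip2int "$gr_gw") + 1 ))) $(hostmax_of "$1" "$2") $(int2ip "$(prefix2mask "$2")")"
}

subnet_report 192.192.192.192 27          # the figures from the post
guest_range_for 192.192.192.192 27 || true # refused: public range
guest_range_for 192.168.50.0 27            # a private /27 that fits the same dnsmasq lines
```

With the private /27 the output is the gateway for the dhcp-option line and the start, end and netmask for the dhcp-range line, so the only thing left to edit in the post's Additional Dnsmasq Options is the interface name.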
bthoven (DD-WRT Novice; joined 23 Sep 2019; posts: 20) posted Sat Oct 12, 2019 5:50, subject: works for Archer C9v1:
mrjcd wrote: (quotes in full the guest-on-WAP guide posted Thu Sep 15, 2016 23:49)


Just to confirm this method works perfectly on my Tplink Archer C9v1 dd-wrt v3.0-r41027; after trying, unsuccessfully, several ways using VLAN approach. Thanks a lot for this excellent guide.

I have one question. As now my main private network, guest, and iot subnets are fully isolated, if I wish to allow hosts on my main network to access any hosts in guest and iot network, how to achieve it? Sample commands would be great.
baxtex (DD-WRT User; joined 30 Dec 2014; posts: 78) posted Fri Jul 17, 2020 14:46:
mrjcd wrote: (quotes in full the guest-on-WAP guide posted Thu Sep 15, 2016 23:49)


I use these exact settings on a DD-WRT version from last month but internet does not work. Connecting to wifi is fine but there is no internet whatsoever on the VAP.
Page 7 of 7. All times are GMT.