2nd Guest Network problem - can't connect

Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

PostPosted: Wed Mar 22, 2017 17:35    Post subject: 2nd Guest Network problem - can't connect Reply with quote
I've recently installed DD-WRT 31571 on my Archer C7 (fyi, I find this to be much nicer than the OEM FW and much easier to use than LEDE).

I've followed the instructions to set up two guest networks, one each on the 2.4 and 5 GHZ radios. I've set up each on their own bridge and turned on the DHCP server for each.

I can connect and use the 2.4GHZ radio but can't connect to the 5GHZ radio. I've tried multiple configurations including unbridged AP isolation but get the same result each time.

If anyone can point me in the right direction I'd be thankful.

I'll continue to look through the forums to see if I can resolve this.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Wed Mar 22, 2017 18:13    Post subject: Reply with quote
Do you have both guest networks on different subnets?
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

PostPosted: Wed Mar 22, 2017 19:17    Post subject: Reply with quote
mrjcd wrote:
Do you have both guest networks on different subnets?


Yes - one's on 192.168.2.1/24 and the other's on .3.1/24. I can connect to and use the first one (which is on the 2.4 radio). I can't connect to the second one (which is on the 5 radio).
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Wed Mar 22, 2017 19:44    Post subject: Reply with quote
Robnw wrote:
mrjcd wrote:
Do you have both guest networks on different subnets?


Yes - one's on 192.168.2.1/24 and the other's on .3.1/24. I can connect to and use the first one (which is on the 2.4 radio). I can't connect to the second one (which is on the 5 radio).

Does it broadcast?
Tries connect but no IP address?
Just don't connect at all???
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

PostPosted: Wed Mar 22, 2017 19:52    Post subject: Reply with quote
Does it broadcast? - yes both do
Tries connect but no IP address? - tried connecting but won't connect at all (on the second one, the first connects just fine)
Just don't connect at all??? - correct
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Wed Mar 22, 2017 20:15    Post subject: Reply with quote
Rather than me asking a ton of questions why don't we just see what it's doing.
telnet / ssh / or I reckon if you want can run from Administration page - command tab
Run these one at a time and copy what they return.
Don't have to include any static DHCP leases from dnsmasq.conf
Code:
cat /tmp/dnsmasq.conf

Code:
iptables -t nat -L

Code:
iptables -vnL FORWARD
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

PostPosted: Wed Mar 22, 2017 22:55    Post subject: Reply with quote
Thank you for your help @mrjcd. Outputs below.

Edit: note that it's BR2 that's not working correctly. BR0 and BR1 seem to work fine. BR1 is the first guest network.

cat /tmp/dnsmasq.conf:

interface=br0,br1,br2
resolv-file=/tmp/resolv.dnsmasq
strict-order
domain=ReillyWood.net
dhcp-leasefile=/tmp/dnsmasq.leases
dhcp-lease-max=154
dhcp-option=br0,3,192.168.1.1
dhcp-option=br1,3,192.168.2.1
dhcp-option=br2,3,192.168.3.1
dhcp-authoritative
dhcp-range=br0,192.168.1.100,192.168.1.149,255.255.255.0,1440m
dhcp-range=br1,192.168.2.100,192.168.2.149,255.255.255.0,3600m
dhcp-range=br2,192.168.3.100,192.168.3.149,255.255.255.0,3600m
<static DHCPs removed>
stop-dns-rebind

iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere S010698ded0fbe578.vn.shawcable.net tcp dpt:20499 to:192.168.1.8:32400
DNAT tcp -- anywhere S010698ded0fbe578.vn.shawcable.net tcp dpt:https to:192.168.1.9:443
DNAT tcp -- anywhere S010698ded0fbe578.vn.shawcable.net tcp dpt:50500 to:192.168.1.9:50500
DNAT tcp -- anywhere S010698ded0fbe578.vn.shawcable.net tcp dpt:24906 to:192.168.1.139:24906
DNAT udp -- anywhere S010698ded0fbe578.vn.shawcable.net udp dpt:24906 to:192.168.1.139:24906
DNAT udp -- anywhere S010698ded0fbe578.vn.shawcable.net udp dpt:58683 to:192.168.1.141:58683
DNAT udp -- anywhere anywhere udp dpt:domain to:208.67.222.222
DNAT tcp -- anywhere anywhere tcp dpt:domain to:208.67.222.222
DNAT udp -- anywhere anywhere udp dpt:domain to:208.67.222.222
DNAT tcp -- anywhere anywhere tcp dpt:domain to:208.67.222.222
DNAT udp -- anywhere anywhere udp dpt:domain to:64.59.150.137
DNAT tcp -- anywhere anywhere tcp dpt:domain to:64.59.150.137
DNAT udp -- anywhere anywhere udp dpt:domain to:64.59.150.137
DNAT tcp -- anywhere anywhere tcp dpt:domain to:64.59.150.137
DNAT icmp -- anywhere S010698ded0fbe578.vn.shawcable.net to:192.168.1.1
DNAT udp -- anywhere S010698ded0fbe578.vn.shawcable.net udp dpt:58683 to:192.168.1.141:58683
DNAT tcp -- anywhere S010698ded0fbe578.vn.shawcable.net tcp dpt:20499 to:192.168.1.8:32400
TRIGGER 0 -- anywhere S010698ded0fbe578.vn.shawcable.net TRIGGER type:dnat match:0 relate:0
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT 0 -- 192.168.1.0/24 anywhere to:50.68.230.104
SNAT 0 -- 192.168.2.0/24 anywhere to:50.68.230.104
SNAT 0 -- 192.168.3.0/24 anywhere to:50.68.230.104

iptables -vnL FORWARD

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
113 17981 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.8 tcp dpt:32400
34 1755 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.9 tcp dpt:443
16 864 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.9 tcp dpt:50500
33 1885 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.139 tcp dpt:24906
1851 96932 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.139 udp dpt:24906
69 9453 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.141 udp dpt:58683
829K 578M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP 0 -- ath1.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
0 0 DROP 0 -- ath0.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
0 0 ACCEPT 47 -- * eth0 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * eth0 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
158 19644 ACCEPT 0 -- br1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br2 * 0.0.0.0/0 0.0.0.0/0
11822 1999K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
39 2948 ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
11760 1977K ACCEPT 0 -- br0 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br1 eth0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br2 eth0 0.0.0.0/0 0.0.0.0/0
0 0 TRIGGER 0 -- eth0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
23 18996 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 DROP 0 -- br0 ath0.1 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- br0 ath1.1 0.0.0.0/0 0.0.0.0/0 state NEW
23 18996 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
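
An added example (not part of any post in this thread) that replays the FORWARD listing above with first-match semantics, to see which rule decides the fate of a new connection from a guest bridge to the main LAN. It assumes that traffic from a VAP enslaved to a bridge reaches FORWARD with the bridge (br1/br2) as its input interface, and that user-defined chains such as lan2wan return without a verdict (their contents are not shown in the thread); the probe addresses are constructed.

```python
import ipaddress

# Excerpt of the `iptables -vnL FORWARD` listing posted above (port forwards omitted).
FORWARD = """\
829K 578M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP 0 -- ath1.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
0 0 DROP 0 -- ath0.1 * 0.0.0.0/0 192.168.1.0/24 state NEW
158 19644 ACCEPT 0 -- br1 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- br2 * 0.0.0.0/0 0.0.0.0/0
11822 1999K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
"""
# Constructed probe: a new connection from a br2 guest to a host on the main LAN.
PKT = {"in": "br2", "out": "br0", "src": "192.168.3.120", "dst": "192.168.1.50",
       "proto": "tcp", "dport": 445, "state": "NEW"}

def parse(listing):
    """Turn each rule line into a dict; 'Chain' and column-header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or f[0] in ("Chain", "pkts"):
            continue
        rules.append({"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                      "src": ipaddress.ip_network(f[7]), "dst": ipaddress.ip_network(f[8]),
                      "extra": f[9:]})
    return rules

def matches(rule, pkt):
    """Interface, protocol, address, conntrack state and dpt: matching only."""
    ok = (rule["in"] in ("*", pkt["in"]) and rule["out"] in ("*", pkt["out"])
          and rule["proto"] in ("0", "all", pkt["proto"])
          and ipaddress.ip_address(pkt["src"]) in rule["src"]
          and ipaddress.ip_address(pkt["dst"]) in rule["dst"])
    for i, tok in enumerate(rule["extra"]):
        if tok == "state":
            ok = ok and pkt["state"] in rule["extra"][i + 1].split(",")
        elif tok.startswith("dpt:"):
            ok = ok and tok[4:] == str(pkt["dport"])
    return ok

def verdict(rules, pkt):
    """First matching ACCEPT/DROP/REJECT decides; other targets are assumed to return."""
    for n, rule in enumerate(rules, 1):
        if rule["target"] in ("ACCEPT", "DROP", "REJECT") and matches(rule, pkt):
            return rule["target"], n
    return "POLICY", 0

print(verdict(parse(FORWARD), PKT))  # ('ACCEPT', 5)
```

Under those assumptions the probe is accepted by the unrestricted `br2 *` rule, while the two DROP rules that protect 192.168.1.0/24 only match the ath0.1/ath1.1 interface names; interface wildcards (`+`) and negated matches are not handled.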
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Wed Mar 22, 2017 23:31    Post subject: Reply with quote
Might be a bit of tangle w/ath1.1 & br2 * br1
I would highly recommend do away with the br1 & br2.
Best way to do it right would be reset router and start over.
If you got a ton of static leases setup and a backup nvram that don't have the guest networks you could start there.

If you don't want to reset then delete both added DHCP, save & apply.
Delete assigned bridges..save
Delete br1 & br2..save & apply setting
reboot router and follow ---
Set guest up using the unbridged section in wireless settings. It has all been working very well for a while now.
http://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners
Pics on right side of that page are handy.

Net isolation works fine and will keep guest off main network plus they cannot access the router.
No need to add any firewall rules --- is done for you.

If you need to access a server / printer / or something on main LAN from guest network you can add rule for that ... just ask.
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

PostPosted: Wed Mar 22, 2017 23:38    Post subject: Reply with quote
Thank you again.

Your link is to the first method I tried. When it didn't work, I then tried the bridge method. My apologies for not mentioning that earlier.

With the unbridged method, I get similar but worse results. I can connect fine to ath0.1 but can't connect to ath1.1. Also, once I've got the 2nd DHCP set up for ath1.1, then my WAN won't connect. In both cases, I can see the two VAPs from my home laptop but can only connect to ath0.1.

Not that I think this is it, but can I confirm that when setting up my multiple DHCPs, I ONLY add for the VAPs and NOT for the AP?
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Wed Mar 22, 2017 23:47    Post subject: Reply with quote
Robnw wrote:
Thank you again.

Your link is to the first method I tried. When it didn't work, I then tried the bridge method. My apologies for not mentioning that earlier.

With the unbridged method, I get similar but worse results. I can connect fine to ath0.1 but can't connect to ath1.1. Also, once I've got the 2nd DHCP set up for ath1.1, then my WAN won't connect. In both cases, I can see the two VAPs from my home laptop but can only connect to ath0.1.

Not that I think this is it, but can I confirm that when setting up my multiple DHCPs, I ONLY add for the VAPs and NOT for the AP?

yea DHCP is setup for br0 which should cover everything.
You just add DHCP for the VAP.
I haven't used the Archer C7 so I am limited what else I can say. Must be something specific with it.
I assume you have done a proper 'erase nvram' / reset sometime recently???
You might try newest build 31722.
Did this conf work on any previous build?

31722 and many builds back guest network work fine for me. I run both ath0.1 & ath1.1 on the WNDR3700v4 & the EA8500.
Hope someone knows about the Archer C7 can tell you more.

EDIT: I just don't get your Chain FORWARD with eth0
Is eth0 the WAN on those routers???
Everything I have is either
vlan1 or eth0 = LAN
vlan2 or eth1 = WAN
oh well...


Last edited by mrjcd on Thu Mar 23, 2017 0:09; edited 1 time in total
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

PostPosted: Wed Mar 22, 2017 23:58    Post subject: Reply with quote
I did a "restore factory defaults" in between the unbridged and bridged attempts, does that count?

I'll give the latest fw a try at some point and let you know what happens.

This is my first install of DD-WRT and first time setting up two guest networks.

In your multiple guest network setups, are you setting up one each on 2.4 and 5?

In any case, thank you for your help. It's greatly appreciated. If I find a solution I'll post it here.

For now, I'll shut down ath1.1 since it's not useful.
redhawk0
DD-WRT Guru


Joined: 04 Jan 2007
Posts: 11563
Location: Wherever the wind blows- North America

PostPosted: Thu Mar 23, 2017 1:19    Post subject: Reply with quote
Enable WMM support, turn on Protection mode and set up RTS/CTS on the Virtual side.


It's the only way I could get my AP to reliably work on the hotel network.

redhawk

_________________
The only stupid question....is the unasked one.
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

PostPosted: Thu Mar 23, 2017 3:22    Post subject: Reply with quote
Thanks redhawk0.

I gave this a try on ath1.1 and though there's a slight difference in the connecting, the net is that I still can't connect on this VAP.

FYI, the slight difference is that without these settings, when I try to connect from my (win10) laptop, I get a message similar to "can't connect" after about 5-10 seconds. With these settings in place on ath1.1, I get no such message, just stuck at "trying to connect".

Robnw
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Thu Mar 23, 2017 14:46    Post subject: Reply with quote
Is this an Archer c7 v1 or v1.1????
I think dd-wrt had problems w/ its 5GHz that may not all be fixed...I dunno

DD-WRT build r30880 both radio seem work fine for guest w/ Archer c7v2
see here > http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1058754#1058754
Note: He is using as a WAP not a gateway
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

PostPosted: Thu Mar 23, 2017 15:14    Post subject: Reply with quote
mrjcd wrote:
Is this an Archer c7 v1 or v1.1????
I think dd-wrt had problems w/ its 5GHz that may not all be fixed...I dunno

DD-WRT build r30880 both radio seem work fine for guest w/ Archer c7v2
see here > http://www.dd-wrt.com/phpBB2/viewtopic.php?p=1058754#1058754
Note: He is using as a WAP not a gateway


v2. The 5GHZ works fine on its own, it's just the VAP that's not working.

One thing I haven't tried yet (on top of the updated FW) is removing the 2.4GHZ VAP and just having the 5GHZ VAP. I'll give that a try today.

Robnw