@mrjcd - I was reading through some of the posts linked above and came across one of your posts about config of 2 guest LANs, but in a config without the WAN port configured. In it you mention not using multiple DHCPs (nor using bridging) and setting up DNSMasq and IPTables. Do you think this approach could work in my case?
Robnw
Yea you could not use the multiple DHCPd server and just input the correct interface + IP & DHCP range in Additional DNSMasq Option but I don't think that is the problem ...hmm I dunno.
This is the old way of doing things but firewall rules should be same -
http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
Don't use firewall rules for a WAP
Doing this you're probably better off leaving both VAPs bridged in wireless settings and go back to a br1 setup as described but don't use multiple DHCPd.
Builds of last year or so auto input needed firewall for unbridged VAP and using 'net isolation' works great so if you try using both (unbridged + added rules) it will probably run into itself
Might try 1 VAP at a time see how it works ....
r30880 still didn't work for you???
EDIT: Base firewall for br 1 to work for WAN enabled router
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
Last edited by mrjcd on Fri Mar 24, 2017 1:01; edited 1 time in total
Thanks. I haven't tried r30880 yet. Was hoping to find a good 2-4 hours without others using it in case something goes wrong with the upgrade.
I suspect the problem is specific to the 5GHZ radio and not the 2nd VAP. I removed both VAPs and other related setup info, then set up just the 5GHZ VAP using unbridged, WPA2, and the one additional DHCP server and still couldn't connect.
I've gone back to just the one 2.4GHZ VAP (unbridged) and it seems to be working fine.
That's what I would try first ... it would be good info to know if that works
'cause 31571 otherwise works well for me, do you know if I lose anything downgrading to 30880?
Also, am I correct that I should NOT restore my backed up 31571 config once I've done the downgrade to 30880?
Robnw
Shouldn't matter usually --- but in your case I would want to start from scratch.
I don't know that router and its quirks -- they all seem to have something that differs from another
If twas mine, I would install the 30880 over what I had just to see what happens.
If that wasn't good I'd then reset and create a couple VAPs to test.
This is of course easy if this router is not being used by others or is not the main.
If you have a lot that would be a pain to reconf then delete everything that has to do with the VAPs, bridges, added DHCP
... do a reboot and then save a good nvrambak.bin
There are things done in networking that don't always go away when disabling...although not as bad as some broadcom devices
... best course of action would be reset it. If you don't and something doesn't seem quite right you will always have
that little itch eating at you
I may have told you wrong about firewall for a br1 setup on these newer builds.
Haven't tinkered with this much in a while but this looks good now if you want both guest networks on same subnet.
I'm using r31722 on a WNDR3700v4 to setup ath0.1 & ath1.1 assigned to br1.
All is good and net isolation works good to prevent access to any other devices on main subnet.
But br1 does have access to its router. Prevent this by adding firewall rules:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
That's all you need and it's good to go.
NOTE: this build / this router some things don't work as expected.
Some settings in the 'Networking' page will disappear when you click the 'Save' button.
Notably one is the input for IP & subnet mask. You have to click 'Apply Settings' to get it to
stick....think I remember the multiple DHCP at bottom doing same thing ...but it works when you get it to take
do a reboot when all is configured and it's all good
If not using MAC clone go to the MAC clone page and click enable. There will be hex numbers already there.
Take last two numbers of WAN and put as the last two numbers for wireless. Now minus one (-1) from that number and use in the last place for the WAN MAC.
Basically what these two show is that we are moving the WAN to the wireless and doing a -1 on what is in as WAN.
Hey... Backup your settings first. I have no idea if this will fix your router. It works for mine but they are a whole lot of difference.
Good luck
No, wasn't using MAC Clone. Thought it was only for the WAN connection.
Heading for dinner. Will look at this in a couple of hours.
Thank you again for the suggestion.
Yea --- well MACs have been a problem for a while. Seems to affect some routers more so than others.
I use WAN MAC clone on my main router and hardly ever causes a problem unless I do a reset and I don't pay much attention to the others.
tatsuya opened a ticket about this a while back
http://svn.dd-wrt.com/ticket/5603
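The br1 rules posted earlier in this thread (REJECT for telnet, ssh, www and https on INPUT) can be checked against the ruleset the router is actually running. The script below is an added example, not part of the thread: it reads `iptables -S INPUT` output and lists which of those four ports the guest bridge can still reach. The function name and the sample rulesets are constructed for illustration.

```shell
# Added example, not from the thread. Reads `iptables -S INPUT` text on stdin and
# prints the management ports the given interface can still reach on the router.
# Limits: jumps to custom chains, multiport and port ranges are not evaluated.
MGMT_PORTS="23 22 80 443"   # numeric telnet, ssh, www, https

unblocked_mgmt_ports() {    # usage: iptables -S INPUT | unblocked_mgmt_ports br1
    awk -v ifc="$1" -v ports="$MGMT_PORTS" '
    BEGIN { n = split(ports, want, " ") }
    $1 != "-A" || $2 != "INPUT" { next }
    {
        inif = ""; neg = 0; dport = ""; proto = ""; target = ""; st = ""
        for (i = 3; i < NF; i++) {
            if ($i == "-i") { inif = $(i+1); neg = ($(i-1) == "!") }
            else if ($i == "--dport") dport = $(i+1)
            else if ($i == "-p") proto = $(i+1)
            else if ($i == "-j") target = $(i+1)
            else if ($i == "--state" || $i == "--ctstate") st = $(i+1)
        }
        # Skip rules for other interfaces and rules that cannot match NEW traffic.
        if (inif != "" && (neg ? (inif == ifc) : (inif != ifc))) next
        if (st != "" && st !~ /NEW/) next
        if (proto != "" && proto != "tcp") next
        for (k = 1; k <= n; k++) {
            p = want[k]
            if ((p in verdict) || (dport != "" && dport != p)) continue
            # First terminating rule wins, as in the kernel rule walk.
            if (target == "REJECT" || target == "DROP") verdict[p] = "blocked"
            else if (target == "ACCEPT") verdict[p] = "open"
        }
    }
    END {
        for (k = 1; k <= n; k++)
            if (verdict[want[k]] != "blocked") out = out (out == "" ? "" : " ") want[k]
        print out
    }'
}

# Constructed sample rulesets (not captured from a real router).
SAMPLE_BEFORE='-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br1 -j ACCEPT'
SAMPLE_AFTER="-A INPUT -i br1 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
$SAMPLE_BEFORE"

echo "before: $(printf '%s\n' "$SAMPLE_BEFORE" | unblocked_mgmt_ports br1)"
echo "after:  $(printf '%s\n' "$SAMPLE_AFTER" | unblocked_mgmt_ports br1)"
```

An empty result means every listed port hits a REJECT or DROP before any ACCEPT for that interface; a port that is printed either has no explicit block or is accepted first.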