2nd Guest Network problem - can't connect

Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

Posted: Thu Mar 23, 2017 17:51
@mrjcd - I was reading through some of the posts linked above and came across one of your posts about config of 2 guest LANs, but in a config without the WAN port configured. In it you mention not using multiple DHCPs (nor using bridging) and setting up DNSMasq and IPTables. Do you think this approach could work in my case?

Robnw
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Fri Mar 24, 2017 0:54
Robnw wrote:
@mrjcd - I was reading through some of the posts linked above and came across one of your posts about config of 2 guest LANs, but in a config without the WAN port configured. In it you mention not using multiple DHCPs (nor using bridging) and setting up DNSMasq and IPTables. Do you think this approach could work in my case?

Robnw


Yea you could not use the multiple DHCPd server and just input the correct interface + IP & DHCP range in Additional DNSMasq Option but I don't think that is the problem ...hmm I dunno.

This is the old way of doing things but firewall rules should be same -
http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
Don't use firewall rules for a WAP
Doing this you're probably better off leaving both VAPs bridged in wireless settings and go back to a br1 setup as described but don't use multiple DHCPd.

Builds of last year or so auto input needed firewall for unbridged VAP and using 'net isolation' works great so if try using both (unbridged + added rules) it will probably run into itself :)
Might try 1 VAP at a time see how it works ....

r30880 still didn't work for you???

EDIT: Base firewall for br 1 to work for WAN enabled router
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu


Last edited by mrjcd on Fri Mar 24, 2017 1:01; edited 1 time in total
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

Posted: Fri Mar 24, 2017 1:01
Thanks. I haven't tried r30880 yet. Was hoping to find a good 2-4 hours without others using it in case something goes wrong with the upgrade.

I suspect the problem is specific to the 5GHZ radio and not the 2nd VAP. I removed both VAPs and other related setup info, then set up just the 5GHZ VAP using unbridged, WPA2, and the one additional DHCP server and still couldn't connect.

I've gone back to just the one 2.4GHZ VAP (unbridged) and it seems to be working fine.

I'll give the R30880 a try in the next few days.

Robnw
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Fri Mar 24, 2017 1:03
Robnw wrote:
I'll give the R30880 a try in the next few days.

That's what I would try first ... it would be good info to know if that works :lol:
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

Posted: Fri Mar 24, 2017 15:50
mrjcd wrote:
Robnw wrote:
I'll give the R30880 a try in the next few days.

That's what I would try first ... it would be good info to know if that works :lol:


'cause 31571 otherwise works well for me, do you know if I lose anything downgrading to 30880?

Also, am I correct that I should NOT restore my backed up 31571 config once I've done the downgrade to 30880?

Robnw
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Fri Mar 24, 2017 16:07
Robnw wrote:
mrjcd wrote:
Robnw wrote:
I'll give the R30880 a try in the next few days.

That's what I would try first ... it would be good info to know if that works :lol:


'cause 31571 otherwise works well for me, do you know if I lose anything downgrading to 30880?

Also, am I correct that I should NOT restore my backed up 31571 config once I've done the downgrade to 30880?

Robnw

Shouldn't matter usually --- but in your case I would want to start from scratch.
I don't know that router and its quirks -- they all seem to have something that differs from another
If twas mine, I would install the 30880 over what I had just to see what happens.
If that wasn't good I'd then reset and create a couple VAPs to test.
This is of course easy if this router is not being used by others or is not the main.
If you have a lot that would be a pain to reconf then delete everything that has to do with the VAPs, bridges, added DHCP
... do a reboot and then save a good nvrambak.bin

There are things done in networking that don't always go away when disabling...although not as bad as some broadcom devices
... best course of action would be reset it. If you don't and something doesn't seem quite right you will always have
that little itch eating at you ;)
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

Posted: Fri Mar 24, 2017 17:28
Thank you @mrjcd.

Robnw
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Mar 26, 2017 0:26
I may have told you wrong about firewall for a br1 setup on these newer builds.
Haven't tinkered with this much in a while but this looks good now if you want both guest networks on same subnet.

I'm using r31722 on a WNDR3700v4 to setup ath0.1 & ath1.1 assigned to br1.
All is good and net isolation works good to prevent access to any other devices on main subnet.
But br1 does have access to its router. Prevent this by adding firewall rules:
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

That's all you need and it's good to go.
NOTE: this build / this router some things don't work as expected.
Some settings in the 'Networking' page will disappear when you click the 'Save' button.
Notably one is the input for IP & subnet mask. You have to click 'Apply Settings' to get it to
stick....think I remember the multiple DHCP at bottom doing same thing ...but it works when you get it to take :)
do a reboot when all is configured and it's all good

maybe it'll work on your C7
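
An added example, not part of the original thread: a check that the four REJECT rules from the post above actually take effect for the guest bridge, given the text of `iptables -L INPUT -n -v`. The function names `guest_mgmt_exposed` and `sample_listing` are hypothetical, the listing is constructed, and ports 23, 22, 80 and 443 assume telnet, ssh, www and https are on their default ports.

```shell
#!/bin/sh
# Added example: audit an `iptables -L INPUT -n -v` listing for router
# management ports that a guest bridge can still open a TCP connection to.
# Simplifications: source/destination addresses, port ranges (dpts:) and
# multiport matches are not evaluated, and a jump to a user chain counts as
# "not blocked" so that it gets reviewed by hand.

guest_mgmt_exposed() {   # $1 = guest interface, $2 = "port port ..."
    awk -v ifc="$1" -v ports="$2" '
    BEGIN { n = split(ports, want, " "); policy = "ACCEPT" }
    /^Chain INPUT/ && match($0, /policy [A-Z]+/) {
        policy = substr($0, RSTART + 7, RLENGTH - 7)
    }
    $1 ~ /^[0-9]+[KMG]?$/ {                 # rule lines start with a counter
        if ($6 != ifc && $6 != "*") next    # rule is for another interface
        if ($4 != "tcp" && $4 != "all") next
        # Rules limited to established traffic never match the first SYN.
        if ($0 ~ /state / && $0 !~ /state [A-Z,]*NEW/) next
        dpt = ""
        if (match($0, /dpt:[0-9]+/)) dpt = substr($0, RSTART + 4, RLENGTH - 4)
        for (i = 1; i <= n; i++)            # first matching rule wins
            if (!(want[i] in verdict) && (dpt == "" || dpt == want[i]))
                verdict[want[i]] = $3
    }
    END {
        for (i = 1; i <= n; i++) {
            v = (want[i] in verdict) ? verdict[want[i]] : policy
            if (v != "REJECT" && v != "DROP") { out = out sep want[i]; sep = " " }
        }
        print out
    }'
}

# Constructed listing: three of the four REJECT rules are present, www (80)
# was forgotten, and a later rule accepts everything arriving on br1.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 reject-with tcp-reset
    0     0 REJECT     tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 reject-with tcp-reset
    0     0 REJECT     tcp  --  br1    *       0.0.0.0/0            0.0.0.0/0           tcp dpt:23 reject-with tcp-reset
  412 39K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    7   420 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
EOF
}

# telnet, ssh, www, https as default ports; adjust if the GUI or SSH was moved.
sample_listing | guest_mgmt_exposed br1 "23 22 80 443"
```

An empty result means every listed port hits a REJECT or DROP before any ACCEPT; on the router, pipe the live `iptables -L INPUT -n -v` output into the function in place of `sample_listing`.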
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

Posted: Sun Mar 26, 2017 0:29
Thanks again. Once I can connect to the VAP 5G Radio, I'll give this a try.

Robnw
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Mar 26, 2017 0:32
Robnw wrote:
Thanks again. Once I can connect to the VAP 5G Radio, I'll give this a try.

Robnw

Don't think I ever asked if all MAC addresses are unique.
ath0
ath0.1
ath1
ath1.1
should all have different MACs
This has been a problem at times -----
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

Posted: Sun Mar 26, 2017 0:46
mrjcd wrote:
Robnw wrote:
Thanks again. Once I can connect to the VAP 5G Radio, I'll give this a try.

Robnw

Don't think I ever asked if all MAC addresses are unique.
ath0
ath0.1
ath1
ath1.1
should all have different MACs
This has been a problem at times -----


Not all different. As far as I know, all are the same. How do I set each to be different?

Robnw
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

Posted: Sun Mar 26, 2017 0:47
<edit>

OK - I see under Status/Wireless that ath0 and ath0.1 use the same MAC. ath1 has a different mac address.

But how to set this?

Robnw
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Mar 26, 2017 1:06
I assume you are not using MAC clone?

Some of these things have recently changed.
If you are using MAC clone look at this see if might help
http://mrjcd.com/junk/dd-wrt/WNDR3700v4/r31611-MACs.html

If not using MAC clone go to the MAC clone page and click enable. There will be hex numbers already there.
Take last two numbers of WAN and put as the last two numbers for wireless. Now minus one (-1) from that number and use in the last place for the WAN MAC.

Basically what these two shows we are moving the WAN to the wireless and doing a -1 on what is in as WAN.

Hey... Backup your settings first. I have no idea if this will fix your router. It works for mine but they are a whole lot of difference.
Good luck
Robnw
DD-WRT Novice


Joined: 22 Mar 2017
Posts: 39

Posted: Sun Mar 26, 2017 1:12
No, wasn't using MAC Clone. Thought it was only for the WAN connection.

Heading for dinner. Will look at this in a couple of hours.

Thank you again for the suggestion.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

Posted: Sun Mar 26, 2017 1:20
Robnw wrote:
No, wasn't using MAC Clone. Thought it was only for the WAN connection.

Heading for dinner. Will look at this in a couple of hours.

Thank you again for the suggestion.

Yea --- well MACs have been a problem for a while. Seems to affect some routers more so than others.
I use WAN MAC clone on my main router and hardly ever causes a problem unless I do a reset and I don't pay much attention to the others.
tatsuya opened a ticket about this a while back
http://svn.dd-wrt.com/ticket/5603
Page 2 of 3. All times are GMT.