[SOLVED] Guest Wifi on APs ...

rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Mon Oct 23, 2017 4:43    Post subject: [SOLVED] Guest Wifi on APs ...
Hi There,

this is a little too difficult for me to figure out:

I have 3 x R7000 (one MAIN / 2 x client APs) all of them are HARDWIRED to the MAIN ... which connects on the WAN side to my MODEM.

I used this tutorial to get all my APs talking to the MAIN without a problem allowing me to roam and hop from one router to the next transparently:

https://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point

Once I got everything running ... I wanted to ADD a GUEST-WiFi ... I started using this KONG tutorial (very simple ... for ONE router):

http://tips.desipro.de/2013/12/06/guest-wifi-setup-dd-wrt/

The GUEST Wifi works great on the MAIN router ... but when I try to set it up on the client APs I run into a problem:

The clients get an IP / DNS server etc. ... they can PING within the Guest WiFi ... however I do NOT get access to the WAN side of my main router?!

Please see attached the setting on one of the APs ... what is missing compared to the settings on the MAIN router is:

Code:
Masquerade / NAT [b]Enable[/b]  Disable


Any clues ... what to check / adjust ... to get this working?



p1.png




Last edited by rnio on Tue Oct 24, 2017 5:01; edited 1 time in total
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5399
Location: Texas

Posted: Mon Oct 23, 2017 5:25
Can't use multiple DHCP server on da wap.
See if this will help you ::::::: >
https://secure.dd-wrt.com/forum/viewtopic.php?t=277811&start=90&sid=49fa689cc15beda3b82478657805fdcf

good luck -


as a side note Google works ok..... that's how I found it......even though I remembered writing about it... didn't have a clue where it had gone off to.
Google can be your friend 8-)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7477
Location: Netherlands

Posted: Mon Oct 23, 2017 11:06
When using a different subnet for a VAP on a WAP (i.e. unbridged) I think you also have to do the natting yourself to get internet access by adding this to the firewall:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`


Not sure though, have to ask a real expert :)

_________________
Routers:Netgear R7800, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000 (converted WRT320N), WRT54GS v1.
WireGuard Documents & Guides:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327397
OpenVPN Documents & Guides: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327398
IPSET: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=327261
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
jhnmtrx
DD-WRT Novice


Joined: 23 Oct 2017
Posts: 1

Posted: Mon Oct 23, 2017 11:23
Read this:

https://pedrett.org/dd-wrt-gaestenetzwerk/
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5399
Location: Texas

Posted: Mon Oct 23, 2017 11:36
egc wrote:
When using a different subnet for a VAP on a WAP (i.e. unbridged) I think you also have to do the natting yourself to get internet access by adding this to the firewall:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`


Not sure though, have to ask a real expert :)


I'm no expert but that's all I use on my WAP which also has VLAN.
Probably shouldn't use Net Isolation on the VLAN & WAP....at least turn it off to see what you have.
Might be better to isolate with other rules.
I don't use it on mine but I only have 2 ports config in the 192.168.1.0 strictly used as a switch for debricking my screwups.
Net Isolation does not always work as you might expect on a WAP or when used if br1,br2, br.. also in the config
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 7477
Location: Netherlands

Posted: Mon Oct 23, 2017 11:38
Screwups you? Do not believe that ;)
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 5399
Location: Texas

Posted: Mon Oct 23, 2017 11:41
egc wrote:
Screwups you? Do not believe that ;)
every day :P
rnio
DD-WRT User


Joined: 21 Apr 2012
Posts: 94

Posted: Tue Oct 24, 2017 4:59
mrjcd wrote:
this will help you ::::::: >
https://secure.dd-wrt.com/forum/viewtopic.php?t=277811&start=90&sid=49fa689cc15beda3b82478657805fdcf


That was the missing piece :)

Once the DNSMasq options were configured (incl. the IMPORTANT firewall rule for NATTING) ... I got the Guest-WiFi clients connected to the internet:

Code:
interface=wl0.1
interface=wl1.1
dhcp-option=wl0.1,3,10.1.2.1
dhcp-option=wl1.1,3,10.1.5.1
dhcp-range=wl0.1,10.1.2.100,10.1.2.150,255.255.255.0,1h
dhcp-range=wl1.1,10.1.5.100,10.1.5.150,255.255.255.0,1h


Then with the additional firewall rules I made sure all the "Guests" will behave well :)

Code:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i wl1.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`


At the end I think one could have set up a NEW bridge and configured that ... however this was more straightforward ... using many built-in options.

Many thanks to the volunteers, who make the DD-WRT community what it is!
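
An added example, not part of any post in this thread: a small offline shell audit of the two things the final working setup depends on, namely that every interface named in the DNSMasq options has a FORWARD DROP rule towards the LAN, and that the SNAT rule is present. The function names are hypothetical, and the sample input is constructed from the settings posted above.

```shell
#!/bin/sh
# Added example: audit guest-AP settings as text, without touching a router.
# Sample input below is constructed from the configuration posted in the thread.
DNSMASQ_OPTS='interface=wl0.1
interface=wl1.1
dhcp-option=wl0.1,3,10.1.2.1
dhcp-option=wl1.1,3,10.1.5.1
dhcp-range=wl0.1,10.1.2.100,10.1.2.150,255.255.255.0,1h
dhcp-range=wl1.1,10.1.5.100,10.1.5.150,255.255.255.0,1h'
FIREWALL='iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i wl1.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`'

# Interfaces on which dnsmasq serves guest leases (the interface= lines).
guest_ifaces() {
    printf '%s\n' "$1" | sed -n 's/^interface=\([^,[:space:]]*\).*/\1/p' | sort -u
}

# Interfaces that have a FORWARD rule with -i IFACE, a -d destination and -j DROP.
isolated_ifaces() {
    printf '%s\n' "$1" | awk '
        $1 == "iptables" && /(-I|-A) FORWARD/ && / -d / && / -j DROP/ {
            for (i = 1; i < NF; i++) if ($i == "-i") print $(i + 1)
        }' | sort -u
}

# Guest interfaces that hand out leases but have no LAN-isolation rule.
unisolated() {
    iso=$(isolated_ifaces "$2")
    for ifc in $(guest_ifaces "$1"); do
        printf '%s\n' "$iso" | grep -qxF -- "$ifc" || printf '%s\n' "$ifc"
    done
}

# True if the rules contain the SNAT rule the guest subnets need to get out.
has_snat() {
    printf '%s\n' "$1" | grep -Eq -- '-t nat .*POSTROUTING .*-j SNAT'
}

missing=$(unisolated "$DNSMASQ_OPTS" "$FIREWALL")
if [ -n "$missing" ]; then
    echo "no LAN-isolation rule for: $missing"
else
    echo "all guest interfaces have a LAN-isolation rule"
fi
if has_snat "$FIREWALL"; then echo "SNAT rule present"; else echo "SNAT rule missing"; fi
```

The FORWARD rules only cover traffic routed through the AP into the LAN subnet; traffic addressed to the AP's own guest-side addresses (10.1.2.1 and 10.1.5.1 here) goes through the INPUT chain and is not affected by them.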