VAP with separate IP no internet but see it in other router

DD-WRT Forum Index -> Broadcom SoC based Hardware
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

PostPosted: Mon Jan 22, 2018 20:37    Post subject: VAP with separate IP no internet but see it in other router
Firmware: DD-WRT v3.0-r34311 std (12/29/17)
WiFi Device: ASUS AC3200
Connection: The ASUS is connected by the WAN port as an Access Point to the rest of the network
(The Setup->Basic Setup value for Connection Type is set to Automatic Configuration DHCP and the device has a static IP under the Router IP section of 1.2 and a Gateway of 1.1 which is a Juniper Router that manages internet access and DHCP addresses for non-guest devices).

WiFi: Physical WLAN users get 192.168.1.x
Guest WLAN users get 192.168.31.x
A route exists on the Juniper that points traffic for 31.x to the ASUS router

Thank you for the continued work on this firmware. It has been very useful the last few years we've been using it on an AC66u. Now we have a new set of devices and it's not working as desired.

I followed this excellent, simple, guide for deploying a VAP for a Guest network that provides a separate subnet to the guests, and keep them AP isolated.

https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

Non-guest users work perfectly fine.
Guest have no Internet access.

Users connecting on the physical WLAN get an IP assigned (1.x) by a Juniper brand router that controls internet access. The ASUS passes the DHCP request nicely.

Users joining the virtual WLAN signal get an IP from the ASUS (31.x subnet) according to the instructions in the link noted above.

On the Juniper logs, I can clearly see the guest devices appearing in the log (192.168.31.49 for example). When they try to browse, I can see DNS requests to 208.67.222.222 from 192.168.31.49 have a RESP result. But the guest gets no web page.

I can successfully ping from another device on the non-guest network (1.x) to 31.2 (the Gateway for the guest network).

But if I try to Ping 8.8.8.8 from the guest device (31.49 for example), it has 100% loss. So it seems to be:

The ASUS receives request from 31.49 (for example)
The ASUS 31.2 passes that to itself through 1.2
That passes through to the Juniper at 1.1
The Juniper sends it to the web
The Juniper gets a reply
The Juniper sends it back to ASUS
The ASUS does NOT finish by providing the result back to the guest


Is there something in that Guide that is now incorrect / out of date to make this work? Do I need to do some manual adding of rules or commands? Various older posts talk about IP tables but they don't seem to apply to what the current firmware is supposed to be able to do. The tutorial listed above makes no mention of a need to do extra commands.

Any help would be appreciated, thanks folks.


Last edited by jhsd on Tue Jan 23, 2018 16:45; edited 3 times in total
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

PostPosted: Tue Jan 23, 2018 16:57    Post subject:
Thank you for your replies JXM and EIBRGAD.

I see what you mean by the WAN question there so I updated my original post to add more specifics about the way the WAN port is defined in the Basic settings and so on. So yes, the Juniper did already have a route in place pointing back to the 31.x subnet. In fact, I can Ping from any device in 1.x to the 31.x gateway address for the guest subnet.

After my original post I continued searching, and found a page very much like the one you listed Eibgrad.
https://flashrouters.zendesk.com/hc/en-us/articles/115000967873-How-To-Setup-a-DD-WRT-Guest-Wireless-Network-On-Your-FlashRouter

So I tried those steps where it uses bridging, and sadly still have no throughput for the guest to internet side. However, I am going to try them yet again because it was late last night when I did it, and you know.. maybe I missed something from being burned out on this struggle all day.

JXM - The post you listed speaks about changing the WAN connection drop-down to Disabled and then checking a box that says "Assign Wan Port to Switch". I do not see that Switch check box option though. It could be it won't show up unless I change that WAN connection box to disabled, not sure. I can't do that right now because it will cut off users who are on the non-guest side. I'll have to wait another 5 hours for the place to close before I can take down the working non-guest side with tests like that.

Many thanks again for your suggestions. I'll let you know what comes from tests I can do now, and if no luck there, from the ones I have to wait for until tonight.

I wish the Wiki posts had dates and firmware version details right at the top in bold to help readers nail down if they have the most current tips and applicable version steps!
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

PostPosted: Tue Jan 23, 2018 17:54    Post subject:
Interesting.. I'm drawing from the terminology I see on the router configuration pages themselves. So for example, here is a copy from the Wireless->Basic page showing the WiFi signal for the non-guest users and for the virtual.

Within it, you see below the Wireless mode is described as "AP" which I would think meant Access Point mode? No?



Wireless Physical Interface wl0 [5 GHz/802.11ac]
Physical Interface wl0 - SSID [OurWIFI]
Wireless Mode: AP
Wireless Network Mode: Mixed
Wireless Network Name (SSID): OurWIFI
Wireless Channel: Auto
Channel Width: Wide HT40 (40 MHz)
Extension Channel: lower upper
Wireless SSID Broadcast: Enable Disable
Optimize Multicast Traffic: Enable
Explicit Beamforming: Disable
Implicit Beamforming: Disable
Airtime Fairness: Disable
Network Configuration: Bridged

Virtual Interfaces
Virtual Interfaces wl0.1 SSID [GUEST]
Wireless Network Name (SSID): GUEST
Wireless SSID Broadcast: Enable
AP Isolation: Enable
Optimize Multicast Traffic: Disable
Network Configuration: Bridged
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

PostPosted: Tue Jan 23, 2018 18:42    Post subject:
eibgrad wrote:
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
Maybe this will help: https://www.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN
_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

PostPosted: Tue Jan 23, 2018 23:56    Post subject:
This is an absolutely infuriating nightmare.

Changing the Wireless Mode to "Client" and clicking save wiped out the VAPs, and there was no option to create new ones. So that was of no value/function.

Restoring it to "AP" and setting the WAN port to Disabled and Checking the box for use WAN as Switch made no difference - guests still get no Internet.

These instructions failed too:
https://stackoverflow.com/questions/31391724/dd-wrt-virtualap-with-guest-and-private-wifi-access-on-2nd-router
Clients couldn't even connect anymore. I don't think that post reflects anything correctly anymore. It speaks of IP tables and firewall commands to be done manually.

Meanwhile the Wiki for the "old" method also fails. It is polluted with various side notes that say "but this doesn't apply anymore since firmware Dec 2015" and so on.

So I am back at square one again - no internet for guests. What the hell do people use to setup the configuration for a Guest WiFi on a separate IP that works? It clearly is not correct as written in any of the Wikis. We're talking having done full factory reset, apply the settings, reboot, test, and nothing works for the guests, only the non-guests. It was never this ridiculously hard with the ac66u.

My setup is currently identical to this (including having AP isolation turned off right now):
https://flashrouters.zendesk.com/hc/en-us/articles/115000967873-How-To-Setup-a-DD-WRT-Guest-Wireless-Network-On-Your-FlashRouter
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

PostPosted: Wed Jan 24, 2018 0:02    Post subject:
jwh7 wrote:
eibgrad wrote:
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
Maybe this will help: https://www.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN


Thank you for your reply JWH7. But that refers to a very old firmware. I am running Firmware: v3.0-r34311 std (12/29/17)
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

PostPosted: Wed Jan 24, 2018 0:35    Post subject:
jhsd wrote:
Thank you for your reply JWH7. But that refers to a very old firmware. I am running Firmware: v3.0-r34311 std (12/29/17)
What gives you that idea? It is for builds "23020 and later"; I updated that wiki info last month, specifically for the "AP or no WAN" rules. It was tested on 33771, using WNDR4000 and WNDR4500v2, both set up as 2.4GHz CB + 5GHz AP+VAP, worked fine.
_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

PostPosted: Wed Jan 24, 2018 0:59    Post subject:
The page says:

"If the router is not used as a gateway (like an AP, thus WAN and DHCP are disabled, but the same subnet as the primary gateway router."

My description as posted is that the VAP guests are not assigned an IP in the same subnet.
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

PostPosted: Wed Jan 24, 2018 19:48    Post subject:
I just tried updating to Firmware: DD-WRT v3.0-r34578 std (01/19/18)

No difference. No guest can access the internet.

I pulled out the old ac66u, which runs a much older firmware, turned it on, and it works perfectly.

I duplicated the settings I see on the 66u on the 3200 (as closely as possible.. the new firmware has some extra features). Still no internet for guests.

I am not wasting another 10 hours on this. Something is completely wrong with the wiki instructions, or the firmware, or both. At a minimum, Guest VAPs will not work for AC3200 routers.
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2670
Location: Indy

PostPosted: Wed Jan 24, 2018 21:35    Post subject:
jhsd wrote:
My description as posted is that the VAP guests are not assigned an IP in the same subnet.
My reply was in regard to eibgrad's reply that you're using an AP setup:
eibgrad wrote:
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
If that's the case, since what you're doing now isn't working, then I suggest to reset and follow the wiki's "New DNSMasq Method" and "VAP with no WAN" instructions, which work, at least on the last build I tested.
_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

PostPosted: Thu Jan 25, 2018 22:14    Post subject:
EbGrad - the device won't be going for drives in the country. This is an office setting. I do consider myself very adept with networking - I've configured and maintain Juniper NS5gt's, SSG's, and SRX units with site to site tunnels, remote user VPNs, cisco switches and tons more. DD-WRT ? It is not properly documented. This incredible scatter of information where you have to comb through, line by line, to see if what you are reading even applies to your model, your version, this month/this year is obscenely inefficient and has caused all this trouble. Good, current, accurate documentation would make all the difference.


This thread, with a post by mrjcd created progress.

https://www.dd-wrt.com/phpBB2/viewtopic.php?p=1047143#1047143

In this post from Sept 15th 2016 are some screen shots for configuration pages, and some manual codes.

With only ONE antenna referenced for the manual configuration settings, the Guest Wifi WORKS.

IN Services -> Services -> Additional DNSMasq Options
interface=wl0.1
dhcp-option=wl0.1,3,192.168.31.1
dhcp-range=wl0.1,192.168.31.4,192.168.31.62,255.255.255.0,1h

IN Administration -> Commands -> Firewall
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`


This enables the 2.4ghz WiFi signal.
The router has 3 channels (two 5ghz) so I also have a wl1.1 and a wl2.1 when I enable VAPS on those two other channels.

If I simply add this to the Services:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.31.1
dhcp-range=wl0.1,192.168.31.4,192.168.31.62,255.255.255.0,1h
interface=wl1.1
dhcp-option=wl1.1,3,192.168.31.1
dhcp-range=wl1.1,192.168.31.65,192.168.31.126,255.255.255.0,1h

AND this to the Firewall
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i wl1.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

Only the wl0.1 clients work for guest access. Clients connecting on 1.1 do get an IP address, but no internet.

I also then tried this Firewall rule to tell it to NAT/Forward ANY wireless VAPS using a wildcard but the exact same problem exists - only the first wl0.1 channel works.

iptables -I FORWARD -i wl+ -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

If I remove the wl0.1 entries the wl1.1 then works.

So it seems, with those settings, only one channel signal can be used. What Firewall setting is needed to make more than one channel/vap work ?
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Fri Jan 26, 2018 1:12    Post subject:
jhsd wrote:
.....If I simply add this to the Services:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.31.1
dhcp-range=wl0.1,192.168.31.4,192.168.31.62,255.255.255.0,1h
interface=wl1.1
dhcp-option=wl1.1,3,192.168.31.1
dhcp-range=wl1.1,192.168.31.65,192.168.31.126,255.255.255.0,1h.......
Well that will prolly drive DNSMasq completely mad :P

If you want multiple interfaces on same subnet you should do a bridge such as br1.
In wireless settings leave all as bridged and (unbridge them by) assigning 2 or more
interfaces to a single subnet via br1 or br2 in 'networking page' -- ex: wl0.1, wl1.1, etc.. to br1 and/or if you wanted
a 3rd subnet with two or more interfaces you would assign to br2 with its unique subnet.

My home network (EA8500) has only two subnets (excluding ovpn ser) ath0, ath1, & 3 LAN ports are main router subnet with
ath0.1, ath1.1, & 1 LAN port are all bridged to br1 in its own isolated network with internet. Isolated from main --- they communicate amongst themselves just fine since two chromecasts are on it with one TV on the wired port and many different wireless clients that I never have to worry about their traffic snooping on the main subnet. :)

Fairly easy once you get your head around it. This will help ===
https://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
This is very old from back in the WRT54G days .. although looks like someone may have updated it recently. I have no idea what may
have changed since I last looked at it but regardless you can get on the right track there.

Things to remember:

If using a WAN disabled device you cannot use 'multiple DHCP server' in 'Networking' page. Must be put in at 'DNSMasq Additional Options'.

Using multiple interfaces assigned to a bridge do not use net isolation --just trust me -- it will have a break on one of the interfaces

Pick and choose firewall rules from that page or get everything working to your needs and ask here if having trouble about a certain rule you believe not working.

Gonna mention this --- tried helping with a guest network a while back on a r7800 WAP and I don't believe he ever got it to work.
I realize you are broadcom but some units are 'just different'.
The mentioned setup works on all QCA or broadcom devices I use .... can't say 100% about yours.

Good luck -
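A pre-flight check for the two text boxes this thread keeps pasting into, added here as an example for this page (it is not DD-WRT code and not from any poster). It parses the text meant for Services -> Additional DNSMasq Options and Administration -> Commands -> Firewall and reports the mistakes the last two posts turn on: several unbridged VAPs handed the same subnet (which mrjcd says to replace with one bridge, br1, carrying all of them), DHCP pools that overlap, an interface that gets DHCP but no FORWARD DROP toward the LAN (so guests could reach the non-guest subnet), a duplicated SNAT rule, and an nvram lookup opened with a backtick but closed with a single quote, which forum pastes tend to produce. It then emits the single-bridge configuration mrjcd describes. The function names, the sample input (modelled on the two-VAP configuration above, with a quoting slip added on purpose), the br1/192.168.31.x values and the assumption that the VAPs have already been assigned to br1 on the Networking page are mine, not the thread's.

```python
"""Pre-flight checker for a DD-WRT guest-VAP configuration (added example).

Hypothetical helper, not DD-WRT's own tooling. It reads the text destined for
Services -> Additional DNSMasq Options and Administration -> Commands ->
Firewall and reports the mistakes discussed in the thread before they are
pasted into the router.
"""
import ipaddress
import re

DHCP_RANGE = re.compile(r"^dhcp-range=([^,]+),([^,]+),([^,]+),([^,]+),")
FORWARD_DROP = re.compile(r"^iptables -I FORWARD -i (\S+) .*-j DROP", re.MULTILINE)

# Constructed sample input: modelled on the two-VAP configuration in the thread,
# with a deliberate backtick/quote slip in the SNAT lines (a common paste error).
TWO_VAP_DNSMASQ = """\
interface=wl0.1
dhcp-option=wl0.1,3,192.168.31.1
dhcp-range=wl0.1,192.168.31.4,192.168.31.62,255.255.255.0,1h
interface=wl1.1
dhcp-option=wl1.1,3,192.168.31.1
dhcp-range=wl1.1,192.168.31.65,192.168.31.126,255.255.255.0,1h
"""
TWO_VAP_FIREWALL = """\
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr'
iptables -I FORWARD -i wl1.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr'
"""


def parse_dhcp_ranges(dnsmasq_text):
    """Map each interface that has a dhcp-range line to (first_ip, last_ip, netmask)."""
    ranges = {}
    for line in dnsmasq_text.splitlines():
        m = DHCP_RANGE.match(line.strip())
        if m:
            iface, lo, hi, mask = m.groups()
            ranges[iface] = (ipaddress.ip_address(lo), ipaddress.ip_address(hi), mask)
    return ranges


def check_config(dnsmasq_text, firewall_text):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    ranges = parse_dhcp_ranges(dnsmasq_text)

    # Several unbridged interfaces handed the same subnet: only one of them ends
    # up working. Bridge them (br1) and give the bridge a single range instead.
    by_subnet = {}
    for iface, (lo, _hi, mask) in ranges.items():
        net = ipaddress.ip_network(f"{lo}/{mask}", strict=False)
        by_subnet.setdefault(net, []).append(iface)
    for net, ifaces in by_subnet.items():
        if len(ifaces) > 1:
            findings.append(f"{', '.join(sorted(ifaces))} all serve {net}: "
                            "assign them to one bridge (e.g. br1) with a single dhcp-range")

    # Overlapping pools can hand out the same address twice.
    ordered = sorted(ranges.items(), key=lambda kv: kv[1][0])
    for (ia, (_lo_a, hi_a, _)), (ib, (lo_b, _hi_b, _)) in zip(ordered, ordered[1:]):
        if lo_b <= hi_a:
            findings.append(f"dhcp-range of {ia} overlaps dhcp-range of {ib}")

    # Every interface that gets DHCP must be blocked from opening connections
    # into the LAN, otherwise guests can reach the non-guest subnet.
    isolated = set(FORWARD_DROP.findall(firewall_text))
    for iface in ranges:
        covered = iface in isolated or any(
            p.endswith("+") and iface.startswith(p[:-1]) for p in isolated)
        if not covered:
            findings.append(f"{iface} has no FORWARD DROP rule toward the LAN")

    # A backtick closed with ' is an unterminated command substitution: the
    # shell rejects the line and the rule is never installed.
    snat_lines = []
    for line in firewall_text.splitlines():
        if re.search(r"`[^`']*'", line):
            findings.append(f"mismatched backtick/quote in: {line.strip()}")
        if "-j SNAT" in line:
            snat_lines.append(line.strip())
    if len(snat_lines) != len(set(snat_lines)):
        findings.append("duplicate SNAT rule; one POSTROUTING SNAT on br0 is enough")
    return findings


def bridged_guest_config(bridge, gateway, first, last):
    """Return (dnsmasq_text, firewall_text) for one guest bridge carrying all VAPs.

    Assumes (my assumption, not the thread's) that the VAPs were already assigned
    to `bridge` on the Networking page and that `gateway` is the bridge's address.
    """
    dnsmasq = "\n".join([
        f"interface={bridge}",
        f"dhcp-option={bridge},3,{gateway}",
        f"dhcp-range={bridge},{first},{last},255.255.255.0,1h",
    ])
    firewall = "\n".join([
        f"iptables -I FORWARD -i {bridge} -d `nvram get lan_ipaddr`/`nvram get lan_netmask` "
        "-m state --state NEW -j DROP",
        "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`",
    ])
    return dnsmasq, firewall


if __name__ == "__main__":
    for finding in check_config(TWO_VAP_DNSMASQ, TWO_VAP_FIREWALL):
        print("-", finding)
    print("\n".join(bridged_guest_config("br1", "192.168.31.1",
                                         "192.168.31.4", "192.168.31.126")))
```

Run it as-is and the two-VAP sample produces four findings (shared subnet, two quoting slips, duplicate SNAT); feed the output of bridged_guest_config back into check_config and it comes up clean. The wildcard form `-i wl+` from the post above is accepted as covering every wl* interface, so the checker does not complain about isolation in that case, only about the shared subnet.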