Posted: Mon Jan 22, 2018 20:37 Post subject: VAP with separate IP no internet but see it in other router
Firmware: DD-WRT v3.0-r34311 std (12/29/17)
WiFi Device: ASUS AC3200
Connection: The ASUS is connected by the WAN port as an Access Point to the rest of the network
(The Setup->Basic Setup value for Connection Type is set to Automatic Configuration DHCP and the device has a static IP under the Router IP section of 1.2 and a Gateway of 1.1 which is a Juniper Router that manages internet access and DHCP addresses for non-guest devices).
WiFi: Physical WLAN users get 192.168.1.x
Guest WLAN users get 192.168.31.x
A route exists on the Juniper that points traffic for 31.x to the ASUS router
Thank you for the continued work on this firmware. It has been very useful the last few years we've been using it on an AC66u. Now we have a new set of devices and it's not working as desired.
I followed this excellent, simple, guide for deploying a VAP for a Guest network that provides a separate subnet to the guests, and keep them AP isolated.
Non-guest users work perfectly fine.
Guests have no Internet access.
Users connecting on the physical WLAN get an IP assigned (1.x) by a Juniper brand router that controls internet access. The ASUS passes the DHCP request nicely.
Users joining the virtual WLAN signal get an IP from the ASUS (31.x subnet) according to the instructions in the link noted above.
On the Juniper logs, I can clearly see the guest devices appearing in the log (192.168.31.49 for example). When they try to browse, I can see DNS requests to 208.67.222.222 from 192.168.31.49 have a RESP result. But the guest gets no web page.
I can successfully ping from another device on the non-guest network (1.x) to 31.2 (the Gateway for the guest network).
But if I try to Ping 8.8.8.8 from the guest device (31.49 for example), it has 100% loss. So it seems to be:
The ASUS receives a request from 31.49 (for example)
The ASUS 31.2 passes that to itself through 1.2
That passes through to the Juniper at 1.1
The Juniper sends it to the web
The Juniper gets a reply
The Juniper sends it back to ASUS
The ASUS does NOT finish by providing the result back to the guest
Is there something in that Guide that is now incorrect / out of date to make this work? Do I need to do some manual adding of rules or commands? Various older posts talk about IP tables but they don't seem to apply to what the current firmware is supposed to be able to do. The tutorial listed above makes no mention of a need to do extra commands.
Any help would be appreciated, thanks folks.
Last edited by jhsd on Tue Jan 23, 2018 16:45; edited 3 times in total
I see what you mean by the WAN question there so I updated my original post to add more specifics about the way the WAN port is defined in the Basic settings and so on. So yes, the Juniper did already have a route in place pointing back to the 31.x subnet. In fact, I can Ping from any device in 1.x to the 31.x gateway address for the guest subnet.
So I tried those steps where it uses bridging, and sadly still have no throughput for the guest to internet side. However, I am going to try them yet again because it was late last night when I did it, and you know.. maybe I missed something from being burned out on this struggle all day.
JXM - The post you listed speaks about changing the WAN connection drop-down to Disabled and then checking a box that says "Assign Wan Port to Switch". I do not see that Switch check box option though. It could be it won't show up unless I change that WAN connection box to disabled, not sure. I can't do that right now because it will cut off users who are on the non-guest side. I'll have to wait another 5 hours for the place to close before I can take down the working non-guest side with tests like that.
Many thanks again for your suggestions. I'll let you know what comes from tests I can do now, and if no luck there, from the ones I have to wait for until tonight.
I wish the Wiki posts had dates and firmware version details right at the top in bold to help readers nail down if they have the most current tips and applicable version steps!
Interesting.. I'm drawing from the terminology I see on the router configuration pages themselves. So for example, here is a copy from the Wireless->Basic page showing the WiFi signal for the non-guest users and for the virtual.
Within it, you see below the Wireless mode is described as "AP" which I would think meant Access Point mode? No?
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
Changing the Wireless Mode to "Client" and clicking save wiped out the VAPs, and there was no option to create new ones. So that was of no value/function.
Restoring it to "AP" and setting the WAN port to Disabled and Checking the box for use WAN as Switch made no difference - guests still get no Internet.
Meanwhile the Wiki for the "old" method also fails. It is polluted with various side notes that say "but this doesn't apply anymore since firmware Dec 2015" and so on.
So I am back at square one again - no internet for guests. What the hell do people use to setup the configuration for a Guest WiFi on a separate IP that works? It clearly is not correct as written in any of the Wikis. We're talking having done full factory reset, apply the settings, reboot, test, and nothing works for the guests, only the non-guests. It was never this ridiculously hard with the ac66u.
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
Thank you for your reply JWH7. But that refers to a very old firmware. I am running Firmware: v3.0-r34311 std (12/29/17)
What gives you that idea? It is for builds "23020 and later"; I updated that wiki info last month, specifically for the "AP or no WAN" rules. It was tested it on 33771, using WNDR4000 and WNDR4500v2, both set up as 2.4GHz CB + 5GHz AP+VAP, worked fine. _________________ #NAT/SFE/CTF: limited speed w/ DD#Repeater issues#DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo#
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
I just tried updating to Firmware: DD-WRT v3.0-r34578 std (01/19/1
No difference. No guest can access the internet.
I pulled out the old ac66u, which runs a much older firmware, turned it on, and it works perfectly.
I duplicated the settings I see on the 66u on the 3200 (as closely as possible.. the new firmware has some extra features). Still no internet for guests.
I am not wasting another 10 hours on this. Something is completely wrong with the wiki instructions, or the firmware, or both. At a minimum, Guest VAPs will not work for AC3200 routers.
My description as posted is that the VAP guests are not assigned an IP in the same subnet.
My reply was in regard to eibgrad's reply that you're using an AP setup:
eibgrad wrote:
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
If that's the case, since what you're doing now isn't working, then I suggest to reset and follow the wiki's "New DNSMasq Method" and "VAP with no WAN" instructions, which work, at least on the last build I tested.
eibgrad - the device won't be going for drives in the country. This is an office setting. I do consider myself very adept with networking - I've configured and maintain Juniper NS5gt's, SSG's, and SRX units with site to site tunnels, remote user VPNs, cisco switches and tons more. DD-WRT? It is not properly documented. This incredible scatter of information where you have to comb through, line by line, to see if what you are reading even applies to your model, your version, this month/this year is obscenely inefficient and has caused all this trouble. Good, current, accurate documentation would make all the difference.
This thread, with a post by mrjcd, created progress.
In Administration -> Commands -> Firewall
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
This enables the 2.4GHz WiFi signal.
The router has 3 channels (two 5GHz) so I also have a wl1.1 and a wl2.1 when I enable VAPs on those two other channels.
If I simply add this to the Services:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.31.1
dhcp-range=wl0.1,192.168.31.4,192.168.31.62,255.255.255.0,1h
interface=wl1.1
dhcp-option=wl1.1,3,192.168.31.1
dhcp-range=wl1.1,192.168.31.65,192.168.31.126,255.255.255.0,1h
AND this to the Firewall
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i wl1.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Only the wl0.1 clients work for guest access. Clients connecting on 1.1 do get an IP address, but no internet.
I also then tried this Firewall rule to tell it to NAT/Forward ANY wireless VAPS using a wildcard but the exact same problem exists - only the first wl0.1 channel works.
iptables -I FORWARD -i wl+ -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
If I remove the wl0.1 entries the wl1.1 then works.
So it seems, with those settings, only one channel signal can be used. What Firewall setting is needed to make more than one channel/vap work ?
.....If I simply add this to the Services:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.31.1
dhcp-range=wl0.1,192.168.31.4,192.168.31.62,255.255.255.0,1h
interface=wl1.1
dhcp-option=wl1.1,3,192.168.31.1
dhcp-range=wl1.1,192.168.31.65,192.168.31.126,255.255.255.0,1h.......
Well that will prolly drive DNSMasq completely mad
If you want multiple interfaces on same subnet you should do a bridge such as br1.
In wireless settings leave all as bridged and (unbridge them by) assigning 2 or more
interfaces to a single subnet via br1 or br2 in 'networking page' -- ex: wl0.1, wl1.1, etc.. to br1 and/or if you wanted
a 3rd subnet with two or more interfaces you would assign to br2 with its unique subnet.
My home network (EA8500) has only two subnets (excluding ovpn ser) ath0, ath1, & 3 LAN ports are main router subnet with
ath0.1, ath1.1, & 1 LAN port are all bridged to br1 in its own isolated network with internet. Isolated from main --- they communicate amongst themselves just fine since two chromecasts are on it with one TV on the wired port and many different wireless clients that I never have to worry about their traffic snooping on the main subnet.
Fairly easy once you get your head around it. This will help ===
https://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
This is very old from back in the WRT54G days .. although looks like someone may have updated it recently. I have no idea what may
have changed since I last looked at it but regardless you can get on the right track there.
Things to remember:
If using a WAN disabled device you cannot use 'multiple DHCP server' in 'Networking' page. Must be put in at 'DNSMasq Additional Options'.
Using multiple interfaces assigned to a bridge do not use net isolation --just trust me -- it will have a break on one of the interfaces
Pick and choose firewall rules from that page or get everything working to your needs and ask here if having trouble about a certain rule you believe not working.
Gonna mention this --- tried helping with a guest network a while back on a r7800 WAP and I don't believe he ever got it to work.
I realize you are broadcom but some units are 'just different'.
The mentioned setup works on all QCA or broadcom devices I use .... can't say 100% about yours.
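The two posts above describe the same guest setup from two angles: jhsd's per-VAP dnsmasq and iptables lines (which only ever worked for one VAP at a time), and mrjcd's advice to bridge all guest VAPs into one bridge and configure that bridge once. The script below is an added example written for this thread; it is not code from the thread, from the DD-WRT wiki or from the firmware. It generates the lines to paste into "DNSMasq Additional Options" and into Administration -> Commands -> Firewall for a guest bridge, assuming (as in mrjcd's post) that wl0.1, wl1.1 and wl2.1 have already been assigned to a bridge named br1 on the Networking page, that the main LAN is br0, and that the guest subnet is 192.168.31.0/24 with br1 at .1. Because `nvram get` only exists on the router, the LAN address and mask are read from the environment here, with defaults matching the ASUS in this thread (192.168.1.2, /24); the INPUT-chain lines are an addition beyond the thread's rules, closing guest access to the router itself except for DHCP and DNS.

```shell
#!/bin/sh
# Added example for this thread (not DD-WRT or wiki code): build the guest
# bridge configuration once, instead of one dnsmasq block and one firewall
# rule set per VAP. Assumed names: guest bridge br1, LAN bridge br0.
# LAN_IP / LAN_MASK stand in for `nvram get lan_ipaddr` / `nvram get lan_netmask`
# so the script can be run on a workstation; the defaults are constructed.
LAN_IP="${LAN_IP:-192.168.1.2}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"

# One dnsmasq block for the bridge. Two interface= stanzas handing out the same
# subnet on wl0.1 and wl1.1 is exactly what the thread warns confuses dnsmasq.
guest_dnsmasq_conf() {
    # $1 bridge, $2 gateway, $3 first lease, $4 last lease, $5 netmask
    printf 'interface=%s\n' "$1"
    printf 'dhcp-option=%s,3,%s\n' "$1" "$2"
    printf 'dhcp-range=%s,%s,%s,%s,1h\n' "$1" "$3" "$4" "$5"
}

# Firewall lines for the guest bridge. -I inserts at the top of a chain, so the
# lines are emitted in reverse order of evaluation: the DROP first, then the
# ACCEPT exceptions that must be checked before it.
guest_firewall_rules() {
    # $1 guest bridge; any further args are extra destination nets to keep
    # guests out of (e.g. a VPN or server subnet routed behind the Juniper)
    br="$1"; shift
    # guests may talk to the router only for DHCP and DNS, not its admin pages
    printf 'iptables -I INPUT -i %s -j DROP\n' "$br"
    printf 'iptables -I INPUT -i %s -p udp --dport 67 -j ACCEPT\n' "$br"
    printf 'iptables -I INPUT -i %s -p udp --dport 53 -j ACCEPT\n' "$br"
    printf 'iptables -I INPUT -i %s -p tcp --dport 53 -j ACCEPT\n' "$br"
    # no new guest connections into the main LAN subnet (thread's own rule,
    # written once against the bridge instead of once per VAP)
    printf 'iptables -I FORWARD -i %s -d %s/%s -m state --state NEW -j DROP\n' \
        "$br" "$LAN_IP" "$LAN_MASK"
    for net in "$@"; do
        printf 'iptables -I FORWARD -i %s -d %s -m state --state NEW -j DROP\n' "$br" "$net"
    done
    # source-NAT guest traffic leaving on br0 to the LAN address. One SNAT rule
    # covers every VAP behind br1; the thread's duplicate SNAT lines were redundant.
    printf 'iptables -t nat -I POSTROUTING -o br0 -j SNAT --to %s\n' "$LAN_IP"
}

# Run directly to print both paste-ready blocks; set GUEST_VAP_QUIET=1 to
# source the functions without output. Example: LAN_IP=192.168.1.2 sh guest_vap.sh
if [ "${GUEST_VAP_QUIET:-0}" != 1 ]; then
    echo '# DNSMasq Additional Options'
    guest_dnsmasq_conf br1 192.168.31.1 192.168.31.4 192.168.31.126 255.255.255.0
    echo
    echo '# Administration -> Commands -> Firewall'
    guest_firewall_rules br1
fi
```

Before pasting, confirm on the router that every guest VAP really sits in the bridge (`brctl show br1` should list wl0.1, wl1.1 and wl2.1); a VAP left unbridged keeps the thread's symptom of DHCP working but no forwarding. The Juniper still needs its existing route for 192.168.31.0/24 pointing at the ASUS only for diagnostics, since with SNAT the guests appear to it as the ASUS's own LAN address.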