Unbridged Guest Wifi on a secondary router

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
bqq100
DD-WRT Novice


Joined: 10 Jan 2016
Posts: 14

PostPosted: Sun May 27, 2018 21:39    Post subject: Unbridged Guest Wifi on a secondary router
For my home network I have my main router with WAN access in my living room, a managed switch in a utility room, and another router in the basement (no WAN connection). Both routers are connected to the switch, and all 3 devices have devices connected to them.

For my main wifi, I have both routers broadcasting to get the most amount of coverage

I am in the process of trying to set up an unbridged guest wifi network and I would like to broadcast from both routers as well.

The main wifi is working fine, but the secondary has no route to the internet.

Anyone have any tips on getting this set up? I think I need to set up tagging for the guest VLAN on both the basement router and managed switch to route to my primary router, but I don't know what to set up on my primary router.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Sun May 27, 2018 22:04    Post subject:
Is the secondary router connected LAN to LAN, or WAN to LAN wrt the primary router?
bqq100
DD-WRT Novice


Joined: 10 Jan 2016
Posts: 14

PostPosted: Mon May 28, 2018 0:40    Post subject:
eibgrad wrote:
Is the secondary router connected LAN to LAN, or WAN to LAN wrt the primary router?


LAN to LAN through the managed switch.

Primary <== Cat 6 ==> Switch <== Cat 6 ==> Secondary
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon May 28, 2018 0:49    Post subject:
In a LAN to LAN configuration, you route and NAT the guest network over the private network, then deny those guests the ability to specify any destination IPs on the private network.

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


I'm assuming, of course, you assigned the guests to bridge br1, as usually recommended in the wikis. If they are unbridged, then specify the AP/VAP network interface instead.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3795
Location: Netherlands

PostPosted: Mon May 28, 2018 10:19    Post subject:
Just to be sure, your secondary router should be set up like this: https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point

Attached my notes for setting up a Guest wifi (VAP), in your case the last chapter VAP on a WAP is what you have to look at (@Eibgrad already pointed you in that same direction)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
bqq100
DD-WRT Novice


Joined: 10 Jan 2016
Posts: 14

PostPosted: Tue May 29, 2018 2:35    Post subject:
eibgrad wrote:
In a LAN to LAN configuration, you route and NAT the guest network over the private network, then deny those guests the ability to specify any destination IPs on the private network.

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


I'm assuming, of course, you assigned the guests to bridge br1, as usually recommended in the wikis. If they are unbridged, then specify the AP/VAP network interface instead.


No, I had not bridged the 2.4/5 GHz VAPs. I was following the instructions in this wiki:
https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_+_abuse_control_for_beginners

After setting up br1 (which does make a lot more sense!) and using your firewall rules, it works like a charm!

Thanks for the help!
Mozzy77
DD-WRT Novice


Joined: 30 May 2019
Posts: 21

PostPosted: Thu May 30, 2019 14:15    Post subject:
Hi, I am trying to achieve the same as bqq100, which is why I am posting in this thread. I followed the instructions in this thread but cannot seem to get it to work.

My setup is as follows:
• two R7000s connected LAN-LAN
• both devices are running the DD-WRT v3.0-r37015M kongac 09/23/18 firmware.
• the primary R7000 (1st floor) functions as a router, WAN-port is connected to modem.
• the secondary R7000 (3rd floor) functions as access point.

The goal is to run two separate wireless networks on each router:
• Private wireless network (wl0 & wl1), two different SSIDs
• Guest wireless network (wl0.1 & wl1.1), two different SSIDs, traffic is routed through a VPN

I have this running nicely on the primary router:
• IP of router is 192.168.178.1
• DHCP is ON: 19.168.178.100 to 19.168.178.150
• VPN setup in the Open VPN Client: https://www.privateinternetaccess.com/helpdesk/guides/routers/dd-wrt-3/dd-wrt-openvpn-setup-2 step 13 and further.
• Guest networks setup as described here: https://medium.com/@libertylocked/dd-wrt-tricks-dedicated-wireless-virtual-access-point-for-openvpn-the-easy-way-6399fca14916 (no kill switch yet)
Interface wl0.1: IP 10.0.10.1/255.255.255.0
Interface wl1.1: IP 10.0.20.1/255.255.255.0
• With Policy based Routing (Open VPN Client) wl0.1/wl1.1 traffic is routed through the VPN:
10.0.10.128/25
10.0.20.128/25

I would like to do the same thing for the secondary R7000. Following the instructions in this thread, I cannot get internet access via wl0.1 and wl1.1 on the secondary R7000.
• IP of device is 192.168.178.2
• DHCP is OFF
• Private network on wl0/wl1 is working as expected.
• I have no VPN set up on the secondary R7000 (let's first get an internet connection on wl0.1 and wl1.1)
• Guest networks setup as:
○ Interface wl0.1: IP 10.0.30.1/255.255.255.0
○ Interface wl1.1: IP 10.0.40.1/255.255.255.0

To keep it simple I only experimented with the wl0.1 interface.
Adding the firewall rules (as described in this thread) and rebooting the device does not give an internet connection on wl0.1:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

Using the rules from this page (https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#Guest_Access_to_a_Network_Device) also does not yield an internet connection:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

What am I missing here?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Thu May 30, 2019 14:57    Post subject:
Mozzy77 wrote:
Hi, I am trying to achieve the same as bqq100, which is why I am posting in this thread. I followed the instructions in this thread but cannot seem to get it to work.

My setup is as follows:
• two R7000s connected LAN-LAN
• both devices are running the DD-WRT v3.0-r37015M kongac 09/23/18 firmware.
• the primary R7000 (1st floor) functions as a router, WAN-port is connected to modem.
• the secondary R7000 (3rd floor) functions as access point.

The goal is to run two separate wireless networks on each router:
• Private wireless network (wl0 & wl1), two different SSIDs
• Guest wireless network (wl0.1 & wl1.1), two different SSIDs, traffic is routed through a VPN

I have this running nicely on the primary router:
• IP of router is 192.168.178.1
• DHCP is ON: 19.168.178.100 to 19.168.178.150
• VPN setup in the Open VPN Client: https://www.privateinternetaccess.com/helpdesk/guides/routers/dd-wrt-3/dd-wrt-openvpn-setup-2 step 13 and further.
• Guest networks setup as described here: https://medium.com/@libertylocked/dd-wrt-tricks-dedicated-wireless-virtual-access-point-for-openvpn-the-easy-way-6399fca14916 (no kill switch yet)
Interface wl0.1: IP 10.0.10.1/255.255.255.0
Interface wl1.1: IP 10.0.20.1/255.255.255.0
• With Policy based Routing (Open VPN Client) wl0.1/wl1.1 traffic is routed through the VPN:
10.0.10.128/25
10.0.20.128/25

I would like to do the same thing for the secondary R7000. Following the instructions in this thread, I cannot get internet access via wl0.1 and wl1.1 on the secondary R7000.
• IP of device is 192.168.178.2
• DHCP is OFF
• Private network on wl0/wl1 is working as expected.
• I have no VPN set up on the secondary R7000 (let's first get an internet connection on wl0.1 and wl1.1)
• Guest networks setup as:
○ Interface wl0.1: IP 10.0.30.1/255.255.255.0
○ Interface wl1.1: IP 10.0.40.1/255.255.255.0

To keep it simple I only experimented with the wl0.1 interface.
Adding the firewall rules (as described in this thread) and rebooting the device does not give an internet connection on wl0.1:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

Using the rules from this page (https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#Guest_Access_to_a_Network_Device) also does not yield an internet connection:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

What am I missing here?


Make sure the guests on each wireless network interface (wl0.1 and wl1.1) have been assigned a default gateway that points to the WAP (10.0.30.1 and 10.0.40.1, respectively), and make sure the WAP has a default gateway on the LAN side that points to the primary router.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
Mozzy77
DD-WRT Novice


Joined: 30 May 2019
Posts: 21

PostPosted: Thu May 30, 2019 19:22    Post subject:
Thanks for the quick reply.

In Basic Setup on the secondary R7000 I have added the IP of the primary R7000 as Gateway and Local DNS.
And it WORKS!

Firewall rules:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I FORWARD -i wl1.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

For the VPN I have set up the OpenVPN client on the secondary R7000, the same way as on the primary R7000, but now with the Policy based Routing:
10.0.30.128/25
10.0.40.128/25

Adding these two subnets to the Policy based Routing of the primary R7000 did not route these subnets through the VPN.

Thanks for helping me out!
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5136
Location: Akershus, Norway

PostPosted: Thu May 30, 2019 19:52    Post subject:
Mozzy77 wrote:
For the VPN I have set up the OpenVPN client on the secondary R7000, the same way as on the primary R7000, but now with the Policy based Routing:
10.0.30.128/25
10.0.40.128/25

Adding these two subnets to the Policy based Routing of the primary R7000 did not route these subnets through the VPN.


Because you have turned on NAT, these packets will no longer have those source addresses when they reach the primary router.

Instead of NAT on the secondary router, you can add static routes on the primary:

10.0.30.0/24 gateway 192.168.178.2
10.0.40.0/24 gateway 192.168.178.2
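The thread arrives at two ways of running guests on a LAN-to-LAN secondary access point: eibgrad's NAT mode (SNAT the guest traffic to the AP's LAN address, then REJECT new connections from the guest interfaces into the private LAN) and Per Yngve Berg's routed mode (skip the SNAT so the primary router still sees the real 10.0.x.0 source addresses for its policy-based routing, and give the primary static routes for the guest subnets via the AP). The script below is an added example written for this thread, not code from the DD-WRT project or from any poster. It generates both rule sets from one function, emits the matching static-route commands for the primary, and includes the check eibgrad asked for at the end (does the AP itself have a default gateway?). Everything runs in dry-run mode by default: IPT is "echo iptables" so the rules are printed instead of applied, and the LAN address, netmask and route table text are constructed values matching the thread rather than output from nvram or ip on a real router. On a DD-WRT box you would set IPT=iptables and LAN_IP="$(nvram get lan_ipaddr)" in the Firewall script instead.

```sh
#!/bin/sh
# Guest-isolation rules for a LAN-to-LAN DD-WRT access point (added example).
# IPT defaults to a dry run; set IPT=iptables on the router to apply the rules.
IPT="${IPT:-echo iptables}"

# Constructed values: on a real router use $(nvram get lan_ipaddr) and
# $(nvram get lan_netmask). 192.168.178.2 is the AP address from the thread.
LAN_IP="${LAN_IP:-192.168.178.2}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"

# guest_rules MODE IFACE...
#   MODE "nat":    SNAT guest traffic to the AP's LAN address (eibgrad's rules).
#   MODE "routed": no SNAT; the primary must carry static routes for the guest
#                  subnets so that replies find their way back to the AP.
# In both modes guests may not open NEW connections to the private LAN;
# established/related replies to guest-initiated flows still pass.
guest_rules() {
    mode="$1"; shift
    case "$mode" in
        nat)
            # After this rule the primary router only ever sees $LAN_IP as the
            # source, which is why per-subnet policy routing on the primary
            # cannot match the guest subnets in NAT mode.
            $IPT -t nat -I POSTROUTING -o br0 -j SNAT --to "$LAN_IP"
            ;;
        routed) ;;
        *) echo "guest_rules: unknown mode '$mode'" >&2; return 2 ;;
    esac
    for ifc in "$@"; do
        $IPT -I FORWARD -i "$ifc" -d "$LAN_IP/$LAN_MASK" \
            -m state --state NEW -j REJECT
    done
}

# primary_static_routes AP_IP SUBNET...
#   Prints the static routes the primary router needs in routed mode, as
#   `ip route` commands (on DD-WRT these can also be entered under
#   Setup -> Advanced Routing).
primary_static_routes() {
    gw="$1"; shift
    for net in "$@"; do
        echo "ip route add $net via $gw"
    done
}

# has_default_gw ROUTE_TEXT
#   Returns 0 when the text of `ip route show` contains a default route.
#   Without one the AP cannot forward guest traffic anywhere (the symptom
#   Mozzy77 hit before adding the primary's address as Gateway).
has_default_gw() {
    printf '%s\n' "$1" | grep -q '^default via '
}

# Constructed route tables for the check above (not captured from a router).
SAMPLE_ROUTES_OK="default via 192.168.178.1 dev br0
192.168.178.0/24 dev br0 scope link src 192.168.178.2
10.0.30.0/24 dev wl0.1 scope link src 10.0.30.1"
SAMPLE_ROUTES_NOGW="192.168.178.0/24 dev br0 scope link src 192.168.178.2
10.0.30.0/24 dev wl0.1 scope link src 10.0.30.1"

# Dry-run demonstration when executed directly.
if [ "${0##*/}" = "guest_rules.sh" ]; then
    echo "# NAT mode:";    guest_rules nat wl0.1 wl1.1
    echo "# routed mode:"; guest_rules routed wl0.1 wl1.1
    echo "# on the primary:"; primary_static_routes 192.168.178.2 10.0.30.0/24 10.0.40.0/24
    has_default_gw "$SAMPLE_ROUTES_OK" && echo "# AP has a default gateway"
fi
```

Choosing between the modes is a trade: NAT mode needs nothing on the primary and hides the guest subnets entirely, while routed mode keeps the per-subnet source addresses the primary's policy-based routing relies on, at the cost of two static routes and the fact that the primary's own LAN-side firewall now sees 10.0.30.0/24 and 10.0.40.0/24 as directly reachable networks. The FORWARD REJECT rule is the isolation control in either mode, so verify it is present after every reboot, for instance with iptables -L FORWARD -v -n.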