Posted: Sun May 27, 2018 21:39 Post subject: Unbridged Guest Wifi on a secondary router
For my home network I have my main router with WAN access in my living room, a managed switch in a utility room, and another router in the basement (no WAN connection). Both routers are connected to the switch, and all 3 devices have devices connected to them.
For my main wifi, I have both routers broadcasting to get the most coverage.
I am in the process of trying to set up an unbridged guest wifi network and I would like to broadcast from both routers as well.
The main wifi is working fine, but the secondary has no route to the internet.
Anyone have any tips on getting this set up? I think I need to set up tagging for the guest VLAN on both the basement router and the managed switch to route to my primary router, but I don't know what to set up on my primary router.
In a LAN to LAN configuration, you route and NAT the guest network over the private network, then deny those guests the ability to specify any destination IPs on the private network.
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
I'm assuming, of course, you assigned the guests to bridge br1, as usually recommended in the wikis. If they are unbridged, then specify the AP/VAP network interface instead.
Hi, I am trying to achieve the same as bqq100, which is why I am posting in this thread. I followed the instructions in this thread but cannot seem to get it to work.
My setup is as follows:
• two R7000s connected LAN-LAN
• both devices are running the DD-WRT v3.0-r37015M kongac 09/23/18 firmware.
• the primary R7000 (1st floor) functions as a router, WAN-port is connected to modem.
• the secondary R7000 (3rd floor) functions as access point.
The goal is to run two separate wireless networks on each router:
• Private wireless network (wl0 & wl1), two different SSIDs
• Guest wireless network (wl0.1 & wl1.1), two different SSIDs, traffic is routed through a VPN
I would like to do the same thing for the secondary R7000. Following the instructions in this thread, I cannot get internet access via wl0.1 and wl1.1 on the secondary R7000.
• IP of device is 192.168.178.2
• DHCP is OFF
• Private network on wl0/wl1 is working as expected.
• I have no VPN set up on the secondary R7000 (let's first get an internet connection on wl0.1 and wl1.1)
• Guest networks setup as:
○ Interface wl0.1: IP 10.0.30.1/255.255.255.0
○ Interface wl1.1: IP 10.0.40.1/255.255.255.0
To keep it simple I only experimented with the wl0.1 interface.
Adding the firewall rules (as described in this thread) and rebooting the device does not give an internet connection on wl0.1:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
Using the rules from this page (https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#Guest_Access_to_a_Network_Device) also does not yield an internet connection:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
In Basic Setup on the secondary R7000 I have added the IP of the primary R7000 as Gateway and Local DNS.
And it WORKS!
Firewall rules:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I FORWARD -i wl1.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
For the VPN I have set up the OpenVPN client on the secondary R7000, the same way as on the primary R7000, but now with Policy based Routing:
10.0.30.128/25
10.0.40.128/25
Adding these two subnets to the Policy based Routing of the primary R7000 did not route these subnets through the VPN.
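Worked example, added here and not part of any post in this thread: a POSIX sh script that builds the SNAT and REJECT rules from the first reply for the secondary router's guest interfaces (wl0.1 and wl1.1, as in Mozzy77's setup) and includes a small subnet check that shows which destinations the FORWARD REJECT rule refuses and which ones get SNATed. The LAN address and mask are passed in as parameters (the thread's 192.168.178.2 / 255.255.255.0 are used as sample values) instead of being read with `nvram get`, so the script also runs off the router; the function names are my own, not DD-WRT's.

```shell
#!/bin/sh
# Added example, not code from the thread. Guest-isolation rules for a
# LAN-to-LAN secondary DD-WRT router. On the router, lan_ip/lan_mask would
# come from `nvram get lan_ipaddr` / `nvram get lan_netmask`; here they are
# parameters so the helpers can be exercised anywhere.

# Dotted quad -> integer, so subnet membership can be computed in plain sh.
# Runs in a subshell so the IFS change does not leak out.
ip2int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Exit 0 if IP $1 lies inside network $2 with dotted mask $3, else 1.
# This is the match the "-d lan_ip/lan_mask" FORWARD rule performs.
in_subnet() {
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Verdict for a new flow from a guest client to destination $1:
#   REJECT - destination is on the private LAN, FORWARD rule refuses it
#   SNAT   - anything else leaves br0 with the router's LAN IP as source
guest_verdict() {
  # $1 = destination IP, $2 = router LAN IP, $3 = LAN mask
  if in_subnet "$1" "$2" "$3"; then echo REJECT; else echo SNAT; fi
}

# Emit one SNAT rule plus one REJECT rule per guest interface.
# Interfaces are wl0.1, wl1.1, ... for unbridged VAPs, or br1 when bridged.
guest_rules() {
  lan_ip=$1; lan_mask=$2; shift 2
  echo "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $lan_ip"
  for ifc in "$@"; do
    echo "iptables -I FORWARD -i $ifc -d $lan_ip/$lan_mask -m state --state NEW -j REJECT"
  done
}

# Run the generated commands on the router (needs root and iptables);
# on DD-WRT this is what you would paste into the Firewall script box.
apply_guest_rules() {
  guest_rules "$@" | while read -r cmd; do $cmd; done
}

# Stand-alone demo: print the rules and two sample verdicts.
guest_rules 192.168.178.2 255.255.255.0 wl0.1 wl1.1
guest_verdict 192.168.178.10 192.168.178.2 255.255.255.0
guest_verdict 198.51.100.7 192.168.178.2 255.255.255.0
```

Two things the verdict function makes visible. First, the REJECT rule lives in FORWARD, so it only covers traffic passing through the secondary router; a guest talking to the router's own LAN address goes through INPUT instead and is not touched by this rule. Second, every flow that is not rejected is SNATed to 192.168.178.2, which is exactly why the primary router never sees 10.0.30.x or 10.0.40.x sources and a policy-based-routing entry for those subnets on the primary cannot match.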
Joined: 13 Aug 2013 Posts: 6866 Location: Romerike, Norway
Posted: Thu May 30, 2019 19:52 Post subject:
Mozzy77 wrote:
For the VPN I have set up the OpenVPN client on the secondary R7000, the same way as on the primary R7000, but now with Policy based Routing:
10.0.30.128/25
10.0.40.128/25
Adding these two subnets to the Policy based Routing of the primary R7000 did not route these subnets through the VPN.
Because you have turned on NAT, these packets will no longer have these source addresses when they reach the primary router.
Instead of NAT on the secondary router, you can add static routes on the primary: