kalle_karlsson DD-WRT Novice Joined: 21 Jul 2010 Posts: 24
Posted: Mon Aug 13, 2018 15:16 Post subject: Guest Network - access restrictions
Hi!
I set up a guest network on a WRT3200 mainly following these guides:
https://flashrouters.zendesk.com/hc/en-us/articles/115000967873-How-To-Setup-a-DD-WRT-Guest-Wireless-Network-On-Your-FlashRouter
https://wiki.dd-wrt.com/wiki/index.php/Guest_Network
The WRT3200 is in AP mode behind a DSL modem/router.
The DHCP for the guest network provides the following IPs: 192.168.2.xxx
Everything works fine, but when logged in to the guest network, I still have access to my private IPs (192.168.1.xxx).
The firewall rules are as follows:
Code:
#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 25 -j DROP
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset
Almost the same configuration works alright on an old dd-wrt build on a WRT160NL, using DNSMasq.
Any ideas where my fault is?
/Karlsson
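As an added illustration (not code from the original post or from DD-WRT), the following Python model evaluates the FORWARD chain the way netfilter would: each `iptables -I` prepends to the chain, so rules are consulted in the reverse of the order they were typed, and the first terminating match decides the verdict. The nvram values (lan_ipaddr 192.168.1.1, lan_netmask 255.255.255.0), the sample flows and the default FORWARD policy of ACCEPT are constructed assumptions. The model can also omit the guest-to-LAN DROP to show what happens when that rule is absent, for example because iptables rejected its arguments and the command silently failed to install anything: guest-to-LAN traffic then falls through to the `-i br1 --state NEW -j ACCEPT` rule.

```python
"""Model of the poster's FORWARD chain (hypothetical, written for this thread).

Assumptions (constructed, not taken from a real router):
  - `nvram get lan_ipaddr`  -> 192.168.1.1
  - `nvram get lan_netmask` -> 255.255.255.0
  - FORWARD chain policy is ACCEPT
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN_IPADDR = "192.168.1.1"       # constructed stand-in for `nvram get lan_ipaddr`
LAN_NETMASK = "255.255.255.0"    # constructed stand-in for `nvram get lan_netmask`


@dataclass
class Rule:
    """One iptables rule; None means the match is not specified."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst: Optional[str] = None     # CIDR or "addr/netmask", as iptables accepts it
    state: Optional[str] = None   # conntrack state, e.g. "NEW"

    def matches(self, pkt: dict) -> bool:
        if self.in_if and pkt["in"] != self.in_if:
            return False
        if self.out_if and pkt["out"] != self.out_if:
            return False
        # iptables normalises 192.168.1.1/255.255.255.0 to 192.168.1.0/24;
        # strict=False does the same here.
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst, strict=False):
            return False
        if self.state and pkt["state"] != self.state:
            return False
        return True


class Chain:
    def __init__(self, policy: str = "ACCEPT"):
        self.rules = []
        self.policy = policy

    def insert(self, rule: Rule) -> None:
        """iptables -I with no index: prepend, so the last typed rule runs first."""
        self.rules.insert(0, rule)

    def verdict(self, pkt: dict) -> str:
        for rule in self.rules:          # first terminating match wins
            if rule.matches(pkt):
                return rule.target
        return self.policy               # nothing matched: chain policy applies


def build_forward_chain(include_guest_to_lan_drop: bool = True) -> Chain:
    """Recreate the post's FORWARD rules in the order they were typed.

    The TCPMSS rule is omitted: it is non-terminating and never decides a verdict.
    """
    chain = Chain(policy="ACCEPT")   # assumption: default FORWARD policy
    chain.insert(Rule("ACCEPT", in_if="br1", state="NEW"))               # guest -> anywhere
    chain.insert(Rule("DROP", in_if="br0", out_if="br1", state="NEW"))   # private -> guest
    if include_guest_to_lan_drop:                                        # guest -> private
        chain.insert(Rule("DROP", in_if="br1", dst=f"{LAN_IPADDR}/{LAN_NETMASK}", state="NEW"))
    return chain


# Constructed sample flows (interface names follow the post: br0 = private, br1 = guest).
SAMPLE_FLOWS = {
    "guest_to_lan_host": {"in": "br1", "out": "br0", "dst": "192.168.1.20", "state": "NEW"},
    "guest_to_internet": {"in": "br1", "out": "br0", "dst": "203.0.113.10", "state": "NEW"},
    "lan_to_guest":      {"in": "br0", "out": "br1", "dst": "192.168.2.50", "state": "NEW"},
}


def evaluate(include_guest_to_lan_drop: bool = True) -> dict:
    """Return the verdict for each sample flow under the given rule set."""
    chain = build_forward_chain(include_guest_to_lan_drop)
    return {name: chain.verdict(pkt) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, present in (("all rules loaded", True), ("guest->LAN DROP missing", False)):
        print(label)
        for flow, verdict in evaluate(present).items():
            print(f"  {flow:<20} {verdict}")
```

With every rule present the guest-to-LAN flow is dropped and the internet flow is accepted; with the guest-to-LAN DROP absent the same flow is accepted, which is exactly the symptom described in the post. A quick way to check a live router for this is `iptables -L FORWARD -v -n --line-numbers` and confirming the `-d 192.168.1.0/24` DROP is actually listed above the `br1` ACCEPT.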
kalle_karlsson DD-WRT Novice Joined: 21 Jul 2010 Posts: 24
Posted: Thu Aug 30, 2018 18:25 Post subject:
Anyone an idea?
/Karlsson
AmesJainchill DD-WRT Novice Joined: 10 Aug 2017 Posts: 38 Location: MI, USA
Posted: Thu Aug 30, 2018 20:11 Post subject:
I did it according to these instructions on my WRT3200ACM running BS 33986.
https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners
I just followed the Instructions section. Didn't get into the QoS section. Anything connected to my guest VAP cannot connect to any devices on my private LAN/SSIDs (NAS, PCs, printers, etc.). Just able to hit the internet. The Net Isolation option seems to be the kicker here.
EDIT:
This seems to be important too...
"Net isolation works ONLY on an unbridged interface on newer builds, starting from build:
Broadcom 23020, Atheros 24759, Mediatek (Ralink) 25934"
johnnyNobody999 DD-WRT Guru Joined: 10 Jan 2014 Posts: 504
Posted: Fri Aug 31, 2018 19:41 Post subject: WRT3200ACM WDS STATION
I was unable to set up a guest config on any WDS Station. The only thing that I could see being an issue is that the WDS Station doesn't have a checkbox for NAT. Guest config works fine on the router running as a WDS AP though.