Joined: 18 Mar 2014 Posts: 12839 Location: Netherlands
Posted: Thu Sep 13, 2018 17:53 Post subject:
There are two ways to approach this. The modern way (not necessarily better): on the wireless interface, tick "unbridged"; after save and apply, a box will open to fill in the IP address. Then head over to Setup/Networking and at the bottom add a DHCP server with the interface you created (i.e. wl0 or wl0.1).
Alternatively, on Setup/Networking, Create Bridge (add), i.e. br1, save and apply, then assign the interface you want to that bridge. On Setup/Networking/Port Setup, fill in the IP address for br1 and at the bottom add a DHCP server for br1.
I must confess it is a long time ago that I read the wiki, so this is just my take.
If you want to isolate each on a separate network why are you creating a br1 bridge? The only bridge you should have is br0, which is your LAN. Assuming you want 2.4 GHz as part of br0 using 192.168.1.x then you would add the interface for 2.4 GHz to br0. The 5 GHz interface you would leave alone, and set its address to 192.168.2.x and add the additional DHCP as described.
There are two ways to approach this. The modern way (not necessarily better): on the wireless interface, tick "unbridged"; after save and apply, a box will open to fill in the IP address. Then head over to Setup/Networking and at the bottom add a DHCP server with the interface you created (i.e. wl0 or wl0.1).
That worked. Thanks.
Didn't realise it would be that simple. I was trying a long and circuitous route. Hehehehe.
egc wrote:
@mrjcd has made an excellent guide.
Can you forward the link? Extra information is always welcome.
I am trying to configure the router so that 2.4 GHz is on OpenDNS with parental controls with a few IP addresses bypassed. 5 GHz on some good anonymizer/VPN.
If you want to isolate each on a separate network why are you creating a br1 bridge? The only bridge you should have is br0, which is your LAN. Assuming you want 2.4 GHz as part of br0 using 192.168.1.x then you would add the interface for 2.4 GHz to br0. The 5 GHz interface you would leave alone, and set its address to 192.168.2.x and add the additional DHCP as described.
Right. That was me trying to extend my arm around the back of my head to catch my nose.
Can you forward the link? Extra information is always welcome.
I am trying to configure the router so that 2.4 GHz is on OpenDNS with parental controls with a few IP addresses bypassed. 5 GHz on some good anonymizer/VPN.
The br1 method works well, but you usually need to add firewall rules to isolate it from the main LAN.
.....(still need to figure out how to put multiple DNS IP addresses instead of just one)
2. Isolation rules as per the Multi WLAN wiki to separate and isolate br0 and br1.
3. DDNS using DNS-o-MATIC to update OpenDNS with my ISP allocated dynamic IP address (external).
br1:
1. Open to the internet (There is no static DNS entry in the basic setup page). Firewall rules to accept all port 53 and 67 requests from br1
2. (Planned) put a VPN / Anonymizer here
Why I feel the br1 route is preferable ...
As desired, I can allocate the LAN or any particular physical LAN connection, or any of my WiFi SSIDs, to either br0 or br1 with no further change required, as the functionality of both br0 and br1 is tested. Now ... am I missing something here? (I have a knack for doing this.) Any expert's opinion will be of help here.
Posted: Sun Sep 16, 2018 12:20 Post subject: Part A Solved ... Part B Remains
The wiki "Separate LAN And WLAN" came to my rescue. Link: https://wiki.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
For someone not working with routers as a profession, it is important to first read this wiki - understand what applies in his particular situation - and then start the work.
I have now moved the 2.4 GHz SSID to a second bridge and this is in OpenDNS while the 5 GHz SSID, LAN etc are in the original bridge without OpenDNS.
Next step: To configure VPN on br1 (all except the 2.4 GHz SSID). I have configured TorGuard VPN using the firewall startup script. The VPN is working fine (speed issues yet to be tested). However, I am unable to isolate br1 so that it does not use the VPN. I tried the following lines on the firewall...
Code:
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i tun0 -o br1 -m state --state NEW -j DROP
These lines totally block the internet on br1. Can someone guide me with the correct lines to use on the firewall?
Posted: Sun Sep 16, 2018 12:36 Post subject: Re: Part A Solved ... Part B Remains
@m0eb@ wrote:
The wiki "Separate LAN And WLAN" came to my rescue. Link: https://wiki.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
For someone not working with routers as a profession, it is important to first read this wiki - understand what applies in his particular situation - and then start the work.
I have now moved the 2.4 GHz SSID to a second bridge and this is in OpenDNS while the 5 GHz SSID, LAN etc are in the original bridge without OpenDNS.
Next step: To configure VPN on br1 (all except the 2.4 GHz SSID). I have configured TorGuard VPN using the firewall startup script. The VPN is working fine (speed issues yet to be tested). However, I am unable to isolate br1 so that it does not use the VPN. I tried the following lines on the firewall...
Code:
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i tun0 -o br1 -m state --state NEW -j DROP
These lines totally block the internet on br1. Can someone guide me with the correct lines to use on the firewall?
see if this'll work ---try:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
EDIT--
might need this in there also:
Code:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
Posted: Sun Sep 16, 2018 14:28 Post subject: Re: Part A Solved ... Part B Remains
mrjcd wrote:
see if this'll work ---try:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
EDIT--
might need this in there also:
Code:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
First two lines were already there in my firewall. Added the second two lines.
Now - initially, I had internet on both br0 and br1. This was till the TorGuard settings took effect. After that - br0 showing VPN ... br1 lost internet.
I know many find this route easier. Perhaps due to familiarity, I find the firewall and script route easier. But yes - I need to overcome this and find other ways. Will read this wiki ... but first... "why should it not be possible via the firewall?" Somehow it feels so complete - just two lines of code necessary (maybe)
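The remaining problem in the thread (br1 loses internet once tun0 becomes the default route, because FORWARD DROP rules can only block traffic, not send it elsewhere) is handled in this added example, which is not code from the thread or from DD-WRT. It adds policy routing, a technique the thread does not use, next to mrjcd's isolation rules, and assumes br1 is 192.168.2.0/24, the tunnel is tun0, routing table 100 is unused, and the WAN interface and gateway are supplied by the caller (on DD-WRT, get_wanface and nvram get wan_gateway, the latter an assumption).

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: route br1
# around the VPN tunnel with policy routing (not used in the thread;
# FORWARD DROP rules can only block, never redirect) and keep the br1
# isolation rules the thread posted. Assumptions: br1 is 192.168.2.0/24,
# the tunnel is tun0, routing table 100 is free, and the WAN interface
# and gateway are passed in (on DD-WRT: `get_wanface` and the assumed
# `nvram get wan_gateway`). DRY_RUN=1 prints the commands instead.
DRY_RUN="${DRY_RUN:-0}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# br1 clients use the WAN gateway directly even while tun0 is the
# default route in the main table: the rule at priority 100 is
# consulted before the main table (priority 32766).
br1_bypass_vpn() {
  wan_if="$1"; wan_gw="$2"; br1_net="${3:-192.168.2.0/24}"
  run ip route replace default via "$wan_gw" dev "$wan_if" table 100
  run ip rule add from "$br1_net" lookup 100 priority 100
  run ip route flush cache
  # NAT br1 to the WAN address rather than the tunnel address.
  run iptables -t nat -I POSTROUTING -s "$br1_net" -o "$wan_if" -j MASQUERADE
}

# Isolation rules as posted in the thread. -I inserts at the top of the
# chain, so the DROPs issued last are evaluated before the ACCEPT.
br1_isolate() {
  run iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
  run iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
  run iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
}

# Sanity check on the dry-run listing: reverse it into chain order and
# require both DROPs to sit above the ACCEPT. Returns 0 when correct.
check_isolate_order() {
  (DRY_RUN=1; br1_isolate) | sed '1!G;h;$!d' \
    | awk '/-j DROP/ { d++ } /-j ACCEPT/ { if (d < 2) exit 1 }'
}

# On the router: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
  br1_isolate
  br1_bypass_vpn "$(get_wanface)" "$(nvram get wan_gateway)"
fi
```

Run it once with DRY_RUN=1 to read the exact commands before applying them from the firewall script.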