2.4 and 5 GHz SSIDs in separate subnets with only one on VPN

@m0eb@
DD-WRT User


Joined: 26 Dec 2015
Posts: 289

PostPosted: Thu Sep 13, 2018 5:14    Post subject: 2.4 and 5 GHz SSIDs in separate subnets with only one on VPN
I am trying isolate the 2.4GHz band on 192.168.1.x and 5GHz band on 192.168.2.x

Tried using the multiWLAN wiki - but the current dd-wrt does not allow me to set the IP address range when I configure as a new bridge (br1).

Any suggestions?

Purpose:
One subnet will be in OpenDNS with parental control.
Other subnet will be in VPN (anonymous)


Last edited by @m0eb@ on Sun Sep 16, 2018 12:22; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12839
Location: Netherlands

PostPosted: Thu Sep 13, 2018 17:53
There are two ways to approach this, the modern way (not necessarily better), on the wireless interface tick "unbridged" after save and apply a box will open to fill in the IP address, head over to Setup/Networking and on the bottom add DHCP server with the interface you created (i.e. wl0 or wl0.1)

Alternatively on Setup/Networking, Create Bridge (add) i.e br1, save apply, then assign the interface you want to that bridge, on the Setup/Networking/Port Setup, fill in the IP address for br1 and on the bottom add a dhcp server for br1.

I must confess it is a long time ago that I read the wiki, so this is just my take

@mrjcd has made an excellent guide.

If you still have problems I will dig up my notes and @Kong's and @mrjcd's that should surely work

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
slice1900
DD-WRT User


Joined: 18 Feb 2013
Posts: 99

PostPosted: Thu Sep 13, 2018 19:23
If you want to isolate each on a separate network why are you creating a br1 bridge? The only bridge you should have is br0, which is your LAN. Assuming you want 2.4 GHz as part of br0 using 192.168.1.x then you would add the interface for 2.4 GHz to br0. The 5 GHz interface you would leave alone, and set its address to 192.168.2.x and add the additional DHCP as described.
@m0eb@
DD-WRT User

PostPosted: Fri Sep 14, 2018 13:26
egc wrote:
There are two ways to approach this, the modern way (not necessarily better), on the wireless interface tick "unbridged" after save and apply a box will open to fill in the IP address, head over to Setup/Networking and on the bottom add DHCP server with the interface you created (i.e. wl0 or wl0.1)


That worked. Thanks.
Didn't realise it would be that simple. I was trying a long and circuitous route. Hehehehe.

egc wrote:
@mrjcd has made an excellent guide.

Can you forward the link? Extra information is always welcome

I am trying to configure the router so that 2.4 GHz is on OpenDNS with parental controls with a few IP addresses bypassed. 5 GHz on some good anonymizer/VPN.
@m0eb@
DD-WRT User

PostPosted: Fri Sep 14, 2018 13:28
slice1900 wrote:
If you want to isolate each on a separate network why are you creating a br1 bridge? The only bridge you should have is br0, which is your LAN. Assuming you want 2.4 GHz as part of br0 using 192.168.1.x then you would add the interface for 2.4 GHz to br0. The 5 GHz interface you would leave alone, and set its address to 192.168.2.x and add the additional DHCP as described.


Right. That was me trying to extend my arm around the back of my head to catch my nose.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6268
Location: Texas

PostPosted: Fri Sep 14, 2018 13:48
@m0eb@ wrote:
egc wrote:
@mrjcd has made an excellent guide.

Can you forward the link? Extra information is always welcome

I am trying to configure the router so that 2.4 GHz is on OpenDNS with parental controls with a few IP addresses bypassed. 5 GHz on some good anonymizer/VPN.

The br1 method works well but usually need to add firewall rules to isolate it from main.

Here is the general method for guest networks and will isolate without adding FW rules--
https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

If you have setup as a WAP (wireless access point - WAN disabled)
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1047143#1047143

I assume you can separate the physical wireless interfaces the same way but most folks would never do that....
@m0eb@
DD-WRT User

PostPosted: Sat Sep 15, 2018 3:12
mrjcd wrote:

Here is the general method for guest networks and will isolate without adding FW rules--
https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners


Thanks !
@m0eb@
DD-WRT User

PostPosted: Sun Sep 16, 2018 4:53
mrjcd wrote:

The br1 method works well but usually need to add firewall rules to isolate it from main.


On second thoughts - using br1 seems to be the more preferred method for what I want to achieve. Please correct me if I see something wrong here...

br0:
1. DNS forced to OpenDNS via IP-Tables Firewall script:
Code:
iptables -t nat -I PREROUTING -i br0 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br0 -p udp --dport 53 -j DNAT --to 208.67.222.220

.....(still need to figure out how to put multiple DNS IP addresses instead of just one)

2. Isolation rules as per the Multi WLAN wiki to separate and isolate br0 and br1.

3. DDNS using DNS-o-MATIC to update OpenDNS with my ISP allocated dynamic IP address (external).

br1:
1. Open to the internet (There is no static DNS entry in the basic setup page). Firewall rules to accept all port 53 and 67 requests from br1
2. (Planned) put a VPN / Anonymizer here

Why I feel the br1 route is more preferred ...
As desired, I can allocate the LAN or any particular physical LAN connection, or any of my WiFi SSIDs to either br0 or to br1 and no further change required as the functionality of both br0 and br1 are tested. Now ... am I missing out something here? (I have a knack of doing this). Any expert's opinion will be of help here.
@m0eb@
DD-WRT User

PostPosted: Sun Sep 16, 2018 12:20    Post subject: Part A Solved ... Part B Remains
The wiki "Separate LAN And WLAN" came to my rescue. Link: https://wiki.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
For someone not working with routers as a profession, it is important to first read this wiki - understand what applies in his particular situation - and then start the work

I have now moved the 2.4 GHz SSID to a second bridge and this is in OpenDNS while the 5 GHz SSID, LAN etc are in the original bridge without OpenDNS.

Next step: To configure VPN on br1 (all except the 2.4GHz SSID). I have configured TorGuard VPN using firewall startup script. The VPN is working fine (speed issues yet to be tested). However, I am unable to isolate the br1 to not use the VPN. I tried the following lines on the firewall...
Code:
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i tun0 -o br1 -m state --state NEW -j DROP


These lines totally block the internet on br1. Can someone guide me with the correct lines to use on the firewall?
mrjcd
DD-WRT Guru

PostPosted: Sun Sep 16, 2018 12:36    Post subject: Re: Part A Solved ... Part B Remains
@m0eb@ wrote:
The wiki "Separate LAN And WLAN" came to my rescue. Link: https://wiki.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN
For someone not working with routers as a profession, it is important to first read this wiki - understand what applies in his particular situation - and then start the work

I have now moved the 2.4 GHz SSID to a second bridge and this is in OpenDNS while the 5 GHz SSID, LAN etc are in the original bridge without OpenDNS.

Next step: To configure VPN on br1 (all except the 2.4GHz SSID). I have configured TorGuard VPN using firewall startup script. The VPN is working fine (speed issues yet to be tested). However, I am unable to isolate the br1 to not use the VPN. I tried the following lines on the firewall...
Code:
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i tun0 -o br1 -m state --state NEW -j DROP


These lines totally block the internet on br1. Can someone guide me with the correct lines to use on the firewall?

see if this'll work ---try:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP

EDIT--
might need this in there also:
Code:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sun Sep 16, 2018 13:06
You need to implement "Policy Based Routing"

There is a PBR field in the GUI setup of the OpenVPN Client.
mrjcd
DD-WRT Guru

PostPosted: Sun Sep 16, 2018 13:09
Per Yngve Berg wrote:
You need to implement "Policy Based Routing"

There is a PBR field in the GUI setup of the OpenVPN Client.

That would certainly be the simple way rather than making complete other network interfaces to bypass the VPN
Per Yngve Berg
DD-WRT Guru

PostPosted: Sun Sep 16, 2018 13:22
Here is a tutorial from before the PBR was added to the GUI.

https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing
@m0eb@
DD-WRT User

PostPosted: Sun Sep 16, 2018 14:28    Post subject: Re: Part A Solved ... Part B Remains
mrjcd wrote:

see if this'll work ---try:
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP

EDIT--
might need this in there also:
Code:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP


First two lines were already there in my firewall. Added the second two lines.
Now - initially, I had internet on both br0 and br1. This was till the TorGuard settings took effect. After that - br0 showing VPN ... br1 lost internet.

Here's the total lines from my firewall:
Code:
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -t nat -I PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to 208.67.222.220
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 208.67.222.220
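Why the rule set above leaves br1 without Internet as soon as the tunnel comes up is easier to see with the chain laid out in the order the kernel actually walks it. Two things are at work: every line uses `-I`, so the FORWARD chain ends up in reverse script order (the `-i br1 ... NEW -j ACCEPT` line sits below the br1 DROP lines because it was inserted earlier), and iptables only filters after the routing table has already chosen the output interface. Once the OpenVPN client installs its default route, every br1 flow is routed to tun0, meets `-i br1 -o tun0 ... -j DROP`, and nothing in the filter table can send it to the WAN instead. That is exactly why Per Yngve Berg's policy-based routing is the right lever: it changes the routing decision rather than filtering its result. The toy simulator below is an added example written for this thread, not code from DD-WRT or any poster: it parses the poster's FORWARD lines (the nat and INPUT lines are kept only to show they are skipped), replays `-I`/`-A` ordering, and evaluates sample flows. The backtick substitutions are replaced with constructed values (WAN interface vlan2 for `get_wanface`, LAN 192.168.1.0/24 for the nvram values) and the destination 198.51.100.7 is a constructed Internet address.

```python
"""Toy model of the FORWARD chain built by the firewall script above.
Constructed example for this thread; not DD-WRT code and not the poster's."""
import ipaddress
import shlex

# The poster's FORWARD lines with the backtick substitutions replaced by
# constructed values (WAN iface vlan2, LAN 192.168.1.0/24). Two nat/INPUT
# lines are kept so the parser's skipping of other tables/chains is visible.
FIREWALL_SCRIPT = """
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
iptables -I FORWARD -i br0 -o vlan2 -j DROP
iptables -I INPUT -i tun0 -j REJECT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o tun0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -m state --state NEW -j DROP
iptables -t nat -I PREROUTING -i br1 -p udp --dport 53 -j DNAT --to 208.67.222.220
"""

NON_TERMINATING = {"TCPMSS"}   # mangles the packet, then falls through
OPT_TO_FIELD = {"-i": "in", "-o": "out", "-p": "proto", "--state": "state", "-j": "target"}


def parse_forward_rule(line):
    """Return (insert_at_head, rule) for a filter-table FORWARD line, else None.
    Only the options the script uses are understood; the rest are skipped."""
    tok = shlex.split(line)
    if not tok or tok[0] != "iptables":
        return None
    rule = dict.fromkeys(("in", "out", "proto", "state", "dst", "target"))
    table, chain, insert, i = "filter", None, False, 1
    while i < len(tok):
        t, arg = tok[i], (tok[i + 1] if i + 1 < len(tok) else None)
        if t == "-t":
            table = arg
        elif t in ("-I", "-A"):
            chain, insert = arg, (t == "-I")
        elif t in OPT_TO_FIELD:
            rule[OPT_TO_FIELD[t]] = arg
        elif t == "-d":
            rule["dst"] = ipaddress.ip_network(arg, strict=False)
        else:                  # -m state, --tcp-flags X Y, --dport, --to ...
            i += 1
            continue
        i += 2
    if table != "filter" or chain != "FORWARD":
        return None
    return insert, rule


def build_forward_chain(script):
    """Replay the script top to bottom: -I puts a rule at the head, -A at the
    tail, so a chain written entirely with -I ends up in reverse script order."""
    chain = []
    for line in script.strip().splitlines():
        parsed = parse_forward_rule(line)
        if parsed:
            insert, rule = parsed
            if insert:
                chain.insert(0, rule)
            else:
                chain.append(rule)
    return chain


def matches(rule, pkt):
    for key in ("in", "out", "proto", "state"):
        if rule[key] is not None and rule[key] != pkt[key]:
            return False
    return rule["dst"] is None or ipaddress.ip_address(pkt["dst"]) in rule["dst"]


def verdict(chain, pkt, policy="ACCEPT"):
    """First matching terminating target decides; chain policy otherwise."""
    for rule in chain:
        if matches(rule, pkt) and rule["target"] not in NON_TERMINATING:
            return rule["target"]
    return policy


def egress_interface(bridge, vpn_up, vpn_sources=None):
    """Routing picks the output interface before FORWARD is consulted. With the
    VPN up and no policy-based routing, every bridge's Internet traffic goes to
    tun0; with PBR only the listed sources do (the DD-WRT PBR field lists what
    should go through the tunnel). vlan2 stands in for the WAN interface."""
    if not vpn_up or (vpn_sources is not None and bridge not in vpn_sources):
        return "vlan2"
    return "tun0"


def internet_verdict(chain, bridge, vpn_up, vpn_sources=None):
    pkt = {"in": bridge, "out": egress_interface(bridge, vpn_up, vpn_sources),
           "proto": "tcp", "state": "NEW", "dst": "198.51.100.7"}  # constructed
    return verdict(chain, pkt)


CHAIN = build_forward_chain(FIREWALL_SCRIPT)

if __name__ == "__main__":
    for vpn_up, pbr in ((False, None), (True, None), (True, {"br0"})):
        for br in ("br0", "br1"):
            print(f"VPN up={vpn_up} PBR={pbr}: {br} -> Internet: "
                  f"{internet_verdict(CHAIN, br, vpn_up, pbr)}")
```

Running it reproduces the symptom reported above: with the tunnel down br1 reaches the Internet (the `-i br1 ... NEW -j ACCEPT` rule matches) while br0 is held back by its own `-o vlan2 DROP` kill switch; with the tunnel up br0 goes out through tun0 and br1 is dropped, because its only route now points at tun0. With policy-based routing listing only br0's network as VPN traffic, br1 is routed to the WAN again and the very same filter rules accept it.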
@m0eb@
DD-WRT User

PostPosted: Sun Sep 16, 2018 15:30
Per Yngve Berg wrote:
Here is a tutorial from before the PBR was added to the GUI.

https://wiki.dd-wrt.com/wiki/index.php/Policy_Based_Routing


I know many find this route easier. Perhaps due to familiarity, I find the firewall and script route easier. But yes - I need to overcome this and find other ways. Will read this wiki ... but first... "why should it not be possible via the firewall?" Somehow it feels so complete - just two lines of code necessary (maybe)