Posted: Mon Feb 11, 2019 21:08 Post subject: Trouble isolating ath0.1 for iptables
This is all about wanting to set iptables rules for a subset of wireless devices on a dd-wrt router like a tp-link wdr3600 that's being used as an AP.
My main router is a dumb-but-fast one from comcast. I have all my wired machines running through it to take advantage of high speeds. I don't use its wireless at all, because I can't be sure it is secure. And there is no usable routing configuration available.
I'm trying to use the wdr3600 with dd-wrt for all my wireless devices, privileged and guest. I also want some of my guest devices to be reachable when a certain connection is initiated from the privileged side of my network.
An AP router by default in dd-wrt bridges everything into br0: ath0, ath0.1, vlan1, vlan2. A GUI setting and maybe some special hooks in dd-wrt make it possible to isolate ath0.1 as a guest when the router is used with NAT, but I don't think this covers my needs.
Iptables on dd-wrt can't address individual interfaces of a bridge (no physdev module?). Supposedly, I can unbridge ath0.1 in the gui. That does indeed show ath0.1 is no longer in br0. And I can configure a network address on the ath0.1 interface. But...
Signing on first to the ath0.1 SSID does not exhibit any traffic on ath0.1 in iptables (iptables counts and logs for -i ath0.1 show no traffic), even though ifconfig for ath0.1 shows some traffic. But the crazy thing is if I first sign on to the SSID of ath0 and then switch to the SSID of ath0.1, iptables does start to work for ath0.1 as expected until the next reboot or reconfig. Once iptables starts working, I'm able to make things work as I wish: separate address space, separate DHCP, isolation rules, privileged cross connection rules, etc. I'm sure I could set up a separate radio to do the isolation I want, but there are too many radios around here already.
But it isn't quite usable this way, having to address ath0 first. What is the missing step? What would make it unnecessary to hit ath0 first to get ath0.1 going?
_________________
dd-wrt on Netgear wndr3700v4
Joined: 23 Jul 2017 Posts: 697 Location: Brisbane, Australia
Posted: Tue Feb 12, 2019 2:55 Post subject:
Post your iptables rules. Could be a problem with the order of your rules... remember only the first rule that tests true is acted upon, and you may be adding rules to the end instead of inserting them at the top.
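As an added example (not code from either poster, and not dd-wrt's own scripts), here is a firewall script for the setup the first post describes: ath0.1 unbridged with its own subnet, guests kept off the private 10.0.x.x side but allowed out to the internet, and the private side allowed to open connections to guest hosts. It also shows the rule-ordering point raised in the reply: all rules live in dedicated chains that are flushed and rebuilt on every run, and a single jump is inserted at position 1 of FORWARD and INPUT, so appending inside those chains gives a fixed, readable order and re-running the script never stacks duplicate rules. The guest subnet 192.168.20.0/24, the br0/ath0.1 interface names, and the masquerade toward the upstream router (which has no route to the guest subnet) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example for this thread; not from the original posts or from dd-wrt.
# Treats an unbridged guest VAP as its own routed network:
#   - guest clients may reach the internet via the upstream router
#   - guest clients may NOT open connections to the private LAN or to the AP
#     itself (except DHCP and DNS, which the AP serves to them)
#   - private-LAN hosts MAY open connections to guest hosts; replies flow back
#
# Assumed names and addresses (adjust to your router; not taken from the thread):
GUEST_IF="${GUEST_IF:-ath0.1}"             # unbridged guest VAP
LAN_IF="${LAN_IF:-br0}"                    # bridge with ath0 + wired ports, uplink to main router
GUEST_NET="${GUEST_NET:-192.168.20.0/24}"  # subnet configured on the guest VAP
LAN_NET="${LAN_NET:-10.0.0.0/16}"          # private side (the thread's 10.0.x.x)
IPT="${IPT:-iptables}"                     # set IPT=echo to print rules instead of applying

# (Re)create a user chain: create it, or flush it if it already exists.
fresh_chain() {
  $IPT -N "$1" 2>/dev/null || $IPT -F "$1"
}

# Ensure exactly one jump to chain $2 sits at the top of built-in chain $1.
hook_chain() {
  $IPT -D "$1" -j "$2" 2>/dev/null
  $IPT -I "$1" 1 -j "$2"
}

apply_guest_rules() {
  # --- forwarded traffic (guest <-> LAN/internet); order matters within the chain ---
  fresh_chain GUEST_FWD
  # 1. Replies to already-allowed connections, in either direction.
  $IPT -A GUEST_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 2. Guests may not open anything toward the private LAN (routers included).
  $IPT -A GUEST_FWD -i "$GUEST_IF" -d "$LAN_NET" -j DROP
  # 3. Everything else from guests (the internet) leaves via the LAN bridge.
  $IPT -A GUEST_FWD -i "$GUEST_IF" -o "$LAN_IF" -j ACCEPT
  # 4. The privileged side may open connections to guest hosts.
  $IPT -A GUEST_FWD -i "$LAN_IF" -o "$GUEST_IF" -s "$LAN_NET" -j ACCEPT
  # 5. Anything else touching the guest VAP is dropped.
  $IPT -A GUEST_FWD -i "$GUEST_IF" -j DROP
  $IPT -A GUEST_FWD -o "$GUEST_IF" -j DROP
  hook_chain FORWARD GUEST_FWD

  # --- traffic from the guest VAP to the AP itself ---
  fresh_chain GUEST_IN
  $IPT -A GUEST_IN -i "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A GUEST_IN -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT   # DHCP
  $IPT -A GUEST_IN -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT   # DNS
  $IPT -A GUEST_IN -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
  $IPT -A GUEST_IN -i "$GUEST_IF" -j DROP                        # no web UI, ssh, ... from guests
  hook_chain INPUT GUEST_IN

  # --- source NAT (assumption): the upstream router has no route to GUEST_NET,
  #     so guest traffic leaving toward it is masqueraded behind the AP's LAN address.
  $IPT -t nat -D POSTROUTING -s "$GUEST_NET" -o "$LAN_IF" -j MASQUERADE 2>/dev/null
  $IPT -t nat -A POSTROUTING -s "$GUEST_NET" -o "$LAN_IF" -j MASQUERADE
}

# "sh guest-fw.sh --dry-run" prints the rules; "sh guest-fw.sh --apply" installs them.
case "${1:-}" in
  --dry-run) IPT=echo; apply_guest_rules ;;
  --apply)   apply_guest_rules ;;
esac
```

On dd-wrt the Firewall script box runs with no arguments, so there replace the final case block with a plain `apply_guest_rules` call. To confirm packets from the guest VAP are actually hitting the rules (the symptom in the first post), watch the per-rule counters with `iptables -vnL GUEST_FWD` and `iptables -vnL GUEST_IN` while a guest client is active. Because guest traffic is masqueraded, private-side hosts still need a route to the guest subnet via the AP (or the proxy-ARP arrangement the original poster mentions) before rule 4 is useful; that part is not shown here.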
Afterthought: after having written all the below, I am finding my scenario has worked correctly right away after the last two reboots, no need to address ath0 first. Is this going to be consistent or not?
There is one small unrelated problem: the firewall rules are not re-run after [Apply Settings] is done on the wireless config pages. That would be fine because iptables are not flushed. But my firewall rules include three echoes to configure proxy arp, and those settings disappear. I wonder if there are some other scenarios where those config settings are wiped out. I will work on some way not to need those. It would be easier if my main router could have routing rules.
I'd say no need to read further unless you're curious.
The device (currently a phone) is then able to access the internet but not the two routers or other devices on the routers (10.0.x.x), just as I prefer. Other devices can ping this device, and I assume could connect to it if it were listening.
So my only trouble seems to be that ath0.1 usually does not engage in iptables after a reboot/reload until after ath0 is first addressed. (afterthought: or maybe it does usually engage?)
_________________
dd-wrt on Netgear wndr3700v4
Joined: 16 Nov 2015 Posts: 2718 Location: UK, London, just across the river..
Posted: Tue Feb 12, 2019 10:28 Post subject:
I know it's off topic, but to save my ass... I decided to cut the struggle with guest network VAPs... and use a WAP, which of course needs another router in DDWRT-WAP mode.
The end line is.... it always works...!!!
_________________
Atheros
TP-Link WR740Nv1 ------ DD-WRT 33772 BS WAP/Switch (wired)
TP-Link WR1043NDv2 ------DD-WRT 40009 BS (AP,PPPoE,NAT,AD Blocking,AP Isolation,Firewall,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2 ------DD-WRT 40672 BS (AP,NAT,AD Blocking,Firewall,Wi-Fi OFF,Local DNS,Forced DNS,DoT)
TP-Link WR1043NDv2.......... Gargoyle OS 1.11.0 (AP,NAT,QoS,Quotas)
Netgear R7800 ------------DD-WRT 40270M 4.9 Kong (AP,NAT,AD-Blocking,AP&Net Isolation,Firewall,Local DNS,Forced DNS,DNSCrypt v2 x2)
Netgear R7000 ---------DD-WRT 40270M Kong (AP,NAT,AD-Blocking,Firewall,Local DNS,Forced DNS,DoT)
Stubby for DNS over TLS I DNSCrypt v2 via Entware by mac913