Posted: Sun Feb 10, 2019 22:44 Post subject: Multiple Guest Accounts With DNSMasq DHCP Server?
I'd like to have a guest VAP on both the 2.4 and 5 GHz radios. My Archer C7 (DD-WRT v3.0-r38535 std (01/31/19)) is running as a WAP and switch for a Roku and Ooma VOIP box, to which I lose connectivity when I replicate my 2.4 VAP setup for the 5 GHz radio. Network isolation doesn't work on the VAPs either when I do this. To add the second VAP (ath1.1)
In DNSMasq I add the second interface (ath1.1 below):
And in my firewall I add the second iptables line:
Code:
iptables -I FORWARD -i ath0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i ath1.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
And the 2.4 and 5 GHz VAPs are unbridged, with AP and Net isolation enabled. My WAN connection type is disabled, the WAN port is assigned to the switch, and the Advanced Router operating mode is "Router". Security on the VAPs is WPA2 AES (just like the WAPs).
Am I trying to do something that doesn't work and never will? Anyone get this working that can tell me what I'm doing wrong? Thank you for any help!
_________________
Linksys EA8500
Linksys EA6350v3
Edgerouter X
Do you also have ath0.1 IP as 10.10.12.1 and subnet mask 255.255.255.0 in its unbridged wireless settings, and the ath1.1 IP 10.10.13.1 with netmask 255.255.255.0? And did you reboot the router?
That should work, but I have never had an Archer C7, so I don't know...
EDIT:
Don't know why you want 2 separate guest networks anyway...
...if you want both radios for guest, then leave both VAPs bridged and in 'Networking' create the br1 network, then assign ath0.1 & ath1.1 to it.
On the WAP you still have to put the same IP & netmask as br1 in 'Networking' into the Additional DNSMasq options.
Be sure interface=br1... and so on.
Yes. I had ath[0.1 or 1.1] set up as 10.10.[12 or 13].1, unbridged, with 255.255.255.0 net mask in wireless settings. Might not have been a reboot in the mix [I think there was, but not sure], but I did save and then apply all settings and run the firewall commands explicitly before saving them to the firewall. I'll try again with a reboot and report back. Might be this weekend before I have time to mess around with it again.
You know, I never thought enough to realize I don't need two guest networks. I was thinking I needed to go the route I did, to utilize the network isolation check box instead of the "old" bridged network and lots of firewall rules approach to guest networks, but with two radios, yeah, cool - that makes a lot of sense. I'll experiment with that too this weekend [my kids have banned me from "fixing" the internet during the week when they have homework requiring it].
Thanks for the ideas mrjcd - I'm slowly learning enough to be dangerous! I couldn't have set up my last guest network without your help last time I hit the wall!
Posting a long past due update that I did get this to work on my Atheros Archer C7 running as a WAP (both radios providing a guest VAP), but I've given up getting the same setup to work on a Broadcom Archer C9 running as a WAP. I just can't figure out how to get a guest VAP on both wl0.1 and wl1.1.
ath0.1 and ath1.1 are assigned to br1; br1 IP is set to 10.23.42.1 on the C7 (and wl0.1 and wl1.1 to br1 and br1 IP to different subnet on the C9).
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Anyone know anything special about Broadcom units to get this to work?
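The br1 rules above cover guest-to-LAN forwarding and the SNAT, but they say nothing about the router's own services: FORWARD does not govern traffic addressed to the router itself, so a guest can still reach the WAP's web GUI or SSH on the br1 address unless INPUT is restricted too. The script below is an added example, not code posted in this thread or shipped with DD-WRT. It wraps the thread's two rules in a function, adds INPUT rules that allow guests only DHCP and DNS to the router, and takes the interface, LAN address and netmask as arguments so it can be previewed off-router with IPT=echo. On the router you would pass "$(nvram get lan_ipaddr)" and "$(nvram get lan_netmask)" as the thread does.

```shell
#!/bin/sh
# Added example (not from the thread): DD-WRT guest-bridge firewall rules for
# one guest interface (br1 in the thread's final setup).
# Set IPT=echo to print the rules instead of applying them.
# On the router: guest_fw br1 "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)"
IPT="${IPT:-iptables}"

# guest_fw GUEST_IF LAN_IP LAN_MASK
guest_fw() {
    gif="$1"; lan_ip="$2"; lan_mask="$3"
    # Refuse to run with a missing argument rather than emit a broken rule.
    [ -n "$gif" ] && [ -n "$lan_ip" ] && [ -n "$lan_mask" ] || return 2

    # Rules are inserted with -I, so each one lands ahead of the previous.
    # 1. Guests may not open new connections into the LAN (the thread's rule).
    $IPT -I FORWARD -i "$gif" -d "$lan_ip/$lan_mask" -m state --state NEW -j DROP
    # 2. Guest traffic leaving via br0 is source-NATed to the WAP's LAN address,
    #    so the upstream router needs no route back to the guest subnet.
    $IPT -t nat -I POSTROUTING -o br0 -j SNAT --to "$lan_ip"
    # 3. FORWARD does not protect the router itself: without INPUT rules a guest
    #    can still reach the web GUI/SSH on the guest-bridge IP. Drop everything
    #    arriving from the guest interface, then re-open only DHCP and DNS.
    $IPT -I INPUT -i "$gif" -j DROP
    $IPT -I INPUT -i "$gif" -p udp --dport 67 -j ACCEPT
    $IPT -I INPUT -i "$gif" -p udp --dport 53 -j ACCEPT
    $IPT -I INPUT -i "$gif" -p tcp --dport 53 -j ACCEPT
}
```

Because the INPUT DROP is inserted first and the ACCEPTs after it, the ACCEPTs end up ahead of the DROP in the chain, which is the order that matters. Preview with `IPT=echo guest_fw br1 10.23.42.1 255.255.255.0` before pasting the function into the DD-WRT firewall script.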
Posted: Mon May 06, 2019 10:21 Post subject:
Attached my notes for a Broadcom device using the "modern" method without creating a separate br1, although that works the same.
Maybe they are useful.
There are references in my notes which could also be useful.
You might have the VAP problem, see the workarounds, just start with one VAP.
On first sight your settings and firewall rules look OK.
The last chapter is for a VAP on a WAP (love that alliteration).