Posted: Thu Jun 06, 2019 5:22 Post subject: "Tunnel" guest network from WAP to Router to WAN
I have 2 Netgear R6700 routers running Kong firmware.
Both routers are configured as gateways (as recommended) with router A acting as a router connecting to the WAN and router B connected over Ethernet to router A and acting as a WAP to extend my wireless range.
Both routers have 2 guest networks (wl0.0 and wl1.0) bridged as br1 on the respective Router.
On Router A, enabling Masquerade/NAT and Net Isolation allows the guest network to connect to the WAN (Internet), appropriately isolated from the main LAN (br0).
How do I create a similar situation for Router B so that the bridged guest networks (br1 for Router B) on that router can "tunnel" through to Router A either to bridge with the guest network on Router A (br1 for Router A) or failing that to tunnel through to the WAN as a separate guest network isolated both from the main LAN and from the guest network on Router A.
Right now, I can connect wirelessly to the guest networks on Router B but they (understandably) have no Internet access.
2. You add firewall rules to prevent access by guests to resources on that primary network (they only have internet access).
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT
While VLANs is theoretically possible (so that all guest APs/VAPs share the same logical ethernet/IP network), on dd-wrt, it's usually not practical. The easiest solution is just to maintain separate guest networks.
Thanks! This works great,
I saw an alternative version of the second iptables rule limiting the reject to new packets, specifically:
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j DROP
Is that better/worse/equivalent to rejecting all such packets?
What makes sense all depends on the circumstances.
Without the consideration of state, *all* attempts by guests to communicate w/ the primary network are thwarted. But suppose you wanted clients on the primary network to be able to initiate connections to guests, or perhaps even port forward from the WAN of the primary router to those guests. Now you have a problem. Those guests can't reply due to the firewall rule! But if you add state (as in NEW), you still prevent guests from initiating connections to the primary network, but clients on the primary network can still initiate connections to guests, and you can still port forward to those guests, because the firewall doesn't prevent replies which are in the ESTABLISHED state.
When you have a guest network, things like having clients on the primary network initiate connections or port forwarding to those guests is generally not expected, so using a rule without state is sufficient. The lack of state also means that if by chance some guest gets a connection established before the firewall comes up (there's usually a small window of opportunity), you can eventually kill that connection. OTOH, if you use state NEW under such circumstances, since the connection is already ESTABLISHED, they can continue to use it, even after the firewall comes up.
So in general, NOT using state is preferred when you have a blanket need to prevent something, while using STATE is usually for those situations where you need to make some exceptions, as I described above.
Thanks for taking the time to explain -- truly helpful!!!