Wired guest network on an AP

DD-WRT Forum Forum Index -> Advanced Networking
Author Message
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Mon Jun 17, 2019 14:38    Post subject: Wired guest network on an AP
Hi all,

I have 2 broadcom routers (e900 and R7000) with dd-wrt. The e900 is in a separate building as an AP, servicing wireless clients and a couple of wired connections to a NAS and a Pi.

I'd like to configure the wired connection to the Pi to be isolated from the rest of the network but have internet access via the R7000.

Is this possible?

I confess this is somewhat beyond my current skill level, but I would like to learn how to set it up.

Thanks in advance for your help.

Best

David
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon Jun 17, 2019 18:38    Post subject:
How is the AP (e900) in the other building connected to the primary router (R7000)? Wire? Wireless? I would assume as a repeater bridge, but I want to be sure.

Assuming it's repeater bridge, if you want a separate network on the AP for certain devices, and assuming the e900's wireless adapter supports it, you can create an additional VAP for those purposes, then route that VAP over the private/primary network. The AP would need the following firewall rules to gain internet access, and prevent clients of the VAP from gaining access to resources on the private/primary network.

Code:
# nat guest network over the private network
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

# deny guests access to resources on private network (internet access only)
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT


In the above, I assume you will add the VAP to a new bridge (br1). It's considered good practice. But if you don't for some reason, then you could just reference the new VAP's network interface name (e.g., wl0.1) rather than br1.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Mon Jun 24, 2019 13:12    Post subject:
eibgrad wrote:
How is the AP (e900) in the other building connected to the primary router (R7000)? Wire? Wireless? I would assume as a repeater bridge, but I want to be sure.


Sorry, I thought I'd replied but for some reason it didn't post.

The e900 is connected via wired Cat5 to the R7000.

When you talk about VAP (Virtual Access point?) is this implemented using the VLAN tab found in the dd-wrt set ups on both routers ?

Thanks in advance.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

PostPosted: Mon Jun 24, 2019 19:41    Post subject:
david0000 wrote:
When you talk about VAP (Virtual Access point?) is this implemented using the VLAN tab found in the dd-wrt set ups on both routers ?


No. VLANs are strictly related to wired connections. I'm talking about adding a VAP (virtual AP), which can be done in the Wireless->Basic Settings->Virtual Interfaces section of the router.

If you need *both* wired and wireless support, then you can add both a new vlan (e.g., vlan3) and VAP, then assign them to a new bridge (e.g., br1). But not all dd-wrt compatible routers support VLAN reconfiguration, since VLANs are hardware dependent.

Frankly, this discussion of VAPs and VLANs may be premature since the description of your configuration wasn't totally clear. When you said, for example…

"The e900 is in a separate building as an AP, servicing wireless clients and a couple of wired connections to a NAS and a Pi."

… I wasn't sure if the NAS and Pi were wired to the AP (e900), or you just meant they were on the primary router (R7000) and accessible from the AP. This is a case where it might help if you provided a diagram (hand-drawn is fine), because sometimes the choice of words and phrasing can lead to misinterpretation.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Thu Jul 04, 2019 16:02    Post subject:
eibgrad wrote:
"The e900 is in a separate building as an AP, servicing wireless clients and a couple of wired connections to a NAS and a Pi."

… I wasn't sure if the NAS and Pi were wired to the AP (e900), or you just meant they were on the primary router (R7000) and accessible from the AP. This is a case where it might help if you provided a diagram (hand-drawn is fine), because sometimes the choice of words and phrasing can lead to misinterpretation.


The Pi and NAS are directly wired to the e900. Other clients (e.g. a Chromebook) also connect via Wi-Fi on the e900 for internet access.

The idea is to separate the wired Pi and a guest wifi on the e900 from the rest of the network but still access the internet.

I do have a diagram and will try and pop it up somewhere to display here.

I've had a go this afternoon setting up a guest wifi on the e900 but no success so far :)

Sorry again for the slow reply - I'm not getting the email notifications.
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Thu Jul 04, 2019 16:05    Post subject:


^^ How's that ?
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Tue Jul 23, 2019 15:14    Post subject:
Any thoughts, or suggestions ?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3988
Location: Netherlands

PostPosted: Tue Jul 23, 2019 17:19    Post subject:
I would start by making a VAP and put that on a bridge, i.e. br1.

See here: https://flashrouters.zendesk.com/hc/en-us/articles/115000967873-How-To-Setup-a-DD-WRT-Guest-Wireless-Network-On-Your-FlashRouter

Next step is to create a vlan for the wired port and put that vlan on the Bridge you created.


VAPs often need workarounds to get going, from my notes:
Quote:
From approximately mid 2018 VAPs on Broadcom units are problematic, you cannot connect or do not get an IP address. There are workarounds:
1) When the VAP is not working at boot; workaround startup command, Administration/Commands, Save as Startup:
sleep 10; stopservice nas; stopservice wlconf; startservice wlconf; startservice nas;
2) Alternative way to get the VAP working: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=317181
3) Another user reports the following workaround (save as startup):
sleep 4; stopservice cron; stopservice wlconf; wlconf eth1 up; wlconf eth2 up; startservice cron;
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=319412
4) This one is from @Redhawk (guaranteed to work ;) ):
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas


But as the media player is on a different subnet you will not have DLNA access and can only reach your media player by IP address from the other subnet

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2: http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 5173
Location: Akershus, Norway

PostPosted: Tue Jul 23, 2019 18:45    Post subject:
There is a switch in your drawing. Is this a Smart switch/Managed Switch with VLAN support?
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Tue Jul 23, 2019 20:39    Post subject:
Per Yngve Berg wrote:
There is a switch in your drawing. Is this a Smart switch/Managed Switch with VLAN support?


I will check but I don't think so.
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Tue Jul 23, 2019 20:42    Post subject:
egc, thank you I shall have a read.
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Wed Jul 24, 2019 8:27    Post subject:
Per Yngve Berg wrote:
There is a switch in your drawing. Is this a Smart switch/Managed Switch with VLAN support?


To confirm, it's a Gigabit 'unmanaged' switch.
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Wed Jul 24, 2019 15:39    Post subject:
egc, a quick question. In that guide they suggest a guest network IP of 192.168.12.1

I'm using a 172.16.16.x range. I guess that I should use something like 172.16.32.1 if it's based on a subnet of the main IP range?

To check, I expect I'll then need to add firewall rules to stop the guest network accessing the 'office' IP range, as suggested by eibgrad in their post?
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 4784
Location: Texas

PostPosted: Wed Jul 24, 2019 16:06    Post subject:
Hey David,
I ain't egc but just passing thru --

any private IP network should be fine to use as br1 as long as it's not the exact same as the main LAN network or another separate network like br2

and yea eibgrad's FW rules should block br1 from any main LAN resources and also that router itself.
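Pulling eibgrad's two rules and mrjcd's two points (any non-overlapping private range works for br1; block the AP itself as well as the LAN) into one script, as an added example that is not code from the thread or from DD-WRT itself. It assumes the DD-WRT naming used above (br0 = private LAN bridge, br1 = guest bridge holding the VAP and the guest VLAN) and that the AP's own dnsmasq hands out guest leases, which is why DHCP and DNS to the AP stay open while everything else from br1 to the AP is rejected. The overlap check uses the same rule mrjcd states: the guest range only needs to be a private range that does not collide with the LAN, not a sub-range of 172.16.16.x. Set IPTABLES=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT. Builds the guest
# bridge firewall rules for a DD-WRT AP: eibgrad's SNAT + FORWARD reject,
# plus an INPUT reject for the AP itself (mrjcd's point), after checking
# that the guest range does not overlap the private LAN.
# Assumptions: br0 = private LAN bridge, br1 = guest bridge (VAP + vlan),
# dnsmasq on the AP serves guest DHCP/DNS. IPTABLES=echo gives a dry run.
IPTABLES="${IPTABLES:-iptables}"

# Dotted quad -> 32-bit integer, POSIX sh arithmetic only.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if net1/mask1 and net2/mask2 overlap, 1 otherwise.
# Masks are contiguous, so AND-ing them yields the shorter prefix; two
# networks overlap exactly when they agree under that common mask.
subnets_overlap() {
    common=$(( $(ip2int "$2") & $(ip2int "$4") ))
    [ $(( $(ip2int "$1") & common )) -eq $(( $(ip2int "$3") & common )) ]
}

# guest_rules LAN_IP LAN_MASK GUEST_IP GUEST_MASK
guest_rules() {
    lan_ip=$1; lan_mask=$2; guest_ip=$3; guest_mask=$4
    if subnets_overlap "$lan_ip" "$lan_mask" "$guest_ip" "$guest_mask"; then
        echo "guest range $guest_ip/$guest_mask overlaps LAN $lan_ip/$lan_mask" >&2
        return 1
    fi
    # Guest traffic leaves the AP behind its LAN address, so the R7000 only
    # ever sees one host and needs no route back to the guest subnet.
    $IPTABLES -t nat -I POSTROUTING -o br0 -j SNAT --to "$lan_ip"
    # Guests get the internet only: reject anything bound for the private LAN.
    $IPTABLES -I FORWARD -i br1 -d "$lan_ip/$lan_mask" -j REJECT
    # Reject guests talking to the AP itself (web UI, SSH) but keep DHCP and
    # DNS open, since the AP hands out the guest leases. Each -I lands above
    # the previous one, so the ACCEPTs end up ahead of the REJECT.
    $IPTABLES -I INPUT -i br1 -j REJECT
    $IPTABLES -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    $IPTABLES -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    $IPTABLES -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
}

# On the AP, from the firewall script:
#   sh guest-fw.sh "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)" 172.16.32.1 255.255.255.0
if [ $# -eq 4 ]; then
    guest_rules "$@"
fi
```

With the LAN on 172.16.16.1/255.255.255.0, a guest range of 172.16.32.1/255.255.255.0 passes the check and 172.16.16.129/255.255.255.0 is refused; the six rules are emitted in the order the comments describe. Because the rules use -I, putting the script in the firewall script (which DD-WRT re-runs on WAN events) will stack duplicates; on a real unit, flush your own rules first or check with `iptables -C` before inserting.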
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 10

PostPosted: Wed Jul 24, 2019 16:15    Post subject:
mrjcd wrote:
Hey David,
I ain't egc but just passing thru --

any private IP network should be fine to use as br1 as long as it's not the exact same as the main LAN network or another separate network like br2

and yea eibgrad's FW rules should block br1 from any main LAN resources and also that router itself.


Thanks - I wondered if it needed to be a 172.16 subnet in order to access the default gateway of 172.16.16.1

I'm very much a newbie and still getting my head around the subject :)