Joined: 24 Feb 2008 Posts: 105 Location: Winnipeg Canada
Posted: Sat Dec 05, 2020 19:15 Post subject: Kongac 39960M Guest network no go
I have a Netgear R7000 [DD-WRT v3.0-r39960M kongac (06/08/19)] as a WAP connected via a wired connection to an Asus router running Merlin firmware. I have tried several times to get the guest network on the R7000 running. I have followed the instructions here
Those instructions mention/show a "Masquerade/NAT" setting, but there is no such setting in my build.
I also used WPA2/AES and of course a separate DHCP server configuration.
The result: either I could not connect to the VAP or, if I did, I could not get an IP address. I did see a post indicating similar problems and one person's solution was to upgrade to r41664 (12/06/19).
Yes the newer build is an option, or even the latest Kong build from July 2019. If you need the file let me know. _________________ R7000 Nighthawk - DD-WRT v3.0-r50308
~~~~~~~~~~Dismantled for learning opportunities~~~~~~~~~~
WRT54Gv2
WRT54Gv8.2
~~~~~~~~~~Other Settings~~~~~~~~~
https://nextdns.io/?from=2d3sq39x https://pi-hole.net/ https://github.com/DNSCrypt/dnscrypt-proxy
Joined: 24 Feb 2008 Posts: 105 Location: Winnipeg Canada
Posted: Sat Dec 05, 2020 19:44 Post subject:
So is the Kongac build age the issue here? I do not want to go through the process of reconfiguring this router after doing the upgrade and find I am no better off. I need it stable wifi-wise, so any recommendation on what build to use?
The other issue is Kongac has of course ceased updating dd-wrt builds. Just wondering if I am better off switching to another build on this router other than Kongac? Just using it for Wifi and would like to get an isolated Guest network on it.
I have a Netgear R6250 running 40270M Kong build using a guest virtual interface. The Netgear R6250 traffic passes through Netgear R8000 which uses the latest BS current release, 44863.
My virtual access point works well. Any guest there is on my network cannot see any other device on my network and they have access to the internet.
Joined: 24 Feb 2008 Posts: 105 Location: Winnipeg Canada
Posted: Sat Dec 05, 2020 22:15 Post subject:
Abboo wrote:
I have a Netgear R6250 running 40270M Kong build using a guest virtual interface. The Netgear R6250 traffic passes through Netgear R8000 which uses the latest BS current release, 44863.
My virtual access point works well. Any guest there is on my network cannot see any other device on my network and they have access to the internet.
Ya, so perhaps this build has the missing Masquerade/NAT settings and is in part the reason why my older build here does not work with a Guest_Vap.
Posted: Sat Dec 05, 2020 22:23 Post subject: Re: Kongac 39960M Guest network no go
fedup wrote:
I have a Netgear R7000 [DD-WRT v3.0-r39960M kongac (06/08/19)] as a WAP connected via a wired connection to an Asus router running Merlin firmware. I have tried several times to get the guest network on the R7000 running. I have followed the instructions here
Those instructions mention/show a "Masquerade/NAT" setting, but there is no such setting in my build.
I also used WPA2/AES and of course a separate DHCP server configuration.
The result: either I could not connect to the VAP or, if I did, I could not get an IP address. I did see a post indicating similar problems and one person's solution was to upgrade to r41664 (12/06/19).
Suggestions and recommendations welcome.
Were you able to figure out the unbridged configuration from the links you posted? I have a bridge configured for my guest wifi, both the wl0.1 and wl1.1 interfaces under the Setup>Networking tab. Did you configure a valid gateway/subnet mask for the virtual access points? _________________ R7000 Nighthawk - DD-WRT v3.0-r50308
Joined: 24 Feb 2008 Posts: 105 Location: Winnipeg Canada
Posted: Sat Dec 05, 2020 23:48 Post subject: Re: Kongac 39960M Guest network no go
HalfBit wrote:
Were you able to figure out the unbridged configuration from the links you posted? I have a bridge configured for my guest wifi, both the wl0.1 and wl1.1 interfaces under the Setup>Networking tab. Did you configure a valid gateway/subnet mask for the virtual access points?
I tried creating a bridge br1 and assigned it to the wireless_vap virtual network. I had assigned an IP address 192.168.10.0 and 255.255.255.0 subnet for the VAP.
I do not remember anywhere I had to specify the gateway for the new VAP.
Joined: 24 Feb 2008 Posts: 105 Location: Winnipeg Canada
Posted: Sun Dec 06, 2020 2:12 Post subject:
I must be missing a key step here. I reset back to default settings in r39960m and then upgraded to DD-WRT v3.0-r40270M (07/11/19) and reset settings back to default. Reconfigured the router as a WAP per "[edit]Normal Version (Same Subnet)" on
I then configured the VAP as follows. Note no new bridges were defined in dd-wrt. Is that what is missing? Because I can authenticate with the password assigned to the VAP, but no IP is assigned and I of course cannot ping anything.
I am no expert and had followed instructions which I cannot place my hands on now but under services, services, additional dnsmasq options I have:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.5.1
dhcp-range=wl0.1,192.168.5.100,192.168.5.200,255.255.255.0,12h
Last edited by Abboo on Sun Dec 06, 2020 3:37; edited 1 time in total
Also under Administration, commands, firewall:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
I believe you must save firewall
Just a novice making a suggestion. This is what works for me.
Joined: 24 Feb 2008 Posts: 105 Location: Winnipeg Canada
Posted: Sun Dec 06, 2020 4:07 Post subject:
Abboo wrote:
Also under Administration, commands, firewall:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
I believe you must save firewall
Just a novice making a suggestion. This is what works for me.
Ok this is what I needed to do. I now have access to the internet. Your other post was already being handled with the DHCPD that I already had set up.
Joined: 24 Feb 2008 Posts: 105 Location: Winnipeg Canada
Posted: Mon Dec 07, 2020 14:58 Post subject:
I do not know whether it is Kongac v3.0-r40270M (07/11/19) or whether it's these VAPs or the firewall iptables commands, but the router wifi became useless on two iOS devices here. YouTube would not work; the iOS devices would lose connectivity even to the non-VAP connections.
I have removed both VAPs and the firewall code since the 40270M code was just flashed to this router. I need to see what was causing the loss of wifi connectivity here. If it is stable without the VAP I may try adding 1 in. I did have 2 VAPs in a 2.4GHz and 5GHz.
I had this in the firewall section of dd-wrt:
Code:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i wl1.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
Last edited by fedup on Mon Dec 07, 2020 15:07; edited 1 time in total
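The isolation rules posted in this thread can be checked against a rule listing before guests are let on. The script below is an added example, not part of any post: it reads `iptables -S`-style text and reports which guest interfaces lack the FORWARD DROP rule and whether the SNAT rule on the LAN bridge is present. The sample listing, the 192.168.1.0/24 LAN, the 192.168.1.2 WAP address and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit a rule listing for the guest-VAP rules from this thread.
# Constructed sample in `iptables -S` format: LAN 192.168.1.0/24 (assumed),
# WAP at 192.168.1.2 (assumed), only wl0.1 isolated, as in the two-line ruleset.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -d 192.168.1.0/24 -i wl0.1 -m state --state NEW -j DROP
-A POSTROUTING -o br0 -j SNAT --to-source 192.168.1.2'

# has_isolation RULES IFACE LAN: true if NEW connections from IFACE to LAN
# are dropped. Options are matched independently because listings reorder them.
has_isolation() {
    printf '%s\n' "$1" | grep -F -- '-A FORWARD ' \
        | grep -F -- "-i $2 " | grep -F -- "-d $3 " \
        | grep -F -- '--state NEW' | grep -qF -- '-j DROP'
}

# has_snat RULES BRIDGE: true if traffic leaving BRIDGE is source-NATed.
has_snat() {
    printf '%s\n' "$1" | grep -F -- '-A POSTROUTING ' \
        | grep -F -- "-o $2 " | grep -qF -- '-j SNAT'
}

# audit_guest_rules RULES LAN BRIDGE IFACE...
# Prints one line per missing rule; returns non-zero if anything is missing.
audit_guest_rules() {
    # Pad every line with a space so an option value at end of line still
    # matches, while "-i wl0.1 " can never match an interface named wl0.10.
    rules=$(printf '%s\n' "$1" | sed 's/$/ /')
    lan=$2
    bridge=$3
    shift 3
    missing=0
    for ifc in "$@"; do
        if ! has_isolation "$rules" "$ifc" "$lan"; then
            echo "MISSING isolation: $ifc"
            missing=$((missing + 1))
        fi
    done
    if ! has_snat "$rules" "$bridge"; then
        echo "MISSING snat: $bridge"
        missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

# Two VAPs are configured, but the listing only covers wl0.1.
audit_guest_rules "$SAMPLE_RULES" 192.168.1.0/24 br0 wl0.1 wl1.1 \
    || echo "guest isolation incomplete"
```

On the router, the first argument would be the live rule listing, and the LAN must be passed in the same notation the listing prints (CIDR or dotted netmask, depending on the iptables version).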
In short, disable WAN, give the WAP an IP address in the primary subnet outside DHCP scope, connect LAN<>LAN, disable DHCP and set Gateway and Local DNS to primary router.
For making a VAP on a WAP see the last paragraph of my attached notes, also take note of the VAP workaround.
There are more ways to do it, this is just my way.
Note: Do not use Net isolation (it does not work on a WAP, see my notes). Also probably do not use Forced DNS redirection; actually, when setting an optional DNS target like you did (8.8.8.8) you are doing a forced DNS redirection to 8.8.8.8, so setting Forced DNS redirection is of no use (and might even block DNS).