Hello, first of all, sorry about the big screenshots; I'll try to do better next time. It was just that this went to the backburner for a while. When I have time I'll fix it on the weekend.
I would like to know: if I block wifi devices in the "startup" command, does that really affect the functioning of my router?
Code:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "6"
swconfig dev switch0 vlan 3 set ports "1 6t"
swconfig dev switch0 vlan 4 set ports "2 6t"
swconfig dev switch0 vlan 5 set ports "3 6t"
swconfig dev switch0 vlan 6 set ports "4 6t"
swconfig dev switch0 set apply
vconfig add eth1 3
ifconfig eth1.3 192.168.10.1 netmask 255.255.255.0
vconfig add eth1 4
ifconfig eth1.4 192.168.20.1 netmask 255.255.255.0
vconfig add eth1 5
ifconfig eth1.5 192.168.30.1 netmask 255.255.255.0
vconfig add eth1 6
ifconfig eth1.6 192.168.40.1 netmask 255.255.255.0
iptables -I FORWARD -m mac --mac-source (device I want to block from net) -o `get_wanface` -m state --state NEW -j
I am no expert, as the last few posts will tell you, but I think you may have your wires crossed: the "iptables -I FORWARD -m mac --mac-source (device I want to block from net) -o `get_wanface` -m state --state NEW -j" is a firewall command, and you would save it under firewall, not the startup tab. You would also need to add the MAC address into the command by the looks of it.
OK, I removed all the iptables rules from the startup that block devices from the internet. On reboot of the router I just do not want my printer connecting to the internet.
I thought adding these rules to startup would help.
Posted: Wed Dec 23, 2020 8:40
Although this is not the correct place to discuss this, here is the correct line to isolate a device from the internet:
Code:
iptables -I FORWARD -i br0 -o $(nvram get wan_iface) -p tcp -s 192.168.1.100 -j DROP
Add this rule to the firewall script and click save.
192.168.1.100 - change this to the printer IP
br0 - change this to the interface where the printer belongs; for example, it could be on the VLAN you created...
P.S. student13, please, if you post in this thread stick to the subject; do not hijack the thread with different questions, post/open a new thread instead... 10q
Last edited by Alozaros on Mon Dec 28, 2020 8:42; edited 1 time in total
However, in the event of a power outage, will it (the firewall rule) lapse just enough to let the printer update (thus rendering my refilled cartridges invalid)? Which is why I was wondering if putting rules in startup was necessary in the first place.
If it is, I'll put the above poster's rule into startup.
PS: above poster, thanks!
Edit: I added the startup rule but KEPT the firewall rule from Per Yngve Berg.
Any help would be great.
I have read the articles here and such but would like more guidance on this if possible.
Did you make progress with this?
I'm looking at doing the same, but with OPNsense. My plan is to create a VLAN for the 'Guest' wifi and then add this as an interface in OPNsense. I imagine you will be able to do the same in pfSense. In OPNsense it's Interfaces --> Other Types --> VLAN
By doing this I think you can then use the built in captive portal.
My trouble at the moment is that I can't seem to separate my Guest VAP to a VLAN.
Based on the previous thread posts I used the following code in Admin --> Commands --> startup:
Code:
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 4 set ports "1 6t"
swconfig dev switch0 set apply
vconfig add eth1 4
brctl addif br1 eth1.4
ifconfig eth1.4 down
ifconfig eth1.4 up
But it actually crashed not only my DD-WRT AP; my OPNsense router also went down. Do the above startup commands look OK to you? It may well be that the issue is not with DD-WRT and the code is fine, but I can't think of a way to verify other than to ask someone who knows, so I apologise for asking.
You want a tagged trunk between dd-wrt and OPNsense, correct?
I have a second NIC in my OPNsense with subnet 192.168.200.1 --> WAN access.
192.168.200.1 definitely has WAN access, I have tested this. The captive portal setup works perfectly if I plug it into my WAN port when correctly setup as an AP. Internet works fine, everything works ok.
If I plug the cable into physical port 4, then my default 2 + 5 GHz networks are still getting WAN access. This is what I want to stop: I want only the guest network to have WAN access when the 192.168.200.1 interface is plugged into physical port 4.
I would like to achieve:
Guest VAP --> Physical switch port 4 only --> 192.168.200.1 interface
I'm really struggling to get my head round it; is the following correct:
Code:
# enable_vlan is a 0/1 flag; VLAN ids are defined by the "vlan N set ports" lines
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 vlan 1 set ports "1 2 6"
swconfig dev switch0 vlan 10 set ports "1 6t"
swconfig dev switch0 set apply
vconfig add eth1 10
ifconfig eth1.10 192.168.200.2 netmask 255.255.255.0
With VAP settings:
- wlan1.1
- Bridged
- AP isolation checked
- NET isolation checked
- IP = 192.168.200.3/24
With bridge br1 created and assigned:
- eth1.10
- wlan1.1
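As an added illustration (not code from this thread or from DD-WRT), here is a small checker that parses swconfig startup lines of the form used above and flags two mistakes that commonly break a switch config: a non-boolean enable_vlan value and a port left untagged in more than one VLAN. The sample input is constructed, and the CPU port number 6 is taken from the snippets in this thread.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the startup snippets in this thread
# (it deliberately contains two mistakes for the checker to find).
SAMPLE = """\
swconfig dev switch0 set enable_vlan 1
swconfig dev switch0 set enable_vlan 10
swconfig dev switch0 vlan 1 set ports "1 2 6"
swconfig dev switch0 vlan 10 set ports "1 6t"
swconfig dev switch0 set apply
"""

ENABLE_RE = re.compile(r'^swconfig dev \S+ set enable_vlan (\S+)$')
PORTS_RE = re.compile(r'^swconfig dev \S+ vlan (\d+) set ports "([^"]*)"$')

def check_swconfig(text, cpu_port="6"):
    """Return a list of problems found in a block of swconfig commands.

    cpu_port is the switch port wired to the SoC (6 on the hardware in
    this thread); every VLAN needs it, tagged or untagged, to reach eth1.
    """
    problems = []
    untagged = defaultdict(list)  # switch port -> VLAN ids where it is untagged
    seen_vlan = False
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = ENABLE_RE.match(line)
        if m:
            if m.group(1) not in ("0", "1"):
                problems.append(f"enable_vlan takes 0 or 1, not {m.group(1)!r}")
            continue
        m = PORTS_RE.match(line)
        if not m:
            continue  # 'set apply' and anything else is ignored
        seen_vlan = True
        vid, ports = int(m.group(1)), m.group(2).split()
        if not any(p.rstrip("t") == cpu_port for p in ports):
            problems.append(f"VLAN {vid} has no CPU port {cpu_port}")
        for p in ports:
            if not p.endswith("t"):  # a 't' suffix means tagged on that port
                untagged[p].append(vid)
    # A port can carry untagged frames for only one VLAN (its PVID).
    for port, vids in sorted(untagged.items()):
        if len(vids) > 1:
            problems.append(f"port {port} is untagged in more than one VLAN: {vids}")
    if not seen_vlan:
        problems.append("no 'vlan N set ports' lines found")
    return problems

if __name__ == "__main__":
    for p in check_swconfig(SAMPLE):
        print("problem:", p)
```

Run it against a proposed startup block before pasting it into Admin --> Commands; an empty list means none of these particular checks fired, not that the port numbering matches your hardware.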
The DHCP server must hand out 192.168.200.1 as gateway to clients. Do you run the DHCP server on OPNsense?
Yes, I have a DHCPv4 server on OPNsense, all DHCP, DNS etc is handled there.
192.168.200.1 appears/is configured as a gateway in OPNsense and has access to the WAN. It works, as I've plugged a laptop into the NIC port to test that the gateway is working and that an IP is issued.
The part I can't seem to understand/get to work is bringing the VAP and an isolated ethernet port together so that it communicates directly with OPNsense to get DHCP leases on its own, independent private network.
I keep trying to assign the third element to br1 --> eth1.1 (VLAN) but DD-WRT crashes.