No Internet on VAP created with Trendnet TEW-812DRU router

DD-WRT Forum Index -> Broadcom SoC based Hardware
oldsports
DD-WRT Novice


Joined: 11 Apr 2021
Posts: 10

Posted: Mon Apr 12, 2021 0:38    Post subject: No Internet on VAP created with Trendnet TEW-812DRU router
I am trying to create a guest VAP on a Trendnet TEW-812DRU v2 that is being used as a WAP. The set-up is that the WAP is connected to a VLAN (Netgear managed switch) which is connected to a router (running pfSense software) that manages the Internet service for the building. The VLAN goes to a small non-profit organization that is renting space from a place I volunteer at. We provide them with Internet access (via the VLAN) and their office equipment is connected to that VLAN. They are using the Trendnet as a WAP for their wireless needs; they would like to offer wireless access to visitors but they do not want visitors on the same network as their office equipment. I could set up a separate wireless router for the visitors, but I figured it would be neat if I could do it with their existing router.

Firmware build 23808 was on the router; I know it is old but I figured I would not change the firmware in case I needed to put things back (I made a configuration back-up). I found a Wiki detailing how to create multiple WLANs (https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs) which I followed to create the WLANs. The office SSID is on the main WLAN (wl0) and the guest SSID is on the VAP (wl0.1). I set up the router on the bench at home, using my home network to mimic the office pfSense router and provide Internet service. I entered the following iptables commands into the Firewall, based on the access restrictions I wanted:

#Restrict br0 from accessing br1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the Internet
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

#Enable NAT for traffic being routed out br0 so that br1 has connectivity
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

#Restrict br1 from accessing the router's local sockets
iptables -I INPUT -i br1 -m state --state NEW -j DROP

#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

I tested the WLANs at every step as the Wiki instructed, and everything responded as expected until I entered the iptables commands. Once the commands were entered and the router was rebooted, I could connect to the office SSID and reach the Internet, but when I connected to the guest SSID I could not access the Internet (I kept receiving a “No Internet” warning). Through trial and error, I figured out that the iptables command restricting br1 from accessing the router’s local sockets was causing the issue with Internet access. When I removed that command from the firewall, the guest WAP started working. It was restricted from accessing the office network, but I could enter the router’s address and access the GUI, which is what I wanted to prevent. I figured I would work that out later, so I took the router to the office to install it.

I installed the router and ensured that all of the IP addresses in the configuration were changed to match the office set-up. I rebooted the router and tested the WLANs; the office WLAN worked as expected but the “No Internet” issue was back with the guest WLAN. I took the router back home, changed the appropriate IP addresses in the configuration to match my home set-up and started it up, and I was able to get Internet access with the guest VLAN.

Now that I have two issues I thought I would stop and get some help. For the first issue (guest WLAN accessing the router’s GUI), I don’t know what to try. Is there another way to create the iptables entry that could work?

For the “No Internet” issue when the router is installed at the office, I am wondering if it could be a DNS issue. In the DNSMasq section, I have the entry “dhcp-option=br1,6,8.8.8.8,8.8.4.4” as I was anticipating using the Google DNS for the guest WLAN. However, I also entered the two iptables commands to allow the guest WLAN to access the DNS on the router which, I assume, overrides the DNSMasq entry. Could it be that the VLAN/pfSense router set-up at the office is preventing the guest VLAN from using its DNS? The office WLAN is accessing the Internet and I assumed that it was using the router’s DNS, but maybe that is not a good assumption. Should I remove the iptables commands? Should I use different commands? Other suggestions?

Thanks!
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Mon Apr 12, 2021 0:57
SurprisedItWorks wrote:
In GUI>Setup>Networking in the br1 section, is "Masquerade / NAT" enabled? You won't get internet without it.

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
oldsports
DD-WRT Novice


Joined: 11 Apr 2021
Posts: 10

Posted: Mon Apr 12, 2021 19:47
Yes, "Masquerade / NAT" is enabled. I can access the Internet on the guest WLAN when I install the WAP on my home network to test the set-up. When I take the WAP to the office where I want to install it I do not get Internet access on the guest WLAN.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

Posted: Mon Apr 12, 2021 20:24
The only thing I can think of is what the office subnet is in relation to the VAP. You do have a DHCP server serving the clients on the VAP, correct? If so, if the two subnets are the same subnet (i.e. 192.168.1.x), then one needs to change to another subnet (i.e. 192.168.5.x)...

Ok, is this being set up as a wired access point alone, or? I think I am not confused, re-reading here.

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Mon Apr 12, 2021 20:33
Not sure if it is the root cause, but you also have to allow router access for DHCP (port 67).

See the examples of @eibgrad: https://pastebin.com/r4u62P0B

When taking the router to the office you have to double-check that the Local IP address, gateway and local DNS are set accordingly.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
oldsports
DD-WRT Novice


Joined: 11 Apr 2021
Posts: 10

Posted: Tue Apr 13, 2021 0:37
Thanks for the quick responses!

To clarify the questions about the set-up: the office WLAN is the Trendnet router's main 2.4GHz WLAN (wl0). The Trendnet router is set up as an AP (DHCP turned off), so the office WLAN gets its DHCP service from the main router (a computer running pfSense software). I created a 2.4GHz VAP (wl0.1) for the guest network and created a DHCP server for it on the Trendnet router. The main router's (and office WLAN's) subnet is 192.168.1.x; I assigned 192.168.20.x to the guest WAP.

A suggestion was made to ensure that the Trendnet router had access to the main router DHCP. The office WLAN already has access because it is using the same subnet as the main router. I did not do this for the guest WLAN because I thought that setting up DHCP on the Trendnet router took care of this service so the guest WLAN did not need access to the main router DHCP. Do I still need to grant access to the main router DHCP in this case?

Finally, when I moved the Trendnet from my home bench to the office, I checked to make sure that I changed all of the IP addresses (Local IP, Gateway, Local DNS) to match the office network. I guess it is possible that I missed one, so I will double-check when I install it again.

Thanks!
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

Posted: Tue Apr 13, 2021 8:21
Your main clients are getting DHCP and DNS from the primary router; that is how a WAP works. But your VAP is on its own subnet, so it must get DHCP from the WAP (it gets DHCP from DNSMasq).

You can connect a VAP via a VLAN to the primary router, but then you have to make sure that there is a bridge on that subnet which hands out the DHCP; in that case you do not need DHCP from the WAP, but this is a complicated setup which is not easily transferred.

oldsports
DD-WRT Novice


Joined: 11 Apr 2021
Posts: 10

Posted: Tue Apr 13, 2021 15:09
Thanks, this confirms what I thought about DHCP. As mentioned, I set up DHCP for the VAP through DNSMasq and it works; devices that connect to the VAP receive IP addresses from the subnet I set up for the VAP.

The issue remains that devices connected to the VAP cannot reach the Internet when the VAP is installed in the office. At home on my bench, devices connected to the VAP can access the Internet; this is why I am thinking that the issue may be with the DNS set-up. My theory is that the two iptables commands I entered that allow the VAP to access the main router's DNS may not work in the office due to how the office's main router is set up. Similar to DHCP, I think I need to allow the VAP to get DNS service from DNSMasq. I will try this and report back.

Also, I still have the issue with the VAP being able to access the Trendnet router's GUI. The iptables command I used from the Wiki that is supposed to block the VAP from accessing it appears to break the VAP's Internet access. Any ideas on this one?

Thanks!
oldsports
DD-WRT Novice


Joined: 11 Apr 2021
Posts: 10

Posted: Wed Apr 14, 2021 17:20
I had a chance to work on the router at the office today.

First, I removed the two iptables commands from the firewall that are supposed to allow the VAP to access DNS on the router, rebooted the router and tested the VAP. Unfortunately, I was still unable to access the Internet on devices connected to the VAP.

Next, I checked the firewall rules on the main router running pfSense. The rules allowed the main subnet of the Trendnet router to access the DNS port (53) but blocked the DNS port to all other subnets. After I changed the rule to allow all subnets to access the DNS port, I was able to access the Internet on the VAP.

I am still a bit confused as to how all of the rules (DNSMasq, Trendnet firewall, main router firewall) work together, but at least I have solved the Internet access issue for the guest network. I would love for someone to help me better understand how the rules work together.

I still have the issue with the guest network being able to access the Trendnet router's GUI. After I fixed the Internet issue, I re-entered the iptables command to restrict br1 from accessing the router's local sockets and I lost Internet access again. I do not understand the iptables command well enough to know why this happens. Rather than use that command, is there a way for me to block the VAP from accessing the router's IP address?
oldsports
DD-WRT Novice


Joined: 11 Apr 2021
Posts: 10

Posted: Sun Apr 18, 2021 23:56
I had some more time to test a few things out:

1. Since I removed the pfSense firewall DNS blocking rule and opened up the main router’s DNS port to all subnets, I figured that I no longer needed the DNSMasq entry (“dhcp-option=br1,6,8.8.8.8,8.8.4.4”) to provide DNS service. I removed the entry and rebooted the router, and the VAP still had Internet access.

2. I did a little iptables research on the Internet and found a command that blocked access to a specific IP address. I modified it to block the VAP’s bridge (br1) from accessing the Trendnet router’s IP address to stop devices connected to the VAP from accessing the GUI; here is the command: “iptables -I INPUT -i br1 -d XXX.XXX.XXX.XXX -j DROP” where XXX.XXX.XXX.XXX is the router’s IP address. There is probably a more elegant way to do this, but this command worked so I am leaving it for now. I still do not know why the command that the Wiki suggested (“iptables -I INPUT -i br1 -m state --state NEW -j DROP”) did not work for me.

3. I do not want to leave the main router’s DNS port wide open, so I did some research on the Internet and found a pfSense article that details how to route all DNS requests to the main router so they are resolved locally (https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html). I have not had a chance to try this yet, but if it does not work I will leave the port open until I find another way to secure it.

Thanks!
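A toy model of how iptables evaluates the INPUT rules discussed in this thread (an added example written for this page, not code from the thread, the Wiki or DD-WRT). It shows that the Wiki's `-m state --state NEW -j DROP` rule, inserted with `-I` and with only port-53 exceptions above it, also drops DHCP (udp/67) from br1, which is the port-67 point egc raised, and it runs the address-based DROP from the last post to show that it matches every packet sent to the router's own address, DNS queries and unicast DHCP renewals included, so any service guests are meant to reach on the WAP needs an ACCEPT inserted above it. The router address, the sample packets and the assumed ACCEPT policy at the end of the chain are constructed for the model.

```python
# Toy first-match model of the INPUT chain: "-I" prepends, "-A" appends, the first
# matching rule decides, and anything unmatched falls through to an assumed ACCEPT policy.
import shlex
ROUTER_IP = "192.168.20.1"  # assumed address of the WAP on the guest (br1) subnet

def parse_rule(cmd):
    """Turn one iptables command line into (position flag, dict of match fields + target)."""
    argv, rule, pos, i = shlex.split(cmd), {}, None, 0
    keys = {"-i": "in", "-p": "proto", "--dport": "dport", "-d": "dst",
            "--state": "state", "-j": "target"}
    while i < len(argv):
        if argv[i] in ("-I", "-A"):
            pos, i = argv[i], i + 2              # skip the chain name too
        elif argv[i] in keys:
            rule[keys[argv[i]]] = argv[i + 1]; i += 2
        else:
            i += 1                               # "iptables", "-m", "state", ...
    return pos, rule

def build_chain(commands):
    """Apply commands in the order typed; -I puts each new rule on top, as iptables does."""
    chain = []
    for cmd in commands:
        pos, rule = parse_rule(cmd)
        if pos == "-I": chain.insert(0, rule)
        else: chain.append(rule)
    return chain

def verdict(chain, pkt):
    """Target of the first rule whose every match field equals the packet's field."""
    for rule in chain:
        if all(pkt.get(k) == v for k, v in rule.items() if k != "target"):
            return rule["target"]
    return "ACCEPT"  # assumed chain policy when no rule matches

# Constructed packets a guest client sends to the WAP itself (ports kept as strings).
DHCP_DISCOVER = {"in": "br1", "proto": "udp", "dport": "67", "dst": "255.255.255.255", "state": "NEW"}
DNS_QUERY = {"in": "br1", "proto": "udp", "dport": "53", "dst": ROUTER_IP, "state": "NEW"}
GUI_HTTP = {"in": "br1", "proto": "tcp", "dport": "80", "dst": ROUTER_IP, "state": "NEW"}
WIKI_RULES = [  # the three INPUT rules from the first post, typed in that order
    "iptables -I INPUT -i br1 -m state --state NEW -j DROP",
    "iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT",
    "iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT",
]
DHCP_FIX = "iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT"  # egc's port-67 exception
ADDR_RULE = f"iptables -I INPUT -i br1 -d {ROUTER_IP} -j DROP"      # the last post's rule

def verdicts(commands):
    chain = build_chain(commands)
    return {n: verdict(chain, p) for n, p in
            [("dhcp", DHCP_DISCOVER), ("dns", DNS_QUERY), ("gui", GUI_HTTP)]}
```

Run `verdicts(WIKI_RULES)`, `verdicts(WIKI_RULES + [DHCP_FIX])` and `verdicts([ADDR_RULE])` to compare the three rule sets; the GUI packet is dropped in all of them, but only the second one lets a DHCP discover through.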