Block Guest Wifi access to certain static routes

DD-WRT Forum Index -> Advanced Networking
Author Message
strwbrrysam
DD-WRT Novice


Joined: 16 Apr 2021
Posts: 29

Posted: Sat May 08, 2021 20:33    Post subject: Block Guest Wifi access to certain static routes
Hey everyone, hope you're all doing OK.

So I have an R6400v2 on firmware DD-WRT v3.0-r44715.
It is set up to be an OpenVPN client.

The question I have is not really anything to do with OpenVPN I don't think, but rather firewall and routing.

At the moment, the setup is as follows:

Code:
Server-side
Router LAN: 10.1.11.1 /// 10.1.11.0/24
VPN Server Box: 10.1.11.222
VPN Server Instance Listening on: 10.19.97.1 /// 10.19.97.0/24

Client Side (My current router)
Router LAN: 10.3.11.1 /// 10.3.11.0/24 (Normal Wifi, Wired Devices use this DHCP Pool)
VPN Client IP: 10.19.97.2 (not static)
"1811 Guest" Network Subnet: 192.168.192.0/24


For added context, I have the following Additional Config for my DD-WRT OpenVPN client:

Code:
#Routes
# SERVER DOESNT NEED ROUTES BACK TO ITSELF
route 10.19.98.0 255.255.255.0
route 10.19.99.0 255.255.255.0
route 10.14.43.0 255.255.255.0
# Server-side LAN Route
route 10.1.11.0 255.255.255.0
#HK Routes
route 10.1.12.0 255.255.255.0
route 10.1.13.0 255.255.255.0
#UK Routes
route 10.2.11.0 255.255.255.0
route 10.2.12.0 255.255.255.0
#AU Routes
route 10.3.12.0 255.255.255.0
connect-retry 10 max

I have this stuff because my OpenVPN server is not configured to redirect-gateway by default. And for some reason, unless the server pushes redirect-gateway by default, pushed routes and pushed DNS do not work for me. This is also a choice I made to dummy-proof the client config, because there is little chance I will be expanding the network anytime soon.

Having manually configured routes forces DD-WRT to automatically create static routes for me in the routing table. For some reason pushed routes do not do this.


As you can imagine, everything is fine about the VPN setup. My computer (10.3.11.119) can ping server-side machines (10.1.11.56) and vice versa perfectly.

But I want to be able to stop my 1811 Guest Wifi network from accessing ALL VPN resources/routes (please see attached images for the routing table).

I'm not sure how to start approaching this. Any help would be greatly appreciated. Thank you <3
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

Posted: Sun May 09, 2021 8:52    Post subject:
Any particular reason why you are stuck on 44715?

There have been security fixes to OpenVPN in the latest release, 46446.

What you can try is to simply block access to the VPN interface for all traffic coming from the guest interface e.g.:
Code:
iptables -I FORWARD -i wl0.1 -o tun1 -j REJECT

This assumes that wl0.1 is the interface of the guest wifi and tun1 is the interface of the OVPN client.
Test from the CLI and, if it works, add it to Administration/Commands, Save Firewall.

Furthermore, your Gateway and Local DNS seem wrong; for normal gateway mode leave both at their default, 0.0.0.0.

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
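An added example, not code from egc's post or from DD-WRT itself: the same guest-to-VPN REJECT rule written so it is safe to re-run from the Save Firewall script (which DD-WRT executes on every firewall restart, so a bare `iptables -I` would stack duplicates), plus a check that the rule sits above any FORWARD ACCEPT that could still let guest traffic reach the tunnel. It assumes wl0.1 and tun1 as egc does, and that the router's iptables supports `-C` (check) and `-S` (list rules as specs).

```shell
#!/bin/sh
# Added example (not egc's or DD-WRT's own code). Assumptions: wl0.1 is the guest VAP,
# tun1 the OpenVPN client interface, and iptables supports -C and -S.
GUEST_IF="${GUEST_IF:-wl0.1}"
VPN_IF="${VPN_IF:-tun1}"

# Insert the REJECT at the top of FORWARD only if it is not already present, so a
# firewall restart does not add a duplicate. DRY_RUN=1 echoes the command instead.
ensure_guest_vpn_block() {
    spec="FORWARD -i $1 -o $2 -j REJECT"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables -I $spec"
        return 0
    fi
    iptables -C $spec 2>/dev/null || iptables -I $spec
}

# Read "iptables -S FORWARD" output on stdin and report whether the guest -> VPN
# REJECT is evaluated before any ACCEPT that could also match that traffic.
# Prints ok / shadowed / missing and returns 0 only for ok.
check_rule_order() {
    awk -v g="$1" -v v="$2" '
        $1 != "-A" || $2 != "FORWARD" { next }      # skip the -P policy line
        { ii = ""; oo = ""; tgt = ""
          for (k = 3; k <= NF; k++) {
              if ($k == "-i") ii = $(k + 1)
              else if ($k == "-o") oo = $(k + 1)
              else if ($k == "-j") tgt = $(k + 1)
          } }
        ii == g && oo == v && tgt == "REJECT" { print "ok"; done = 1; exit 0 }
        /ESTABLISHED/ && !/NEW/ { next }            # conntrack ACCEPT passes replies only
        tgt == "ACCEPT" && (ii == "" || ii == g) && (oo == "" || oo == v) {
            print "shadowed"; done = 1; exit 1 }
        END { if (!done) { print "missing"; exit 1 } }'
}

# On the router: APPLY=1 sh thisscript.sh   (needs root and a working iptables)
if [ "${APPLY:-0}" = 1 ]; then
    ensure_guest_vpn_block "$GUEST_IF" "$VPN_IF"
    iptables -S FORWARD | check_rule_order "$GUEST_IF" "$VPN_IF"
fi
```

Run the check again after a reboot or firewall restart; "shadowed" means an earlier ACCEPT (for example a blanket ACCEPT on wl0.1) wins and the REJECT never sees guest packets.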
strwbrrysam
DD-WRT Novice


Joined: 16 Apr 2021
Posts: 29

Posted: Sun May 09, 2021 9:59    Post subject: Reply
Hey there! Thanks for the reply again.

Quote:
Any particular reason why you are stuck on 44715?

Not really, I just haven't had time to update yet. People are using the internet.

Quote:
iptables -I FORWARD -i wl0.1 -o tun1 -j REJECT

Thanks for this, I'll give it a go and report back later in the evening to let you know how it works. I think I understand what this is doing a little better now, though; sometimes you just need to ask a question and have a pro give you an example before you get it.

Quote:
Furthermore your Gateway and Local DNS seem wrong, for normal gateway mode leave both at its default 0.0.0.0


I think this was an old habit from when I was very young, learning to set up my own network devices (my family doesn't know much about this stuff).
I remember back in the day the old TP-Link or Linksys routers would already input the router IP itself as DNS and gateway.

Also, if you do ipconfig in the Windows cmd prompt, it says that too.

I understand now that those fields on DD-WRT are supposed to be for when you have a different dedicated device for DNS/gateway, but I guess I just never thought about it because... well... the internet still works. But thanks for pointing that out!

But... another quick question...
What does Masquerade/NAT actually do on my 1811 Guests Virtual AP? (see pic)

Many guides say to enable this for internet access, but for some reason I tried both Enable and Disable and my internet still works. Now I know this isn't really important as long as it works, but I just want to know what it is doing behind the scenes, to learn more and try to understand more about networking.

I know Masquerade/NAT just means "one to many", as in you have multiple IPs behind a single device, but I don't understand what it is doing in the context of the Virtual AP and setting up a guest network... How would you explain it?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12835
Location: Netherlands

Posted: Sun May 09, 2021 10:15    Post subject:
Normal traffic is NATed out via the WAN interface.
Most firmwares just NAT all local traffic out via the WAN; DD-WRT, however, only NATs its own local subnet out.

So by default other subnets are not NATed via the WAN interface, and so you will not have internet access from other subnets like the guest subnet.
This button does exactly that, so with it enabled you will have internet access (via the WAN).

strwbrrysam
DD-WRT Novice


Joined: 16 Apr 2021
Posts: 29

Posted: Sun May 09, 2021 11:55    Post subject: ooooo
Thanks for explaining!

It looks like there are a fair few settings that just refuse to apply properly unless the router is rebooted.

I think two days ago when I first set up the VAP guest network it was enabled, then the internet was working etc.

But then, out of curiosity, I decided to disable it because I wanted to see what it does, but I did not reboot. It made me think that maybe the option was broken because it did nothing.

But I just tried it again with a reboot in between and, yup, my internet dies if it's Disabled.

I didn't think it would matter for something so small, but oh well! The more you know.

Also,
Code:
iptables -I FORWARD -i wl0.1 -o tun1 -j REJECT


worked beautifully, thank you for that. Though I just quickly applied it while my GF was gaming and she yelled at me for breaking the wifi, lol.

I think I need a break from all this networking stuff! Took me almost 2 weeks to finally settle on a clean OpenVPN server setup on an Ubuntu box that does exactly what I need it to. It's a nice feeling knowing you did it all yourself, y'know? I love being able to ping any computer from anywhere; there are just so many uses for this site-to-site VPN stuff.

Thanks again!