That "DNSMasq method" makes me wonder if the process of a WAP configuration is counter-intuitive and should be done in a specific order so that disabling the WAN is the last step.
If Wireless Mode isn't being changed from AP, WAN should be changed/Apply'd first.
mafkikker wrote:
Reset the router, and created a new guest network with the dnsmasq option. No Firewall settings in administration/commands.
If the router is not used as a gateway (like an AP, thus WAN and DHCP are disabled, but the same subnet as the primary gateway router), firewall rules are needed for client access restrictions and internet access.
Joined: 08 May 2018 Posts: 14244 Location: Texas, USA
Posted: Mon Nov 15, 2021 3:08 Post subject:
jwh7 wrote:
kernel-panic69 wrote:
That "DNSMasq method" makes me wonder if the process of a WAP configuration is counter-intuitive and should be done in a specific order so that disabling the WAN is the last step.
If Wireless Mode isn't being changed from AP, WAN should be changed/Apply'd first.
Which breaks the normal process of adding a VAP, hence my reasoning.
EDIT: I was under the impression that the multiple dhcp server configs were not present after disabling the WAN. I will pull out my E4200s when I get a chance to check unbridged and bridged VAP when configured as a WAP at some point. _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Last edited by kernel-panic69 on Mon Nov 15, 2021 23:20; edited 1 time in total
I saved these commands in "administration/firewall/save firewall"
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
Maybe you are running over yourself just a bit
NO need to make this so difficult
From what I understand this is a WAN disabled....WAP (Wireless Access Point) with a guest network
Get rid of your last 3 lines in the firewall & reboot
This is all you need for guest on WAP ---
Code:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
1. NO access to main subnet
2. gives guest network access to internet
in the 1st rule I have always used -j DROP although -j REJECT is ok also. -j DROP = just get dead connection and waits for whatever is trying to access it gets a timeout.
-j REJECT = immediate reject of connection. Most like this because it shows a rejection in less than a second...
...the problem I have with that is---> a REJECT command
also tells whomever there is something there because it is rejecting connections from this subnet.
---
EDIT: just a bit more...
The above is for a correctly configured WAP unit.
router mode ... NOT in Gateway mode
[quote="mrjcd"]
Maybe you are running over yourself just a bit
NO need to make this so difficult
From what I understand this is a WAN disabled....WAP (Wireless Access Point) with a guest network
Get rid of your last 3 lines in the firewall & reboot
This is all you need for guest on WAP ---
Code:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
1. NO access to main subnet
2. gives guest network access to internet
in the 1st rule I have always used -j DROP although -j REJECT is ok also. -j DROP = just get dead connection and waits for whatever is trying to access it gets a timeout.
-j REJECT = immediate reject of connection. Most like this because it shows a rejection in less than a second...
...the problem I have with that is---> a REJECT command
also tells whomever there is something there because it is rejecting connections from this subnet.
Deleted the three lines.
This in my firewall entry now
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
---
mrjcd wrote:
EDIT: just a bit more...
The above is for a correctly configured WAP unit.
router mode ... NOT in Gateway mode
Changed from gateway to router mode...
Client connected to guest network, gets ip-address .... no internet
To simplify this whole mess YOU should have created a simple VAP.
If that is good then add more until you get what you want.
There are many things that can cause VAP not to get IP address.
BEST guess is the stupid Broadcom VAP problem...that is why you need the workaround.
BCM units did NOT always have this problem with DD-WRT 🙄
Joined: 08 May 2018 Posts: 14244 Location: Texas, USA
Posted: Mon Nov 15, 2021 16:53 Post subject:
Someone introduced non-applicable information into the discussion. And I must've misread it. So the multiple dhcpd server is available to configure with WAN disabled, correct? I don't know why we went on the tangent of DNSMasq method... as it likely does not apply here. Only thing that could be causing issue is not picking up DNS servers or gateway information. And I could've sworn NET and AP isolation were fixed... _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Client connected to guest network, gets ip-address .... no internet
from previous page--
Code:
This is the dnsmasq entry :
interface=wl0.1
dhcp-option=wl0.1,3,192.168.10.1
dhcp-option=6,192.168.178.1,84.116.46.22,84.116.46.23
dhcp-range=wl0.1,192.168.10.100,192.168.10.200,255.255.255.0,12h
Joined: 08 May 2018 Posts: 14244 Location: Texas, USA
Posted: Mon Nov 15, 2021 17:05 Post subject:
Seems like you want to rely on not using the multiple dhcpd server function in the webUI on the networking page. Is it because it is broken? @egc has shown that he successfully set it up using it. Device-specific bug? Or too much confusing information... _________________ "Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT Pogo - A minimal level of ability is expected and needed... DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)
----------------------
Linux User #377467 counter.li.org / linuxcounter.net
Alright then
I be damn but you, mafkikker are correct.
see ---> https://mrjcd.com/junk/dd-wrt/r43028/ Need to see the 'ReadMe.html' in that directory before anything else
Alright then
I be damn but you, mafkikker are correct.
see ---> https://mrjcd.com/junk/dd-wrt/r43028/ Need to see the 'ReadMe.html' in that directory before anything else
I was starting to wonder if I was seeing everything clearly. But fortunately I am.
Older firmware is the solution.....
I was starting to wonder if I was seeing everything clearly. But fortunately I am.
Older firmware is the solution.....
yeahuh, for now I reckon
Let us know iffin you get setup what you wanted.
I might try it more on some other BCM units I have if find the time....the RTN12-D1 is a bit cranky bitch anyways
