egc,
The 'Masquerade / NAT' option is NOT available in Unbridged VAP if unit is in router mode as is in gateway mode...not that it really makes a nevermind. I tried all ways yesterday with NO worky.
NOTE: the Multiple/DHCP Server on networking page did work now ok but still could never get internet.
I'll try afterlater with the E1200v2 & E2500 to see what happens
Joined: 08 May 2018 Posts: 14217 Location: Texas, USA
Posted: Tue Nov 16, 2021 16:54 Post subject:
This is probably one of those "must do steps in correct order" situations so that when you switch to router mode, it works... or don't bother switching to router mode?
Linksys E1200 v2
DD-WRT v3.0-r47644 mega (11/15/21)
Linux 4.4.292 #12548 Mon Nov 15 07:38:15 +07 2021 mips
'dd-wrt.v24-47644_NEWD-2_K3.x_mega-nv64k.bin'
worky just fine --
silly 'wireless packet info' shows 0 but I done speedtest & other browsing
Gave it another try today and applied the settings above... and YES I can connect to the guest network now!
Thanks for the good instructions.
Is the setting for the firewall "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)" secure enough so that guests connected to the VAP cannot see or access my private network?
And how do I set QOS so that the VAP gets less bandwidth (download speed) than my private network?
To answer your question: no, this has nothing to do with keeping guests off your regular network.
See my earlier posts with links to how to set up a VAP on a WAP and the necessary firewall rules to isolate that, as the GUI option "Net isolation" does not work on a WAP.
Heck, probably nobody seems to read that, seeing we have all these threads claiming it is not working.
Here is the text; of course, substitute wl0.1 with your own VAP:
Quote:
VAP on WAP
If you place the unbridged VAP on a wireless access point (a secondary router with a disabled WAN, no DHCP and on the same subnet as the primary router) then you have to add the following rule to the firewall in order to get internet access from the VAP.
In the web-interface of the router: Administration/Commands save Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
Net Isolation does not work on a WAP so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
For isolating the WAP itself from the guest network:
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
(note: not all firmwares have the multiport directive)
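
The two INPUT rules quoted above depend on `-I` inserting at the top of the chain, so the ACCEPT line, saved last, is evaluated first. The following is an added example, not part of the original posts and not DD-WRT code: it simulates that ordering on the text of a saved firewall script and checks the guest rules. The function names and both sample scripts are constructed for illustration, and it assumes rules are written without an explicit rule number and that filter-table rules carry no `-t` option.

```shell
# Added example, not from the thread: works only on the text of a saved
# firewall script and never calls iptables or nvram.

# effective_chain CHAIN: filter-table rules of CHAIN in evaluation order
# ("-I" without a rule number prepends, "-A" appends).
effective_chain() {
    awk -v chain="$1" '
        BEGIN { n = 0 }
        $1 != "iptables" || $2 == "-t" { next }   # skip nat and other lines
        ($2 == "-I" || $2 == "-A") && $3 == chain {
            rule = $0; sub(/^ *iptables +-[IA] +[^ ]+ +/, "", rule)
            if ($2 == "-A") { r[++n] = rule; next }
            for (i = n; i >= 1; i--) r[i + 1] = r[i]
            r[1] = rule; n++
        }
        END { for (i = 1; i <= n; i++) print r[i] }'
}

# audit_vap VAP (script on stdin): succeeds only if DNS and DHCP from the VAP
# are accepted before the REJECT, and a FORWARD REJECT for the VAP exists.
audit_vap() {
    script=$(cat)
    input=$(printf '%s\n' "$script" | effective_chain INPUT | awk -v vap="$1" '
        index($0, "-i " vap " ") == 0 { next }
        /-j ACCEPT/ && /-p udp/ {
            if (/--dports 53,67/) dns = dhcp = 1
            if (/--dport 53( |$)/) dns = 1        # fallback without multiport
            if (/--dport 67( |$)/) dhcp = 1
        }
        /-j REJECT/ { print ((dns && dhcp) ? "ok" : "dns-dhcp-blocked"); seen = 1; exit }
        END { if (!seen) print "no-reject" }')
    forward=$(printf '%s\n' "$script" | effective_chain FORWARD | awk -v vap="$1" '
        index($0, "-i " vap " ") && /-d / && /-j REJECT/ { hit = 1 }
        END { print (hit ? "ok" : "missing") }')
    echo "INPUT=$input FORWARD=$forward"
    [ "$input" = ok ] && [ "$forward" = ok ]
}

# Constructed samples: the rules from the post, then the INPUT pair swapped.
GOOD='iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT'
SWAPPED='iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT'

printf '%s\n' "$GOOD" | audit_vap wl0.1
printf '%s\n' "$SWAPPED" | audit_vap wl0.1 || echo "guests cannot reach DNS/DHCP on the WAP"
```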