Posted: Tue Nov 30, 2021 21:45 Post subject: Guest Network can't access the Internet
Firmware: DD-WRT v3.0-r47665 giga (11/24/21)
Router: Asus RT-AC66U A1
I have setup a guest WiFi network. I can login to that network, and it is handing out IP addresses in the range I specified. However, connected devices cannot access the Internet.
There seem to be several sets of instructions for guest networks. I am using the DNSmasq instructions from the 1st part of: https://forum.dd-wrt.com/wiki/index.php/Guest_Network as they seem to be the most recent and understandable. The first paragraph there is very confusing to me, and I don't know if these instructions are meant to be suitable for a guest network that needs to connect to the Internet or not.
Can anyone see what I need to change to allow guests to see the Internet?
Right now, I am not going for maximum security -- just basic functionality.
Try nixing all of that, using multiple dhcp server on the networking tab. Those wikis need to be updated.
That's the previous thing I tried. Similar results. Question: When using either one of these methods, should I need firewall rules for the Guest network to reach the Internet, and if so, what are they?
there are some unneeded things that he has, but getting you up and working is the first thing.
Your screenshot shows unbridged, is that what you intend? If you quickly change that to bridged, do you have access?
I was warned off of those 2013 directions in a previous post as probably obsolete.
What exactly does bridged/unbridged mean in this context? Bridged to what?
I tried it, and if I select Bridged, it connects to the internet okay, but it isn't isolated from the main network at all. A guest gets an IP on the same subnet as everything else on the primary WiFi.
yeah understand... but the actual principles still work... similar to what egc posted.
In this context bridged/unbridged means that you are connected to the rest of the network or not... So as you noticed when you have it bridged, it is connecting multiple "networks"/nics together (ie creating a bridge), so therefore you are sharing resources... In an unbridged connection, everything is separate, which means that you have to setup all of the connections/forwarding...
Bridging is much simpler to setup. Then I will get lazy and just setup IP tables rules to ensure that the networks do not talk/isolated...
This is accomplished by adding each VAP to its own bridge (ensuring that at the bottom of the page each bridge/network has its own dhcp server) and then add the iptables rule (plus some security):
Code:
#Prevent Wireless from talking to each other
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j DROP
Thank you @Wildlion and @egc. I have it working now.
I ended up using the 2013 Alex Laird instructions (very close to @egc 's document). The important things I did different seemed to be:
1) Religious application of the reboot button after changes, and
2) Used the VAP-Broadcom workaround below from @eibgrads in the Save As Startup section of the Administration/Commands tab:
Code:
{
# VAP fix-up
while ! pidof nas; do sleep 3; done; sleep 10
stopservice nas; stopservice wlconf; wlconf eth1 up; wlconf eth2 up; startservice nas
} >/dev/null &
Prior to those things, the 2013 Laird instructions gave a configuration where the Guest WiFi password wasn't recognized (separate thread on that subject).
And, to answer @kernel-panic69 , this is not being configured as an AP with WAN disabled.
[edit: Okay, it is *still* not working unless I configure the Guest Wireless as Bridged. I want Unbridged, but selecting that makes the WiFi password not be accepted.]
I'm going to declare victory. Lesson Learned: DO NOT put Virtual WiFi Interface into "Unbridged".
Even though it is now set as "Bridged", I am getting isolation through instructions from @Wildlion
Wildlion wrote:
Bridging is much simpler to setup. Then I will get lazy and just setup IP tables rules to ensure that the networks do not talk/isolated...
This is accomplished by adding each VAP to its own bridge (ensuring that at the bottom of the page each bridge/network has its own dhcp server) and then add the iptables rule (plus some security):
Code:
#Prevent Wireless from talking to each other
iptables -I FORWARD -i br+ -o br+ -m state --state NEW -j DROP
Posted: Fri Dec 03, 2021 14:07 Post subject:
What you probably have done is create a bridge e.g. br1 and then put an unbridged wl.0.1 on that bridge.
But if you create a separate bridge (br1) then wl0.1 or another VAP must be used bridged instead of unbridged because (drum rolls ....) it is bridged to br1.
Posted: Fri Jan 28, 2022 21:46 Post subject: Re: Guest Network can't access the Internet
HoverCar wrote:
Firmware: DD-WRT v3.0-r47665 giga (11/24/21)
Router: Asus RT-AC66U A1
I have setup a guest WiFi network. I can login to that network, and it is handing out IP addresses in the range I specified. However, connected devices cannot access the Internet.
There seem to be several sets of instructions for guest networks. I am using the DNSmasq instructions from the 1st part of: https://forum.dd-wrt.com/wiki/index.php/Guest_Network as they seem to be the most recent and understandable. The first paragraph there is very confusing to me, and I don't know if these instructions are meant to be suitable for a guest network that needs to connect to the Internet or not.
Can anyone see what I need to change to allow guests to see the Internet?
Right now, I am not going for maximum security -- just basic functionality.
Thank you.
I was able to get the guest network working from a youtube tutorial.
I too have an Asus RT-AC66U. It is running DD-WRT v3.0-r47874 giga (12/18/21). I too had problems with a guest network. I find that, when that network stops being able to connect, I have to edit the field that sets its password - even if I just click the field, remove a character, add back that same character, and then click 'apply' and then 'save'. I think we are dealing here with a long-standing bug.
_________________
My router: Asus RT-AC66U
Operating systems on devices that I use with that router: GNU-Linux; Windows 10; Android 13
In my experience it is easier to do Guest networks as follows:
Wireless > Basic Settings > Virtual Interface > Add
name the SSID
AP Isolation = enable
Network configuration = bridged
Wireless GUI Access = disable
Save and Apply
You can test the new SSID and verify all is working and then proceed to move the SSID onto an isolated network for proper security. Or stay like this for some basic client isolation.
Wireless > Wireless Security > Set your security up on the new SSID
Save and Apply
Setup > Networking
Create bridge > Add > br3, STP=off
Save and Apply, refresh browser
Scroll all the way down
Set br3 gateway IP address
Masquerade NAT = enable
NET Isolation = enable
Save and Apply
Multiple DHCP server > Add
Select br3, configure pool
Save and Apply
Assign to bridge > Add
br3, wl0.1
(repeat for wl1.1 if you have 2.4 and 5 GHz SSIDs for the guest)
Save and Apply
You have the option to set your physical LAN port to VLAN 3, which also requires that you add that VLAN to br3 (e.g. vlan3)
Setup > Switch Config
VLAN> Add 3
To change port 4 to VLAN3, uncheck VLAN 1 for port 4 and then check VLAN 3
Save and Apply
Assign VLAN 3 to bridge > Add
br3, vlan3
Save and Apply
That should be it. Then there is no extra config needed in my experience.
This is how it looks when configured:
Code:
Current Bridging Table
Bridge Name STP Interface
br0 no eth1 eth2 vlan1
br3 no vlan3 wl0.1 wl1.1
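As an added example (not code from the thread or from DD-WRT), here is a small POSIX sh script that checks a bridging table of the shape shown above and emits the firewall rules for the layout egc and Wildlion describe: the guest VAPs are "Bridged", but to their own bridge (br3), and iptables keeps br3 and the main LAN (br0) from opening connections to each other. The bridging table embedded below is a constructed copy of the one in this post; the bridge names, VAP names and the management ports it blocks (web GUI, SSH, telnet) are assumptions for the example. The script only prints the iptables commands, so it can be reviewed before being pasted into the Firewall script box.

```sh
#!/bin/sh
# Added example: verify the guest-bridge layout and emit isolation rules.
# Assumptions (constructed for this example): main LAN = br0, guest = br3,
# guest VAPs = wl0.1 and wl1.1, as in the bridging table in the post.
# The table format parsed here is the one shown in the DD-WRT GUI.

# Constructed sample of the GUI's "Current Bridging Table".
BRIDGE_TABLE='Bridge Name STP Interface
br0 no eth1 eth2 vlan1
br3 no vlan3 wl0.1 wl1.1'

# bridge_members BRIDGE TABLE: print the interfaces attached to BRIDGE,
# one per line (column 1 = bridge, column 2 = STP, columns 3.. = members).
bridge_members() {
    printf '%s\n' "$2" | awk -v b="$1" '$1 == b { for (i = 3; i <= NF; i++) print $i }'
}

# has_word LIST WORD: 0 if WORD is one of the whitespace-separated items.
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# check_guest_isolated GUEST_BR MAIN_BR TABLE VAP...: 0 only when every
# guest VAP sits on GUEST_BR and none has ended up on MAIN_BR, i.e. the
# "Bridged, but to its own bridge" layout rather than a VAP on br0.
check_guest_isolated() {
    guest=$1; main=$2; table=$3; shift 3
    guest_if=$(bridge_members "$guest" "$table")
    main_if=$(bridge_members "$main" "$table")
    for vap in "$@"; do
        if ! has_word "$guest_if" "$vap"; then
            echo "FAIL: $vap is not a member of $guest" >&2
            return 1
        fi
        if has_word "$main_if" "$vap"; then
            echo "FAIL: $vap is also a member of $main (guests share the LAN)" >&2
            return 1
        fi
    done
    return 0
}

# guest_rules GUEST_BR MAIN_BR: print the iptables commands. Unlike the
# thread's single "br+ -o br+" rule this names the two bridges explicitly,
# blocks only NEW connections between them (established flows and the
# guest's path to the WAN are untouched), and drops guest access to the
# router's management ports while leaving DNS/DHCP to the router alone.
# Rules are inserted (-I) so they are evaluated before DD-WRT's own rules.
guest_rules() {
    guest=$1; main=$2
    cat <<EOF
iptables -I FORWARD -i $guest -o $main -m state --state NEW -j DROP
iptables -I FORWARD -i $main -o $guest -m state --state NEW -j DROP
iptables -I INPUT -i $guest -p tcp --dport 80 -j DROP
iptables -I INPUT -i $guest -p tcp --dport 443 -j DROP
iptables -I INPUT -i $guest -p tcp --dport 22 -j DROP
iptables -I INPUT -i $guest -p tcp --dport 23 -j DROP
EOF
}

# Stand-alone use: check the layout, then print (do not apply) the rules.
if check_guest_isolated br3 br0 "$BRIDGE_TABLE" wl0.1 wl1.1; then
    guest_rules br3 br0
fi
```

Running it against the table above prints the six rules; against a table where wl0.1 had been left on br0 it prints a FAIL line instead, which is the symptom HoverCar saw when "Bridged" put guests on the main subnet.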
_________________ --------------------------------------------------
VLANs, port trunking, virtual SSID (Guest)
DNSmasq, NTP, syslog, nflow
Hub and spoke, multi-site, routed VPN (OpenVPN client), split tunnel
1 DNS zone per site, forward, reverse look-up across all sites
Asus RT-AC68U rev A2 DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC68U rev C1 DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC1900P DD-WRT v3.0-r48138 std (01/17/22)
Asus RT-AC1900P DD-WRT v3.0-r48138 std (01/17/22)
Netgear R7000 DD-WRT v3.0-r48138 std (01/17/22)
Linksys E2000 DD-WRT v3.0-r33492 mega (10/10/17)