Isolate traffic from wireless extender on second subnet?

veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

PostPosted: Wed Dec 29, 2021 19:19    Post subject: Isolate traffic from wireless extender on second subnet? Reply with quote
I am running a Linksys WRT1900 and wanted to add another device to host a ton of IoT devices. I have a spare Tenda router that I have set up as a repeater. I am only given the option of WISP or Client+AP. I figured WISP would be best as I am running out of IP addresses (part of the reason for doing this).

I am wanting a way to block the Tenda from accessing the local network hosted by the Linksys.

Linksys is running 0.x and Tenda is 10.x if that helps for any rules.

Is it possible to have the Linksys filter all of the traffic since the Tenda seems to lack any kind of way to isolate (that I can see)?

Ideally I'd like to be able to access both networks from the Linksys side (and internet) and the Tenda should only be able to access its own network (and internet).

Help?

Edit - just realized the Tenda can run Tomato, but seems to lack a dedicated repeater mode.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

PostPosted: Wed Dec 29, 2021 22:14    Post subject: Reply with quote
What I would do is set up dd-wrt to have a regular wireless network, and then add a VAP; see https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners but there are other refs like: http://www.alexlaird.com/2013/03/dd-wrt-guest-wireless/


Then set up the VAP network to host all of your IoT and whatnot... then it can control through iptables what access things have, and whether you want access one way or another...

P.S. It sounds like you are only depending on DHCP (which you can increase). If you do shorter leases you can effectively gain more... otherwise change your netmask to be something like 255.255.0.0 (meaning that you are opening up from ~255 IP addresses per network to ~65536 addresses).
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

PostPosted: Wed Dec 29, 2021 23:23    Post subject: Reply with quote
Wildlion wrote:
What I would do is set up dd-wrt to have a regular wireless network, and then add a vap


I have considered that, but wasn't sure how much of an impact that would have on the main wireless network.

You are correct about the DHCP setting - never really needed more before, but with so many smart lights and switches things are getting out of control - Part of why I wanted them to all run on their own device.

I have 2 WRT1900's and one WRT1200 so I could also do something to bridge those instead of the Tenda.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Dec 30, 2021 8:28    Post subject: Reply with quote
If you set them on a DD-WRT router then that router can be isolated with iptables rules from the rest of the network
_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

PostPosted: Thu Dec 30, 2021 10:35    Post subject: Reply with quote
egc wrote:
If you set them on a DD-WRT router then that router can be isolated with iptables rules from the rest of the network


I've never really understood the whole iptables thing. Would the rules be used on the main router or whatever router I want isolated?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Thu Dec 30, 2021 10:47    Post subject: Reply with quote
No those rules are set on the new secondary router.

You simply block traffic to the main router's subnet:
Code:
iptables -I FORWARD -i br0 -d $(nvram get wan_ipaddr)/$(nvram get wan_netmask) -m state --state NEW -j REJECT


https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

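As an added example (my own script, not egc's or DD-WRT's code), here is the rule above wrapped into a firewall script for the secondary router: it derives the upstream subnet from the WAN address and netmask, can print the rules as a dry run, and applies them when nvram is present. It assumes br0 is the secondary router's LAN bridge; if the IoT VAP is left unbridged, use that interface name instead.

```shell
#!/bin/sh
# Added example for the SECONDARY (10.x, WISP) DD-WRT router. Save under
# Administration -> Commands -> Save Firewall. Rejects NEW connections from br0
# into the main router's subnet; internet traffic and replies to connections
# opened from the main side still pass because only --state NEW is rejected.

# Dotted netmask -> prefix length, e.g. 255.255.255.0 -> 24.
# Subshell body, so a bad octet can bail out with exit 1 without killing the caller.
mask_to_prefix() (
    IFS=.; prefix=0
    for octet in $1; do
        case $octet in
            255) prefix=$((prefix + 8)) ;;  254) prefix=$((prefix + 7)) ;;
            252) prefix=$((prefix + 6)) ;;  248) prefix=$((prefix + 5)) ;;
            240) prefix=$((prefix + 4)) ;;  224) prefix=$((prefix + 3)) ;;
            192) prefix=$((prefix + 2)) ;;  128) prefix=$((prefix + 1)) ;;
            0) ;;                           *) exit 1 ;;
        esac
    done
    echo "$prefix"
)

# Network address of ip/mask, e.g. 192.168.0.37 255.255.255.0 -> 192.168.0.0
network_of() (
    IFS=.; set -- $1 $2        # $1..$4 = IP octets, $5..$8 = mask octets
    echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
)

# Print the isolation rule for the given WAN address/netmask of this router.
# Caveat: this also blocks DNS queries that br0 clients send to the main router,
# so this router's DHCP must hand out its own address as DNS (dnsmasq's default).
isolation_rules() {
    upstream="$(network_of "$1" "$2")/$(mask_to_prefix "$2")"
    echo "iptables -I FORWARD -i br0 -d $upstream -m state --state NEW -j REJECT"
}

# Apply the rules, or only print them when DRY_RUN is set.
apply_isolation() {
    isolation_rules "$1" "$2" | while IFS= read -r rule; do
        if [ -n "$DRY_RUN" ]; then echo "$rule"; else $rule; fi
    done
}

# Only touch the live firewall when running on the router (nvram available).
if command -v nvram >/dev/null 2>&1; then
    apply_isolation "$(nvram get wan_ipaddr)" "$(nvram get wan_netmask)"
fi
```

Preview on the router with `DRY_RUN=1 sh isolate.sh`, then confirm with `iptables -L FORWARD -n --line-numbers` that the REJECT sits above the general ACCEPT rules.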
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

PostPosted: Fri Dec 31, 2021 22:42    Post subject: Reply with quote
Seems the guest network guide wasn't made for the current version - ended up totally screwing up my whole network trying to follow the steps. Thank goodness the wired part still worked.
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1407

PostPosted: Sat Jan 01, 2022 1:35    Post subject: Reply with quote
What did you do wrong? It really is not that hard, just dd-wrt has some quirks.
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

PostPosted: Sat Jan 01, 2022 1:47    Post subject: Reply with quote
Wildlion wrote:
What did you do wrong? It really is not that hard, just dd-wrt has some quirks.


No telling. Tried the second one and some of the steps didn't match. I think when trying to setup the DHCP for the guest is when things went screwy.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

PostPosted: Sat Jan 01, 2022 3:46    Post subject: Re: Isolate traffic from wireless extender on second subnet? Reply with quote
veekay wrote:
Edit - just realized the Tenda can run Tomato, but seems to lack a dedicated repeater mode.


Not a big deal to implement. You simply configure the AP for wireless ethernet bridge mode, then create a VAP and bridge it to LAN0/br0.

But I only mention it for completeness. Given your requirements, a bridge configuration isn't recommended anyway. As others have suggested, you need a routed configuration.

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

PostPosted: Sat Jan 01, 2022 8:10    Post subject: Reply with quote
It seems first thing is getting the vap working correctly. I actually recall trying to do this on my router at work and it took many attempts before it actually worked correctly. All goes downhill when trying to get the multiple dhcp to work I believe.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12834
Location: Netherlands

PostPosted: Sat Jan 01, 2022 9:31    Post subject: Reply with quote
On recent builds that should not be a problem.

What build are you running?

Attached are my personal notes on how I do it, but I only did this on Atheros and Broadcom routers, never on Marvell, so I cannot guarantee it is working in your case

Last edited by egc on Sat Jan 01, 2022 16:36; edited 2 times in total
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sat Jan 01, 2022 16:28    Post subject: Reply with quote
One more resource: My notes on setting up a VAP are the third post at https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1217070?start=3
_________________
2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14125
Location: Texas, USA

PostPosted: Sat Jan 01, 2022 19:00    Post subject: Reply with quote
Better link to @SurprisedItWorks' post. OP is always start=0; format for link is using the actual topic number with &start=

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326543&start=2

The whole topic:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326543

_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
veekay
DD-WRT User


Joined: 09 Mar 2009
Posts: 77

PostPosted: Sat Jan 01, 2022 19:01    Post subject: Reply with quote
Thank you everyone - hopefully I'll get this going. I plan to test on a router that isn't powering the whole house this time.

Build is 47581 currently

One more quick question - doing things this way, will I still be able to access the clients on the VAP or will they be isolated from my direction as well?