The GUI has the Net Isolation option (as described in my notes) which, when enabled, isolates the VAP from the main network.
It is possible to work with iptables to allow traffic from main (the whole main or only certain clients) to the VAP but not the other way around.
All combinations are possible.
Ok, got things working so easily with your guide. Pretty sure the problem is most places have you set up the new network under the bridged settings when it is already set up that way when it is created.
Isolation is working, just have to get the rules going so the main can access the VAP. Seems to not be as simple as
Ok, getting closer, but having an issue since one of the routers is a secondary. I followed the VAP on WAP instructions, but cannot get everything correct.
Code:
# Suggested name (internet works, net isolation doesn't work):
iptables -I FORWARD -i wl1.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
# My actual shown device name (IP address, no internet):
iptables -I FORWARD -i wlan1.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
Essentially, it doesn't seem to like me using wlan1.1, but using wl1.1 doesn't seem to add the rules.
Currently, I am setting this up on a WRT1900ACSV2 (DHCP disabled, set as DHCP Forwarder) that is used as the downstairs router. Main router is a WRT1900AC (DHCP enabled). Hardwired between the two.
Joined: 18 Mar 2014 Posts: 12873 Location: Netherlands
Posted: Sun Jan 09, 2022 10:00 Post subject:
veekay wrote:
egc wrote:
I lost track how you set up in the end.
Please describe your current setup
Currently, I am setting this up on a WRT1900ACSV2 (DHCP disabled, set as DHCP Forwarder) that is used as the downstairs router. Main router is a WRT1900AC (DHCP enabled). Hardwired between the two.
VAP enabled on the router is wlan1.1
If the VAP is on the main router and you want to access the VAP from the main subnet but not the other way around, then disable Net Isolation and try with the following iptables rules:
Joined: 18 Mar 2014 Posts: 12873 Location: Netherlands
Posted: Sun Jan 09, 2022 11:09 Post subject:
The rules I posted are for isolating a VAP on the main router.
If you want to isolate a VAP on a WAP then these rules should do it, if not you should check your setup:
In the web interface of the router (the WAP): Administration/Commands, Save Firewall:
Code:
#Always necessary (alternatively set static route on main router):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
#Replace with the appropriate interface e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan1.1"
#Net Isolation does not work on a WAP so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
Same thing as with all other attempts: when connecting to the VAP all I get is an IP address without internet access. No other rules are in place except what you posted.
Is it normal for the source and destination to still have 0.0.0.0/0 in all of the rules?
Also just to verify, if the rules box is empty, does that mean all rules are deleted or has everything I have been adding during these tests been put into the iptables? Reading through that iptables link I see mention of --flush -F [chain], so do I need to run that command for each of the 5 chains?
While WAN is disabled, I do have all 5 ports populated on my router. Could the internet issue come down to something related to that? I tried switching the connection from the WAN port to the LAN, but got the same thing.
On the Switch Config page I have 0 1 2. 0 has nothing checked. 1 has 1-4 and 2 has WAN checked.
Edit - to make things even more strange - I took another router running stock firmware and flashed DD-WRT. Set up the VAP and everything worked perfectly right away. Reset the ACSv2 I have been using and started over. All is fine until the firewall rules, where I still get the same results. Reset again, flashed the firmware again, all the same. I'm out of ideas on this.
So, finally have it working. After seeing this work on every other router I tested, I went through to see what was different. The only thing I saw was that I didn't set up wireless security when testing, just kept the VAP open. Disabled security on my 1900 and boom, everything worked. After that I turned WPA back on and it still worked. No idea why that would matter, but whatever.
So now I'm running:
Code:
#Always necessary (alternatively set static route on main router):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
#Replace with the appropriate interface e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan1.1"
#Net Isolation does not work on a WAP so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
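As an added example (this is not egc's firewall snippet nor veekay's posted script), the following POSIX shell script generates the same two VAP-on-WAP rules as the posts above, but picks the VAP interface name from the names that actually exist under /sys/class/net (the wl1.1 versus wlan1.1 mismatch earlier in the thread: iptables accepts a rule for a non-existent interface and it simply never matches), and checks `iptables -S FORWARD` output for the isolation rule, which answers the 0.0.0.0/0 question from the thread. The LAN address and netmask are passed as arguments instead of being read with `nvram get`, so it can be dry-run off the router; the addresses 192.168.2.1/255.255.255.0 and the sample `iptables -S` output in the usage notes are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates the two VAP-on-WAP rules
# discussed above and verifies them without touching the router, so it can be
# dry-run on a workstation. LAN address/netmask are passed in as arguments
# instead of being read via 'nvram get'.

# Pick the first candidate interface name that exists under /sys/class/net.
# Earlier in the thread the VAP was wlan1.1, not wl1.1: a rule written for a
# name that does not exist is accepted by iptables but matches nothing.
# $1: space-separated candidates, $2: sysfs dir (overridable for testing).
resolve_guest_if() {
    sysdir=${2:-/sys/class/net}
    for cand in $1; do
        if [ -e "$sysdir/$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Print the rules, one command per line (dry run). On the WAP, paste the
# output into Administration/Commands and Save Firewall, or pipe it to sh.
# $1: guest interface, $2: WAP LAN address, $3: LAN netmask.
build_vap_rules() {
    guest_if=$1; lan_ip=$2; lan_mask=$3
    # Source-NAT guest traffic leaving over br0 to the WAP's own LAN address
    # so the main router can route replies (the alternative is a static route).
    printf 'iptables -t nat -I POSTROUTING -o br0 -j SNAT --to %s\n' "$lan_ip"
    # Reject NEW connections from the VAP toward the main LAN. Connections the
    # main LAN starts toward the VAP are not NEW on the way back, so they still
    # work: one-way isolation, as described in the first post.
    printf 'iptables -I FORWARD -i %s -d %s/%s -m state --state NEW -j REJECT\n' \
        "$guest_if" "$lan_ip" "$lan_mask"
}

# Check 'iptables -S FORWARD' output (read from stdin) for the isolation rule.
# iptables normalises 192.168.2.1/255.255.255.0 to 192.168.2.0/24 when it
# stores the rule, so pass the network in CIDR form. A 0.0.0.0/0 shown by
# 'iptables -L' only means that rule has no address restriction; it is normal
# for the SNAT and RELATED,ESTABLISHED rules and is not a problem.
# $1: guest interface, $2: LAN network in CIDR form.
has_isolation_rule() {
    grep -q -- "-A FORWARD -i $1 -d $2 -m state --state NEW -j REJECT"
}

# Usage: sh vap_rules.sh "wl1.1 wlan1.1" 192.168.2.1 255.255.255.0
if [ "$#" -eq 3 ]; then
    guest=$(resolve_guest_if "$1") || { echo "no such interface: $1" >&2; exit 1; }
    build_vap_rules "$guest" "$2" "$3"
fi
```

To confirm the rule landed on the router, run `iptables -S FORWARD | sh -c '. ./vap_rules.sh; has_isolation_rule wlan1.1 192.168.2.0/24' && echo present`; a line such as `-A FORWARD -i wlan1.1 -d 192.168.2.0/24 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable` (constructed sample) is what a correctly applied rule looks like, and its absence after saving the firewall is the first thing to check when guest clients get an address but no connectivity.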