[colorbars]

Firmware: DD-WRT v3.0-r51937 std (03/05/23) on Netgear R7800 running as a router.


What I'm trying to do is create a virtual WLAN that is identical to the regular WLAN (same DHCP server, same LAN IP space, etc) except that clients connected to the new virtual WLAN would only be allowed to connect to one specific port on one specific local IP address. I tried setting up a bridge as described in https://forum.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners and https://forum.dd-wrt.com/wiki/index.php/Guest_Network but it wouldn't even allow me to connect to the new network and that wasn't really what I was trying to do anyway.


So I went back to what I originally tried that doesn't work either. In the Administration/Commands page I added these to the Firewall as a test:

#Allow the specific IP I want to connect to
iptables -A INPUT -i wlan0.1 -d 192.168.0.2 -j ACCEPT

#Reject everything else
iptables -A INPUT -i wlan0.1 -d 0.0.0.0/0 -j REJECT

And it still allowed everything whether it was connecting to 192.168.0.2 or not. (There's also the issue that apparently the --dport xx parameter isn't supported, but one thing at a time.) Ideas/suggestions?

[ho1Aetoo]

In short not possible, and in the linked articles there is nothing about same IP and same subnet and same dhcp as the main lan.

[colorbars]

[ho1Aetoo]

Traffic in the same subnet is switched and not routed.
If you want full control over the VAP then the VAP must use a different subnet.

[colorbars]

I can live with using a different subnet. So how would you (or anyone else who'd like to chime in) suggest I do what I'm trying to do?

[egc]

First start with setting up a Guest Virtual Access Point (VAP)

I attach my personal notes how I do it.

After you are done and have checked it is working,we can discuss the iptables rules
For some examples see: https://wiki.dd-wrt.com/wiki/index.php/Iptables

[colorbars]

Guest VAP is working.

[egc]

Enable Net Isolation and the Guest WLAN can only have internet acces but not local LAN access.
check if that is the case

If you want that your guest WLAN can connect to one IP address on your local LAN then use something like:

[colorbars]

When the VAP is in unbridged it won't connect to anything, either on the internet or on the LAN, either with or without the

[ho1Aetoo]

Then you have not configured your VAP properly.
And I have no idea how to help you if 3 instructions are not enough.

[colorbars]

I got it. AP isolation had to be disabled. Then I put

[ho1Aetoo]

[colorbars]

Let's just look at --dport for now.

The command

[egc]

See https://wiki.dd-wrt.com/wiki/index.php/Iptables_command

[ho1Aetoo]

as a hint the protocoll "-p" is missing