Posted: Thu Sep 13, 2012 0:44 Post subject: Multiple WLANs - New Builds - How to???
I've just upgraded to dd-wrt.v24-19519_NEWD-2_K2.6_big-nv60k on my Linksys E4200. Previously I have had little problem setting up multiple guest networks but the setup has changed a bit now.
I found that on newer builds the create bridge section is slightly different than the Wiki guide (due to the wireless driver I think) which was written with an older build. This confused me at first but the process generally remains the same. I experienced problems until I corrected my firewall rules:
Set up the assignments as normal so the virtual WLAN gets put onto br1. Here's what my bridging table looks like:
Bridge Name STP enabled Interfaces
br0 no vlan1 eth1 tap0
br1 yes wl0.1
br1 has STP on. Set up a DHCP range as stated in the Wiki guide.
Add them to your firewall table in that order. Here's what each does, in order:
- Enable NAT on the WAN port to correct a bug in builds over 17000. (This is a must!)
- Allows br1 access to br0 with SPI firewall on
- Allows br1 to access DHCP
- Allows br1 to access DNS
Test that out to see if it works; if it does you can then isolate the two bridges completely so br1 is truly isolated from br0 and neither can access the other, if that's what you require. Slot these firewall rules in before the DHCP and DNS rules:
Code:
# drop new connections from the guest bridge into the private LAN
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
# and new connections from the private LAN into the guest bridge
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
_________________ James
Main router:
Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac
IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset
I found that on newer builds the create bridge section is slightly different than the Wiki guide (due to the wireless driver I think) which was written with an older build. This confused me at first but the process generally remains the same.
The create bridge section just lists br0 now but last time I checked (when it was first added while I was trying to get another bug fixed) those br0 settings are buggy because there are other settings that contend with them. Just pretend that br0 isn't there.
The only real change you should need to do is add that firewall command to enable NAT for all traffic going out the WAN port instead of just for traffic from br0.
_________________ Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
I have used 17670 and 18730 in terms of newer builds, both Kong mod builds (as sadly the official DD-WRT builds are too big now for the WNR3500L, but loving Kong builds so it's all good), so if the create bridge table has changed since then I stand corrected.
On build 14929 when I created a bridge it just listed bridge 1 on its own; on newer builds it's a bit different, as both bridge 0 and bridge 1 are listed in the create bridge section, so initially it made me think it wasn't possible to do it on newer builds, as I thought it was a bug, but in the end the bridging table worked out the same.
In reality, it was actually that additional firewall rules were needed to get it working for me on "newer" builds, the main one being the specific rule for the NAT WAN issue like you mentioned. For some reason I needed to add a few more than before, one being the SPI firewall rule, which I don't remember having on 14929, and it still worked. Mileage may vary with different setups I guess.
[Attachment: bridges.jpg (55.07 KB): Bridges on newer builds]
Has anyone been able to get this setup working with a WDS??
I followed the Multiple VLANs guide -- including the contested part about enabling the NAT for the WAN (sorry shmackitup -- that was in the guide), and can get the VAP working -- but it kills the WDS.
Posted: Sun Sep 16, 2012 23:45 Post subject: secure the guest network- allow access to wireless printer
This is my first post on this forum, so forgive me if I screw up with screenshots and code.
I am running DD-WRT v24-sp2 (04/07/12) big (SVN revision 18946M NEWD-2 K2.6 Eko) with OTRW, on my Linksys E4200 V1 router as a base.
DD-WRT v24-sp2 big (c) 2012 NewMedia-NET GmbH
Release: 04/07/12 (SVN revision: 18946)
Enhanced with OTRW
My goal is to secure the guest network and keep it isolated from my private network.
Except I would like my guests to be able to use my wireless HP Envy 100 D410 printer that is DHCP reserved.
Pinging 192.168.200.40 with 32 bytes of data:
Reply from 192.168.200.40: bytes=32 time=5ms TTL=254
Reply from 192.168.200.40: bytes=32 time=6ms TTL=254
Reply from 192.168.200.40: bytes=32 time=4ms TTL=254
Reply from 192.168.200.40: bytes=32 time=5ms TTL=254
Ping statistics for 192.168.200.40:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 6ms, Average = 5ms
tracert 192.168.200.40
Tracing route to HP-Envy-D410A [192.168.200.40]
over a maximum of 30 hops:
1 1 ms 1 ms 1 ms 172.16.1.254
2 4 ms 2 ms 2 ms HP-Envy-D410A [192.168.200.40]
Trace complete.
Is this setup supported, or am I missing something in the network settings, VLANs, etc.?
Code:
Last edited by ColdFusion on Tue Sep 25, 2012 4:58; edited 1 time in total
@mbwd - Yes it works with WDS but WDS can be quite finicky. When WDS links go down you may have to reboot all the routers (maybe even multiple times) to get the links to come back up. You can use the WDS keepalive feature to automate it.
@ColdFusion - It looks like ICMP is getting through fine so the router firewall should be okay. If the printer is configurable then check if there's anything to allow printing from hosts in other subnets. You might be able to trick it by having the router NAT traffic going to the printer.
Code:
iptables -t nat -I POSTROUTING -o br0 -d 192.168.200.40 -j SNAT --to `nvram get lan_ipaddr`
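As an added worked example (not code from this thread or from the DD-WRT wiki guide it refers to), here is a DD-WRT Firewall-script version of the rule set James lists in order above, plus the printer exception and the SNAT trick suggested to ColdFusion. The thread does not show the commands behind the four bullets, so their bodies are my reconstruction; br0/br1, eth0 as the WAN interface, 192.168.200.1 as the router's LAN address and 192.168.200.40 as the printer are assumptions taken from the posts, and using MASQUERADE for the WAN NAT rule (rather than SNAT to a fixed WAN address) is my choice. The point it demonstrates is ordering: because `iptables -I` prepends, the script must go from general rules to specific exceptions so the exceptions end up on top of the chain.

```shell
#!/bin/sh
# Added example: DD-WRT "Firewall" (rc_firewall) script for an isolated guest
# bridge with a single-host exception for a printer on the private LAN.
# Assumptions: br0 = private LAN bridge, br1 = guest bridge (wl0.1),
# the printer is the DHCP-reserved 192.168.200.40 on br0.
# Off the router (no nvram tool present) the script only prints the commands.

if command -v nvram >/dev/null 2>&1; then
    IPT=${IPT:-iptables}
    WAN_IF=${WAN_IF:-$(get_wanface)}            # DD-WRT helper, e.g. vlan2 or ppp0
    LAN_IP=${LAN_IP:-$(nvram get lan_ipaddr)}   # router address on br0
else
    IPT=${IPT:-"echo iptables"}                 # dry run: print, do not apply
    WAN_IF=${WAN_IF:-eth0}                      # placeholder WAN interface
    LAN_IP=${LAN_IP:-192.168.200.1}             # placeholder router LAN address
fi
PRINTER=${PRINTER:-192.168.200.40}              # assumed printer address on br0

# iptables -I prepends, so every rule below lands ABOVE the ones inserted
# before it. The script therefore runs from general to specific: blanket
# drops first, narrow exceptions last, so the exceptions are matched first.
guest_firewall() {
    # 1. NAT everything leaving the WAN, not only br0 traffic (the issue on
    #    builds over 17000). MASQUERADE follows a changing WAN address.
    $IPT -t nat -I POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # 2. With the SPI firewall on, br1 cannot open connections by default.
    #    Allow it (Internet access); the drops below take br0 away again.
    $IPT -I FORWARD -i br1 -m state --state NEW -j ACCEPT

    # 3. Isolate the bridges: no new connections in either direction.
    #    Replies to permitted connections still pass via the ESTABLISHED rule.
    $IPT -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
    $IPT -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

    # 4. Router services for guests: block br1 from the router itself
    #    (web UI, SSH, telnet), then re-open only DHCP and DNS.
    $IPT -I INPUT -i br1 -j DROP
    $IPT -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
    $IPT -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
    $IPT -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

    # 5. Printer exception: guests may open connections to this one host, and
    #    the source is rewritten to the router's LAN address so the printer,
    #    which cannot be told about other subnets, sees a peer on its own
    #    subnet. Inserted last so it sits above the drop from step 3.
    $IPT -I FORWARD -i br1 -o br0 -d "$PRINTER" -m state --state NEW -j ACCEPT
    $IPT -t nat -I POSTROUTING -o br0 -d "$PRINTER" -j SNAT --to-source "$LAN_IP"
}

guest_firewall
```

Two caveats for anyone using this: the SNAT rule makes every guest look like the router to the printer, so the printer's own job log can no longer tell guests apart; and it only helps once a client already knows the printer's address, because Bonjour/mDNS and similar discovery traffic is link-local and is not forwarded between br1 and br0, so a guest PC may have to be pointed at 192.168.200.40 by hand.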
The printer has no options for allowing printing from other subnets.
Could it be possible that I need to add Bonjour, Internet printing and UPnP in the iptables?
One thing to note, the printer port on my windows 7 laptop is using the Product Serial Number
CN0ADD21DW05KZ
I cant believe that nobody else wants this feature with a guest network setup.