Guest/Free WiFi setup - iptables

RobaL
DD-WRT Novice


Joined: 08 Oct 2012
Posts: 6

PostPosted: Mon Oct 08, 2012 16:32    Post subject: Guest/Free WiFi setup - iptables
Hi,
I was following this guide in order to successfully set up a second wlan. I want this wlan to be free to use for guests and the public.

As I am not a professional on Linux, I'm not sure how to set up iptables the right way. I want that public wlan to be completely isolated from my private network and only to access the internet.

My current configuration is:
Code:
# Enable NAT on the WAN port to correct a bug in builds over 17000
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

# Allow br1 access to br0, the WAN, and any other subnets (required if SPI firewall is on)
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Restrict br1 from accessing br0 (do not use on WAP's)
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP

# Restrict br0 from accessing br1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

# Restrict br1 from accessing the WAN port (no internet access!)
#iptables -I FORWARD -i br1 -o `get_wanface` -j DROP

# Restrict br1 from accessing the WAN subnet (still has internet, do not use on WAP's)
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP

# Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

# Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

# Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP

# Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

# Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT


Is that OK?
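Whether the rule set above does what its comments say depends on an ordering detail that is easy to miss: every line uses `-I`, which inserts at the head of the chain, so the kernel walks the rules in the reverse of the script order and the DROP rules are evaluated before the `-i br1 ... -j ACCEPT`. The following Python model is an added example, not code from the post or from DD-WRT; it replays the OP's `-I` lines (also handling the numbered `-I CHAIN N` form), substitutes constructed addresses for the backtick `nvram` lookups, skips the nat table and the commented-out rule, assumes a DROP chain policy, and queries the result with constructed sample packets.

```python
import ipaddress

# Added example (not from the post): replay the OP's rules and query the result.
# Constructed stand-ins replace the backtick lookups: 203.0.113.7/255.255.255.0
# for wan_ipaddr/wan_netmask, 192.168.1.1/255.255.255.0 for lan_ipaddr/lan_netmask.
OP_RULES = """
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 203.0.113.7/255.255.255.0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d 192.168.1.1/255.255.255.0 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
"""
FLAGS = {"-i": "in", "-o": "out", "-p": "proto", "--dport": "dport", "--state": "state", "-d": "dst"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # TCPMSS only rewrites MSS and falls through

def parse(line):
    """One `iptables -I CHAIN [N] ...` line -> (chain, position, matches, target)."""
    tok = line.split()
    i = tok.index("-I")
    pos = int(tok[i + 2]) if tok[i + 2].isdigit() else 1  # bare -I means position 1
    match = {key: tok[tok.index(f) + 1] for f, key in FLAGS.items() if f in tok}
    return tok[i + 1], pos, match, tok[tok.index("-j") + 1]

def build(script):
    """Replay the script top to bottom. `-I` inserts at the HEAD of the chain, so
    the live chain (what `iptables -L` shows) is the reverse of the script order."""
    chains = {"INPUT": [], "FORWARD": []}
    for line in script.strip().splitlines():
        if line.startswith("iptables -I"):  # nat-table and commented lines are skipped
            chain, pos, match, target = parse(line)
            chains[chain].insert(pos - 1, (match, target))
    return chains

def matches(match, pkt):  # -d is a subnet test; every other field must be equal
    for key, want in match.items():
        if key == "dst":
            if ipaddress.ip_address(pkt.get("dst", "0.0.0.0")) not in ipaddress.ip_network(want, strict=False):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def verdict(chains, chain, pkt, policy="DROP"):
    """First matching terminating rule wins; otherwise the chain policy applies."""
    for match, target in chains[chain]:
        if matches(match, pkt) and target in TERMINAL:
            return target
    return policy
```

With this model a guest (br1) connection to the LAN or to the WAN subnet is dropped, a guest connection to the internet reaches the final ACCEPT, and on INPUT only DHCP and DNS from br1 get through; rerunning it after editing the rule text is a quick way to check a changed ordering before loading it on the router.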
netboy541
DD-WRT Novice


Joined: 03 Sep 2008
Posts: 39

PostPosted: Fri Oct 12, 2012 18:35
This is what I use

Code:
### FIREWALL COMMANDS FOR PUBLIC/PRIVATE SSIDS

#Allow br1 to access DHCP on the router
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT

#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

#Drop everything else on br1
iptables -I INPUT 4 -i br1 -j DROP

#Restrict br1 from accessing br0
iptables -I FORWARD 1 -i br1 -o br0 -j DROP

#Restrict br0 from accessing br1
iptables -I FORWARD 2 -i br0 -o br1 -j DROP

#Allow br1 to access http/https to internet
iptables -I FORWARD 3 -i br1 -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -I FORWARD 4 -i br1 -m state --state ESTABLISHED,RELATED -j ACCEPT

#Drop everything else on br1
iptables -I FORWARD 5 -i br1 -j DROP
jfish99
DD-WRT User


Joined: 25 Aug 2011
Posts: 97

PostPosted: Sun Oct 14, 2012 15:26
I use these rules; they allow full internet access for the guest wifi but do not allow access to the private network, and also limit bandwidth to 1mbit/sec.

I have this set up on a secondary DD-WRT router running the latest version, and the router is set up as a WAP.

Firewall rules

Code:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
TCA="tc class add dev br1"
TFA="tc filter add dev br1"
TQA="tc qdisc add dev br1"
SFQ="sfq perturb 10"
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 1024kbit
$TQA parent 1:1 handle 10: $SFQ
$TFA parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:1
iptables -t mangle -A POSTROUTING -d 192.168.100.0/24 -j MARK --set-mark 10
TCAU="tc class add dev imq0"
TFAU="tc filter add dev imq0"
TQAU="tc qdisc add dev imq0"
insmod imq
insmod ipt_IMQ
ip link set imq0 up
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit
$TQAU parent 1:1 handle 10: $SFQ
$TFAU parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:1
iptables -t mangle -A PREROUTING -s 192.168.100.0/24 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -j IMQ --todev 0
RobaL
DD-WRT Novice


Joined: 08 Oct 2012
Posts: 6

PostPosted: Wed Oct 17, 2012 19:20
Thanks for your replies, I appreciate that!
zaklee
DD-WRT Novice


Joined: 04 Sep 2008
Posts: 19

PostPosted: Thu Oct 18, 2012 1:36
I'm trying to do something similar but in my case I have two devices. Here's what I posted earlier today:
________
I'm struggling to find the right solution here. What I'm trying to do is use a WRT54GL as a router and wireless access point such that the LAN ports have full access to our system but that the wireless interface has internet access only. The WRT54GL is running v24-sp2 build 12548M NEWD Eko and it's connected to a Linksys E3000 that is the gateway and DHCP server. The E3000 is running v24-sp2 voip build 16754. This gateway is 192.168.1.1

Following this tutorial (http://www.dd-wrt.com/wiki/index.php/Separate_LAN_and_WLAN) I created a virtual wireless interface and used the "Additional DNSMasq Options" to define the DHCP range as 192.168.50.100 to 192.168.50.150. All DHCP settings are off on the WRT54GL because the E3000 is handling that.

I can connect to the wireless interface with no problem but there is no internet access. When I look at the IP settings established by the DNSMasq/DHCP I see that the DNS server and Gateway are both 192.168.50.1 whereas they should be (I think) 192.168.1.1.

I'm guessing that I need to add another option to define the DNS and gateway. Or perhaps there's something I need to do with iptables in the firewall settings? The SPI firewall is currently disabled.

If I could set up a simple hotspot using Sputnik, that would be fine. I just want to give visitors internet access without taking down my pants. But I can't figure out how to get Sputnik running on the WRT54GL. I think the problem there is that it doesn't recognize a WAN connection, so I can't get to the SputnikNet Express setup screen as these instructions say I should: http://docs.sputnik.com/spaces/docs/manuals/express/lessons/4054-Getting-Started-with-SputnikNet-Express

Appreciate any input.
bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

PostPosted: Tue Oct 30, 2012 13:54
jfish99 wrote:
I use these rules; they allow full internet access for the guest wifi but do not allow access to the private network, and also limit bandwidth to 1mbit/sec.

I have this set up on a secondary DD-WRT router running the latest version, and the router is set up as a WAP.

Firewall rules

Code:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
TCA="tc class add dev br1"
TFA="tc filter add dev br1"
TQA="tc qdisc add dev br1"
SFQ="sfq perturb 10"
tc qdisc del dev br1 root
tc qdisc add dev br1 root handle 1: htb
tc class add dev br1 parent 1: classid 1:1 htb rate 1024kbit
$TQA parent 1:1 handle 10: $SFQ
$TFA parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:1
iptables -t mangle -A POSTROUTING -d 192.168.100.0/24 -j MARK --set-mark 10
TCAU="tc class add dev imq0"
TFAU="tc filter add dev imq0"
TQAU="tc qdisc add dev imq0"
insmod imq
insmod ipt_IMQ
ip link set imq0 up
tc qdisc del dev imq0 root
tc qdisc add dev imq0 root handle 1: htb
tc class add dev imq0 parent 1: classid 1:1 htb rate 512kbit
$TQAU parent 1:1 handle 10: $SFQ
$TFAU parent 1:0 prio 2 protocol ip handle 10 fw flowid 1:1
iptables -t mangle -A PREROUTING -s 192.168.100.0/24 -j MARK --set-mark 10
iptables -t mangle -A PREROUTING -j IMQ --todev 0


I wish this worked for me.

My virtual access point running on my WAP absolutely refuses to get an IP from my main router.

I have an E3000 and an E2000 (versions in my sig). I followed the Multiple WLAN guide for the main router (E3000) and I have a guest network running there. I followed the WAP guide to set up the E2000 as a WAP, and when I try to create the virtual access point there and assign it to br1 on that device, it will not connect.

My firewall contains the same rules as yours.

What other settings have you played with on your WAP? I've followed the wiki guide and set everything (even the optional settings that it recommends). Mine has just never worked.

The main wireless interface on the WAP works fine and connects fine to my main LAN, just the virtual interface on the WAP.
jfish99
DD-WRT User


Joined: 25 Aug 2011
Posts: 97

PostPosted: Tue Oct 30, 2012 13:59
See the attached document; this is a guide on how to set it up on a router as a WAP (where the WAN port is assigned to the LAN).
bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

PostPosted: Tue Oct 30, 2012 15:12
I've tried that guide before with no luck, maybe I'll give it another whirl.

The thing is, I have two wireless networks on my main router, one being a VAP. The VAP on the WAP (too many acronyms!) has the same SSID and subnet as the VAP on my main access point...

Main has:
Main interface: 192.168.1.1 on br0
VAP Interface: 192.168.2.1 on br1

WAP has:
Main interface: 192.168.1.2 on br0
VAP interface: 192.168.2.2 on br1

According to your instructions, both my main VAP and my WAP's VAP have to run a DHCP server? Is there no way to use the main router's "multiple DHCP server" that I added for the main router's VAP to get IPs on the WAP's virtual access point instead?

Are the firewall rules on my main router, set up for separating my virtual access point, stepping on the WAP's ability to communicate with the main router? All that traffic, I suppose, would be coming in to the main router on br0 (since the WAP is connected via wire to the main router, and that switch is on br0). And if br1 and br0 on my main router aren't allowed to talk (as per the wiki guide on virtual access points and separation) then nothing can get through?

I'm grasping at straws here, I really don't understand how to get this working.
bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

PostPosted: Tue Oct 30, 2012 15:17
Also, in this:

Code:
interface=br1
dhcp-option=br1,3,192.168.100.1
dhcp-option=brq,6,192.168.1.1
dhcp-range=br1,192.168.100.100,192.168.100.150,255.255.255.0,24h


What is that dhcp-option=brq line?

Should that not be br1?
jfish99
DD-WRT User


Joined: 25 Aug 2011
Posts: 97

PostPosted: Tue Oct 30, 2012 15:18
From what you're saying, you have 2 VAPs set up on 2 physical routers, both as br1 and on the subnet 192.168.2.0/24, and you wish for them both to talk to each other. Am I correct?
jfish99
DD-WRT User


Joined: 25 Aug 2011
Posts: 97

PostPosted: Tue Oct 30, 2012 15:20
bmupton wrote:
Also, in this:

Code:
interface=br1
dhcp-option=br1,3,192.168.100.1
dhcp-option=brq,6,192.168.1.1
dhcp-range=br1,192.168.100.100,192.168.100.150,255.255.255.0,24h


What is that dhcp-option=brq line?

Should that not be br1?


Yes, you are correct, a typo on my part.
bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

PostPosted: Tue Oct 30, 2012 16:33
jfish99 wrote:
From what you're saying, you have 2 VAPs set up on 2 physical routers, both as br1 and on the subnet 192.168.2.0/24, and you wish for them both to talk to each other. Am I correct?


Precisely.

And on the second router, it's set up as a WAP with WAN port disabled.

The first router has the main WLAN as "main" and VAP as "guest". The WAP router has the main WLAN as "main" with same security settings as the main router's "main" WLAN. All that works. I cannot get the "guest" WLAN on the WAP to work at all.

My main router's firewall is:
Code:

#Fix for DHCP not renewing properly
iptables -I INPUT -p udp --sport 67 --dport 68 -j ACCEPT

#VAP rules from VAP guide for separation
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

#VPN rules to allow port forwards through VPN tunnel
iptables -I FORWARD -i br0 -o tun1 -j ACCEPT
iptables -I FORWARD -i tun1 -o br0 -j ACCEPT
iptables -I INPUT -i tun1 -j REJECT

#port forward rule for SSH server, through the VPN tunnel
iptables -t nat -I PREROUTING -i tun1 -p tcp --dport 22 -j DNAT --to-destination 192.168.1.2
jfish99
DD-WRT User


Joined: 25 Aug 2011
Posts: 97

PostPosted: Tue Oct 30, 2012 16:54
Have you got any firewall rules on the second WAP so it will allow traffic from the VAP to the main router? Without rules, all traffic destined from the second VAP to the first VAP on the primary router will not be routed/allowed through.

Use the firewall rules in my PDF on the WAP, as this uses the LAN address variable rather than the WAN address variable.
bmupton
DD-WRT User


Joined: 16 Mar 2011
Posts: 111
Location: Saskatoon, SK, Canada

PostPosted: Tue Oct 30, 2012 18:25
jfish99 wrote:
Have you got any firewall rules on the second WAP so it will allow traffic from the VAP to the main router? Without rules, all traffic destined from the second VAP to the first VAP on the primary router will not be routed/allowed through.

Use the firewall rules in my PDF on the WAP, as this uses the LAN address variable rather than the WAN address variable.


Yes, I used the rules from your PDF. Perhaps I did something incorrectly. I'll try it again when I am home from work.

I'll let you know what happens.
jfish99
DD-WRT User


Joined: 25 Aug 2011
Posts: 97

PostPosted: Tue Oct 30, 2012 20:06
bmupton wrote:
jfish99 wrote:
Have you got any firewall rules on the second WAP so it will allow traffic from the VAP to the main router? Without rules, all traffic destined from the second VAP to the first VAP on the primary router will not be routed/allowed through.

Use the firewall rules in my PDF on the WAP, as this uses the LAN address variable rather than the WAN address variable.


Yes, I used the rules from your PDF. Perhaps I did something incorrectly. I'll try it again when I am home from work.

I'll let you know what happens.


So you have firewall rules on both routers; I suggest only having the firewall rules on the second router. Maybe the two sets of firewall rules are conflicting and blocking traffic between the two.