LAN only wireless sub/guest network possible?

DD-WRT Forum Index -> Broadcom SoC based Hardware
avpman
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 32

PostPosted: Tue May 27, 2014 22:33    Post subject: LAN only wireless sub/guest network possible?
I know this is probably the reverse of what people want and before I go into all the specifics I want to find out if it's even possible.

1) Kong's DD-WRT v24-sp2 (04/08/14) kongac - build 23885M
2) Netgear R6300 V1 router.
3) LAN net 192.168.1.0
4) I want to create a wireless "guest or VLAN?" (in addition to my regular lan/wan) network which allows access to everything ONLY on the LAN (same subnet I guess, access to the printers, computers, IP scanners, etc) but blocked from accessing anything and everything on the Internet.

I know I can use date/time rules in the router to turn on/off internet access by MAC or IP address of the laptop but I just want it to be more simple and "connect" to a different SSID which has LAN WAN access and another which has LAN access only.

Basically have one wireless network which is "Internet restricted" and one SSID which is "Internet/LAN accessible." Both SSID must have access to the same local LAN.
Is this possible?

I hope I didn't overexplain it.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Thu May 29, 2014 20:03    Post subject:
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

See the restricting access chapter at the bottom.
avpman
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 32

PostPosted: Thu May 29, 2014 22:56    Post subject:
Per Yngve Berg wrote:
http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

See the restricting access chapter at the bottom.


Yes I read that chapter <eyes glazed over.> Here is what I have already done and what I need to do:

1) Main LAN, LAN/WAN access, subnet .1 wireless interface wl0. (Done)

2) Guest network, subnet .11, own DHCP server, virtual wireless interface wl0.1. Access to internet and any other computer on the Guest network. Isolated from anything on the main LAN. (Done)

3) Network restricted to the LAN. (This is what I need) A wireless virtual interface wl0.2, same subnet as #1 (or rules to allow the two subnets to see each other). Access to everything on LAN #1 except for internet access. So I want to be on the main LAN with all accesses and privileges (access to NAS, router, printers, etc) EXCEPT no internet access.

I can post my iptables rules if you have time to look this over and help. Any help would be very much appreciated. Just tell me which commands to execute to get you the iptables.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri May 30, 2014 5:31    Post subject:
3) Create a separate sub-net. Block from this interface to WAN with iptables and allow to LAN.

Code:

# drop new connections from the wl0.2 sub-net towards the WAN interface
iptables -I FORWARD -i wl0.2 -o `get_wanface` -m state --state NEW -j DROP
# allow new connections from the wl0.2 sub-net towards the LAN side
iptables -I FORWARD -i wl0.2 -o lan -m state --state NEW -j ACCEPT
avpman
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 32

PostPosted: Fri May 30, 2014 18:00    Post subject:
Per Yngve Berg wrote:
3) Create a separate sub-net. Block from this interface to WAN with iptables and allow to LAN.

Code:

iptables -I FORWARD -i wl0.2 -o `get_wanface` -m state --state NEW -j DROP
iptables -I FORWARD -i wl0.2 -o lan -m state --state NEW -j ACCEPT


The above 1/2 works - soooo close! It correctly blocks the internet from users logged in to the SSID (subnet .12) associated with wl0.2 But it will not let those users see or ping anything on the main LAN wl0 (subnet .1)

Any thoughts? Thanks again for your time.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri May 30, 2014 18:08    Post subject:
You can try br0 instead of lan

# br0 is the LAN bridge interface on DD-WRT, so -o br0 matches traffic headed for the main LAN
iptables -I FORWARD -i wl0.2 -o br0 -m state --state NEW -j ACCEPT
avpman
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 32

PostPosted: Sat May 31, 2014 14:50    Post subject:
Per Yngve Berg wrote:
You can try br0 instead of lan

iptables -I FORWARD -i wl0.2 -o br0 -m state --state NEW -j ACCEPT


Thank you! I am "mostly" there. I can not access devices on the main LAN by any way other than by using their IP address (i.e. \\NAS doesn't appear under "Network" and I have to refer to it by its actual IP address, 192.168.1.xx). However, if I add an entry to the Hosts file on my laptop then I can reference it as \\NAS, but it still doesn't show up under network discovery.

A couple of the networked printers are also problematic. They use their own proprietary "port ID", but if I change it to the actual IP address then it will print. I'm still working on that.

The last thing I really need, and can't seem to get to work, is my Network to USB server adapter. The Silex drivers won't see the server adapter when I'm connected to the non-wan wireless SSID. It does have the ability to add broadcast addresses to the driver, which I did, but it still won't see the server on the main LAN. I know it uses certain UDP/TCP ports to communicate. Perhaps the iptables FORWARD rule implied some firewall rules??

Bridging the non-wan subnet to the main one should operate more "cleanly." I'm beginning to wonder if the Kong implementation of the wireless virtual adapters was done in some non-standard way (for convenience of the user) which is causing these other headaches.

You have been a tremendous help to me and I've learned a lot. I *may* try to rebuild the wireless virtual adapters manually (without using the Kong applet) and see if I have any better success. Unless you think there is another way? I wish I knew more about using and interpreting iptables rules. Then I could possibly figure out what his applet does as opposed to doing it manually.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sat May 31, 2014 15:02    Post subject:
There is nothing more you can do on the router. Broadcasts do not flow from one segment to the other. To see the NAS in Explorer, you must have a WINS server.

Other Non Routed Discovery Protocols will also not work.

As you have discovered, you can use the host file or declare them in a dns server.
avpman
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 32

PostPosted: Sat May 31, 2014 15:19    Post subject:
Per Yngve Berg wrote:
There is nothing more you can do on the router. Broadcasts do not flow from one segment to the other. To see the NAS in Explorer, you must have a WINS server.

Other Non Routed Discovery Protocols will also not work.

As you have discovered, you can use the host file or declare them in a dns server.


Doesn't DD-WRT have a place to manually enter dns entries in the router? I *thought* I used one a very long time ago to create pseudonyms for various device IP addresses on the network as well as outside network locations (i.e. router, scanner, TiVo1, TiVo2, mail, ftpserver, etc?) But I can't seem to find the setup section again.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sat May 31, 2014 15:36    Post subject:
http://dd-wrt.com/wiki/index.php/DNSMasq_as_DHCP_server
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Sat May 31, 2014 16:17    Post subject:
http://dd-wrt.com/wiki/index.php/DNSMasq_Local_Network
avpman
DD-WRT Novice


Joined: 05 Sep 2008
Posts: 32

PostPosted: Fri Jun 06, 2014 1:44    Post subject:
Per Yngve Berg wrote:
There is nothing more you can do on the router. Broadcasts do not flow from one segment to the other. To see the NAS in Explorer, you must have a WINS server.

Other Non Routed Discovery Protocols will also not work.

As you have discovered, you can use the host file or declare them in a dns server.


I got to thinking - why not just strip this down and try something more basic instead of trying to get two subnets to talk to each other? The only reason I tried adding the second subnet in the first place was just to be able to disallow the internet access.

So first step - I created a new virtual wan interface (wl0.1), gave it its own SSID (ddwrtv1) and set its network configuration to bridged. I can log on to the new virtual wan interface (SSID ddwrtv1) and I've got access to the local lan, I'm on the same subnet (.1), I can access all my network shares, and I've got internet access.

So I figure - great! Now all I have to do is block wl0.1's internet access, so I put this into the firewall commands and rebooted the router:
iptables -I FORWARD -i wl0.1 -o `get_wanface` -m state --state NEW -j DROP

Logically (at least in my head) I would think that this should block WAN traffic to and from the virtual wireless interface wl0.1 - but it doesn't. Is it because wl0.1 is assigned to the same bridge (br0) as the physical wireless interface (wl0) and that takes precedence over my firewall rule? Am I close or am I real far off base? I'm really trying hard on my own to make this work. But the more I read about iptables the more lost I get.
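The following is an added illustration, not code from the thread or from DD-WRT: a small model of how the netfilter FORWARD chain evaluates the rules posted above. It covers both the routed wl0.2 case (why `-o lan` left LAN pings dropped while `-o br0` fixed them, and why `-I` ordering did not matter there) and the bridged wl0.1 case from this post (why a rule with `-i wl0.1` never matches once wl0.1 is a member of br0, because iptables attributes the packet to the bridge). Everything here is constructed: the assumed `get_wanface` output `vlan2`, the three-rule stand-in for the stock chain, and the bridge membership table. The `physdev` variant models the kernel's `-m physdev --physdev-in` match, which the thread does not use; on a real router it needs the bridge netfilter hooks to be active.

```python
"""
Toy model of the netfilter FORWARD chain for the two rule sets in this thread.
Added example, not DD-WRT's firewall code. Constructed assumptions: `get_wanface`
prints "vlan2"; the stock chain is the three-rule baseline below; wl0.1 is a
member of br0 (bridged SSID) while wl0.2 is a routed interface (own sub-net).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

WAN_IFACE = "vlan2"                                                      # assumed
BRIDGE_MEMBERS: Dict[str, Set[str]] = {"br0": {"eth0", "wl0", "wl0.1"}}  # assumed


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule; a None field means 'do not match on this field'."""
    in_iface: Optional[str] = None   # -i
    out_iface: Optional[str] = None  # -o
    state: Optional[str] = None      # -m state --state
    phys_in: Optional[str] = None    # -m physdev --physdev-in (bridge port)
    target: str = "ACCEPT"           # -j


@dataclass(frozen=True)
class Packet:
    phys_in: str        # port the frame physically arrived on
    out_iface: str      # interface chosen by the routing decision
    state: str = "NEW"  # conntrack state


def l3_in_iface(phys_in: str) -> str:
    """What -i sees: a frame arriving on a bridge port is attributed to the bridge."""
    for bridge, members in BRIDGE_MEMBERS.items():
        if phys_in in members:
            return bridge
    return phys_in


class ForwardChain:
    def __init__(self, policy: str = "DROP") -> None:
        self.rules: List[Rule] = []
        self.policy = policy

    def insert(self, rule: Rule) -> None:  # iptables -I FORWARD: rule goes to the top
        self.rules.insert(0, rule)

    def append(self, rule: Rule) -> None:  # iptables -A FORWARD: rule goes to the bottom
        self.rules.append(rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule wins; the chain policy applies when nothing matches."""
        in_iface = l3_in_iface(pkt.phys_in)
        for r in self.rules:
            if r.in_iface is not None and r.in_iface != in_iface:
                continue
            if r.out_iface is not None and r.out_iface != pkt.out_iface:
                continue
            if r.state is not None and r.state != pkt.state:
                continue
            if r.phys_in is not None and r.phys_in != pkt.phys_in:
                continue
            return r.target
        return self.policy


def baseline_chain() -> ForwardChain:
    """Constructed stand-in for the stock chain: replies pass, br0 clients pass, rest drops."""
    chain = ForwardChain("DROP")
    chain.append(Rule(state="ESTABLISHED", target="ACCEPT"))
    chain.append(Rule(in_iface="br0", target="ACCEPT"))
    return chain


def routed_guest_chain(lan_name: str) -> ForwardChain:
    """The two -I rules from the thread for the routed wl0.2 sub-net.
    lan_name is 'lan' (first attempt; no such interface exists) or 'br0' (the fix)."""
    chain = baseline_chain()
    chain.insert(Rule(in_iface="wl0.2", out_iface=WAN_IFACE, state="NEW", target="DROP"))
    chain.insert(Rule(in_iface="wl0.2", out_iface=lan_name, state="NEW", target="ACCEPT"))
    return chain


def bridged_guest_chain(use_physdev: bool = False) -> ForwardChain:
    """The single DROP rule tried once wl0.1 was bridged into br0.
    With use_physdev the rule matches the bridge port instead of the -i interface."""
    chain = baseline_chain()
    if use_physdev:
        chain.insert(Rule(phys_in="wl0.1", out_iface=WAN_IFACE, state="NEW", target="DROP"))
    else:
        chain.insert(Rule(in_iface="wl0.1", out_iface=WAN_IFACE, state="NEW", target="DROP"))
    return chain


if __name__ == "__main__":
    to_lan, to_wan = Packet("wl0.2", "br0"), Packet("wl0.2", WAN_IFACE)
    for name in ("lan", "br0"):
        c = routed_guest_chain(name)
        print(f"routed wl0.2, -o {name}: LAN={c.verdict(to_lan)} WAN={c.verdict(to_wan)}")
    bridged = Packet("wl0.1", WAN_IFACE)
    print("bridged wl0.1, -i wl0.1        :", bridged_guest_chain().verdict(bridged))
    print("bridged wl0.1, --physdev-in wl0.1:", bridged_guest_chain(True).verdict(bridged))
```

Two things the model makes visible: in the routed set-up, the ACCEPT rule with `-o lan` matches nothing, so LAN-bound packets fall through to the DROP policy, which is exactly the "blocks internet but cannot ping the LAN" symptom; in the bridged set-up, packets from wl0.1 enter FORWARD with `-i br0`, so the `-i wl0.1` rule is skipped and the stock br0 ACCEPT lets them out to the WAN. Traffic between wl0.1 and wl0 within the same bridge is switched at layer 2 and does not traverse the FORWARD chain at all, which is why the bridged SSID sees the LAN without any rule.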
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri Jun 06, 2014 15:02    Post subject:
avpman wrote:
Doesn't DD-WRT have a place to manually enter dns entries in the router? I *thought* I used one a very long time ago to create pseudonyms for various device IP addresses on the network as well as outside network locations (i.e. router, scanner, TiVo1, TiVo2, mail, ftpserver, etc?) But I can't seem to find the setup section again.



You can enter static leases at the DHCP server.
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6858
Location: Romerike, Norway

PostPosted: Fri Jun 06, 2014 16:40    Post subject:
Services->Services to administrate DHCP

You should have enabled JFFS to store the leases.

On what device is your NAS?
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

PostPosted: Sat Jun 07, 2014 19:56    Post subject:
Something alternatively you can do (idea for thought), is to just allow specific computers/devices with access to the internet. Then block anything else not specified.

Plain, simple, to the point. If it connects to your network, and you have not set it up to connect to the internet, block it.

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.