HOW TO: Guest WiFi + abuse control for beginners

Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware
Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8  Next
Author Message
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Tue Aug 04, 2015 6:46    Post subject: Reply with quote
Did you enabled "Net isolation" on unbridged interface? When you enable Net isolation radio button, router basically do the code you provided - drops everything but the DNS (port 53) and DHCP (port 68 )

about yahoo and AR... the only way to block yahoo is on l7 level (service filter)... yahoo start using long time ago https (secure socket layer) and the traffic is encrypted... so use service filter to block yahoo...
Sponsor
peppo
DD-WRT Novice


Joined: 26 Jul 2015
Posts: 27

PostPosted: Tue Aug 04, 2015 16:40    Post subject: Reply with quote
Yeah... I did it exactly like in your howto.
It should be working without additional rules...
Maybe a bug in the software?

Yahoo was only an example. Wink
Other websites, which do not use https, can´t also block. (I tested it with dd-wrt.com)
The keyword blocking also not working.
I tried to use "torrent" as a keyword, with the same result...
bdg2
DD-WRT User


Joined: 18 Apr 2013
Posts: 319

PostPosted: Wed Aug 19, 2015 0:59    Post subject: Reply with quote
tatsuya46 wrote:
very good, i agree with everything..& the DHCPD config for the vap is right, many users do the old way using the bridge interface which has problems now. note that to use multiple DHCPD u MUST be using dnsmasq, not uDHCPd.


What problems might I have if I leave my guest networks set up the old way using br1 and firewall rules?
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7568
Location: YWG, Canada

PostPosted: Thu Aug 20, 2015 0:44    Post subject: Reply with quote
it didnt work whatsoever when i tried it again at the time of that post, maybe it works now again, or on some routers

it keeps going back & forth overtime..between the current easier way & that old way of putting the unbridged vap on a new created bridge, vs leaving it unbridged on its own. but now theres the net isolation & other firewall changes in the code over the years so usually separate on another bridge shouldnt be needed for most people. unless u need something specifically custom in which case ud probably have to shove it in the firewall regardless how the interface is setup

_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r55488 std
[QUALCOMM] DIR-862L --------------------------------> r55460 std
▲ ACTIVE / INACTIVE ▼
[QUALCOMM] WNDR4300 v1 --------------------------> r50485 std
[BROADCOM] DIR-860L A1 ----------------------------> r50485 std


Sigh.. why do i exist anyway.. | I love you Anthony.. never forget that.. my other 99% that ill never see again..

toastgodsupreme
DD-WRT Novice


Joined: 14 Aug 2011
Posts: 20

PostPosted: Sun Sep 27, 2015 0:32    Post subject: Reply with quote
Code:
# Block access to router configuration from guest wifi (ath0.1)
iptables -I INPUT -i ath0.1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i ath0.1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i ath0.1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i ath0.1 -p tcp --dport https -j REJECT --reject-with tcp-reset

# Deny access to br0 (main network)
iptables -I FORWARD -i ath0.1 -o br0 -j DROP
dspratomo
DD-WRT Novice


Joined: 27 Sep 2015
Posts: 3

PostPosted: Sun Sep 27, 2015 12:34    Post subject: Reply with quote
Hi, thanks for the concise howto, I have tp-link tl-wwr941nd V.3, which I already convert to ddwrt firmware. I already tried several howto to give my guest wifi access, before finally stumbled on this forum. This is the only howto that work, and I'm stuck up to this step:
Quote:
Now, lets set some limits. You can put your private network on Maximum and Guest to bulk. The bulk class is only allocated remaining bandwidth when the remaining classes are idle.
If the line is full of traffic from other classes, Bulk will only be allocated 1% of total set limit. So, basically you guests will not affect your private speed.
Or you can set hardcoded limits.


Now, check your connection. You should be able to browse internet from your guest wifi network.


After this step guest AP can browse Internet ok, however the private AP, no longer able to browse internet, it got IP address & gateway from DHCP, but when I tried to ping gateway, it failed. Next, when I gave Guest AP security password (TKIP+AES), the Private AP failed to give even IP number. I'm a beginner in this, care to guide me how to troubleshoot?

Thanks
bdg2
DD-WRT User


Joined: 18 Apr 2013
Posts: 319

PostPosted: Sun Sep 27, 2015 14:01    Post subject: Reply with quote
dspratomo wrote:
Hi, thanks for the concise howto, I have tp-link tl-wwr941nd V.3, which I already convert to ddwrt firmware.
...

What exact version of dd-wrt?
h8red
DD-WRT Guru


Joined: 28 Jun 2011
Posts: 580
Location: Vilnius, Lithuania

PostPosted: Sun Sep 27, 2015 14:15    Post subject: Reply with quote
27506 is alright
_________________
[Ramips] Nexx WT3020F Openwrt @kernel #4.14.167 (OpenVPN server, Wireguard server, AD blocking, SQM QOS, USB)
dspratomo
DD-WRT Novice


Joined: 27 Sep 2015
Posts: 3

PostPosted: Mon Sep 28, 2015 8:23    Post subject: Reply with quote
bdg2 wrote:
dspratomo wrote:
Hi, thanks for the concise howto, I have tp-link tl-wwr941nd V.3, which I already convert to ddwrt firmware.
...

What exact version of dd-wrt?

I downloaded the latest beta Firmware: DD-WRT v3.0-r27805 std (09/11/15)
dspratomo
DD-WRT Novice


Joined: 27 Sep 2015
Posts: 3

PostPosted: Mon Sep 28, 2015 12:08    Post subject: Reply with quote
h8red wrote:
27506 is alright

Downgrade to 27506 and it worked, Thank you.
yellcirc2012
DD-WRT Novice


Joined: 24 Nov 2012
Posts: 2

PostPosted: Mon Nov 02, 2015 11:15    Post subject: Access control not working on r27506 TP-Link wr941ND_v3.6 Reply with quote
Hello!
Thank You for wonderful and concise how-to, but I followed Your steps to letters and found myself in situation where bandwidth control(QoS) is working fine, iptables commands do their job by blocking web access and DNS forcing/substituting.
But access control does not work. Neither everyday/single days checked, nor deny/filter seem to apply.

I have tried Your guide on DD-WRT r21676, r25697, r 27506 - AR not working.

Am I missing something?
Is there a way to block specific traffic type (bittorrent) by other means?
Is there a way to block a shortlist of unwanted sites (e.g. fb.com, other social media, youtube etc...)?
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Mon Nov 02, 2015 12:17    Post subject: Reply with quote
If you use OpenDNS then it is possible to block p2p and media but... problem is when you want to block just few URLs for just one or two MACs and you force everyone to use OpenDNS servers... I had problems with AR too... some units uses nDPI filters, some uses old outdated l7layer filters... (as always problem is not enough flashspace and RAM)... even with routers with 8MB flash and > 32 RAM nDPI has problem to block youtube (https://github.com/ntop/nDPI/issues/22) but it is nDPI and kernel problem not ddwrt...

The problem that I never understood why blocking URL by keyword did not worked for me? Never. Even http! But I could'n never check it on kernel 3.18. I allways had 3.5 and 3.10 kernel units...

I know that ddwrt uses WEBSTRING for blocking keyword in URL...

After applying AR, telnet to your router and do:

Code:
cat /tmp/.ipt


give us print. Give us unit model, kernel version and firmware version. I will post bug ticket for you or you can do it by yourself on http://svn.dd-wrt.com/
post some screenshots of your configuration and try to explain your problem.
I will check AR again as soon as I get time (for the weekend probably) ...
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Mon Nov 02, 2015 18:56    Post subject: Re: Access control not working on r27506 TP-Link wr941ND_v3. Reply with quote
yellcirc2012 wrote:
Hello!
Thank You for wonderful and concise how-to, but I followed Your steps to letters and found myself in situation where bandwidth control(QoS) is working fine, iptables commands do their job by blocking web access and DNS forcing/substituting.
But access control does not work. Neither everyday/single days checked, nor deny/filter seem to apply.

I have tried Your guide on DD-WRT r21676, r25697, r 27506 - AR not working.

Am I missing something?
Is there a way to block specific traffic type (bittorrent) by other means?
Is there a way to block a shortlist of unwanted sites (e.g. fb.com, other social media, youtube etc...)?



I have bad news for you dude. Access Restrictions worksforme!!! So, check your configuration once again.

After I aplied settings on AR page, I did

Code:
cat /tmp/.ipt


and got this relevat lines in firewall

Code:
-A grp_1 -s 192.168.2.30 -j advgrp_1
-A grp_1 -d 192.168.2.30 -j advgrp_1
-A advgrp_1 -p tcp -m webstr --host
-A advgrp_1 -p tcp -m webstr --url


tried to access www.kurir.rs but no chance...
htismaqe
DD-WRT User


Joined: 05 Nov 2015
Posts: 471

PostPosted: Thu Nov 05, 2015 18:29    Post subject: Reply with quote
EDIT: My apologies. I forgot to mention I'm running Kong's build v3.0-r28050M (10/30/15) on a Linksys WRT1900AC v1.

----------------------

I read through this thread as well as Kong's instructions from http://tips.desipro.de/2013/12/06/guest-wifi-setup-dd-wrt/

Kong's instructions are quick and simple and work great for setting up a single, unbridged virtual interface attached to a single radio.

My issue is that I want to have a unified SSID for my guest network that uses both the 2.4Ghz and 5Ghz radios together, like I have on my private network.

What I did was created two unbridged virtual interfaces, one on the 2.4Ghz and one on the 5Ghz, and left them unnumbered. I then created a bridged interface under Setup | Networking, put both of the virtual interfaces in that bridge, and assigned it an IP address.

I basically setup everything according to Kong's instructions, except I enabled AP isolation on the virtual interfaces and net isolation/NAT on the bridged interface.

It appears to be functioning identically to Kong's setup, so my first question is this: did I do it correctly?

My second question is: it doesn't appear that Kong's instructions restrict access to the DD-WRT router itself. From a connected guest, I cannot ping, see, or connect to a device on the private LAN like say, my NAS. However, with both Kong's config and my config, a connected guest CAN ping the router, using both the guest gateway IP AND the private gateway IP. In addition, attempting to load the GUI in a web browser prompts for username and password. I would really like to set it up so that admin access is blocked.

Thanks in advance.
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Thu Nov 05, 2015 19:45    Post subject: Reply with quote
maybe iptables?

http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
Goto page Previous  1, 2, 3, 4, 5, 6, 7, 8  Next Display posts from previous:    Page 5 of 8
Post new topic   Reply to topic    DD-WRT Forum Index -> Atheros WiSOC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum