Multiple WLANs - New Builds - How to???

shmackitup
DD-WRT Novice


Joined: 06 Feb 2011
Posts: 28

PostPosted: Thu Sep 13, 2012 0:44    Post subject: Multiple WLANs - New Builds - How to???
I've just upgraded to dd-wrt.v24-19519_NEWD-2_K2.6_big-nv60k on my Linksys E4200. Previously I have had little problem setting up multiple guest networks but the setup has changed a bit now.

The how to at: http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs no longer works with the newer builds and neither do the mods posted by mrengles here: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=148519&highlight=

Can someone please point me in the right direction so I can get my guest network back up and running with this new build?

Thanks!
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Thu Sep 13, 2012 7:51    Post subject:
I found that on newer builds the create bridge section is slightly different than the Wiki guide (due to the wireless driver I think) which was written with an older build. This confused me at first but the process generally remains the same. I experienced problems until I corrected my firewall rules:

Set up the assignments as normal so the virtual wlan gets put onto br1. Here's what my bridging table looks like:

Bridge Name   STP enabled   Interfaces
br0           no            vlan1 eth1 tap0
br1           yes           wl0.1

br1 has STP on. Set up a DHCP range as stated in the Wiki guide.

Then use the following firewall rules:

Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT


Add them to your firewall table in that order. Here's what each does, in order:

- Enable NAT on the WAN port to correct a bug in builds over 17000. (This is a must!)
- Allows br1 access to br0 with SPI firewall on
- Allows br1 to access DHCP
- Allows br1 to access DNS

Test that out to see if it works. If it does, you can then isolate the two bridges completely so br1 is truly isolated from br0 and neither can access the other, if that's what you require; slot these firewall rules in before the DHCP and DNS rules:

Code:
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP

_________________
James

Main router:

Netgear R7000 overclocked to 1.2GHz - DD-WRT v3.0-r35965M kongac

IPv6 6in4 (HE.net), OpenVPN (with PBR and split tunnelling), Entware, dnsmasq with ipset

Easy ipset support for the R7000

VPN speed: Download: 77.96 Mbps Upload: 5.00 Mbps (AES-128-CBC HMAC-SHA1)

Yes you can get 50 Mbps+ with OpenVPN on a R7000 if you configure it properly!

Previous routers:

ASUS RT-N66U - The Dark Knight
WNR2000v3 - Bought on the cheap for someone else, neutered crap
WNR3500Lv1 - First venture into the DD-WRT world
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Thu Sep 13, 2012 18:32    Post subject:
James2k wrote:
I found that on newer builds the create bridge section is slightly different than the Wiki guide (due to the wireless driver I think) which was written with an older build. This confused me at first but the process generally remains the same.

The create bridge section just lists br0 now but last time I checked (when it was first added while I was trying to get another bug fixed) those br0 settings are buggy because there are other settings that contend with them. Just pretend that br0 isn't there.

The only real change you should need to do is add that firewall command to enable NAT for all traffic going out the WAN port instead of just for traffic from br0.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
James2k
DD-WRT Guru


Joined: 23 Oct 2011
Posts: 549

PostPosted: Thu Sep 13, 2012 20:09    Post subject:
I have used 17670 and 18730 in terms of newer builds, both Kong mod builds (as sadly the official DD-WRT builds are too big now for WNR3500L, but loving Kong builds so it's all good), so if the create bridge table has changed since then I stand corrected.

On build 14929 when I created a bridge it just listed bridge 1 on its own; on newer builds it's a bit different, as both bridge 0 and bridge 1 are listed in the create bridge section, so it made me think it wasn't possible to do it on newer builds initially as I thought it was a bug, but in the end the bridging table worked out the same.

In reality, it was actually additional firewall rules that were needed to get it working for me on "newer" builds, the main one being the specific rule for the NAT WAN issue like you mentioned. For some reason I needed to add a few more than before, one being SPI firewall, which I don't remember having on 14929 and it still worked. Mileage may vary with different setups, I guess.



[Attachment: bridges.jpg, "Bridges on newer builds"]



shmackitup
DD-WRT Novice


Joined: 06 Feb 2011
Posts: 28

PostPosted: Fri Sep 14, 2012 20:53    Post subject:
This seems to be working perfectly! Thank you very much for this!!!
shmackitup
DD-WRT Novice


Joined: 06 Feb 2011
Posts: 28

PostPosted: Fri Sep 14, 2012 20:55    Post subject:
Evil or Very Mad

Last edited by shmackitup on Sat Sep 15, 2012 1:56; edited 2 times in total
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7401
Location: Little Rock

PostPosted: Fri Sep 14, 2012 21:41    Post subject:
shmackitup wrote:
This should be added to the wiki.


What should be added to the wiki? I don't see anything in this post that isn't covered in the multiple WLANs guide already.

_________________
Wireless N Config | Linking Routers | DD-WRT Wiki | DD-WRT Builds | Peacock - Broadcom FAQ

Having problems with port forwarding? Check out Port Forward Troubleshooting for more info.
shmackitup
DD-WRT Novice


Joined: 06 Feb 2011
Posts: 28

PostPosted: Fri Sep 14, 2012 23:09    Post subject:
-duh-

Last edited by shmackitup on Sat Sep 15, 2012 1:55; edited 1 time in total
buddee
DD-WRT Guru


Joined: 06 Feb 2010
Posts: 7401
Location: Little Rock

PostPosted: Fri Sep 14, 2012 23:42    Post subject:
shmackitup wrote:
The updated firewall rules which Enable NAT on the WAN port to correct a bug in builds over 17000.


Perhaps you should read guides more closely. That is in the guide already, and has been there for quite some time (Feb. of 2012). Matter of fact, it's the first rule listed in the restricting section.

mbwd
DD-WRT Novice


Joined: 13 Feb 2009
Posts: 31

PostPosted: Fri Sep 14, 2012 23:53    Post subject:
Has anyone been able to get this setup working with a WDS??

I followed the Multiple VLANs guide -- including the contested part about enabling the NAT for the WAN (sorry shmackitup -- that was in the guide), and can get the VAP working -- but it kills the WDS. Shocked
ColdFusion
DD-WRT Novice


Joined: 16 Sep 2012
Posts: 6

PostPosted: Sun Sep 16, 2012 23:45    Post subject: secure the guest network- allow access to wireless printer
This is my first post on this forum, so forgive me if I screw up with screenshots and code.

I am running DD-WRT v24-sp2 (04/07/12) big (SVN revision 18946M NEWD-2 K2.6 Eko) with OTRW, on my Linksys E4200 V1 router as a base.
DD-WRT v24-sp2 big (c) 2012 NewMedia-NET GmbH
Release: 04/07/12 (SVN revision: 18946)
Enhanced with OTRW

My goal is to secure the guest network and keep it isolated from my private network.
Except I would like my guests to be able to use my wireless HP Envy 100 D410 printer that is DHCP reserved.

I followed instructions for multiple WLANS at http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs step by step and read numerous wikis and forum posts on the topic.

Everything works as it should, except the printer is not available.
I tried printing from the guest net from my iPad and my laptop.

Code:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get wan_ipaddr`/`nvram get wan_netmask` -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.200.40 -j ACCEPT

See ping and tracert from laptop.

IPv4 Address. . . . . . . . . . . : 172.16.1.124(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Sunday, September 16, 2012 4:01:27 PM
Lease Expires . . . . . . . . . . : Wednesday, September 19, 2012 4:01:27 AM
Default Gateway . . . . . . . . . : 172.16.1.254
DHCP Server . . . . . . . . . . . : 172.16.1.254
DNS Servers . . . . . . . . . . . : 172.16.1.254

ping 192.168.200.40

Pinging 192.168.200.40 with 32 bytes of data:
Reply from 192.168.200.40: bytes=32 time=5ms TTL=254
Reply from 192.168.200.40: bytes=32 time=6ms TTL=254
Reply from 192.168.200.40: bytes=32 time=4ms TTL=254
Reply from 192.168.200.40: bytes=32 time=5ms TTL=254

Ping statistics for 192.168.200.40:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 6ms, Average = 5ms

tracert 192.168.200.40

Tracing route to HP-Envy-D410A [192.168.200.40]
over a maximum of 30 hops:

1 1 ms 1 ms 1 ms 172.16.1.254
2 4 ms 2 ms 2 ms HP-Envy-D410A [192.168.200.40]

Trace complete.

Is this setup supported, or am I missing something in the network settings, VLANs, etc.?

Last edited by ColdFusion on Tue Sep 25, 2012 4:58; edited 1 time in total
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10143

PostPosted: Sun Sep 23, 2012 5:29    Post subject:
@mbwd - Yes it works with WDS but WDS can be quite finicky. When WDS links go down you may have to reboot all the routers (maybe even multiple times) to get the links to come back up. You can use the WDS keepalive feature to automate it.

@ColdFusion - It looks like ICMP is getting through fine so the router firewall should be okay. If the printer is configurable then check if there's anything to allow printing from hosts in other subnets. You might be able to trick it by having the router NAT traffic going to the printer.

iptables -t nat -I POSTROUTING -o br0 -d 192.168.200.40 -j SNAT --to `nvram get lan_ipaddr`

ColdFusion
DD-WRT Novice


Joined: 16 Sep 2012
Posts: 6

PostPosted: Thu Sep 27, 2012 1:21    Post subject:
Phuzi0n

Thanks for the reply and advice to try the code.

Unfortunately, it still doesn't work.

Code:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I POSTROUTING -o br0 -d 192.168.200.40 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD -i br1 -d 192.168.200.40 -j ACCEPT


Did I place it in the correct location?


The printer has no options for allowing printing from other subnets.
Could it be possible that I need to add Bonjour, Internet printing and UPnP in the iptables?

One thing to note: the printer port on my Windows 7 laptop is using the product serial number

CN0ADD21DW05KZ

I can't believe that nobody else wants this feature with a guest network setup.

Thanks again for the advice.

phurley
DD-WRT User


Joined: 18 Nov 2006
Posts: 74

PostPosted: Sun Oct 28, 2012 20:54    Post subject: Guest Network Can Ping Main Network Default Gateway
I used:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP


However, the guest network can ping 192.168.0.1 and I don't want them to be able to login to the router even though it's password protected.

Can I block the guest from access to the main network router IP address?
rocky13
DD-WRT User


Joined: 25 Apr 2008
Posts: 158

PostPosted: Sun Oct 28, 2012 21:33    Post subject: Re: Guest Network Can Ping Main Network Default Gateway
phurley wrote:
I used:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP


However, the guest network can ping 192.168.0.1 and I don't want them to be able to login to the router even though it's password protected.

Can I block the guest from access to the main network router IP address?


Yes you can:

iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
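Added example, not code from the thread or the DD-WRT wiki: a POSIX sh function that reads the iptables commands posted above (James2k's set plus the INPUT DROP from rocky13's reply, as a constructed combined list) and prints each chain in the order the kernel will evaluate it. Because `-I` prepends, a rule entered later is matched earlier, which is why the br1/br0 isolation DROPs are entered after the br1 ACCEPT and the catch-all INPUT DROP is entered before the DHCP/DNS ACCEPTs; the script needs only sh and sed, touches no firewall, and assumes nothing about the router.

```shell
# effective_order CHAIN: read iptables commands on stdin and print the rules
# of CHAIN in the order the kernel will evaluate them. "-I" prepends, so the
# command issued last is matched first; "-A" appends.
effective_order() {
    chain="$1"
    order=""
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        set -- $line                                 # split the command into words
        mode=""; target=""
        while [ $# -gt 0 ]; do
            case "$1" in
                -I|-A) mode="$1"; target="$2"; shift ;;   # remember how and where
            esac
            shift
        done
        [ "$target" = "$chain" ] || continue
        rule=$(printf '%s' "$line" | sed 's/^iptables *//')
        if [ "$mode" = "-I" ]; then
            order="$rule
$order"                                    # insert at head of chain
        else
            order="$order
$rule"                                       # append at tail of chain
        fi
    done
    printf '%s\n' "$order" | sed '/^$/d'
}

# guest_order CHAIN: the thread's guest-network rules, constructed here from
# James2k's post with rocky13's INPUT DROP added, in the entry order the posts give.
guest_order() {
    effective_order "$1" <<'EOF'
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
EOF
}

guest_order FORWARD   # both isolation DROPs are evaluated before the br1 ACCEPT
guest_order INPUT     # DHCP/DNS ACCEPTs are evaluated before the catch-all DROP
```

Entering the INPUT DROP after the ACCEPTs instead would put it at the top of the chain and block guest DHCP and DNS, which is the ordering mistake the posts warn about.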