No internet access on Guest wireless (BR1)

gimosuby
DD-WRT Novice


Joined: 22 Feb 2013
Posts: 3

Posted: Mon Feb 25, 2013 20:14    Post subject: No internet access on Guest wireless (BR1)
I have an EnGenius (ECB3500), flashed it to DD-WRT and bought activation. I'm trying to create an Access Point with regular and guest access.

My gateway to internet is 10.10.10.1 (255.255.255.0)

Disabled WAN on router and set up LAN IP as 10.10.10.41. (255.255.255.0)
(Router only has one port)

"Assign WAN Port to Switch" is checked.

Set up Ath0 wireless, and Ath0.1 (For Guest access).

Ath0 works great: the client gets an IP from the main DHCP server and can access the internet. However, Ath0.1 does not work. The client gets an IP from the DHCP server on the DD-WRT router, but has no internet access. Can anyone help me out?

This is what I did so far:

Followed these instructions (http://www.dd-wrt.ca/wiki/index.php/Multiple_WLANs)

Created a bridge: br1 with IP: 192.168.2.1 (255.255.255.0)

Assigned ath0.1 to br1, and created DHCP server.
Set DNSMasq options as follows:

# Enables DHCP on br1
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.2.1
# Set the DHCP range and default lease time of 24 hours for br1 clients
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h


I then connected to Ath0.1 fine, got an IP from DHCP, but cannot access internet.

Went to Administration/Commands and saved to Firewall:

#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

#Restrict br1 from accessing the router's local sockets (software running on the router)
iptables -I INPUT -i br1 -m state --state NEW -j DROP
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Tue Feb 26, 2013 22:54    Post subject:
upgrade 1st
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
gimosuby
DD-WRT Novice


Joined: 22 Feb 2013
Posts: 3

Posted: Tue Feb 26, 2013 23:36    Post subject: Upgrade?
Upgrade 1st? You mean activate the license? I've done that
Sash
DD-WRT Guru


Joined: 20 Sep 2006
Posts: 17619
Location: Hesse/Germany

Posted: Wed Feb 27, 2013 13:16    Post subject:
read:
_________________
Forum Guidelines...How to get help
&
Forum Rules
&
RTFM/STFW
&
Throw some buzzwords into the WIKI search Exclamation
_________________
I'm NOT rude, just offer pure facts!
_________________
Atheros (TP-Link & Clones, etc ) debrick service in EU
_________________
Guide on HowTo be Safe, Secure and Protect Your Online Anonymity!
gimosuby
DD-WRT Novice


Joined: 22 Feb 2013
Posts: 3

Posted: Wed Feb 27, 2013 18:28    Post subject: Thanks
Okay, I've spent hours getting this to work, trying all kinds of different ways.

But now it's working!

So here's what I did:
I did an upgrade to the very latest Beta (choosing: "Don't reset" settings), however I had problems with the APs not showing (even with SSID broadcast). So I reset to factory settings.

Set everything up again and it was working..

I just don't like running on the very latest Beta, so I did a firmware upgrade down to 13064 (the recommended beta), and everything continued to work smoothly.

My firewall config is this:
Code:
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP

#Prevent access to router from br1
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

#Force the use of local DNS Servers on br1
iptables -t nat -A PREROUTING -i br1 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)


Also, 'Setup/Advanced Routing/Operating Mode' is set to Gateway.

Not sure, if upgrading then downgrading helped fix this issue or whether it just helped me find that sweet spot config, either way - thanks Sash
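
An added example, not part of gimosuby's post: a small audit that checks a saved rule listing for the three guest-bridge controls in the config above (LAN subnet drop, management-port rejects, DNS redirect). It assumes a listing in `iptables-save` style with numeric ports (23, 22, 80, 443) and the LAN written as 10.10.10.0/24; the sample rules are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample in iptables-save style (not captured from a device).
SAMPLE_RULES='*nat
-A PREROUTING -i br1 -p udp -m udp --dport 53 -j DNAT --to-destination 10.10.10.41
-A PREROUTING -i br1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.10.10.41
-A POSTROUTING -o br0 -j SNAT --to-source 10.10.10.41
*filter
-A INPUT -i br1 -p tcp -m tcp --dport 443 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 80 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 22 -j REJECT --reject-with tcp-reset
-A INPUT -i br1 -p tcp -m tcp --dport 23 -j REJECT --reject-with tcp-reset
-A FORWARD -d 10.10.10.0/24 -i br1 -m state --state NEW -j DROP'

# has_rule RULES PATTERN... : true if a single rule line contains every
# fixed-string pattern (trailing spaces stop br1 matching br10, 22 matching 222).
has_rule() {
    rules=$1; shift
    for pat in "$@"; do
        rules=$(printf '%s\n' "$rules" | grep -F -e "$pat") || return 1
    done
    [ -n "$rules" ]
}

# audit_guest IFACE LAN_CIDR RULES : prints each missing control and returns
# the number of missing controls as exit status (0 = all present).
audit_guest() {
    ifc=$1; lan=$2; r=$3; missing=0
    has_rule "$r" "-A FORWARD " "-i $ifc " "-d $lan " "-j DROP" ||
        { echo "missing: FORWARD drop $ifc -> $lan"; missing=$((missing+1)); }
    for port in 22 23 80 443; do
        has_rule "$r" "-A INPUT " "-i $ifc " "--dport $port " "-j REJECT" ||
            { echo "missing: INPUT reject tcp/$port from $ifc"; missing=$((missing+1)); }
    done
    for proto in udp tcp; do
        has_rule "$r" "-A PREROUTING " "-i $ifc " "-p $proto " "--dport 53 " "-j DNAT" ||
            { echo "missing: DNS redirect ($proto/53) on $ifc"; missing=$((missing+1)); }
    done
    return "$missing"
}

audit_guest br1 10.10.10.0/24 "$SAMPLE_RULES" && echo "guest isolation rules present"
```

On a device, the third argument would be the output of `iptables-save` where the firmware provides it; older builds may print the netmask in dotted form, in which case pass the subnet in that form.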
kostac
DD-WRT Novice


Joined: 14 Feb 2015
Posts: 1

Posted: Sat Feb 14, 2015 14:30    Post subject: Re: Thanks
Hey gimosuby, thank you!!!

Your excellent post solved the guest AP setup for me on my
Linksys WRT160N v3
DD-WRT v24-sp2 (03/25/13) mini - build 21061

The only thing lacking at this point is to get unique password protection working on the guest AP. When I try to set up a password on any WPA2 Personal combination, it refuses to authenticate the client.

In any event, your post was great. Thanks again. K
Morphlingg
DD-WRT Novice


Joined: 17 Jul 2019
Posts: 4

Posted: Wed Jul 17, 2019 17:36    Post subject: Re: Thanks
Thank you dude, you saved me too
All times are GMT