Posted: Mon Feb 25, 2013 20:14 Post subject: No internet access on Guest wireless (BR1)
I have an EnGenius (ECB3500), flashed it to DD-WRT and bought activation. I'm trying to create an Access Point with regular and guest access.
My gateway to internet is 10.10.10.1 (255.255.255.0)
Disabled WAN on router and set up LAN IP as 10.10.10.41. (255.255.255.0)
(Router only has one port)
"Assign WAN Port to Switch" is checked.
Set up Ath0 wireless, and Ath0.1 (For Guest access).
Ath0 works great: a client connecting to it gets an IP from the main DHCP server and can access the internet. However, ath0.1 does not work. The client gets an IP from the DHCP server on the DD-WRT router, but has no internet access. Can anyone help me out?
This is what I did so far:
Followed these instructions (http://www.dd-wrt.ca/wiki/index.php/Multiple_WLANs)
Created a bridge: br1 with IP: 192.168.2.1 (255.255.255.0)
Assigned ath0.1 to br1, and created a DHCP server.
Set DNSMasq options as follows:
# Make dnsmasq listen on br1 (DHCP and DNS for guest clients)
interface=br1
# Set the default gateway for br1 clients
dhcp-option=br1,3,192.168.2.1
# Set the DHCP range and default lease time of 24 hours for br1 clients
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
I then connected to Ath0.1 fine, got an IP from DHCP, but cannot access internet.
Went to Administration/Commands and saved to Firewall:
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
#Only NEW connections are dropped, so replies to connections opened from the main LAN still pass
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j DROP
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
#Guest traffic leaves with the router's LAN address as source, so the 10.10.10.1 gateway can route replies back
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
#Restrict br1 from accessing the router's local sockets (software running on the router)
#Inserted at the top of INPUT, so it also drops DHCP (udp/67) and DNS (53) requests from br1 clients to the router unless ACCEPT rules for those are inserted in front of it
iptables -I INPUT -i br1 -m state --state NEW -j DROP
Posted: Wed Feb 27, 2013 18:28 Post subject: Thanks
Okay, I've spent hours getting this to work, trying all kinds of different ways.
But now it's working!
So here's what I did:
I did an upgrade to the very latest Beta (choosing "Don't reset" settings); however, I had problems with the APs not showing (even with SSID broadcast). So I reset to factory settings.
Set everything up again and it was working.
I just don't like running on the very latest Beta, so I did a firmware upgrade down to 13064 (the recommended beta), and everything continued to work smoothly.
My firewall config is this:
Code:
#Enable NAT for traffic being routed out br0 so that br1 has connectivity (for WAP's - WAN port disabled)
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the internet (for WAP's - WAN port disabled)
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j DROP
#Force the use of local DNS Servers on br1
#Redirected queries are then delivered to the router's own INPUT chain, so they must not be dropped there
iptables -t nat -A PREROUTING -i br1 -p udp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
iptables -t nat -A PREROUTING -i br1 -p tcp --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
#Note: this version has no INPUT rule for br1, so guest clients can still reach services running on the router itself (web UI, SSH/Telnet)
Also, 'Setup/Advanced Routing/Operating Mode' is set to Gateway.
Not sure if upgrading then downgrading helped fix this issue or whether it just helped me find that sweet-spot config; either way, thanks Sash.
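As an added example (not from either post above, the DD-WRT wiki, or the DD-WRT project), here is one firewall script that combines the two configurations in this thread: the SNAT and FORWARD rules from both posts, the DNS redirection from the second post, and the INPUT restriction from the first post, with ACCEPT rules in front of it so that DHCP and the redirected DNS still reach the router. The bridge names br0/br1 and the address 10.10.10.41/255.255.255.0 come from the first post; the IPT, LAN_IP, LAN_MASK, LAN_IF and GUEST_IF variables, the guest_firewall function, and the dry-run behaviour with IPT=echo are my own assumptions for making the script testable off the router.

```shell
#!/bin/sh
# Guest-WLAN (br1) isolation for a DD-WRT access point with WAN disabled.
# Example script, not from the forum thread or the DD-WRT project.
# On the router, nvram supplies the LAN address; off the router, set LAN_IP and
# LAN_MASK yourself and set IPT=echo to print the rules instead of applying them.

guest_firewall() {
    ipt=${IPT:-iptables}                                   # IPT=echo gives a dry run (assumption)
    lan_ip=${LAN_IP:-$(nvram get lan_ipaddr 2>/dev/null || true)}
    lan_mask=${LAN_MASK:-$(nvram get lan_netmask 2>/dev/null || true)}
    lan_if=${LAN_IF:-br0}                                  # main LAN bridge
    guest_if=${GUEST_IF:-br1}                              # guest bridge

    [ -n "$lan_ip" ] && [ -n "$lan_mask" ] || { echo "LAN_IP/LAN_MASK unknown" >&2; return 1; }

    # 1. Guest traffic leaves br0 with the router's LAN address as source, so the
    #    main LAN gateway (10.10.10.1 in the thread) can route replies back.
    $ipt -t nat -I POSTROUTING -o "$lan_if" -j SNAT --to "$lan_ip"

    # 2. Redirect every DNS query from guests to the router's own resolver.
    #    After DNAT the packet is handled by the INPUT chain, see step 4.
    $ipt -t nat -A PREROUTING -i "$guest_if" -p udp --dport 53 -j DNAT --to "$lan_ip"
    $ipt -t nat -A PREROUTING -i "$guest_if" -p tcp --dport 53 -j DNAT --to "$lan_ip"

    # 3. No new connections from guests into the main LAN subnet; replies to
    #    connections that the main LAN opened are still allowed (state match).
    $ipt -I FORWARD -i "$guest_if" -d "$lan_ip/$lan_mask" -m state --state NEW -j DROP

    # 4. Router services: drop everything new from guests, then insert the
    #    exceptions in front of the drop. Each -I goes to position 1, so the
    #    final chain order is: dhcp ACCEPT, dns ACCEPT (udp, tcp), DROP.
    $ipt -I INPUT -i "$guest_if" -m state --state NEW -j DROP
    $ipt -I INPUT -i "$guest_if" -p tcp --dport 53 -j ACCEPT
    $ipt -I INPUT -i "$guest_if" -p udp --dport 53 -j ACCEPT
    $ipt -I INPUT -i "$guest_if" -p udp --dport 67 -j ACCEPT
}

# Apply the rules when iptables exists (i.e. on the router). Elsewhere the
# function is only defined, so the script can be sourced for a dry run.
if command -v "${IPT:-iptables}" >/dev/null 2>&1; then
    guest_firewall
fi
```

Paste the script into Administration/Commands and use Save Firewall, as in the first post; it relies on the same dnsmasq `interface=br1` configuration and on Operating Mode being Gateway, as the second post notes. With the INPUT rules in place a guest client can still obtain a lease and resolve names through the router, but can no longer open the web UI or SSH/Telnet on either the br1 address or the router's LAN address.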
Posted: Sat Feb 14, 2015 14:30 Post subject: Re: Thanks
gimosuby wrote: (quotes the post above in full)
Hey gimosuby, thank you!!!
Your excellent post solved the guest AP setup for me on my
Linksys WRT160N v3
DD-WRT v24-sp2 (03/25/13) mini - build 21061
The only thing lacking at this point is to get unique password protection working on the guest AP. When I try to set up a password on any WPA2 Personal combination, it refuses to authenticate the client.
Posted: Wed Jul 17, 2019 17:36 Post subject: Re: Thanks
gimosuby wrote: (quotes the post above in full)