HOW TO: Guest WiFi + abuse control for beginners

h2opolo
DD-WRT Novice


Joined: 10 Apr 2014
Posts: 3
Location: Pacific time, USA

Posted: Sat Jan 31, 2015 15:28
Mile-Lile wrote:
Thx. Feel free to add your suggestions, ideas to improve this tutorial...


Hi, Thanks for the tutorial. One suggestion I have: Include information on how to block access to LAN ports. Even with AP Isolation enabled, I believe that machines on the LAN are still accessible. (I want to do this, but am having trouble coming up with the correct iptables rules.)
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1516
Location: Belgrade

Posted: Sun Feb 01, 2015 13:12
h2opolo wrote:
Mile-Lile wrote:
Thx. Feel free to add your suggestions, ideas to improve this tutorial...


Hi, Thanks for the tutorial. One suggestion I have: Include information on how to block access to LAN ports. Even with AP Isolation enabled, I believe that machines on the LAN are still accessible. (I want to do this, but am having trouble coming up with the correct iptables rules.)


If you enable Net isolation you don't have to worry, your machines on the LAN are protected. If you want to check by yourself type in CLI:
Code:
cat /tmp/.ipt

You will see that everything except DNS and DHCP is DROPed from your guests...
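
The manual check described in the post above can be scripted. This is an added example, not part of the original posts and not DD-WRT's own code; it assumes the dump contains iptables-save style `-A CHAIN ...` lines, and it uses ath0.1 (the guest VAP named in this thread) in a constructed sample.

```shell
#!/bin/sh
# Added example: audit an iptables dump for guest-interface isolation.
# Assumption: rules appear as iptables-save style "-A CHAIN ..." lines.

# audit_guest FILE IFACE: prints findings; returns 0 only if IFACE may reach
# nothing on the router except DHCP/DNS and has a FORWARD DROP rule.
audit_guest() {
    awk -v ifc="$2" '
    function has(opt, val,   k) {
        for (k = 1; k < NF; k++) if ($k == opt && $(k + 1) == val) return 1
        return 0
    }
    function arg(opt,   k) {
        for (k = 1; k < NF; k++) if ($k == opt) return $(k + 1)
        return ""
    }
    $1 == "-A" && $2 == "INPUT" && has("-i", ifc) {
        target = arg("-j"); proto = arg("-p"); dport = arg("--dport")
        if (target == "ACCEPT") {
            ok = (proto == "udp" && (dport == "67" || dport == "53")) ||
                 (proto == "tcp" && dport == "53")
            if (!ok) { print "unexpected ACCEPT: " $0; bad = 1 }
        }
        if (target == "DROP" && proto == "") indrop = 1
    }
    $1 == "-A" && $2 == "FORWARD" && has("-i", ifc) && has("-j", "DROP") { fwdrop = 1 }
    END {
        if (!indrop) { print "no catch-all INPUT DROP for " ifc; bad = 1 }
        if (!fwdrop) { print "no FORWARD DROP for " ifc; bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample dump (not captured from a real router).
sample_dump() {
    cat <<'EOF'
-A INPUT -i ath0.1 -p udp --dport 67 -j ACCEPT
-A INPUT -i ath0.1 -p udp --dport 53 -j ACCEPT
-A INPUT -i ath0.1 -p tcp --dport 53 -j ACCEPT
-A INPUT -i ath0.1 -m state --state NEW -j DROP
-A FORWARD -i ath0.1 -d 192.168.1.0/24 -m state --state NEW -j DROP
EOF
}

tmp=$(mktemp)
sample_dump > "$tmp"
if audit_guest "$tmp" ath0.1; then echo "ath0.1: isolated"; else echo "ath0.1: NOT isolated"; fi
rm -f "$tmp"
```

On the router itself the call would be `audit_guest /tmp/.ipt ath0.1`, provided the file really has the assumed format. The check is conservative: any ACCEPT on the guest interface other than DHCP (udp 67) or DNS (udp/tcp 53) is reported, wherever it sits in the chain.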
icornish
DD-WRT Novice


Joined: 19 Jun 2014
Posts: 9

Posted: Sun Feb 01, 2015 16:31    Post subject: Excellent guide!
Just done this to replace my existing "Kids" wifi solution.
Only extra thing I needed was a bridge from ath0.1 to br0 to get it all working properly.

Good stuff!
If we can now get the time scheduler working well, I will sleep better at night!
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1516
Location: Belgrade

Posted: Sun Feb 01, 2015 19:27    Post subject: Re: Excellent guide!
icornish wrote:
Just done this to replace my existing "Kids" wifi solution.
Only extra thing I needed was a bridge from ath0.1 to br0 to get it all working properly.

Good stuff!
If we can now get the time scheduler working well, I will sleep better at night!


It was working last time I checked. Did you enable Cron?
icornish
DD-WRT Novice


Joined: 19 Jun 2014
Posts: 9

Posted: Sun Feb 01, 2015 19:53    Post subject: Cron running...
Cron is running just fine, and I have a job to shutdown, and startup this interface. However, startup is not consistently reliable.

I know the broadcom chips have a function under Access Restrictions to support this built into the dd-wrt UI.
icornish
DD-WRT Novice


Joined: 19 Jun 2014
Posts: 9

Posted: Sun Feb 01, 2015 20:16    Post subject: Bridging / routing.
I've been tinkering with this setup today. My router functions as a pure router, not a gateway - I have another (SKY) router to be my main gateway to the internet (though that's all it does).
The only change I had to make was to add a Bridge from ath0.1 to br0, otherwise I could not access the internet.
The consequence is that the devices on the guest VAP seem to get a 192.x.x.x IP, which means they are not filtered via the accessibility settings.
Any thoughts on what I can do?

(Disclaimer: I'm not a networking guru)
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1516
Location: Belgrade

Posted: Mon Feb 02, 2015 7:21
I am not a networking guru either, but I think it won't work that way. You are probably using your ddwrt as an L2 bridge where WAN is disabled? That is a different story, way outside this tut...
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 208

Posted: Mon Feb 02, 2015 10:46
I'm stuck at the WAN Access policy.
It doesn't show me GuestWifi in policy drop down list.
It only shows 1(),2(),3() etc.

Is this a build rev issue I'm running or should I reboot router to show them?

/edit:
It also looks like I don't have the services in my list like gre, ipsec, openvpn etc.

_________________
D-Link DIR-825 B1 / DD-WRT v3.0-r33215 std (08/25/17)
Netgear R7000 / DD-WRT v3.0-r33679 std (11/04/17)
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1516
Location: Belgrade

Posted: Mon Feb 02, 2015 11:31
No, name of policy is given by you. Read wiki http://www.dd-wrt.com/wiki/index.php/Access_Restrictions

about L7 and nDPI filters... I remember that on my old router (3.5 kernel) didn't have all filters...
bl@d3runn3r
DD-WRT User


Joined: 10 Jan 2010
Posts: 208

Posted: Mon Feb 02, 2015 12:13
Got the name policy fixed, thanks.

About available services, looks like my build is on Linux kernel 3.5.7.33 #18877 Tue Jan 20 05:26:45 CET 2015 mips

Not really needed but still strange it isn't available.

michalko58
DD-WRT Novice


Joined: 23 May 2010
Posts: 28

Posted: Thu Feb 05, 2015 15:40
Hi, this guide doesn't work for me (and not even this one on wiki http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs ). With DD-WRT build 25648

I'd like to have separated guest wifi on second router (TP-Link WDR3600) connected through LAN (DHCP disabled). When I make two SSIDs everything is working (in both, yours and wiki's guides), but when I'll try to make the guest SSID unbridged, then following your guide - devices cannot obtain IP and following wiki's guide - devices are unable to access the internet.

Could someone help me please? Funny fact is, that separated guest wifi doesn't work on original tp-link FW too...

Thanks
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7385
Location: YWG, Canada

Posted: Sun Feb 08, 2015 9:17
u probably didn't setup multi dhcpd properly or have dnsmasq off, it must be on
_________________
LATEST FIRMWARE(S)

BrainSlayer wrote:
we just do it since we do not like any restrictions enforced by stupid cocaine snorting managers

[x86_64] Haswell i3-4150/QCA9984/QCA9882 ------> r44901 std
[QUALCOMM] DIR-862L --------------------------------> r44901 std
[QUALCOMM] WNDR4300 v1 --------------------------> r44901 std
[QUALCOMM] DIR-862L --------------------------------> r44901 std
▲ ACTIVE / INACTIVE ▼
[BROADCOM] DIR-860L A1 ----------------------------> r44901 std


If you use DSLReports please enable hi-res bufferbloat.


Sigh.. why do i exist anyway..
michalko58
DD-WRT Novice


Joined: 23 May 2010
Posts: 28

Posted: Sun Feb 08, 2015 15:12
dnsmasq is on and Multiple DHCP settings are the same as in the guide and nothing is working.


Have tried to reset the router again and follow this guide again: http://www.dd-wrt.com/wiki/index.php/Multiple_WLANs

According to this guide I have Wireless Access Point (WAP). Now I can get IP, but I can't get internet access from the unbridged network.

My dnsmasq additional options are:

dhcp-option=br1,3,192.168.2.1
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
dhcp-option=br1,6,8.8.8.8,8.8.4.4


And my firewall commands are:

iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT

But still no internet. Can someone help me please?


Thanks
tatsuya46
DD-WRT Guru


Joined: 03 Jan 2010
Posts: 7385
Location: YWG, Canada

Posted: Sun Feb 08, 2015 23:40
why are all those firewall commands there? u don't even need those for this..
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1516
Location: Belgrade

Posted: Mon Feb 09, 2015 7:51
Quote:
I'd like to have separated guest wifi on second router (TP-Link WDR3600) connected through LAN (DHCP disabled).


Won't work this way! Everything written on this article works on WAN port of router. So, you must seek some other solution...