Guest network has no internet access

DD-WRT Forum Index -> Advanced Networking
svrndmngjr
DD-WRT Novice


Joined: 06 Sep 2016
Posts: 8

PostPosted: Tue Sep 06, 2016 19:35    Post subject: Guest network has no internet access
Unit: Belkin F7D7301
Firmware: v24-sp2 (03/25/13) big

I know this unit is old, I am planning to get a WRT1900ACS but I want to familiarize myself with DD-WRT and the functions I am interested in.

Steps I have taken (from fresh install of DD-WRT):

1. Set local IP to 192.168.101.1

2. Name my Physical Wlan (wl0) interface and create my bridged virtual interface (wl0.1). - main & guest have internet

3. Create new Bridge (br1) using 192.168.102.1. - main & guest have internet (both still under br0)

4. Assign wl0.1 to br1. - main has internet, guest has no internet

5. Add DHCPD for br1. - main has internet, guest has no internet

6. Added DNSMasq: - main has internet, guest has no internet
interface=br1
dhcp-option=br1,3,192.168.102.1
dhcp-range=br1,192.168.102.100,192.168.102.150,255.255.255.0,24h

7. Added Firewall: - main has internet, guest has no internet
#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.102.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.102.0/24 -m connlimit --connlimit-above 25 -j DROP
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset


Most of the tutorials I have read and watched follow this kind of flow (some that I have come across stop at adding the DHCPD). I still do not have internet for the guest network. Am I missing something? (Besides network security)
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6290
Location: Texas

PostPosted: Tue Sep 06, 2016 20:54
Is the Belkin F7D7301 used as a gateway? --- Has a WAN connection?

IS it just a WAP with the WAN disabled?
svrndmngjr
DD-WRT Novice


Joined: 06 Sep 2016
Posts: 8

PostPosted: Tue Sep 06, 2016 21:14
It's used as an Access Point with DHCP server enabled.

And the plan is to restrict access of the guest WLAN to internet only, not touching other services that the main WLAN and LAN have.

The same router will be handling both the private and guest Network with a separate modem in charge of providing internet to those connected to the wireless router.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6290
Location: Texas

PostPosted: Tue Sep 06, 2016 21:28
svrndmngjr wrote:
It's used as an Access Point with DHCP server enabled.

And the plan is to restrict access of the guest WLAN to internet only, not touching other services that the main WLAN and LAN have.

The same router will be handling both the private and guest Network with a separate modem in charge of providing internet to those connected to the wireless router.

You didn't say if this is a gateway. Do you have the WAN port of this device plugged into your modem so it is the gateway of your network??
Firewall rules are different for a device that has a WAN connection and is in gateway mode.

Different than just setting up a guest network on a WAP (wireless access point) that is already wired to your network all on same subnet.
svrndmngjr
DD-WRT Novice


Joined: 06 Sep 2016
Posts: 8

PostPosted: Tue Sep 06, 2016 21:41
Sorry, I thought using it as an AP is the same as saying, yes it is used as a "gateway". The Belkin is wired (Ethernet) to a separate device (modem) and the Belkin distributes the internet through its LAN ports and wifi by assigning IP addresses to other devices.

In the steps I listed, I tried to check the internet at each step. I started to lose internet access for the guest network even before I added firewall settings (which I added last). Upon reaching the last step, I still have internet via LAN and on the main WLAN but none in the guest network.

Hmm do you have an alternative suggestion/configuration for what I have that may allow the guest network to have internet access as well?
svrndmngjr
DD-WRT Novice


Joined: 06 Sep 2016
Posts: 8

PostPosted: Tue Sep 06, 2016 21:48
The guest network is able to assign IPs to other devices (checked through ipconfig for WLAN details), but there is no internet connection.

If it's worth mentioning, I have also tried to not create and assign a bridge to the virtual WLAN by selecting "unbridged" and setting its IP like the previous (192.168.102.1). Guest still has no internet connection even after adding the DHCPD.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6290
Location: Texas

PostPosted: Tue Sep 06, 2016 21:52
Since it's a gateway you can take this out-
interface=br1
dhcp-option=br1,3,192.168.102.1
dhcp-range=br1,192.168.102.100,192.168.102.150,255.255.255.0,24h
Don't use that -- ok
use Multiple DHCP Server at bottom of page in Setup / Networking
since you have a br1 setup you can assign this to it.
or the DNSMasq option will work -- just don't use both -- ok


use these 'Save as Firewall' …
Code:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

If that works you can add whatever else till it breaks.
This should allow br1 to internet and block br1 from anything else including this device.

NOTE: if it still doesn't work right you might want to think about updating your firmware --- that 21061 build ain't the best--
svrndmngjr
DD-WRT Novice


Joined: 06 Sep 2016
Posts: 8

PostPosted: Tue Sep 06, 2016 22:05
Thanks for the suggestion! I will try it later when I'm in front of a computer near my router

I have also read stuff about different ddwrt versions/builds from other developers (brainslayer, kong, lede), but I couldn't find links to them in the downloads page. The current ddwrt Big build I'm using is the only one available from the main download page of the ddwrt site so I assumed it was the latest. Can you please point me to later builds for this router?


I actually have 2 units of this Belkin router, I will also try to set that one up with similar settings and check. Maybe the one I'm currently tinkering with is just not functioning as it should. It is quite old now.
mrjcd
DD-WRT Guru


Joined: 31 Jan 2015
Posts: 6290
Location: Texas

PostPosted: Tue Sep 06, 2016 22:17
Lots to choose from
ftp://ftp.dd-wrt.com/betas/

I can't/shouldn't say much about your router cause I've never had a Belkin ... but I do know that k2.6 builds after January 2015 have trouble with VAPs so you may not want to get a new one. K3.x builds are good --- looks like your box has 8 MB flash /64 RAM w/480MHz CPU so it would prolly run K3.x builds with no problem.
You should do a little research into that before jumping in...

The setup & firewall rules I mentioned work good with the 21061 build on a E2500 -- I have notes from way back -- so you shouldn't have any troubles.

good luck -
---
EDIT:
In new builds you can do all this in the wireless settings and just add multiple DHCP server -- for the most part firewall rules are added automatically
but -
oh well, while I'm here, and you mentioned having two routers ---
If you want a WAP (WAN disabled - wired in your network on same subnet) with a guest network -- set it
up same way but DO NOT use multiple DHCP server. You must use the DNSMasq option in Services for this.
and these firewall rules will work for it
Code:
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

'bout all I know
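As an added illustration (this is not code from the thread or from DD-WRT), the Python script below models first-match evaluation of the two rule sets mrjcd posted: the gateway set (SNAT out of `get_wanface`, the br1 ACCEPT/DROP lines in FORWARD, the REJECT lines in INPUT) and the WAP set (DROP toward the LAN subnet, SNAT via br0). It parses only the subset of iptables options those lines use, substitutes constructed values for the backtick expansions (`get_wanface` becomes vlan2, the WAN address 203.0.113.7, the LAN 192.168.101.1/255.255.255.0, a guest client 192.168.102.100), and stands in for DD-WRT's own rules further down each chain with a constructed `fallthrough` verdict. Two things it makes visible: because every line uses `-I`, the live FORWARD chain ends up in the reverse of the script order (the br1-to-br0 DROP sits above TCPMSS, which sits above the br1 ACCEPT), which is why the isolation rule wins over the accept rule; and the INPUT lines reject only TCP telnet/ssh/www/https from br1, so UDP DNS and DHCP from guests still reach the router, which the guests need.

```python
import ipaddress
import shlex

# Constructed stand-ins for the backtick expansions in the posted rules.
SHELL_VARS = {
    "`get_wanface`": "vlan2",
    "`nvram get wan_ipaddr`": "203.0.113.7",
    "`nvram get lan_ipaddr`": "192.168.101.1",
    "`nvram get lan_netmask`": "255.255.255.0",
}
SERVICE_PORTS = {"telnet": 23, "ssh": 22, "www": 80, "https": 443}
ONE_ARG = {"-t", "-I", "-A", "-i", "-o", "-s", "-d", "-p", "--dport", "-m",
           "--state", "-j", "--reject-with", "--to", "--connlimit-above"}
TWO_ARG = {"--tcp-flags"}
PACKET_KEY = {"-i": "in", "-o": "out", "-s": "src", "-d": "dst"}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # TCPMSS and SNAT fall through

INPUT_RULES = [  # the same four REJECT lines appear in both posted sets
    "iptables -I INPUT -i br1 -p tcp --dport %s -j REJECT --reject-with tcp-reset" % s
    for s in ("telnet", "ssh", "www", "https")]
GATEWAY_RULES = [  # the posted rules for a router with a WAN connection
    "iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`",
    "iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT",
    "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu",
    "iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP",
] + INPUT_RULES
WAP_RULES = [  # the posted rules for a WAN-disabled access point
    "iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP",
    "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`",
] + INPUT_RULES


def parse_rule(line):
    """Turn one 'iptables ...' line into a dict of table, chain, matches and target."""
    for name, value in SHELL_VARS.items():
        line = line.replace(name, value)
    argv = shlex.split(line)
    rule = {"table": "filter", "chain": None, "insert": False, "match": {}, "target": None}
    m = rule["match"]
    i = 1  # argv[0] is "iptables"
    while i < len(argv):
        opt = argv[i]
        if opt in TWO_ARG:
            i += 3
            continue
        if opt not in ONE_ARG:  # bare flag such as --clamp-mss-to-pmtu
            i += 1
            continue
        negate = argv[i + 1] == "!"  # old-style negation, e.g. "-p ! tcp"
        val = argv[i + 2] if negate else argv[i + 1]
        i += 3 if negate else 2
        if opt == "-t":
            rule["table"] = val
        elif opt in ("-I", "-A"):
            rule["chain"], rule["insert"] = val, opt == "-I"
        elif opt == "-j":
            rule["target"] = val
        elif opt == "-p":
            m["proto"] = (val, negate)
        elif opt == "--dport":
            m["dport"] = SERVICE_PORTS.get(val) or int(val)
        elif opt == "--state":
            m["states"] = set(val.split(","))
        elif opt in PACKET_KEY:
            m[PACKET_KEY[opt]] = val
    return rule


def build_chains(script_lines):
    """Load rules in script order; -I puts each new rule on top of its chain."""
    chains = {}
    for line in script_lines:
        rule = parse_rule(line)
        chain = chains.setdefault((rule["table"], rule["chain"]), [])
        if rule["insert"]:
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chains


def chain_targets(chains, table, chain):
    """Targets in live top-to-bottom order, i.e. what iptables -L would show."""
    return [r["target"] for r in chains.get((table, chain), [])]


def matches(rule, pkt):
    m = rule["match"]
    if any(k in m and m[k] != pkt.get(k) for k in ("in", "out", "dport")):
        return False
    for k in ("src", "dst"):
        if k in m and ipaddress.ip_address(pkt[k]) not in ipaddress.ip_network(m[k], strict=False):
            return False
    if "proto" in m:
        want, negate = m["proto"]
        if (pkt["proto"] == want) == negate:
            return False
    return "states" not in m or pkt["state"] in m["states"]


def verdict(chains, table, chain, pkt, fallthrough="ACCEPT"):
    """First terminating match wins; `fallthrough` stands in for DD-WRT's own rules below."""
    for rule in chains.get((table, chain), []):
        if matches(rule, pkt) and rule["target"] in TERMINATING:
            return rule["target"]
    return fallthrough


def packet(in_if, out_if, src, dst, proto="tcp", dport=None, state="NEW"):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst,
            "proto": proto, "dport": dport, "state": state}


if __name__ == "__main__":
    gw, guest = build_chains(GATEWAY_RULES), "192.168.102.100"
    print("gateway FORWARD order:", chain_targets(gw, "filter", "FORWARD"))
    print("guest -> internet:", verdict(gw, "filter", "FORWARD", packet("br1", "vlan2", guest, "198.51.100.10", dport=443)))
    print("guest -> LAN host:", verdict(gw, "filter", "FORWARD", packet("br1", "br0", guest, "192.168.101.50", dport=445)))
    print("guest -> router DNS:", verdict(gw, "filter", "INPUT", packet("br1", None, guest, "192.168.102.1", "udp", 53)))
```

On a live router the real order can be confirmed with `iptables -vnL FORWARD --line-numbers`; if the br1 ACCEPT line ever shows up above the br1-to-br0 DROP line (for example after switching the script to `-A`), guests can reach the LAN.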
svrndmngjr
DD-WRT Novice


Joined: 06 Sep 2016
Posts: 8

PostPosted: Wed Sep 07, 2016 8:49
Hey mrjcd!

It worked! I followed your instruction to remove the code from DNSMasq and just use the Multiple DHCP Server for assigning the IPs connected to the wireless router. Hoho.

Thank you very much!

I also tried to upgrade the firmware using: dd-wrt.v24-29147_NEWD-2_K3.x_mega_f7d7301.bin, but it won't upgrade. The countdown does not finish and loads the notification of a successful upgrade, but upon checking the firmware listed on the upper right of the dd-wrt/router page, it is still the same k2.x (21061) build. Nonetheless, the guest network does have internet access now.

I hope the settings/configuration will be the same in dd-wrt for the WRT1900ACS when I get it. Hehe
b-man
DD-WRT User


Joined: 09 May 2010
Posts: 107

PostPosted: Wed Sep 07, 2016 13:16
I have Firmware: DD-WRT v3.0-r30534 std (09/01/16)

and I'm trying to set up a guest network and having the same trouble.

added multiple DHCP

guest network had internet until I created br1 and assigned wl0.1 to it

I didn't know about Net Isolation (assuming this is what you are talking about with firewall rules added automatically) as the last time I played around with DD-WRT I was running 14929

but for the life of me I can't get it going still. I can't even get it back to the internet working with the guest network

I have removed all firewall commands
removed br1
removed multiple DHCP but not sure how to add it to DNSMasq (or do I only need to do that if I want it on the same subnet?)
haven't enabled net isolation yet

Any chance of a step by step from the start to see if I'm missing anything?
Mile-Lile
DD-WRT Guru


Joined: 24 Feb 2013
Posts: 1634
Location: Belgrade

PostPosted: Wed Sep 07, 2016 13:23
https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners
svrndmngjr
DD-WRT Novice


Joined: 06 Sep 2016
Posts: 8

PostPosted: Wed Sep 07, 2016 13:23
Maybe you can start again from the beginning (fresh/reinstall of DDWRT) so it will be easier.

1. Set local IP to 192.168.101.1 (different from modem IP)

2. Name Physical Wlan (wl0) interface and create my bridged virtual interface (wl0.1).

3. Create new Bridge (br1) using 192.168.102.1.

4. Assign wl0.1 to br1.

5. Add DHCPD for br1.

6. Added Firewall:
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROP
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

In my case, I was only able to successfully (with the help of @mrjcd) add internet access to guest network after adding the firewall code.
b-man
DD-WRT User


Joined: 09 May 2010
Posts: 107

PostPosted: Thu Sep 08, 2016 10:34
I erased nvram and redid my settings and it worked fine using net isolation.
Must have been some firewall setting not being cleared properly after messing about.

so quick rundown on DD-WRT v3.0-r30534 std (09/01/16)

in wireless tab/
setup guest network
changed to unbridged
-
enabled net isolation (this must be the auto firewall rules)
setup guest ip address to different subnet
set subnet mask

wireless security/
setup password

then in setup/
basic setup/ set gateway to router ip

under DHCPD
setup another dhcp server with wl0.1

save all settings after each page is complete before navigating away from the page, then apply settings and reboot when done


What's the benefit of creating br1, when it works fine using wl0.1 for the DHCPD multiple server?
Is that because you are manually setting the bridge to a different subnet, rather than setting the AP to a different subnet but unbridging it in the wireless settings?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6867
Location: Romerike, Norway

PostPosted: Thu Sep 08, 2016 11:42
By creating a Bridge, you can bridge the interface wl0.1 to other interfaces like wired ports. If you do not intend to use it, no need to create the Bridge.