Guest WiFi & abuse control for beginners: Incomplete?

Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware
Author Message
shsc
DD-WRT Novice


Joined: 24 Jun 2016
Posts: 3

PostPosted: Fri Jun 24, 2016 21:54    Post subject: Guest WiFi & abuse control for beginners: Incomplete? Reply with quote
I'm not sure whether the "Guest WiFi & abuse control for beginners" wiki is incomplete or (more likely) not applicable to my use case.

I have been trying to follow this wiki with my somewhat limited knowledge. It seemed to describe my desired set-up, and “beginners” is accurate at least Smile

I wish to have a Guest VAP with Internet access but without access to my LAN/WLAN. My connectivity is:

Non-dd-wrt router with integrated ADSL modem as WAN. Provides WLAN access (1)

LAN port of that router connected to network (printers, NAS, etc.) and to LAN port of dd-wrt router (WAN port not used)

dd-wrt router provides WLAN access (2) and VAP(Guest)

The DHCP on the non-dd-wrt router and the dd-wrt router have non-overlapping pools. Wiki says I have to run DHCP on dd-wrt router to get DHCP for the VAP, so chose to run on both.

WLAN1 and WLAN2 work great - they have access to Internet and internal LAN.

However, if I access via the VAP I can do DNS lookup but have no access to internet. For example “ping www.google.com” will resolve to a numeric address but then the ping itself fails.

Is there something missing from the wiki instructions?

They seem to imply that the VAP will have Internet access just by enabling NAT – but reading the forums it seems like many people are using forwarding rules for very similar situations.

I don’t understand what to do.

I note that my VAP comes up as wl0.1 and not ath0.1 as described in the instructions… but I also note some of the features to be in slightly different places than described so I assume that’s just due to revisions to the code since publication.

I am using Linksys E1200v2 with the wiki-recommended dd-wrt.v24-29519_NEWD-2_K3.x_mega-nv64k.bin. I also tried dd-wrt.v24-29974_NEWD-2_K3.x_mega-nv64k.bin in case the latest build solved some problem. It seemed to work just the same.

Non-dd-wrt router: 192.168.1.254/255.255.255.0 and it is Gateway + local DNS

dd-wrt router 192.168.1.252/255.255.255.0 Gateway & local DNS configured as 192.168.1.254

wl0.1 172.16.1.1./255.255.255.0

Currently I’m not trying to implement Abuse Control/Forced DNS redirection and/or bandwidth limiting as I figure that can be added later.

I would really appreciate being pointed in the right direction. I realize that I may need to understand how to set up complicated stuff that I don’t currently understand... but the wiki seemed to have it covered as it stood.

Any help much appreciated. Screenshots attached.



Image 036.png
 Description:
 Filesize:  40.75 KB
 Viewed:  6031 Time(s)

Image 036.png



Image 032.png
 Description:
 Filesize:  22.97 KB
 Viewed:  6031 Time(s)

Image 032.png



Image 034.png
 Description:
 Filesize:  27.22 KB
 Viewed:  6031 Time(s)

Image 034.png


Sponsor
shsc
DD-WRT Novice


Joined: 24 Jun 2016
Posts: 3

PostPosted: Sat Jun 25, 2016 13:56    Post subject: Multiple WLANs Reply with quote
Saw in Multiple WLANs wiki a reference to Unbridged Virtual Interfaces not working... so playing with what I can glean from that now. More to follow...
shsc
DD-WRT Novice


Joined: 24 Jun 2016
Posts: 3

PostPosted: Sat Jul 02, 2016 22:10    Post subject: iptables it is then Reply with quote
I was unable to get the router working as desired using the GUI and various items from the wiki alone.

As it happens, I needed to temporarily set up a wired router to connect two disjoint subnets in a particularly goofy way for a work project. I decided that the E1200v2 ought to work for that so I read up on the iptables command.

The Administration/Commands page makes interpreting output from iptables rather tricky due to line-wrapping so I decided to ssh in to the router instead. That was a lot easier.

NOTE: IF YOU SSH IN YOU NEED TO LOG IN AS root WITH THE PASSWORD YOU HAVE CONFIGURED, NOT THE USERNAME YOU HAVE CONFIGURED WITH THE PASSWORD CONFIGURED (go figure).

Now that I have understood how the iptables stuff works I was able to make the router do exactly what I wanted from LAN to WAN for my work experiment. Now all I have to do is extricate the router from that experiment so I can use it for my guest WLAN!

So far, using the GUI, I had managed to get the guest VAP working with Internet access but with (unwanted) access to devices on the wired LAN that is also the path to the other router that gives access to the Internet.

Now that I can see how iptables work I believe that it will be relatively easy to add some rules to drop packets if a user on the guest WLAN tries to get to the other devices.

When I get my router back and get a chance to play I will post my results here. Thank goodness for "real"work... I would have never spent the time to get to grips with the linux kernel router had it not been for that Smile
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

PostPosted: Sat Jul 02, 2016 22:32    Post subject: Reply with quote
The reason that Internet does not work from 172.16.1.0 is that the return packet does not get routed back because yoour main router does not know where 172.16.1.0/24 is. You have to enter a route with the dd-wrt router as gateway.
whitebeard
DD-WRT User


Joined: 26 Jul 2013
Posts: 117
Location: Canada

PostPosted: Sun Sep 18, 2016 21:10    Post subject: Reply with quote
Per Yngve Berg wrote:
The reason that Internet does not work from 172.16.1.0 is that the return packet does not get routed back because yoour main router does not know where 172.16.1.0/24 is. You have to enter a route with the dd-wrt router as gateway.


Is this still true? I'm using "r28598 mega" and I do have a guest Wifi on 192.168.100.x while the main Wifi/Lan is on 192.168.1.x and if I dump the routing table using Setup->Advanced Routing->Show Routing Table, I get:

Code:

Routing Table Entry List
Destination LAN NET   Subnet Mask   Gateway   Flags   Metric   Interface
default   0.0.0.0   107.171.195.1   UG   0   WAN
107.171.195.0   255.255.255.0   *   U   0   WAN
169.254.0.0   255.255.0.0   *   U   0   LAN & WLAN
192.168.1.0   255.255.255.0   *   U   0   LAN & WLAN
192.168.100.0   255.255.255.0   *   U   0   wl1.1


Am I reading this correctly that the route has been added automatically?
Per Yngve Berg
DD-WRT Guru


Joined: 13 Aug 2013
Posts: 6855
Location: Romerike, Norway

PostPosted: Mon Sep 19, 2016 4:27    Post subject: Reply with quote
@whitebeard: In your case, the network is on the same router, not located on a separate router. The router will always add a route to networks it's directly connected to.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Broadcom SoC based Hardware All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum