ro-maniak DD-WRT User
Joined: 07 Jun 2006 Posts: 367
Posted: Fri Dec 23, 2016 14:07 Post subject: Please help: 2.4 guest network on WAP, special conf
Hi all, could someone please help me with setting up the following configuration? I did try a lot and dug into the manuals of iptables, dnsmasq, etc., but cannot quite get it to work.
This is a different setup than the regular guest network on the main router, which is NAT-routing the WAN connection (for which there are plenty of tutorials).
I have a main router, hosting WAN and local net at 192.168.1.xxx (R7000). DNSMasq DHCP server, nothing very special otherwise. Into that, a wireless access point is plugged upstairs. That's a WNDR3700v4. It's really just a 5 GHz WAP, plugged into the LAN of the R7000, WAN port assigned to switch, allowing wireless clients on. No local DHCP, DNS, or whatever.
So on this second box, the WAP, I want to host a 2.4 GHz guest network. Now, the 2.4 GHz is disabled (so we don't need a virtual interface/SSID but can work directly with ath0).
The 2.4 GHz should host a network at 192.168.2.xxx. It should only have access to the WAN, not the 192.168.1.xxx network.
I tried: creating a separate bridge and assigning ath0 to it. OK. Set up that bridge. Run DNSMasq on the WAP as DHCP on the new bridge to hand out the 192.168.2.xxx network. So far so good, it seems.
Where I think I fail is that the new network needs to be bridged with the WAN via that gateway which is at 192.168.1.1. At the same time, guest clients should not have access to the host or any other 192.168.1.xxx client at all...
Any help appreciated!!
_________________
If you use DD-WRT, you HAVE to make a donation! See this topic too: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=228
mrjcd DD-WRT Guru
Joined: 31 Jan 2015 Posts: 6290 Location: Texas
Posted: Fri Dec 23, 2016 17:19 Post subject:
Use instructions from here 'WAP Guest Network'
Just change interface for DNS options
Code:
interface=ath0
dhcp-option=ath0,3,192.168.2.1
dhcp-range=ath0,192.168.2.1,192.168.2.50,255.255.255.0,12h
and the firewall like so -
Code:
iptables -I FORWARD -i ath0 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
I know this works fine on builds 30082 thru 30958.
Make sure you are set up correctly for a WAP.
Gateway should be set to your main router's IP holding the WAN connection.
You also MUST SET LOCAL DNS ... usually would be the same IP as the gateway....
...the unbridged interface will never get DNS if this is not set on the main setup page.
No amount of forcing a DNS on it from iptables and/or firewall rules will work unless
you have local DNS set ..... you will have to ask BS why the heck that is.
Guests are completely isolated from the other network and isolated from accessing this router.
If you have a local somesuch you want the guests to have access to, just throw this in the bottom of the firewall.
e.g. a server or printer @ 192.168.1.101 set up to use a TCP/IP port; you could allow guest access by -
Code:
iptables -I FORWARD -i ath0 -o br0 -d 192.168.1.101 -m state --state NEW -j ACCEPT
'bout all I know
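Added example (not code from the thread or from DD-WRT): a small Python model of the FORWARD chain that mrjcd's rules build, to check which destinations a guest on ath0 can open a new connection to. It models only the match options used above (-i, -o, -d with a CIDR, --state NEW) and the fact that `iptables -I` inserts at the top of the chain, which is why the printer ACCEPT added at the bottom of the firewall script still wins over the DROP, whereas with -A it would sit below the DROP and never match. The LAN addresses are the thread's own; 198.51.100.7 is a constructed WAN address, and an ACCEPT policy on FORWARD is an assumption.

```python
import ipaddress

# Values the answer reads with `nvram get lan_ipaddr` / `nvram get lan_netmask`.
LAN_IP, LAN_MASK = "192.168.1.1", "255.255.255.0"
LAN_NET = ipaddress.ip_network(f"{LAN_IP}/{LAN_MASK}", strict=False)
PRINTER = ipaddress.ip_network("192.168.1.101/32")   # the printer/server example


def insert(chain, rule):
    """iptables -I: prepend, so the rule issued LAST is evaluated FIRST."""
    chain.insert(0, rule)


def append(chain, rule):
    """iptables -A: append, evaluated after everything already in the chain."""
    chain.append(rule)


def evaluate(chain, in_if, out_if, dst):
    """First matching rule decides. Only NEW connections are modelled, and
    the FORWARD policy is assumed to be ACCEPT (assumption, not from the thread)."""
    dst = ipaddress.ip_address(dst)
    for rule in chain:
        if rule.get("i") not in (None, in_if):      # -i <iface>
            continue
        if rule.get("o") not in (None, out_if):     # -o <iface>
            continue
        if "d" in rule and dst not in rule["d"]:    # -d <cidr>
            continue
        return rule["target"]
    return "ACCEPT"                                  # chain policy


def build_chain(allow_printer=False, use_append=False):
    """The FORWARD chain as the answer's firewall script builds it, top to bottom."""
    chain = []
    # Rule from the answer: drop NEW guest -> LAN connections.
    insert(chain, {"i": "ath0", "d": LAN_NET, "target": "DROP"})
    if allow_printer:
        # Added at the bottom of the script; with -I it still lands ABOVE the DROP.
        add = append if use_append else insert
        add(chain, {"i": "ath0", "o": "br0", "d": PRINTER, "target": "ACCEPT"})
    return chain


def guest_can_reach(dst, **opts):
    """Guest traffic enters on ath0 and leaves via br0 (SNAT'd to the LAN IP)."""
    return evaluate(build_chain(**opts), "ath0", "br0", dst) == "ACCEPT"
```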