VAP with separate IP no internet but see it in other router

jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

Posted: Mon Jan 22, 2018 20:37    Post subject: VAP with separate IP no internet but see it in other router
Firmware: DD-WRT v3.0-r34311 std (12/29/17)
WiFi Device: ASUS AC3200
Connection: The ASUS is connected by the WAN port as an Access Point to the rest of the network
(The Setup->Basic Setup value for Connection Type is set to Automatic Configuration DHCP and the device has a static IP under the Router IP section of 1.2 and a Gateway of 1.1 which is a Juniper Router that manages internet access and DHCP addresses for non-guest devices).

WiFi: Physical WLAN users get 192.168.1.x
Guest WLAN users get 192.168.31.x
A route exists on the Juniper that points traffic for 31.x to the ASUS router

Thank you for the continued work on this firmware. It has been very useful the last few years we've been using it on an AC66u. Now we have a new set of devices and it's not working as desired.

I followed this excellent, simple guide for deploying a VAP for a Guest network that provides a separate subnet to the guests and keeps them AP isolated.

https://www.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

Non-guest users work perfectly fine.
Guests have no Internet access.

Users connecting on the physical WLAN get an IP assigned (1.x) by a Juniper brand router that controls internet access. The ASUS passes the DHCP request nicely.

Users joining the virtual WLAN signal get an IP from the ASUS (31.x subnet) according to the instructions in the link noted above.

On the Juniper logs, I can clearly see the guest devices appearing in the log (192.168.31.49 for example). When they try to browse, I can see DNS requests to 208.67.222.222 from 192.168.31.49 have a RESP result. But the guest gets no web page.

I can successfully ping from another device on the non-guest network (1.x) to 31.2 (the Gateway for the guest network).

But if I try to Ping 8.8.8.8 from the guest device (31.49 for example), it has 100% loss. So it seems to be:

The ASUS receives request from 31.49 (for example)
The ASUS 31.2 passes that to itself through 1.2
That passes through to the Juniper at 1.1
The Juniper sends it to the web
The Juniper gets a reply
The Juniper sends it back to ASUS
The ASUS does NOT finish by providing the result back to the guest


Is there something in that Guide that is now incorrect / out of date to make this work? Do I need to do some manual adding of rules or commands? Various older posts talk about IP tables but they don't seem to apply to what the current firmware is supposed to be able to do. The tutorial listed above makes no mention of a need to do extra commands.

Any help would be appreciated, thanks folks.


Last edited by jhsd on Tue Jan 23, 2018 16:45; edited 3 times in total
jxm
DD-WRT Guru


Joined: 23 Jul 2017
Posts: 710
Location: Brisbane, Australia

Posted: Tue Jan 23, 2018 1:19
See if this helps:

https://stackoverflow.com/questions/31391724/dd-wrt-virtualap-with-guest-and-private-wifi-access-on-2nd-router

It has a detailed step by step instruction on how to set up a Guest wifi on a secondary router running as an access point with DD-WRT. I believe that is what your requirement boils down to.

Cheers.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue Jan 23, 2018 5:34
Quote:
On the Juniper logs, I can clearly see the guest devices appearing in the log (192.168.31.49 for example).


That would appear to be the problem.

It wasn't clear from your description if the WAN is actually being used in a routed config, or whether it really is only being used as an AP, and the WAN has been reassigned to the LAN, and therefore the fact it's a WAN vs. LAN port is of no significance.

Anyway, the fact the guest IP network is showing up on the Juniper logs is a problem. That device doesn't know how to route packets back to that network! Not unless you add a static route to the Juniper and tell it to send reply packets back to the AP's LAN ip (since that's the gateway to the guest network).

Since many ISP devices don't support user-defined static routes, the usual way to solve this problem is to NAT the guest network over the private network (if the device is an AP), or over the WAN (if the device is a router, with active WAN). That's why I asked about how this device is actually configured wrt the WAN.

And frankly, I prefer the old school wiki for multiple WLANs. The newer wikis are misleading. The one you referenced, for example, *assumes* a router config, i.e., you're using a WAN, but the old school wikis make a point of how you properly NAT the guest network depending on whether you're using a routed or AP (bridged) config. This is one of those cases where using the old school method results in less confusion.

https://www.dd-wrt.com/wiki/index.php/Multiple_WLANs
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

Posted: Tue Jan 23, 2018 16:57
Thank you for your replies JXM and EIBGRAD.

I see what you mean by the WAN question there so I updated my original post to add more specifics about the way the WAN port is defined in the Basic settings and so on. So yes, the Juniper did already have a route in place pointing back to the 31.x subnet. In fact, I can Ping from any device in 1.x to the 31.x gateway address for the guest subnet.

After my original post I continued searching, and found a page very much like the one you listed Eibgrad.
https://flashrouters.zendesk.com/hc/en-us/articles/115000967873-How-To-Setup-a-DD-WRT-Guest-Wireless-Network-On-Your-FlashRouter

So I tried those steps where it uses bridging, and sadly still have no throughput for the guest to internet side. However, I am going to try them yet again because it was late last night when I did it, and you know.. maybe I missed something from being burned out on this struggle all day.

JXM - The post you listed speaks about changing the WAN connection drop-down to Disabled and then checking a box that says "Assign Wan Port to Switch". I do not see that Switch check box option though. It could be it won't show up unless I change that WAN connection box to disabled, not sure. I can't do that right now because it will cut off users who are on the non-guest side. I'll have to wait another 5 hours for the place to close before I can take down the working non-guest side with tests like that.

Many thanks again for your suggestions. I'll let you know what comes from tests I can do now, and if no luck there, from the ones I have to wait for until tonight.

I wish the Wiki posts had dates and firmware version details right at the top in bold to help readers nail down if they have the most current tips and applicable version steps!
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue Jan 23, 2018 17:29
Based on your latest revision, the fact the WAN connection type is enabled w/ DHCP means that router is configured *as* a router, it's not an AP/WAP.

Around here, when someone says they've configured the router as an AP/WAP, that's understood to mean that you've *disabled* the WAN (and probably reassigned the WAN to the LAN to make that port available again), disabled its DHCP server, and connected it LAN to LAN to the primary router. That's what makes it *just* an AP/WAP.

So as I suspected, we have a terminology problem here.

Since it's apparently configured as a router, that begs the question, why would the primary router need a static route for the guest network? The guest network, like the private network, would normally be NAT'd over the second router's WAN (provided the tutorial takes care of that detail for you, or you apply the appropriate NAT firewall rule manually). When NAT'd, the primary router never sees the guest network. It only sees the WAN ip of the second router, and that's sufficient for the purpose of sending replies from the primary router back to the guest router.

So something doesn't add up here.

The risk in allowing the guest's IP network to reach the primary router is if the primary router is *only* NAT'ing its own local IP network over its WAN! And if that's the case, the guests will not have internet access. That's why the better approach is to make sure the guests are NAT'd over their own router (no need for static routes). Now everything from the perspective of the primary router appears to be coming from the WAN ip of the second router, and now internet access is available for the guests.


Last edited by eibgrad on Tue Jan 23, 2018 17:58; edited 1 time in total
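Added example (not part of eibgrad's post or the DD-WRT wiki): a Python check of the point made above, that guests only get internet if some router's NAT actually covers the guest subnet. It reads `iptables -t nat -S POSTROUTING` output pasted from a Linux-based router; the sample rules, the interface name `vlan2` and the function names are constructed for illustration.

```python
import ipaddress
import shlex

NAT_TARGETS = {"MASQUERADE", "SNAT"}

# Constructed sample: a router that NATs only its own private LAN,
# the situation the post describes for the primary router.
RULES_LAN_ONLY = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o vlan2 -j MASQUERADE
"""
# Same rule set with the guest subnet NAT'd as well (constructed).
RULES_WITH_GUEST = (RULES_LAN_ONLY +
                    "-A POSTROUTING -s 192.168.31.0/24 -o vlan2 -j MASQUERADE\n")


def parse_rule(line):
    """Turn one '-A POSTROUTING ...' line into a dict; None for other lines."""
    tokens = shlex.split(line)
    if tokens[:2] != ["-A", "POSTROUTING"]:
        return None
    rule = {"src": ipaddress.ip_network("0.0.0.0/0"), "out": None,
            "target": None, "negated": "!" in tokens}
    for flag, value in zip(tokens[2:], tokens[3:]):
        if flag in ("-s", "--source"):
            rule["src"] = ipaddress.ip_network(value, strict=False)
        elif flag in ("-o", "--out-interface"):
            rule["out"] = value
        elif flag in ("-j", "--jump"):
            rule["target"] = value
    return rule


def guest_is_natted(rules_text, guest_cidr, egress_iface):
    """First-match walk of POSTROUTING: True if the guest subnet hits a NAT rule.

    Simplifications: rules with '!' matches are skipped, and jumps into
    user-defined chains are not followed.
    """
    guest = ipaddress.ip_network(guest_cidr)
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["negated"] or rule["target"] is None:
            continue
        if not guest.subnet_of(rule["src"]):
            continue                      # rule is for some other source network
        if rule["out"] not in (None, egress_iface):
            continue                      # rule is bound to a different interface
        if rule["target"] in NAT_TARGETS:
            return True                   # guest traffic leaves with a rewritten source
        if rule["target"] in ("ACCEPT", "RETURN"):
            return False                  # guest traffic leaves un-NAT'd
    return False


if __name__ == "__main__":
    for name, rules in (("LAN only", RULES_LAN_ONLY), ("with guest", RULES_WITH_GUEST)):
        print(name, "->", guest_is_natted(rules, "192.168.31.0/24", "vlan2"))
```

A `False` result for the guest subnet on every router in the path matches the symptom in this thread: the upstream device logs 192.168.31.x source addresses directly.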
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

Posted: Tue Jan 23, 2018 17:54
Interesting.. I'm drawing from the terminology I see on the router configuration pages themselves. So for example, here is a copy from the Wireless->Basic page showing the WiFi signal for the non-guest users and for the virtual.

Within it, you see below the Wireless mode is described as "AP" which I would think meant Access Point mode? No?



Wireless Physical Interface wl0 [5 GHz/802.11ac]

Physical Interface wl0 - SSID [OurWIFI]

Wireless Mode: AP
Wireless Network Mode: Mixed
Wireless Network Name (SSID): OurWIFI
Wireless Channel: Auto
Channel Width: Wide HT40 (40 MHz)
Extension Channel: lower upper
Wireless SSID Broadcast: Enable Disable
Optimize Multicast Traffic: Enable
Explicit Beamforming: Disable
Implicit Beamforming: Disable
Airtime Fairness: Disable
Network Configuration: Bridged


Virtual Interfaces

Virtual Interfaces wl0.1 SSID [GUEST]

Wireless Network Name (SSID): GUEST
Wireless SSID Broadcast: Enable
AP Isolation: Enable
Optimize Multicast Traffic: Disable
Network Configuration: Bridged
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue Jan 23, 2018 18:09
There's a difference between the router configuration as a whole (router, AP/WAP, client, client bridge, etc.) vs. the specific configuration of the AP within that router. In *my* mind, I was interpreting your description as the former.

For example, I can have the router configured as a router, but rather than have its AP in AP mode, have the AP reconfigured as a wireless client, aka, "client" mode. Now the wireless client acts as a virtual WAN, while the wired WAN is disabled (or else reassigned to the LAN).

I know, it sounds complicated, but it's not my intent to make a big deal about it. I'm only mentioning it because around here, terminology tends to be understood in certain ways, and when someone uses it differently, it can lead to confusion.

Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2336
Location: Indy

Posted: Tue Jan 23, 2018 18:42
eibgrad wrote:
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
Maybe this will help: https://www.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN
_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: Builds, Types, Modes, Changelog, Peacock, Demo #
x64 OPNsense 19.7.2|EA6900v1.1@1GHz FT 2019.3b|DD 40599: WNDR4500v2, WNDR4000@533, E1500@353, R6300v1,
2*E2500, WRT54*@250: GLv1.1 nsg, GSv6 µ
|RT-N66U@663 Merlin 380.70|OEM: WGR614v10@400-WNR1000v3 mod
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

Posted: Tue Jan 23, 2018 23:56
This is an absolutely infuriating nightmare.

Changing the Wireless Mode to "Client" and clicking save wiped out the VAPs, and there was no option to create new ones. So that was of no value/function.

Restoring it to "AP" and setting the WAN port to Disabled and Checking the box for use WAN as Switch made no difference - guests still get no Internet.

These instructions failed too:
https://stackoverflow.com/questions/31391724/dd-wrt-virtualap-with-guest-and-private-wifi-access-on-2nd-router
Clients couldn't even connect anymore. I don't think that post reflects anything correctly anymore. It speaks of IP tables and firewall commands to be done manually.

Meanwhile the Wiki for the "old" method also fails. It is polluted with various side notes that say "but this doesn't apply anymore since firmware Dec 2015" and so on.

So I am back at square one again - no internet for guests. What the hell do people use to set up the configuration for a Guest WiFi on a separate IP that works? It clearly is not correct as written in any of the Wikis. We're talking having done full factory reset, apply the settings, reboot, test, and nothing works for the guests, only the non-guests. It was never this ridiculously hard with the ac66u.

My setup is currently identical to this (including having AP isolation turned off right now):
https://flashrouters.zendesk.com/hc/en-us/articles/115000967873-How-To-Setup-a-DD-WRT-Guest-Wireless-Network-On-Your-FlashRouter
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

Posted: Wed Jan 24, 2018 0:02
jwh7 wrote:
eibgrad wrote:
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
Maybe this will help: https://www.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN


Thank you for your reply JWH7. But that refers to a very old firmware. I am running Firmware: v3.0-r34311 std (12/29/17)
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2336
Location: Indy

Posted: Wed Jan 24, 2018 0:35
jhsd wrote:
Thank you for your reply JWH7. But that refers to a very old firmware. I am running Firmware: v3.0-r34311 std (12/29/17)
What gives you that idea? It is for builds "23020 and later"; I updated that wiki info last month, specifically for the "AP or no WAN" rules. It was tested on 33771, using WNDR4000 and WNDR4500v2, both set up as 2.4GHz CB + 5GHz AP+VAP, worked fine.
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

Posted: Wed Jan 24, 2018 0:59
The page says:

"If the router is not used as a gateway (like an AP, thus WAN and DHCP are disabled, but the same subnet as the primary gateway router."

My description as posted is that the VAP guests are not assigned an IP in the same subnet.
jhsd
DD-WRT Novice


Joined: 11 Feb 2014
Posts: 20

Posted: Wed Jan 24, 2018 19:48
I just tried updating to Firmware: DD-WRT v3.0-r34578 std (01/19/18)

No difference. No guest can access the internet.

I pulled out the old ac66u, which runs a much older firmware, turned it on, and it works perfectly.

I duplicated the settings I see on the 66u on the 3200 (as closely as possible.. the new firmware has some extra features). Still no internet for guests.

I am not wasting another 10 hours on this. Something is completely wrong with the wiki instructions, or the firmware, or both. At a minimum, Guest VAPs will not work for AC3200 routers.
jxm
DD-WRT Guru


Joined: 23 Jul 2017
Posts: 710
Location: Brisbane, Australia

Posted: Wed Jan 24, 2018 21:11
jhsd wrote:
I just tried updating to Firmware: DD-WRT v3.0-r34578 std (01/19/18)

No difference. No guest can access the internet.

I pulled out the old ac66u, which runs a much older firmware, turned it on, and it works perfectly.

I duplicated the settings I see on the 66u on the 3200 (as closely as possible.. the new firmware has some extra features). Still no internet for guests.

I am not wasting another 10 hours on this. Something is completely wrong with the wiki instructions, or the firmware, or both. At a minimum, Guest VAPs will not work for AC3200 routers.


Just a thought.... when you log into the 3200 and go to the Sysinfo / Status tab, what IP settings do you have for LAN IP and WAN IP?
On the Setup tab, what do you have for Local IP Address, and Gateway?

Are these settings the same on the 66u?

Cheers.
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2336
Location: Indy

Posted: Wed Jan 24, 2018 21:35
jhsd wrote:
My description as posted is that the VAP guests are not assigned an IP in the same subnet.
My reply was in regard to eibgrad's reply that you're using an AP setup:
eibgrad wrote:
Bottom line, as now described, you simply have a plain ol' standard router configuration (which implies an AP in AP mode). And you've added a guest VAP off the existing AP. And it works except there's no internet access.
If that's the case, since what you're doing now isn't working, then I suggest to reset and follow the wiki's "New DNSMasq Method" and "VAP with no WAN" instructions, which work, at least on the last build I tested.