Guest Network - access restrictions

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.)
Author Message
kalle_karlsson
DD-WRT Novice


Joined: 21 Jul 2010
Posts: 10

PostPosted: Mon Aug 13, 2018 15:16    Post subject: Guest Network - access restrictions Reply with quote
Hi!
I set up a guest network on a WRT3200 mainly following these guides:
https://flashrouters.zendesk.com/hc/en-us/articles/115000967873-How-To-Setup-a-DD-WRT-Guest-Wireless-Network-On-Your-FlashRouter
https://wiki.dd-wrt.com/wiki/index.php/Guest_Network
The WRT3200 is in AP mode behind an dsl modem/router.
The DHCP for the guest network provides the following ip's: 192.168.2.xxx
Everything works fine, but when logged in to the guest network, I still have access to my private ip´s (192.168.1.xxx).
The firewall rules are as follows:
Code:

#Allow guest bridge access to Internet
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
#Block access between private and guest
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW-j DROP
#NAT to make Internet work
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Block torrent and p2p
iptables -I FORWARD -p tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 50 -j DROP
iptables -I FORWARD -p ! tcp -s 192.168.2.0/24 -m connlimit --connlimit-above 25 -j DROP
#Block guest access to router services
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset


Almost the same configuration works alright on an old dd-wrt build on a WRT160NL, using DNSMasq.

Any ideas where my fault is?

/Karlsson
Sponsor
kalle_karlsson
DD-WRT Novice


Joined: 21 Jul 2010
Posts: 10

PostPosted: Thu Aug 30, 2018 18:25    Post subject: Reply with quote
Anyone an idea?

/Karlsson
AmesJainchill
DD-WRT Novice


Joined: 10 Aug 2017
Posts: 37
Location: MI, USA

PostPosted: Thu Aug 30, 2018 20:11    Post subject: Reply with quote
I did it according to these instructions on my WRT3200ACM running BS 33986.

https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

I just followed the Instructions section. Didn't get in to the QoS section. Anything connected to my guest vap cannot connect to any devices on my private LAN/SSIDs (NAS, PCs, printers, etc.). Just able to hit the internet. The Net Isolation option seems to be the kicker here.

EDIT:
This seems to be important too...Smile

"Net isolation works ONLY on an unbridged interface on newer builds, starting from build:

Broadcom 23020, Atheros 24759, Mediatek (Ralink) 25934"
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 345

PostPosted: Fri Aug 31, 2018 19:41    Post subject: WRT3200ACM WDA STATION Reply with quote
I was unable to set up a guest config on any WDS Station. The only thing that I could see being an issue is that the WDS Station doesn't have a checkbox for NAT. Guest config works fine on the router running as a WDS AP though.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Marvell MVEBU based Hardware (WRT1900AC etc.) All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum