Guest WiFi with different Gateway?

RockNLol
DD-WRT Novice


Joined: 21 Jan 2016
Posts: 11

Posted: Tue May 14, 2019 18:16    Post subject: Guest WiFi with different Gateway?
Hi,
I use two DD-WRT Routers as WiFi-access points in my house. The gateway to the internet is a dedicated opnsense firewall though, which also does DNS and DHCP.

I would like to configure a guest network, but I am unsure as to where I even start in my case. I can configure a virtual interface wl0.1 very easily, but how do I route this to the firewall on a different vlan on the same cable? Are there tutorials for this case out there?

Hope you can help me and thanks in advance ;)
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8034

Posted: Tue May 14, 2019 23:16    Post subject:
You don't need VLANs to solve this problem (although some ppl may choose to go that route provided their router supports it). Just route the guest network over the private network.

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


Then add the following rule to prevent those same guests from accessing resources on the private network. All they get is internet access.

Code:
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


Both rules should be placed in the router's firewall script.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
RockNLol
DD-WRT Novice


Joined: 21 Jan 2016
Posts: 11

Posted: Wed May 15, 2019 8:08    Post subject:
Thanks for your reply! Unfortunately this does not seem to work, but maybe I am doing something wrong here:
(note that my dd-wrt is in German, so I might be translating some things differently here) I set up a virtual interface wl0.1:
SSID Broadcast enabled
AP Isolation disabled
Network configuration bridged

Then I save the two iptables commands into the firewall section under administration > diagnosis

and finally reboot the router.

The result is a working guest network, but with full access to the local network. If I understand the iptables command correctly, this only works if the router is also the gateway, because it does NAT?
Also, DHCP clients get the local DNS server, which would/should be blocked by the iptables, right? I do not think the opnsense firewall, which does the DHCP, could differentiate between clients on the guest or private network.

Do I need VLANs now? (I hope not, as I do not have a lot of experience setting VLANs up)


Last edited by RockNLol on Tue May 21, 2019 10:08; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 3682
Location: Netherlands

Posted: Wed May 15, 2019 8:41    Post subject:
When you want to isolate a guest network you have to unbridge the interface.

See my attached notes.

There are 2 ways to do this; see the references in my notes.

There is also a section for when you are using a WAP (like you seem to do), and that is where the commands from @eibgrad come into play.

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
Simple PBR (Policy Based Routing) script: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318662
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN server setup guide:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
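
The bridged/unbridged point from the replies above, as an added example that is not part of the original thread: a pre-check that refuses to emit the two guest rules while the guest interface is still a port of br0. The function names, the sample `brctl show` output and the address 192.168.1.2 are assumptions constructed for illustration; the script only prints the rules.

```shell
#!/bin/sh
# Added example, not from the thread. Frames between ports of the same bridge
# are switched at layer 2 and normally do not pass the iptables FORWARD chain,
# so the REJECT rule cannot match while the guest interface is a port of br0.

# bridge_of IFACE: reads `brctl show` output on stdin and prints the bridge
# IFACE is a port of; prints nothing when IFACE is unbridged.
bridge_of() {
    awk -v want="$1" '
        NR == 1 { next }                # column header
        { ifc = "" }
        NF >= 4 { br = $1; ifc = $4 }   # first row of a bridge: name id stp port
        NF == 1 { ifc = $1 }            # continuation row: one more port
        ifc == want { print br; exit }
    '
}

# guest_rules GUEST_IF LAN_IP LAN_MASK: prints the two rules quoted above.
guest_rules() {
    echo "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $2"
    echo "iptables -I FORWARD -i $1 -d $2/$3 -m state --state NEW -j REJECT"
}

# check_and_emit GUEST_IF LAN_IP LAN_MASK: `brctl show` output on stdin.
# Refuses to emit the rules while the guest interface is still bridged.
check_and_emit() {
    br=$(bridge_of "$1")
    if [ -n "$br" ]; then
        echo "$1 is still a port of $br; unbridge it first" >&2
        return 1
    fi
    guest_rules "$1" "$2" "$3"
}

# Constructed samples of `brctl show` output (MAC and addresses are made up).
SAMPLE_BRIDGED='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122334455       no              vlan1
                                                        wl0
                                                        wl0.1'
SAMPLE_UNBRIDGED='bridge name     bridge id               STP enabled     interfaces
br0             8000.001122334455       no              vlan1
                                                        wl0'

# Dry run on the samples. On the router the call would be:
#   brctl show | check_and_emit wl0.1 "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)"
printf '%s\n' "$SAMPLE_BRIDGED" | check_and_emit wl0.1 192.168.1.2 255.255.255.0 || true
printf '%s\n' "$SAMPLE_UNBRIDGED" | check_and_emit wl0.1 192.168.1.2 255.255.255.0
```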