"Tunnel" guest network from WAP to Router to WAN

DD-WRT Forum Forum Index -> Advanced Networking
puterboy2
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 24

Posted: Thu Jun 06, 2019 5:22    Post subject: "Tunnel" guest network from WAP to Router to WAN
I have 2 Netgear R6700 routers running Kong firmware.

Both routers are configured as gateways (as recommended) with router A acting as a router connecting to the WAN and router B connected over Ethernet to router A and acting as a WAP to extend my wireless range.

Both routers have 2 guest networks (wl0.0 and wl1.0) bridged as br1 on the respective Router.

On Router A, enabling Masquerade/NAT and Net Isolation allows the guest network to connect to the WAN (Internet), appropriately isolated from the main LAN (br0).

How do I create a similar situation for Router B so that the bridged guest networks (br1 for Router B) on that router can "tunnel" through to Router A, either to bridge with the guest network on Router A (br1 for Router A) or, failing that, to tunnel through to the WAN as a separate guest network isolated both from the main LAN and from the guest network on Router A?

Right now, I can connect wirelessly to the guest networks on Router B but they (understandably) have no Internet access.

Any suggestions?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8022

Posted: Thu Jun 06, 2019 5:44    Post subject:
Two steps.

1. You NAT the guest network over the primary network.

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


2. You add firewall rules to prevent access by guests to resources on that primary network (they only have internet access).

Code:
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT


While VLANs are theoretically possible (so that all guest APs/VAPs share the same logical ethernet/IP network), on dd-wrt, it's usually not practical. The easiest solution is just to maintain separate guest networks.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
puterboy2
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 24

Posted: Fri Jun 07, 2019 3:08    Post subject:
eibgrad wrote:
Two steps.

1. You NAT the guest network over the primary network.

Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


2. You add firewall rules to prevent access by guests to resources on that primary network (they only have internet access).

Code:
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT


While VLANs are theoretically possible (so that all guest APs/VAPs share the same logical ethernet/IP network), on dd-wrt, it's usually not practical. The easiest solution is just to maintain separate guest networks.


Thanks! This works great.

One question:
I saw an alternative version of the second iptables rule limiting the reject to new packets, specifically:

Code:

iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j DROP


Is that better/worse/equivalent to rejecting all such packets?
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8022

Posted: Fri Jun 07, 2019 3:43    Post subject:
What makes sense all depends on the circumstances.

Without the consideration of state, *all* attempts by guests to communicate w/ the primary network are thwarted. But suppose you wanted clients on the primary network to be able to initiate connections to guests, or perhaps even port forward from the WAN of the primary router to those guests. Now you have a problem. Those guests can't reply due to the firewall rule! But if you add state (as in NEW), you still prevent guests from initiating connections to the primary network, but clients on the primary network can still initiate connections to guests, and you can still port forward to those guests, because the firewall doesn't prevent replies which are in the ESTABLISHED state.

When you have a guest network, things like having clients on the primary network initiate connections or port forwarding to those guests is generally not expected, so using a rule without state is sufficient. The lack of state also means that if by chance some guest gets a connection established before the firewall comes up (there's usually a small window of opportunity), you can eventually kill that connection. OTOH, if you use state NEW under such circumstances, since the connection is already ESTABLISHED, they can continue to use it, even after the firewall comes up.

So in general, NOT using state is preferred when you have a blanket need to prevent something, while using STATE is usually for those situations where you need to make some exceptions, as I described above.

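Putting eibgrad's two steps and the stateless-versus-NEW choice from his two replies above into one script, as an added example that is not eibgrad's or DD-WRT's own code: `guest_rules` prints either variant of the rule pair for a DD-WRT Firewall script, and `audit_ruleset` checks an iptables-save dump for both rules. The bridge names br0/br1 and the `nvram get` variables are the thread's; `to_cidr`, `audit_ruleset` and the sample dump are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not eibgrad's or DD-WRT's code: emits the thread's two rules for
# a DD-WRT firewall script and audits an iptables-save dump for them. On the router
# pass "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)" as LAN_IP LAN_MASK.
GUEST_BR=br1   # guest bridge (wl0.0 + wl1.0), as in the thread
LAN_BR=br0     # primary LAN bridge, as in the thread

# to_cidr IP DOTTED_MASK -> network/prefix, the form iptables-save prints
to_cidr() {
    echo "$1 $2" | awk '{ split($1, i, "."); split($2, m, "."); bits = 0; net = ""
        for (k = 1; k <= 4; k++) { o = 0
            for (b = 7; b >= 0; b--) { p = 2^b; mb = int(m[k]/p) % 2
                bits += mb; o += (int(i[k]/p) % 2) * mb * p }
            net = net (k > 1 ? "." : "") o }
        print net "/" bits }'
}

# guest_rules stateless|new LAN_IP LAN_MASK : prints the iptables commands.
# stateless REJECTs every guest->LAN packet (blanket block; also kills a session
# that slipped in before the firewall came up). new DROPs only NEW connections,
# so LAN clients and WAN port forwards can still reach guests (replies pass).
guest_rules() {
    case $1 in stateless|new) ;; *) echo "usage: guest_rules stateless|new LAN_IP LAN_MASK" >&2; return 2 ;; esac
    # step 1: NAT guest traffic behind the router's LAN address on br0
    echo "iptables -t nat -I POSTROUTING -o $LAN_BR -j SNAT --to $2"
    # step 2: keep guests off the primary LAN. FORWARD only sees transit
    # traffic; packets addressed to the router itself go through INPUT.
    if [ "$1" = stateless ]; then echo "iptables -I FORWARD -i $GUEST_BR -d $2/$3 -j REJECT"
    else echo "iptables -I FORWARD -i $GUEST_BR -d $2/$3 -m state --state NEW -j DROP"; fi
}

# audit_ruleset LAN_IP LAN_MASK < iptables-save output. Succeeds only if the
# SNAT is present and a REJECT/DROP for guest->LAN sits in FORWARD ahead of
# any ACCEPT for the guest bridge (rules match in order; an earlier ACCEPT wins).
audit_ruleset() {
    dump=$(cat); net=$(to_cidr "$1" "$2")
    echo "$dump" | grep -q -- "^-A POSTROUTING -o $LAN_BR -j SNAT --to-source $1\$" || return 1
    echo "$dump" | awk -v br="$GUEST_BR" -v net="$net" '
        /^-A FORWARD / && $0 ~ ("-i " br " ") {
            if ($0 ~ ("-d " net " ") && /-j (REJECT|DROP)/) { ok = 1; exit }
            if (/-j ACCEPT/) exit
        }
        END { exit (ok ? 0 : 1) }'
}
# Constructed iptables-save excerpt of a router set up as the thread describes.
SAMPLE_DUMP='*nat
-A POSTROUTING -o br0 -j SNAT --to-source 192.168.1.1
*filter
-A FORWARD -i br1 -d 192.168.1.0/24 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i br1 -o vlan2 -j ACCEPT'
```

On the router the pair is applied with `guest_rules stateless "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)" | sh`, and on builds that ship iptables-save, `iptables-save | audit_ruleset "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)"` confirms both rules landed ahead of any guest ACCEPT.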
puterboy2
DD-WRT Novice


Joined: 24 Feb 2019
Posts: 24

Posted: Fri Jun 07, 2019 4:57    Post subject:
eibgrad wrote:
What makes sense all depends on the circumstances.

Without the consideration of state, *all* attempts by guests to communicate w/ the primary network are thwarted. But suppose you wanted clients on the primary network to be able to initiate connections to guests, or perhaps even port forward from the WAN of the primary router to those guests. Now you have a problem. Those guests can't reply due to the firewall rule! But if you add state (as in NEW), you still prevent guests from initiating connections to the primary network, but clients on the primary network can still initiate connections to guests, and you can still port forward to those guests, because the firewall doesn't prevent replies which are in the ESTABLISHED state.

When you have a guest network, things like having clients on the primary network initiate connections or port forwarding to those guests is generally not expected, so using a rule without state is sufficient. The lack of state also means that if by chance some guest gets a connection established before the firewall comes up (there's usually a small window of opportunity), you can eventually kill that connection. OTOH, if you use state NEW under such circumstances, since the connection is already ESTABLISHED, they can continue to use it, even after the firewall comes up.

So in general, NOT using state is preferred when you have a blanket need to prevent something, while using STATE is usually for those situations where you need to make some exceptions, as I described above.


Thanks for taking the time to explain -- truly helpful!!!