Wired guest network on a AP

david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 4

Posted: Mon Jun 17, 2019 14:38    Post subject: Wired guest network on a AP
Hi all,

I have 2 broadcom routers (e900 and R7000) with dd-wrt. The e900 is in a separate building as an AP, servicing wireless clients and a couple of wired connections to a NAS and a Pi.

I'd like to configure the wired connection to the Pi to be isolated from the rest of the network but have internet access via the R7000.

Is this possible?

I confess this is somewhat beyond my current skill level but would like to learn how to set it up.

Thanks in advance for your help.

Best

David
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8022

Posted: Mon Jun 17, 2019 18:38    Post subject:
How is the AP (e900) in the other building connected to the primary router (R7000)? Wire? Wireless? I would assume as a repeater bridge, but I want to be sure.

Assuming it's repeater bridge, if you want a separate network on the AP for certain devices, and assuming the e900's wireless adapter supports it, you can create an additional VAP for those purposes, then route that VAP over the private/primary network. The AP would need the following firewall rules to gain internet access, and prevent clients of the VAP from gaining access to resources on the private/primary network.

Code:
# nat guest network over the private network
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

# deny guests access to resources on private network (internet access only)
iptables -I FORWARD -i br1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -j REJECT


In the above, I assume you will add the VAP to a new bridge (br1). It's considered good practice. But if you don't for some reason, then you could just reference the new VAP's network interface name (e.g., wl0.1) rather than br1.

_________________
DD-WRT: DNS Leak Detection w/ VPNs (updated 6/5/19)
NEW SCRIPT!: ddwrt-mount-usb-drives.sh
NEW SCRIPT!: ddwrt-blacklist-domains.sh
NEW SCRIPT!: ddwrt-ovpn-remote-access.sh
NEW SCRIPT!: ddwrt-pptp-policy-based-routing.sh
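
An added example, not part of eibgrad's post: a check that the REJECT rule from the post above is actually evaluated before any ACCEPT for the guest bridge, since rule order decides whether br1 is isolated. The function names `to_cidr` and `guest_isolated`, the sample rule sets and the 192.168.1.2/255.255.255.0 LAN are constructed for illustration; `iptables -S` prints the `-d` value in network/prefix form, so the nvram address and netmask are converted first.

```shell
# Added example (not from the thread): audit `iptables -S FORWARD` output from the AP.

# Address + dotted netmask (nvram style) -> network/prefix, the form iptables prints.
to_cidr() {
    oldifs=$IFS; IFS=.
    set -- $1 $2            # $1-$4: address octets, $5-$8: netmask octets
    IFS=$oldifs
    net="$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
    bits=0
    for o in "$5" "$6" "$7" "$8"; do
        while [ "$o" -gt 0 ]; do bits=$((bits + (o & 1))); o=$((o >> 1)); done
    done
    echo "$net/$bits"
}

# guest_isolated RULES IFACE LAN_CIDR
# Returns 0 when, reading top-down, a REJECT/DROP covering IFACE -> LAN_CIDR is
# reached before an ACCEPT covering the same traffic; returns 1 otherwise.
# Simplifications: -o matches and jumps to user chains are not interpreted, and
# only an exact -d match on LAN_CIDR (or no -d at all) counts as covering the LAN.
guest_isolated() {
    while read -r line; do
        case "$line" in "-A FORWARD "*) ;; *) continue ;; esac
        case "$line" in *" -i $2 "*) ;; *" -i "*) continue ;; esac   # other input iface
        case "$line" in *NEW*) ;; *"state "*) continue ;; esac       # established-only
        case "$line" in *" -d $3 "*) ;; *" -d "*) continue ;; esac   # other destination
        case "$line" in
            *"-j REJECT"*|*"-j DROP"*) return 0 ;;
            *"-j ACCEPT"*) return 1 ;;
        esac
    done <<EOF
$1
EOF
    return 1    # no blocking rule found at all
}

# Constructed sample rule sets (assumed LAN: 192.168.1.2 / 255.255.255.0).
GOOD='-P FORWARD ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i br1 -j ACCEPT'
BAD='-P FORWARD ACCEPT
-A FORWARD -i br1 -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -i br1 -j REJECT --reject-with icmp-port-unreachable'

LAN=$(to_cidr 192.168.1.2 255.255.255.0)
guest_isolated "$GOOD" br1 "$LAN" && echo "GOOD: br1 is rejected before reaching $LAN"
guest_isolated "$BAD" br1 "$LAN" || echo "BAD: an ACCEPT for br1 precedes the REJECT"
```

On the AP itself, the inputs would be `"$(iptables -S FORWARD)"` and `$(to_cidr "$(nvram get lan_ipaddr)" "$(nvram get lan_netmask)")`, assuming the build's iptables supports `-S`.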
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 4

Posted: Mon Jun 24, 2019 13:12    Post subject:
eibgrad wrote:
How is the AP (e900) in the other building connected to the primary router (R7000)? Wire? Wireless? I would assume as a repeater bridge, but I want to be sure.


Sorry, I thought I'd replied but for some reason it didn't post.

The e900 is connected via wired Cat5 to the R7000.

When you talk about VAP (Virtual Access point?) is this implemented using the VLAN tab found in the dd-wrt setups on both routers?

Thanks in advance.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 8022

Posted: Mon Jun 24, 2019 19:41    Post subject:
david0000 wrote:
When you talk about VAP (Virtual Access point?) is this implemented using the VLAN tab found in the dd-wrt setups on both routers?


No. VLANs are strictly related to wired connections. I'm talking about adding a VAP (virtual AP), which can be done in the Wireless->Basic Settings->Virtual Interfaces section of the router.

If you need *both* wired and wireless support, then you can add both a new vlan (e.g., vlan3) and VAP, then assign them to a new bridge (e.g., br1). But not all dd-wrt compatible routers support VLAN reconfiguration, since VLANs are hardware dependent.

Frankly, this discussion of VAPs and VLANs may be premature since the description of your configuration wasn't totally clear. When you said, for example…

"The e900 is in a separate building as an AP, servicing wireless clients and a couple of wired connections to a NAS and a Pi."

… I wasn't sure if the NAS and Pi were wired to the AP (e900), or you just meant they were on the primary router (R7000) and accessible from the AP. This is a case where it might help if you provided a diagram (hand-drawn is fine), because sometimes the choice of words and phrasing can lead to misinterpretation.

david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 4

Posted: Thu Jul 04, 2019 16:02    Post subject:
eibgrad wrote:
"The e900 is in a separate building as an AP, servicing wireless clients and a couple of wired connections to a NAS and a Pi."

… I wasn't sure if the NAS and Pi were wired to the AP (e900), or you just meant they were on the primary router (R7000) and accessible from the AP. This is a case where it might help if you provided a diagram (hand-drawn is fine), because sometimes the choice of words and phrasing can lead to misinterpretation.


The Pi and NAS are directly wired to the e900. Other clients (e.g. a chromebook) also connect via Wifi to the e900 for internet access.

The idea is to separate the wired Pi and a guest wifi on the e900 from the rest of the network but still access the internet.

I do have a diagram and will try and pop it up somewhere to display here.

I've had a go this afternoon setting up a guest wifi on the e900 but no success so far :)

Sorry again for the slow reply - I'm not getting the email notifications.
david0000
DD-WRT Novice


Joined: 17 Jun 2019
Posts: 4

Posted: Thu Jul 04, 2019 16:05    Post subject:


^^ How's that ?