[egc]

have look here: https://pastebin.com/r4u62P0B

[atErik]

Hi @egc, Thanks, . . . . . . . . . (my POST-9 in this thread)
adopted/converted your given br0 & guest-net rules,
for this/my ddwrt-router's VLANs, APs/WAPs/VAPs, Bridges.
please see firewall rules.

i have attempted to translate the words & sentences which are used
in that PASTEBIN instruction, and tried to explain with different words
in order to make those rules/functionalities more meaningful & more
descriptive , so that, those can make more sense or can be more easy to
understand for general/new level users,
if possible wud you pls kindly take a look at those #comment lines
& please see/check if my translation is valid or not,
for the same iptables rule.
btw, what does "(internet only)" means/signifying ?

c = 192.168… . ip = ip-address . gw = gateway . sm = SubnetMask.
d1 = dns1 . d2 = dns2 . br = bridge (logical-switch) . rtr = router.
wl = WLAN (can work as WiFi AP or Virtual-AP/VAP) . adrs = address.
nif = network-interface . nic = network-interface card/adapter.
vlan = virtual-LAN, in ddwrt its the physical/wired ethernet port/switch.
= ✅ = working , = ❎ = not-working

DDWRT-CONFIG-62
My expected network-packet movement summary & this/my ddwrt-rtr's internal network-devices info:
DDWRT RTR-2's br0 has ip c.10.251, sm /24, gw+dns c.10.254.
gw c.10.254 in RTR-2's traffic goes into RTR-1, then into Internet.
RTR-2's vlan4 + wl1.2 <-> interlinked with br1 : uses c.20.0/24 subnet <-> br0 <-> Internet.
RTR-2's vlan3 + wl1.1 <-> interlinked with br2 : uses c.30.0/24 subnet <-> br3 <-> br0 <-> Internet.
RTR-2's wl1.3 <-> interlinked with br4 : uses c.32.0/24 subnet <-> br3 <-> br0 <-> Internet.
br1 has ip c.20.1 , br2 has ip c.30.1,
br4 has ip c.32.1 , br3 has ip c.31.1

i used hardware network-switch device & wired multiple client-devices
(and also WiFi client devices) , and connected behind this/my DDWRT
RTR-2 LAN-ports or connected with AP/VAP, etc to find out , which can
ping/etc to/from which device.

please check my previous post where i posted
Additional-Config for DNSMASQ
Startup script

current firewall rules for DDWRT-CONFIG-62 :

[Per Yngve Berg]

[atErik]

this is my POST-10 in this forum-thread

few annoying things i have been noticing in this DDWRT router that:

after firewall/iptables changes, a complete Shutdown+Startup
or Shutdown+Restart process of the DDWRT router device
gives better & actual result,
bcuz ( i have been noticing/watching that ) just after a "Reboot"
( or "Apply-Changes" ) ,
some responses from DDWRT router are indeed wrong response !

sometime i needed to wait around 1 to 2 minutes,
before i could do network tests for receiving correct response.

And it appears to me that, When any changes done in "Networking.asp"
or in VPN("PPTP.asp") or in few other specific ddwrt config-webpages,
& then a "SAVE" or "APPLY-CHANGES" button was used or a "Reboot" button
was used ,
then AFTER REBOOTING or AFTER APPLYING-CHANGES
a GHOST WIFI AP (AccessPoint) with MAC-Adrs 00:00:00:00:00:00
from XEROX manufacturer shows up !!
& that has same SSID name used in VAP (virtual-APs) wl1.2 or wl1.1 !!

in a WIFI ANALYZER device or in App, all SSID & MAC-Adrs can be seen very easily.

( here MAC-Adrs does not mean APPLE-company's Mac,MacBook,etc computer(s)
or macOS or MacOS,etc
here MAC-Adrs means Media-Access-Control Address, which is a special hexbyte number,
it is used to identify each networking/communication-devices used in computers,
phones,etc,etc )

when that GHOST AP/WAP/VAP is present, then TWO MAC-addresses (for
same SSID)
gets AUTO-ALLOWED / AUTO-APPROVED by wifi-client-devices when
they connect with a DDWRT WiFi WAP/VAP/AP !!
thats not good, actually very bad . Client-devices does not warn users
about the unsafe GHOST SSID / GHOST MAC-Adrs which it just approved.
Such is allowed ( that is, SAME SSID & multiple different MAC-adrses
is allowed ) when WIFI extenders, etc are used,
BUT a thief ( group-of or a data-thief, or fishy-hacker, or fishy-state-agent,
or friend/fiend/relative who already has that SSID's passcode ) ,
can come close to your home/work DDWRT router
& can impersonate with your visible/broadcasted SSID & that
known ghost MAC-Adrs ( 00:00:00:00:00:00 )
and start capture/intercept/RECORD your SSID net-traffics.
So client-devices need to warn users about this unsafety,
as such warning wud be justified to increase Security+Privacy protection measures/steps.

i think this (GHOST AP presence) is happening because of some type of hack done
by DDWRT/WRT/BusyBox devs for applying network changes temporarily into
a (temporary) net device inside the router , before the changes are completely
applied after a Shutdown+Startup process.
or its an authentic bug waiting to be fixed/reported.
or its an intentional bug ( or a backdoor )

once router is Shutdown+Restarted, & when NO conflicting configs
were given into DDWRT , then that GHOST AP does not appear.

so remove the MAC-adrs of that Ghost wifi WAP/VAP/AP from your allowed/approved
list of SSID+MAC-Adrs , by using such an App (in your wifi-client) that allows you
to inspect+see pre-approved SSID & their used MAC-addresses.
( i.e: in Android you may use "WiFi Privacy Police" by "UHasselt" )

in your WiFi-Analyzer app, you can see list of all nearby WiFi AP/stations SSID,
MAC-Adrs, etc, etc , find out if there are more than one device
with same SSID name, or find out if there are more than one device
with two different signal levels but have same SSID & same MAC-adrs,
if you see such ,
then do not join or connect-with that SSID , as TWO or MORE MAC-Adrs
will be added/approved by your wifi device.

Back to DDWRT configuration,
now trying DDWRT-CONFIG-75

box-diagram for current ddwrt config 75 :


( in previous diagrams, i have shown arrows from wl1.1, wl1.2 & wl1.3 going into wl1,
sorry, it should have been opposite ( as wl1.x are under wl1 ) , & tun1 remain
connected with wl0 instead of br0, fixed that & other mistakes, etc )

Firewall SPI is now turned ON.
and WiFi wl1.3 & wl1.2 , began to work again
and after further refinement of iptables rules & slight DNSMASQ changes,
even the WiFi wl1.1 VAP has began to work
so DNSMASQ additional config and iptables rules does affect VAPs, VLANs,
which is ofcourse how it should be.

check/see these links, if you want to see/understand more iptables rules:
IPTABLES / FIREWALL commands/rules:
https://wiki.dd-wrt.com/wiki/index.php/Iptables_command
iptables original dev's page:
https://netfilter.org/documentation/HOWTO//packet-filtering-HOWTO-7.html

those who want more done during router Startup, can see this:
https://wiki.dd-wrt.com/wiki/index.php/Startup_Scripts


Startup script : ( DDWRT-CONFIG-75 )
its still same as DDWRT-CONFIG-60, pls go back to previous page
& find that paragraph under
"DDWRT-CONFIG-60" https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1192085#1192085

dnsmasq Additional-Config lines : ( DDWRT-CONFIG-75 )