2 SSID (guest network) on a bridged wifi

Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking
Author Message
Cramaboule
DD-WRT Novice


Joined: 07 Feb 2020
Posts: 3

PostPosted: Fri Feb 07, 2020 13:21    Post subject: 2 SSID (guest network) on a bridged wifi Reply with quote
Hello,

I have the following network settings at work. We would like to set up a Guest WIFI. (see attached pic)

My aim:
- is to have the guest having internet, but not access to the servers.
- in the other hand, intern SSID must have access to the internal Servers (and internet obviously).

I searched for tuto but didn't find anything like we have.

Do you have any hint ?
I am quite new to dd-wrt.

Thanks in advance.

Cramy
Sponsor
devopsmyth
DD-WRT Novice


Joined: 18 Jun 2019
Posts: 17
Location: Maryland - US

PostPosted: Tue Feb 18, 2020 20:02    Post subject: Reply with quote
Will the ASUS Wireless AP be functioning as a router in this scenario, or does the other "router" in your image handle all internal routing?

Are you planning on using 802.1q VLANs to segment the two different wireless networks? Or does your environment not support VLANs?

Essentially, without knowing the answers to the above, you'll need to have two bridges on the ASUS router. You'll create your two wireless networks and assign each of them to one of the bridges. Then depending on where the routing is happening, you'll create rules to allow or deny access to the internet or other networks. If you're routing on the ASUS, you'll end up using isolation on the guest network, and some IPTables rules to prevent the guest network from reaching anything other than the internet. There are plenty of guides in this forum on isolating guest wireless.

If you can give me more information by answering the above questions, I'll try to steer you in the right direction.

_________________
----------------------------------------
| "we see things not as they are, but |
| as we are." -Talmud | ----------------------------------------

devopsmyth
Cramaboule
DD-WRT Novice


Joined: 07 Feb 2020
Posts: 3

PostPosted: Wed Feb 19, 2020 9:33    Post subject: Reply with quote
Thanks for your reply!

Quote:
Will the ASUS Wireless AP be functioning as a router in this scenario, or does the other "router" in your image handle all internal routing?


Depend what is best and easy to do.
I can set the ASUS as a router, but then the 'internal' wi-fi will have different IP range/network... thus not having access to the servers. or there is a dns or ip table routing that makes this possible ?

Quote:
Are you planning on using 802.1q VLANs to segment the two different wireless networks? Or does your environment not support VLANs?


I could,... but I would not prefer that option.

I already looked at the Guest wifi tuto... but it didn't work for me. Either the guest has access to the server, either there is no internet access...

I am open to any working options...
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 4846
Location: Netherlands

PostPosted: Wed Feb 19, 2020 10:28    Post subject: Reply with quote
Setup the Asus as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

for a Guest Wifi make an unbridged VAP

From the tutorial:
Quote:
VAP on WAP
If you place the unbridged VAP on a wireless access point (a secondary router with a disabled WAN, no DHCP and on the same subnet as a the primary router) then you have to add the following rule to the firewall in order to get internet access from the VAP.
In the web-interface of the router: Administration/Commands save Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Net Isolation does not work on a WAP so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

For isolating the WAP itself from the guest network:
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
(note: not all firmwares have the multiport directive)


Note this is for Broadcom (which yours is I think)

_________________
Routers:Netgear R7800, Netgear R6400v1, Netgear R6400v2, Linksys EA6900 (XvortexCFE), Linksys E2000 (converted WRT320N), WRT54GS v1.
Install guide Linksys EA6900: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=291230
OpenVPN Policy Based Routing guide: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=321686
Install guide R6400v2:http://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
OpenVPN Server Setup:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=318795
Install guide R7800: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Wireguard Setup guide:https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1183135
Cramaboule
DD-WRT Novice


Joined: 07 Feb 2020
Posts: 3

PostPosted: Fri Feb 21, 2020 14:54    Post subject: Reply with quote
egc wrote:
Setup the Asus as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

for a Guest Wifi make an unbridged VAP

From the tutorial:
Quote:
VAP on WAP
If you place the unbridged VAP on a wireless access point (a secondary router with a disabled WAN, no DHCP and on the same subnet as a the primary router) then you have to add the following rule to the firewall in order to get internet access from the VAP.
In the web-interface of the router: Administration/Commands save Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

Net Isolation does not work on a WAP so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

For isolating the WAP itself from the guest network:
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
(note: not all firmwares have the multiport directive)


Note this is for Broadcom (which yours is I think)


Thanks I will have a close look at it !
C.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum