[Carldean84]

I've been trying to set up a virtual guest network in a secure way following guides around creating bridges etc. but whenever I do so I an no longer connect via the guest virtual network.

Currently on DD-WRT v3.0-r43516 std (06/25/20)

Any help would be appreciated

[kernel-panic69]

Bridged vaps on Broadcom require startup script commands workaround. This is well-documented in the forum.

• VAPs not working at boot fixed for unbridged VAPs with r40564:40566. Workaround startup command examples:

[eibgrad]

In general, I *do* recommend that you use bridges when creating virtual wireless connections. It just makes it easier to deal w/ situations where eventually you decide to bridge it w/ other physical/virtual wireless connections or wired connections (e.g., you don't have to rewrite the firewall rules). But if you don't anticipate that ever happening, it's not strictly necessary. You can just reference the virtual network interface directly and keep it simple.

IOW, the use of bridges is NOT inherently more safe/security than referencing the actual network interfaces. It's more a matter of convenience than anything else.

[Carldean84]

[eibgrad]

As I read your post, it sounded to me as if you had the impression that assigning your virtual wireless network to a bridge was somehow going to make things more secure. IT DOES NOT! Whether you reference the virtual wireless network interface directly (e.g., wl0.1), or assign it to a new bridge (e.g., br1) and reference that instead, it's all the same as far as security is concerned. In either case, you need to create firewall rules that reference one or the other.

What a bridge does is add convenience. For example, suppose I have *multiple* virtual wireless interfaces or even want to add a wired network interface such that they are all configured w/ the same IP network. I can add them all to their own bridge and reference only it (e.g., in creating firewall rules) rather than dealing w/ the individual network interfaces.

Again, there is no security benefit here. And that's why sometimes, esp. in simple configurations, such as adding a virtual wireless network for guests, users will forgo a bridge and just create firewall rules based on that network interface (e.g., wl0.1).

[egc]

Attached my personal notes how I do it for setting up a simple VAP

If you enable NET isolation the unbridged VAP is isolated from the router and from br0

[eibgrad]

Thanks for the clarification egc.

Yes, I had always assumed that depending on whether you configured the virtual wireless network interface as bridged or unabridged, Net Isolation would ultimately create one or the other set of rules as I described above. My manual firewall rules are more to make clear what's happening, and using the Net Isolation option to obtain the same effect is probably preferred.

But as you know, I'm old school. And I don't fully trust those additional settings, particularly when dealing w/ any non-routed configuration (e.g., WAP). If you decide to configure a WAP, then add a virtual wireless network interface for guests, those auto-generated rules are worthless since you can't deny access from the guest network through the private network and still gain internet access.

That's why there are always caveats to using the GUI. The GUI works in *most* cases for typical configurations (usually routed). But as we all know, it's commonplace around here for ppl to create all kinds of configurations in which the GUI will fail you because of its assumptions. Just keep that in mind.

[Carldean84]

[egc]