Joined: 25 Aug 2020 Posts: 56 Location: New York, USA
Posted: Sun Aug 30, 2020 1:52 Post subject: [RESOLVED] Netgear R7000 WAP Guest Network Issues
Hello all! I've been having a bit of an issue. I recently picked up a Netgear R7000 to use as a WAP, and it's been performing tremendously well. However, I can't seem to get a functional guest network on it. Following the usual tutorials of using another DHCP server (client gets an IP, no Internet) or DnsMasq and Firewall rules (client does not get an IP nor Internet) hasn't worked thus far, and I'm pretty much out of ideas. Can anyone help me with my situation?
_________________
HP EliteDesk 800 G2 Mini PC [i3-6100T] (WAN, DHCP, QoS)
NETGEAR R7000 (AP)
NETGEAR WNDR4300 (Switch)
Last edited by Aar on Sun Aug 30, 2020 20:58; edited 1 time in total
Biggest difference when configuring a guest network on a WAP when compared to a router configuration is that the guest network necessarily has to be routed over the private network (br0). And that requires two additional steps: 1) nat'ing the traffic from the guest network as it's dropped on the private network (or else add a static route to the primary router that points to the WAP's LAN ip as the gateway to the guest network), and 2) additional firewall rules to prevent the guest network from gaining access to resources on the private network (iow, it *only* has permission to use the private network as a gateway to the upstream WAN, nothing else).
Note, the GUI can't handle this situation properly. Any attempt to NAT assumes the WAN, which of course is irrelevant on a WAP; it has no WAN. Also, iirc, it won't take any preventive measures on its own to protect the private network from the guest network.
Assuming the private network is 192.168.1.0/24 (br0), and the guest network is 192.168.2.0/24 (br1) …
Personally, I prefer the following for my FORWARD rules, since it prevents access to any future private networks as well, perhaps something I introduce later, like a VPN.
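The two steps described in the post above (NAT onto br0, then firewall isolation), as an added example that is not part of the original thread and not the poster's own rules. It prints the rules for review instead of applying them, and it assumes that dnsmasq on the WAP serves DHCP and DNS to guests, that rejecting all RFC 1918 destinations is an acceptable way to cover future private networks, and a constructed WAP LAN IP of 192.168.1.2; `guest_wap_rules` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for a guest network on a WAP.
# Assumptions: dnsmasq on the WAP hands out DHCP/DNS to guests; the WAP LAN IP
# (192.168.1.2 in the sample call) is a constructed value.

guest_wap_rules() {
    guest_if=$1; guest_net=$2; lan_if=$3; wap_lan_ip=$4

    # Step 1: NAT guest traffic as it is dropped on the private network, so the
    # primary router only ever sees the WAP's LAN IP and needs no static route.
    echo "iptables -t nat -I POSTROUTING -s $guest_net -o $lan_if -j SNAT --to-source $wap_lan_ip"

    # Step 2: reject new guest connections to every RFC 1918 range, not just the
    # current private subnet. Internet-bound packets carry public destinations,
    # so they still pass through the private network to the upstream gateway.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "iptables -I FORWARD -i $guest_if -d $net -m state --state NEW -j REJECT"
    done

    # Protect the WAP itself. -I inserts at the top of the chain, so the ACCEPT
    # rules printed after the REJECT end up above it and are matched first.
    echo "iptables -I INPUT -i $guest_if -m state --state NEW -j REJECT"
    echo "iptables -I INPUT -i $guest_if -p udp --dport 67 -j ACCEPT"   # DHCP
    echo "iptables -I INPUT -i $guest_if -p udp --dport 53 -j ACCEPT"   # DNS
    echo "iptables -I INPUT -i $guest_if -p tcp --dport 53 -j ACCEPT"   # DNS over TCP
}

# Sample call with the thread's subnets; review the output before applying it.
guest_wap_rules br1 192.168.2.0/24 br0 192.168.1.2
```

Guests must use the WAP or a public resolver for DNS, since a resolver on the private subnet falls inside the rejected ranges. Passing `wl0.1` as the first argument produces the unbridged variant raised in the reply that follows.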
Since I'm only going to be using one interface for the guest network, wl0.1, would changing br1 to wl0.1 and adding all of these rules to the Firewall work just as well?
EDIT: I went ahead and tried it, and it worked! Thanks a bunch for your help! Now to add some QoS rules on the Gateway
Note, when configuring QoS on the WAN, if you used the NAT rule, you can only identify the guest network based on the LAN ip of the WAP. If instead you used a static route, you can identify them by their network (e.g., 192.168.2.0/24).
Joined: 25 Aug 2020 Posts: 56 Location: New York, USA
Posted: Sun Aug 30, 2020 4:40 Post subject:
eibgrad wrote:
Note, when configuring QoS on the WAN, if you used the NAT rule, you can only identify the guest network based on the LAN ip of the WAP. If instead you used a static route, you can identify them by their network (e.g., 192.168.2.0/24).
I'm looking into configuring QoS now (using 192.168.2.0/24), so I guess it's time to get into static routing too. I have a lot to learn, it seems!
There's nothing wrong w/ using the LAN ip of the WAP for QOS, it's just I wanted you to know this was an issue when using the NAT rule. For all intents and purposes, the LAN ip *is* the same as specifying 192.168.2.0/24.
Joined: 25 Aug 2020 Posts: 56 Location: New York, USA
Posted: Sun Aug 30, 2020 4:50 Post subject:
eibgrad wrote:
There's nothing wrong w/ using the LAN ip of the WAP for QOS, it's just I wanted you to know this was an issue when using the NAT rule. For all intents and purposes, the LAN ip *is* the same as specifying 192.168.2.0/24.
And sometimes you have no other choice than to use a NAT rule, like when the primary router doesn't support static routes (fairly common w/ OEM firmware).
I'm glad you relayed the info! I'm still interested in setting up a static route because this WAP is not only serving as the guest AP, but also as the primary AP (because the coverage of this new router is utterly amazing compared to my old one).