[RESOLVED] Netgear R7000 WAP Guest Network Issues

Aar
DD-WRT User


Joined: 25 Aug 2020
Posts: 56
Location: New York, USA

Posted: Sun Aug 30, 2020 1:52    Post subject: [RESOLVED] Netgear R7000 WAP Guest Network Issues
Hello all! I've been having a bit of an issue. I recently picked up a Netgear R7000 to use as a WAP, and it's been performing tremendously well. However, I can't seem to get a functional guest network on it. Following the usual tutorials of using another DHCP server (client gets an IP, no Internet) or DnsMasq and Firewall rules (client does not get an IP nor Internet) haven't worked thus far, and I'm pretty much out of ideas. Can anyone help me with my situation?
_________________
HP EliteDesk 800 G2 Mini PC [i3-6100T] (WAN, DHCP, QoS)
NETGEAR R7000 (AP)
NETGEAR WNDR4300 (Switch)


Last edited by Aar on Sun Aug 30, 2020 20:58; edited 1 time in total
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun Aug 30, 2020 3:43
Biggest difference when configuring a guest network on a WAP when compared to a router configuration is that the guest network necessarily has to be routed over the private network (br0). And that requires two additional steps: 1) NAT'ing the traffic from the guest network as it's dropped on the private network (or else add a static route to the primary router that points to the WAP's LAN ip as the gateway to the guest network), and 2) additional firewall rules to prevent the guest network from gaining access to resources on the private network (iow, it *only* has permission to use the private network as a gateway to the upstream WAN, nothing else).

Note, the GUI can't handle this situation properly. Any attempt to NAT assumes the WAN, which of course is irrelevant on a WAP; it has no WAN. Also, iirc, it won't take any preventive measures on its own to protect the private network from the guest network.

Assuming the private network is 192.168.1.0/24 (br0), and the guest network is 192.168.2.0/24 (br1) …

Code:
# Rewrite the source of guest traffic to the WAP's own LAN address as it is dropped onto br0
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
# Stop guest clients from reaching anything on the private network
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -j REJECT


Personally, I prefer the following for my FORWARD rules, since it prevents access to any future private networks as well, perhaps something I introduce later, like a VPN.

Code:
# Reject guest access to all RFC1918 private address space, not just the current LAN
iptables -I FORWARD -i br1 -d 10.0.0.0/8 -j REJECT
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -j REJECT

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
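The two steps above (SNAT the guest traffic onto br0, then fence the guest bridge off from private address space) combined into one idempotent script, as an added example that is not eibgrad's script and not DD-WRT's own code. It goes a little beyond the post: the rules live in two user chains (the names guest_fwd and guest_in are my choice), they are rebuilt on every run rather than inserted again, and it also restricts the INPUT chain, because the FORWARD rules only govern traffic routed through the WAP and say nothing about guest clients talking to the WAP itself (only DHCP and DNS to the WAP's dnsmasq are left open). The interface names, subnets and the 192.168.1.2 fallback used when nvram is not available are constructed assumptions that can be overridden through environment variables.

```shell
#!/bin/sh
# Guest-network firewall for a DD-WRT WAP (constructed example, not the project's code).
# Assumed layout: private LAN on br0 (192.168.1.0/24), guest bridge br1 (192.168.2.0/24),
# dnsmasq on the WAP handing out DHCP/DNS to guests. Override via the environment.

GUEST_IF="${GUEST_IF:-br1}"
GUEST_NET="${GUEST_NET:-192.168.2.0/24}"
LAN_IF="${LAN_IF:-br0}"
IPT="${IPT:-iptables}"

# The WAP's LAN address comes from nvram on DD-WRT; off-device we fall back to a
# constructed value so the rule generator can be exercised without a router.
lan_ip() {
  if command -v nvram >/dev/null 2>&1; then
    nvram get lan_ipaddr
  else
    echo "192.168.1.2"   # constructed fallback, not a real device value
  fi
}

# Rule bodies, one per line, in evaluation order: field 1 = table, field 2 = chain,
# the rest = match and target.
#   guest_fwd: guests may only transit to the upstream WAN; all RFC1918 space is rejected,
#              everything else RETURNs to the stock FORWARD chain.
#   guest_in:  guests may reach the WAP only for DHCP (udp/67) and DNS (53); the rest is rejected.
guest_rules() {
  ip="$1"
  printf '%s\n' \
    "nat POSTROUTING -s $GUEST_NET -o $LAN_IF -j SNAT --to-source $ip" \
    "filter guest_fwd -d 10.0.0.0/8 -j REJECT" \
    "filter guest_fwd -d 172.16.0.0/12 -j REJECT" \
    "filter guest_fwd -d 192.168.0.0/16 -j REJECT" \
    "filter guest_fwd -j RETURN" \
    "filter guest_in -p udp --dport 67 -j ACCEPT" \
    "filter guest_in -p udp --dport 53 -j ACCEPT" \
    "filter guest_in -p tcp --dport 53 -j ACCEPT" \
    "filter guest_in -j REJECT"
}

# Self-check helper: how many REJECT rules fence the guest network off in guest_fwd
# (expected 3, one per RFC1918 block).
count_forward_rejects() {
  guest_rules "$1" | grep -c '^filter guest_fwd .* -j REJECT$'
}

# Idempotent apply: the user chains are created or flushed and rebuilt in order with -A;
# the SNAT rule and the two jumps are inserted only when -C reports them missing, so
# re-running the firewall script never stacks duplicate rules.
apply_guest_rules() {
  ip="$(lan_ip)"
  for chain in guest_fwd guest_in; do
    $IPT -N "$chain" 2>/dev/null || $IPT -F "$chain"
  done
  guest_rules "$ip" | while read -r table chain args; do
    case "$chain" in
      guest_fwd|guest_in) $IPT -t "$table" -A "$chain" $args ;;
      *) $IPT -t "$table" -C "$chain" $args 2>/dev/null || $IPT -t "$table" -I "$chain" $args ;;
    esac
  done
  $IPT -C FORWARD -i "$GUEST_IF" -j guest_fwd 2>/dev/null || $IPT -I FORWARD -i "$GUEST_IF" -j guest_fwd
  $IPT -C INPUT   -i "$GUEST_IF" -j guest_in  2>/dev/null || $IPT -I INPUT   -i "$GUEST_IF" -j guest_in
}

# Only touch the live firewall when explicitly asked, e.g. "sh guest-fw.sh apply" from
# the router's firewall script; without the argument the script just defines the functions.
if [ "${1:-}" = "apply" ]; then
  apply_guest_rules
fi
```

The jumps are inserted with -I so they sit above the stock ACCEPT rules DD-WRT already has in FORWARD and INPUT. If you take the static-route route instead of SNAT (add `192.168.2.0/24 via <WAP LAN ip>` on the primary router), drop the nat line from guest_rules and keep everything else; the isolation rules are needed either way.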
Aar
DD-WRT User


Joined: 25 Aug 2020
Posts: 56
Location: New York, USA

Posted: Sun Aug 30, 2020 4:19
eibgrad wrote:
Assuming the private network is 192.168.1.0/24 (br0), and the guest network is 192.168.2.0/24 (br1) …

Code:
iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -o br0 -j SNAT --to $(nvram get lan_ipaddr)
iptables -I FORWARD -i br1 -d 192.168.1.0/24 -j REJECT


Personally, I prefer the following for my FORWARD rules, since it prevents access to any future private networks as well, perhaps something I introduce later, like a VPN.

Code:
iptables -I FORWARD -i br1 -d 10.0.0.0/8  -j REJECT
iptables -I FORWARD -i br1 -d 172.16.0.0/12 -j REJECT
iptables -I FORWARD -i br1 -d 192.168.0.0/16 -j REJECT


Since I'm only going to be using one interface for the guest network, wl0.1, would changing br1 to wl0.1 and adding all of these rules to the Firewall work just as well?

EDIT: I went ahead and tried it, and it worked! Thanks a bunch for your help! Now to add some QoS rules on the Gateway :)

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun Aug 30, 2020 4:31
Note, when configuring QoS on the WAN, if you used the NAT rule, you can only identify the guest network based on the LAN ip of the WAP. If instead you used a static route, you can identify them by their network (e.g., 192.168.2.0/24).

And yes, you can specify the virtual network interface instead of the bridge (br1). I'm just in the habit of always creating a bridge, even if it only has the one network interface assigned to it. Just in case things change later and I decide to add a second virtual wireless adapter, or even a wired port. I then don't have to change/add rules.

Aar
DD-WRT User


Joined: 25 Aug 2020
Posts: 56
Location: New York, USA

Posted: Sun Aug 30, 2020 4:40
eibgrad wrote:
Note, when configuring QoS on the WAN, if you used the NAT rule, you can only identify the guest network based on the LAN ip of the WAP. If instead you used a static route, you can identify them by their network (e.g., 192.168.2.0/24).


I'm looking into configuring QoS now (using 192.168.2.0/24), so I guess it's time to get into static routing too. I have a lot to learn, it seems!

eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Sun Aug 30, 2020 4:48
There's nothing wrong w/ using the LAN ip of the WAP for QoS, it's just I wanted you to know this was an issue when using the NAT rule. For all intents and purposes, the LAN ip *is* the same as specifying 192.168.2.0/24.

And sometimes you have no other choice than to use a NAT rule, like when the primary router doesn't support static routes (fairly common w/ OEM firmware).

Aar
DD-WRT User


Joined: 25 Aug 2020
Posts: 56
Location: New York, USA

Posted: Sun Aug 30, 2020 4:50
eibgrad wrote:
There's nothing wrong w/ using the LAN ip of the WAP for QoS, it's just I wanted you to know this was an issue when using the NAT rule. For all intents and purposes, the LAN ip *is* the same as specifying 192.168.2.0/24.

And sometimes you have no other choice than to use a NAT rule, like when the primary router doesn't support static routes (fairly common w/ OEM firmware).


I'm glad you relayed the info! I'm still interested in setting up a static route because this WAP is not only serving as the guest AP, but also as the primary AP (because the coverage of this new router is utterly amazing compared to my old one).
