Posted: Sun Aug 23, 2020 18:54 Post subject: Guest VAP connects but no Internet
Is it possible to have the DHCP forwarder for one subnet while having a DHCP server on another subnet on a WAP?
I have this WAP (Netgear R6250) connected to my main gateway (Linksys EA8500), which is the DHCP server on subnet 192.168.254.x. The R6250 runs in router mode and acts as a DHCP forwarder. I have tried adding a Guest VAP network on the R6250 and serving addresses in 192.168.5.x, which does correctly assign the proper subnet IPs. Here are the steps I have taken:
- Created an unbridged Virtual Access Point called Guest on wl0.1 (2.4ghz)
- Assigned the VAP wl0.1 to IP 192.168.5.1/24 and turned on Network Isolation
- In Networking tab, I added DHCP server assigned to wl0.1. It then shows me Interface wl0.1: IP 192.168.5.1/255.255.255.0 above it.
- Rebooted.
I can connect to it and get an IP address, but it doesn't have Internet access. I cannot ping my main gateway router on the 192.168.254.x subnet, but I can ping the main IP of the WAP, which is 192.168.254.13, and also the VAP on 192.168.5.1.
What am I missing here? A firewall rule? A route? I would like to keep network isolation for obvious reasons.
_________________ Linksys EA8500 (Internet Gateway, AP/VAP) - DD-WRT r53562
Features in use: WDS-AP, Multiple VLANs, Samba, WireGuard, Entware: mqtt, mlocate
Wireless 5ghz only
Netgear R7800 (WDS-AP, WAP, VAP) - DD-WRT r55779
Features in use: multiple VLANs over single trunk port
Linksys EA8500 WDS Station x2 - DD-WRT r55799
Netgear R6400v2 WAP, VAP 2.4ghz only w/VLANs over single trunk port. DD-WRT r55779
OSes: Fedora 38, 9 RPis (2,3,4,5), 20 ESP8266s: Straight from Amiga to Linux in '94, never having owned a Windows PC.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sun Aug 23, 2020 19:14 Post subject: Re: Guest VAP connects but no Internet
lexridge wrote:
Is it possible to have the DHCP forwarder for one subnet while having a DHCP server on another subnet on a WAP?
I have this WAP (Netgear R6250) connected to my main gateway (Linksys EA8500), which is the DHCP server on subnet 192.168.254.x. The R6250 runs in router mode and acts as a DHCP forwarder. I have tried adding a Guest VAP network on the R6250 and serving addresses in 192.168.5.x, which does correctly assign the proper subnet IPs. Here are the steps I have taken:
- Created an unbridged Virtual Access Point called Guest on wl0.1 (2.4ghz)
- Assigned the VAP wl0.1 to IP 192.168.5.1/24 and turned on Network Isolation
- In Networking tab, I added DHCP server assigned to wl0.1. It then shows me Interface wl0.1: IP 192.168.5.1/255.255.255.0 above it.
- Rebooted.
I can connect to it and get an IP address, but it doesn't have Internet access. I cannot ping my main gateway router on the 192.168.254.x subnet, but I can ping the main IP of the WAP, which is 192.168.254.13, and also the VAP on 192.168.5.1.
What am I missing here? A firewall rule? A route? I would like to keep network isolation for obvious reasons.
It helps if you not only share your router model but also your build number (see my signature for the forum guidelines).
If you enable NET isolation you cannot get access to your primary router; that is what net isolation is all about (actually you can in this case, because Net isolation does not work on a WAP).
See my notes on how I set up a VAP on a WAP (love this alliteration); maybe they are helpful.
1) Set a static route on the main router.
192.168.5.0/24 gateway 192.168.254.13
2) Enable NAT for all subnets on the main router with this firewall rule:
iptables -t nat -A POSTROUTING -o `get_wanface` -j MASQUERADE
Thank you Per Yngve Berg.
While this does allow the 192.168.5.0 subnet to now access the Internet, it also allows me to see and ping everything on the 192.168.254.0 network, which I don't want.
iptables -I FORWARD -i wl0.1 -d 192.168.254.0/24 -m state --state NEW -j REJECT
Exactly what I was looking for! It works! Thank you again very much.
If anyone uses this for future reference, it should be noted that this rule goes on the WAP, not the main router.
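Putting Per Yngve Berg's two replies together (the static route and MASQUERADE on the main router, the FORWARD REJECT on the WAP), here is an added example in the form DD-WRT's Administration -> Commands -> Save Firewall expects. It is the editor's own script, not code from the thread or from the DD-WRT project. It assumes the thread's names and addresses (guest VAP wl0.1 on 192.168.5.0/24, LAN 192.168.254.0/24, WAP at 192.168.254.13), and it goes beyond the thread in two places, both flagged in the comments: the main-router MASQUERADE is limited to the guest source subnet instead of every source, and the WAP side also rejects the other RFC 1918 ranges and restricts what guests may send to the WAP itself, because a FORWARD rule never sees traffic addressed to the WAP's own 192.168.254.13 or 192.168.5.1 (that goes through INPUT).

```shell
#!/bin/sh
# Added example, not from the thread or from DD-WRT: guest-VAP isolation for a
# DD-WRT WAP plus the matching main-router rules. Assumed names and addresses
# (override through the environment): guest VAP wl0.1 on 192.168.5.0/24, LAN
# 192.168.254.0/24, WAP at 192.168.254.13.
GUEST_IF="${GUEST_IF:-wl0.1}"
GUEST_NET="${GUEST_NET:-192.168.5.0/24}"
LAN_NET="${LAN_NET:-192.168.254.0/24}"
WAP_IP="${WAP_IP:-192.168.254.13}"

# Main router side (Save Firewall on the EA8500).
#  1) Return route: replies for 192.168.5.x must go back through the WAP
#     ("replace" is idempotent, so re-running the script is harmless).
#  2) NAT on the WAN interface. get_wanface is the DD-WRT helper that prints
#     the WAN interface name; limiting the rule to -s $GUEST_NET is narrower
#     than the thread's rule, which masquerades every source.
main_router_rules() {
  cat <<EOF
ip route replace $GUEST_NET via $WAP_IP
iptables -t nat -A POSTROUTING -s $GUEST_NET -o \$(get_wanface) -j MASQUERADE
EOF
}

# WAP side (Save Firewall on the R6250).
# FORWARD: -I inserts at the top of the chain, above DD-WRT's own ACCEPT rules,
#   and every later line lands above the earlier ones. Only NEW connections are
#   rejected, so a LAN host that connects to a guest still gets its replies,
#   while guests cannot initiate anything towards the LAN. The thread's rule
#   covers the LAN subnet; the other private ranges are added for any further
#   VLANs behind the main router (192.168.0.0/16 overlaps the LAN rule, which
#   is kept explicit because it is the one from the thread).
# INPUT: packets for the WAP itself (192.168.254.13 or 192.168.5.1) are not
#   forwarded, so they need their own rules: only DHCP and DNS for dnsmasq are
#   accepted from the VAP. The DROP is emitted first so that the ACCEPTs
#   inserted after it end up above it in the chain.
wap_rules() {
  cat <<EOF
iptables -I FORWARD -i $GUEST_IF -d $LAN_NET -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 10.0.0.0/8 -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 172.16.0.0/12 -m state --state NEW -j REJECT
iptables -I FORWARD -i $GUEST_IF -d 192.168.0.0/16 -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -j DROP
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply one side's rules on that device, or print both sets for review.
dispatch() {
  case "$1" in
    main) main_router_rules | sh -e ;;
    wap)  wap_rules | sh -e ;;
    show) main_router_rules; wap_rules ;;
    *)    echo "usage: $0 main|wap|show" >&2; return 2 ;;
  esac
}

# Without an argument the script only defines the functions (handy for sourcing).
if [ $# -gt 0 ]; then
  dispatch "$1"
fi
```

Run `sh guest-vap.sh show` on a workstation to review the generated rules, then paste the `main` set into the main router's firewall script and the `wap` set into the WAP's. After applying, a guest client should still get a lease and resolve names, but `ping 192.168.254.1`, `ping 192.168.254.13` and the WAP's web UI on 192.168.5.1 should all fail, while `ping 8.8.8.8` succeeds.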
The forwarder is only forwarding on the 192.168.254.0 subnet. The server is assigning addresses to 192.168.5.0 network. It seems they are working very well together.
Quote:
If you enable NET isolation you cannot get access to your primary router; that is what net isolation is all about (actually you can in this case, because Net isolation does not work on a WAP).
See my notes on how I set up a VAP on a WAP (love this alliteration); maybe they are helpful.
Thanks to Per Yngve Berg I have it working exactly how I wanted it as you probably saw from above.
You are a book of DD-WRT knowledge, @egc. I used your OpenVPN guide a few times to get that working. Much appreciation to the both of you.