Joined: 04 Aug 2018 Posts: 1444 Location: Appalachian mountains, USA
Posted: Wed Sep 16, 2020 17:07 Post subject:
Since no one seems to be replying and I need something to do while I slowly build my caffeine level, let me be a complete fool and try to whip out a basic guide to get you moving. I don't claim my proofreading is perfect, and certainly there are many possible dd-wrt configurations that would require changing something from the basic setup here. But I hope this will get you started in the right direction and that others can step in and help you tailor it if needed. With that said, here is my basic how-to on getting VAPs going (I have four VAPs here), with some routed through the VPN client and some bypassing it (which I do here also). Could be that I've left out something important. Hope not.
40559 is not a great build. Ignore the router database. It is not well maintained. Get a recent build. The very latest ones are having wifi issues on the Linksys/Marvell routers (like the 3200). I'd try 44213, the last one before the iffy wifi driver changes, and if that presents serious problems, fall back to 44048, which seems to have lots of fans. See the "Cliff Notes" sticky post at the top of the Marvell forum for important details of handling flashing and setup. The Cliff Notes are your basic guide.
You can easily have multiple guest networks. The topic to research is Virtual Access Points (VAPs). There is a lot of old info out there, so be careful. Here's my quick version.
First, note that you are creating it for one wifi band. If you want both wifi bands, create two guest networks with separate SSIDs. Combining both bands into one network with a shared SSID might be tempting, but if you bridge VAP A and VAP B together, there will be no way to keep clients of A and clients of B from seeing each other and interacting. That violates the idea of a guest network. So, here's how you create one VAP.
In the Wireless/BasicSettings page you need to Add Virtual AP, check Advanced Settings, check AP Isolation so that clients cannot see each other, check Unbridged for Network Configuration, and check Masquerade/NAT so your clients can reach the internet. If you will have only one guest network (VAP), check Net Isolation so that clients on the main and guest networks cannot see each other. If you will have more than one guest network, leave it unchecked and use the firewall tweak discussed below instead. I like checking "Forced DNS Redirection" so that clients are strongly encouraged ("forced" is not actually possible) to use dd-wrt's DNS system.
If your router IP is 192.168.1.1 (the default), try entering 192.168.X.1 as both Optional DNS Target and IP Address, with X some small number not equal to 1. Use a different X for each VAP. Don't give the VAP the same IP that your modem uses for dd-wrt's WAN connection (usually not a problem, but it can happen). Most people use X=2 for the first VAP, X=3 for the second, etc. Note the name of the virtual interface, likely ath0.1 or ath1.1, that you have created. Save and Apply.
Move to the Wireless Security subtab and give the VAP a Security Mode of WPA, a Network Authentication type of "WPA2 Personal," and a WPA Algorithms choice of "CCMP-128 (AES)." Put the password in as WPA Shared Key, Save and Apply. At this stage you should be able to connect to the VAP wifi, but you won't yet have internet on it.
On the Setup>BasicSettings page, at the bottom, I'm assuming you have these three checked:
Use DNSMasq for DNS
DHCP-Authoritative
Forced DNS Redirection
I'm not saying the below won't work otherwise, only that I'm too lazy to think the matter through.
Go to Setup>Networking, scroll to the bottom to the DHCPD section, and click Add to create a new DHCP server at the bottom of the list. Use the drop-down menu to select the VAP you have created. Set Start to 128 and Max to 64 rather than use the defaults for those. This will make setting up the VPN easier later on. The other defaults are fine. Save and Apply. You should now have a functioning guest network.
Note that a lot of the guides out there talk about using bridges for VAPs either because the guides are old, from before the simpler unbridged option was available in dd-wrt, or because some routers/builds had trouble with unbridged VAPs for some time. Your router and a modern build are perfectly compatible with unbridged VAPs.
Old guides may also suggest various iptables rules to add to the firewall for VAPs. None of these are needed in a modern setup unless you want Net Isolation for multiple VAPs. If your main network is (the default) bridge br0 with IP 192.168.1.1 and your VAPs are on interface ath0.1 with IP 192.168.2.1 and interface ath0.2 with IP 192.168.3.1, achieving that Net Isolation can be accomplished by putting these three firewall commands in Administration>Commands in the Firewall box (enter in Commands box and click Save Firewall):
Code:
for i in br0 ath0.1 ath0.2; do
iptables -I FORWARD -i $i -d 192.168.0.0/16 -m state --state NEW -j DROP
done
There are many guides to iptables online if you want to sort this out. Be sure you have a backed-up configuration before playing with the firewall, because the wrong kind of errors can lock you out of your router. And this particular firewall setup for Net Isolation is probably not universal. It works for my setup here. In the ssh/PuTTY CLI do iptables -vnL FORWARD | grep DROP to see the rules this created in the firewall (and maybe a few others as well).
If you already have a working VPN setup, all you need to do is enter, in the Policy Based Routing (PBR) window in Services>VPN, the IP ranges you want on the VPN. If your VAP IP is 192.168.2.1 with DHCP Start=128 and Max=64, enter 192.168.2.128/26. You can enter multiple lines for multiple VAPs. If this notation is unfamiliar, google CIDR notation. (An IP address is four groups of 8 bits each so 32 bits total. The /26 means the first 26 bits are as given with the last 6 representing wild cards. Here 2^6 is 64.) For more on PBR, see egc's guide posted as a sticky at the top of the Advanced Networking forum.
The two new builds I recommend above have an "Ignore WAN DNS" box at the top of the Setup>BasicSettings page. Check it. Those new builds also automatically use the DNS server pushed by the VPN provider.
You'll likely want a VPN kill switch. Add it to the Firewall window in Administration>Commands (click Edit in that window to copy its contents to the Commands window, add material below, click Save Firewall to move it back to the Firewall window):
There are many different reasonable kill switches out there. The one Nord recommends, unless they've changed it recently, uses a udp-reset in the last rule. There is no such thing as a udp-reset, and if you make such an error in an iptables command, no firewall rule is created. This kill switch automatically tailors to your PBR setup by reading the internal file where the PBR configuration is stored. Use iptables -vnL FORWARD | grep REJECT in the ssh/PuTTY CLI to see these rules (and a few others) in the firewall, to check that they went in OK. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.
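As an added example that is not from the post above (and not dd-wrt's own code), here is a small POSIX sh helper that does two of the mechanical steps from that how-to: it turns a VAP's DHCP Start/Max into the CIDR line the PBR window wants, refusing pairs that do not form one aligned block, and it checks the text of iptables -vnL FORWARD for the per-interface Net Isolation DROP rule, so a rule that was silently rejected (the udp-reset mistake mentioned above) shows up as MISSING. The interface names and addresses are the post's examples; the FORWARD listing is a constructed sample, not real router output.

```sh
#!/bin/sh
# Added example, not code from the forum post. Helpers for the VAP setup above:
#   pbr_cidr               -> CIDR line for the Policy Based Routing window
#   net_isolation_rules    -> the per-interface DROP rules from the post
#   isolation_rule_present -> audit "iptables -vnL FORWARD" output for one rule

# pbr_cidr ROUTER_IP START MAX  ->  e.g. 192.168.2.128/26
# One CIDR block covers the DHCP pool only when MAX is a power of two and
# START is a multiple of MAX (the post's Start=128/Max=64 satisfies both).
pbr_cidr() {
    local ip start max size prefix
    ip=$1; start=$2; max=$3
    [ "$max" -ge 1 ] || { echo "pbr_cidr: Max must be >= 1" >&2; return 1; }
    size=1; prefix=32
    while [ "$size" -lt "$max" ]; do          # smallest power of two >= MAX
        size=$((size * 2)); prefix=$((prefix - 1))
    done
    if [ "$size" -ne "$max" ] || [ $((start % max)) -ne 0 ] \
       || [ $((start + max)) -gt 256 ]; then
        echo "pbr_cidr: Start=$start Max=$max is not one aligned block; use a power-of-two Max and a Start that is a multiple of it" >&2
        return 1
    fi
    echo "${ip%.*}.$start/$prefix"           # keep the first three octets
}

# net_isolation_rules IFACE...  ->  one iptables line per interface, the same
# rule the post uses, ready to paste into the Firewall box.
net_isolation_rules() {
    for ifc in "$@"; do
        echo "iptables -I FORWARD -i $ifc -d 192.168.0.0/16 -m state --state NEW -j DROP"
    done
}

# isolation_rule_present IFACE LISTING  ->  exit 0 if LISTING (the output of
# "iptables -vnL FORWARD") has a DROP rule with in=IFACE, dst=192.168.0.0/16.
# Column order in that listing: pkts bytes target prot opt in out source destination
isolation_rule_present() {
    printf '%s\n' "$2" | awk -v ifc="$1" \
        '$3 == "DROP" && $6 == ifc && $9 == "192.168.0.0/16" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed sample of "iptables -vnL FORWARD" in which the ath0.2 rule is
# missing, as it would be if that iptables command had contained a typo.
SAMPLE_FORWARD='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  ath0.1 *       0.0.0.0/0            192.168.0.0/16       state NEW
    0     0 DROP       all  --  br0    *       0.0.0.0/0            192.168.0.0/16       state NEW
   12  1532 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Usage: PBR lines for two VAPs, the firewall rules for br0 plus both VAPs, then
# an audit of the listing (on the router use LISTING=$(iptables -vnL FORWARD)).
main() {
    pbr_cidr 192.168.2.1 128 64      # first VAP
    pbr_cidr 192.168.3.1 128 64      # second VAP
    net_isolation_rules br0 ath0.1 ath0.2
    for ifc in br0 ath0.1 ath0.2; do
        if isolation_rule_present "$ifc" "$SAMPLE_FORWARD"; then
            echo "$ifc: isolation rule present"
        else
            echo "$ifc: isolation rule MISSING"
        fi
    done
}
main
```

The alignment check matters because PBR takes CIDR ranges, not start/count pairs: Start=100 with Max=50 would need several lines to cover, which is why the post steers you to 128/64. Run the audit from the ssh/PuTTY CLI after Save Firewall and a reboot, since a rule that never made it into the chain gives no error in the GUI.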
I know this thread is a few years old, but this is the first successful isolated guest VAP I've been able to set up since switching to DD-WRT a few weeks ago. Thanks SurprisedItWorks!
I have a question and thought I'd post it here: how do I see what's connected to the guest network? My primary is the typical 192.168.1.1 with the guest as 192.168.2.1. However, when I log on to the guest network and query the IPs using Advanced IP Scanner, I get nothing.
Joined: 04 Aug 2018 Posts: 1444 Location: Appalachian mountains, USA
Posted: Thu Mar 16, 2023 14:31 Post subject:
You get nothing? Perhaps you have AP Isolation enabled in wifi settings.
To see what's connected, use the GUI's Status tab and its Sys Info subtab. The listing of wifi clients near (but not at) the bottom will show for each what wifi interface it's connected to.
I hope you are using a modern build and not the specific ones recommended in that old post. The wifi issues mentioned there were fixed long ago, and modern builds have generally been solid. Do check the new-build thread of any you are considering though. FWIW, I'm on 51530 and happy, but it's not because it's somehow special. It just happened to be the latest one at the time I made my choice. I generally upgrade every 3 to 4 months.
I'm using a WRT1200AC/V2 with DD-WRT v3.0-r44715 std (11/03/20). I did start with what I thought was a newer release, but seemed very unstable for WiFi so I haven't attempted to upgrade from what I'm currently running. I do have AP Isolation turned on... thinking that would just prevent someone on the guest network from snooping the main network. I guess that just shows how much I still need to learn!
Joined: 04 Aug 2018 Posts: 1444 Location: Appalachian mountains, USA
Posted: Fri Mar 17, 2023 21:52 Post subject:
Quote:
prevent someone on the guest network from snooping the main network.
To do that you need "network isolation". AP Isolation is to keep wifi clients on the same wifi network from seeing each other. You may well want to use both, which is fine.
Re which build... I completely agree with @egc who is something of a master guru around here. Somewhere between your old build and the good ones we have now, there was a period maybe eight or nine months long when we were having wifi issues with the WRTblah builds. Perhaps the one you tried was one of those. But things have been good for something like a year and a half, so go for a recent one if you can. There have been lots and lots of improvements, to security and otherwise. _________________ 2x Netgear XR500 and 3x Linksys WRT1900ACSv2 on 53544: VLANs, VAPs, NAS, station mode, OpenVPN client (AirVPN), wireguard server (AirVPN port forward) and clients (AzireVPN, AirVPN, private), 3 DNSCrypt providers via VPN.