Posted: Mon Apr 12, 2021 0:38 Post subject: No Internet on VAP created with Trendnet TEW-812DRU router
I am trying to create a guest VAP on a Trendnet TEW-812DRU v2 that is being used as a WAP. The set-up is that the WAP is connected to a VLAN (Netgear managed switch) which is connected to a router (running pfSense software) that manages the Internet service for the building. The VLAN goes to a small non-profit organization that is renting space from a place I volunteer at. We provide them with Internet access (via the VLAN) and their office equipment is connected to that VLAN. They are using the Trendnet as a WAP for their wireless needs; they would like to offer wireless access to visitors but they do not want visitors on the same network as their office equipment. I could set up a separate wireless router for the visitors, but I figured it would be neat if I could do it with their existing router.
Firmware build 23808 was on the router; I know it is old but I figured I would not change the firmware in case I needed to put things back (I made a configuration back-up). I found a Wiki detailing how to create multiple WLANs (https://wiki.dd-wrt.com/wiki/index.php/Multiple_WLANs) which I followed to create the WLANs. The office SSID is on the main WLAN (wl0) and the guest SSID is on the VAP (wl0.1). I set up the router on the bench at home, using my home network to mimic the office pfSense router and provide Internet service. I entered the following iptables commands into the Firewall, based on the access restrictions I wanted:
#Restrict br0 from accessing br1
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
#Restrict br1 from accessing br0's subnet but pass traffic through br0 to the Internet
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
#Enable NAT for traffic being routed out br0 so that br1 has connectivity
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
#Restrict br1 from accessing the router's local sockets
iptables -I INPUT -i br1 -m state --state NEW -j DROP
#Allow br1 to access DNS on the router
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT
I tested the WLANs at every step as the Wiki instructed, and everything responded as expected until I entered the iptables commands. Once the commands were entered and the router was rebooted, I could connect to the office SSID and reach the Internet, but when I connected to the guest SSID I could not access the Internet (kept receiving a “No Internet” warning). Through trial and error, I figured out that the iptables command restricting br1 from accessing the router’s local sockets was causing the issue with Internet access. When I removed that command from the firewall, the guest WAP started working. It was restricted from accessing the office network, but I could enter the router’s address and access the GUI which is what I wanted to prevent. I figured I would work that out later, so I took the router to the office to install it.
I installed the router and ensured that all of the IP addresses in the configuration were changed to match the office set-up. I rebooted the router and tested the WLANs; the office WLAN worked as expected but the “No Internet” issue was back with the guest WLAN. I took the router back home, changed the appropriate IP addresses in the configuration to match my home set-up and started it up – and I was able to get Internet access with the guest VLAN.
Now that I have two issues I thought I would stop and get some help. For the first issue (guest WLAN accessing the router’s GUI), I don’t know what to try. Is there another way to create the iptables entry that could work?
For the “No Internet” issue when the router is installed at the office, I am wondering if it could be a DNS issue. In the DNSMasq section, I have the entry “dhcp-option=br1,6,8.8.8.8,8.8.4.4” as I was anticipating using the Google DNS for the guest WLAN. However, I also entered the two iptables commands to allow the guest WLAN to access the DNS on the router which, I assume, overrides the DNSMasq entry. Could it be that the VLAN/pfSense router set-up at the office is preventing the guest VLAN from using its DNS? The office WLAN is accessing the Internet and I assumed that it was using the router’s DNS, but maybe that is not a good assumption. Should I remove the iptables commands? Should I use different commands? Other suggestions?
Yes, "Masquerade / NAT" is enabled. I can access the Internet on the guest WLAN when I install the WAP on my home network to test the set-up. When I take the WAP to the office where I want to install it I do not get Internet access on the guest WLAN.
Posted: Mon Apr 12, 2021 20:24 Post subject:
The only thing I can think of is what the office subnet is in relation to the VAP. You do have a DHCP server serving the clients on the VAP, correct? If so, if the two subnets are the same subnet (i.e. 192.168.1.x), then one needs to change to another subnet (i.e. 192.168.5.x)...
To clarify the questions about the set-up - the office WLAN is the Trendnet router's main 2.4GHz WLAN (wl0). The Trendnet router is set up as an AP (DHCP turned off) so the office WLAN gets its DHCP service from the main router (a computer running pfSense software). I created a 2.4GHz VAP (wl0.1) for the guest network and created a DHCP server for it on the Trendnet router. The main router's (and office WLAN) subnet is 192.168.1.x; I assigned 192.168.20.x to the guest WAP.
A suggestion was made to ensure that the Trendnet router had access to the main router DHCP. The office WLAN already has access because it is using the same subnet as the main router. I did not do this for the guest WLAN because I thought that setting up DHCP on the Trendnet router took care of this service so the guest WLAN did not need access to the main router DHCP. Do I still need to grant access to the main router DHCP in this case?
Finally, when I moved the Trendnet from my home bench to the office, I checked to make sure that I changed all of the IP addresses (Local IP, Gateway, Local DNS) to match the office network. I guess it is possible that I missed one, so I will double-check when I install it again.
Posted: Tue Apr 13, 2021 8:21 Post subject:
Your main clients are getting DHCP and DNS from the primary router; that is how a WAP works. But your VAP is on its own subnet, so it must have DHCP from the WAP (it gets DHCP from DNSMasq).
Thanks - this confirms what I thought about DHCP. As mentioned, I set up DHCP for the VAP through DNSMasq and it works; devices that connect to the VAP receive IP addresses from the subnet I set up for the VAP.
The issue remains that devices connected to the VAP cannot reach the Internet when the VAP is installed in the office. At home on my bench, devices connected to the VAP can access the Internet; this is why I am thinking that the issue may be with the DNS set-up. My theory is that the two iptables commands I entered that allow the VAP to access the main router's DNS may not work in the office due to how the office's main router is set up. Similar to DHCP, I think I need to allow the VAP to get DNS service from DNSMasq. I will try this and report back.
Also, I still have the issue with the VAP being able to access the Trendnet router's GUI. The iptables command I used from the Wiki that is supposed to block the VAP from accessing it appears to break the VAP's Internet access. Any ideas on this one?
I had a chance to work on the router at the office today.
First, I removed the two iptables commands from the firewall that are supposed to allow the VAP to access DNS on the router, rebooted the router and tested the VAP. Unfortunately, I was still unable to access the Internet on devices connected to the VAP.
Next, I checked the firewall rules on the main router running pfSense. The rules allow the main subnet of the Trendnet router to access the DNS port (53) but blocked the DNS port to all other subnets. After I changed the rule to allow all subnets to access the DNS port, I was able to access the Internet on the VAP.
I am still a bit confused as to how all of the rules (DNSMasq, Trendnet firewall, main router firewall) work together, but at least I have solved the Internet access issue for the guest network. I would love for someone to help me better understand how the rules work together.
I still have the issue with the guest network being able to access the Trendnet router's GUI. After I fixed the Internet issue, I re-entered the iptables command to restrict br1 from accessing the router's local sockets and I lost Internet access again. I do not understand the iptables command well enough to know why this happens. Rather than use that command, is there a way for me to block the VAP from accessing the router's IP address?
1. Since I removed the pfSense firewall DNS blocking rule and opened up the main router’s DNS port to all subnets, I figured that I no longer needed the DNSMasq entry (“dhcp-option=br1,6,8.8.8.8,8.8.4.4”) to provide DNS service. I removed the entry and rebooted the router, and the VAP still had Internet access.
2. I did a little iptables research on the Internet and found a command that blocked access to a specific IP address. I modified it to block the VAP’s bridge (br1) from accessing the Trendnet router’s IP address to stop devices connected to the VAP from accessing the GUI; here is the command: “iptables -I INPUT -i br1 -d XXX.XXX.XXX.XXX -j DROP” where XXX.XXX.XXX.XXX is the router’s IP address. There is probably a more elegant way to do this, but this command worked so I am leaving it for now. I still do not know why the command that the Wiki suggested (“iptables -I INPUT -i br1 -m state --state NEW -j DROP”) did not work for me.
3. I do not want to leave the main router’s DNS port wide open, so I did some research on the Internet and found a pfSense article that details how to route all DNS requests to the main router so they are resolved locally (https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html). I have not had a chance to try this yet, but if it does not work I will leave the port open until I find another way to secure it.
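A toy first-match model of the INPUT rules from the first post and from item 2 above, added here as an example (it is not the poster's or DD-WRT's code). It assumes the guest bridge br1 is 192.168.20.0/24 with the router at 192.168.20.1 and an ACCEPT chain policy, and shows which constructed guest packets each rule set drops, including why each `-I` lands at the top of the chain.

```python
"""Toy first-match model of the thread's iptables INPUT rules for br1.

Added example, not the poster's or DD-WRT's code. Assumptions: the guest
bridge br1 is 192.168.20.0/24, the router's br1 address is 192.168.20.1,
and the chain policy is ACCEPT for anything no rule matches.
"""

ROUTER_IP = "192.168.20.1"  # assumed guest-side router address

def matches(rule, pkt):
    # A rule matches when every field it specifies equals the packet's field.
    return all(pkt.get(k) == v for k, v in rule["match"].items())

def verdict(chain, pkt):
    """First matching rule wins, as in netfilter; otherwise the policy applies."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return "ACCEPT"  # assumed chain policy

def build_chain(rules_as_entered):
    """Model `iptables -I INPUT ...`: each later rule is inserted at the top."""
    chain = []
    for rule in rules_as_entered:
        chain.insert(0, rule)
    return chain

# Rules in the order the first post entered them (the wiki recipe).
WIKI_RULES = build_chain([
    {"match": {"iif": "br1", "state": "NEW"}, "target": "DROP"},
    {"match": {"iif": "br1", "proto": "udp", "dport": 53}, "target": "ACCEPT"},
    {"match": {"iif": "br1", "proto": "tcp", "dport": 53}, "target": "ACCEPT"},
])
# The rule from item 2: drop only traffic addressed to the router's own IP.
IP_RULES = build_chain([
    {"match": {"iif": "br1", "dst": ROUTER_IP}, "target": "DROP"},
])
# Wiki rules plus an explicit DHCP (udp/67) allow ahead of the DROP.
HARDENED_RULES = build_chain([
    {"match": {"iif": "br1", "state": "NEW"}, "target": "DROP"},
    {"match": {"iif": "br1", "proto": "udp", "dport": 67}, "target": "ACCEPT"},
    {"match": {"iif": "br1", "proto": "udp", "dport": 53}, "target": "ACCEPT"},
    {"match": {"iif": "br1", "proto": "tcp", "dport": 53}, "target": "ACCEPT"},
])

# Constructed sample packets arriving on br1 (all new connections).
DHCP_DISCOVER = {"iif": "br1", "proto": "udp", "dport": 67, "dst": "255.255.255.255", "state": "NEW"}
DNS_QUERY = {"iif": "br1", "proto": "udp", "dport": 53, "dst": ROUTER_IP, "state": "NEW"}
GUI_HTTP = {"iif": "br1", "proto": "tcp", "dport": 80, "dst": ROUTER_IP, "state": "NEW"}

def report(chain):
    """Verdict for each sample packet, e.g. {'dhcp': 'DROP', 'dns': 'ACCEPT', 'gui': 'DROP'}."""
    return {name: verdict(chain, pkt) for name, pkt in
            [("dhcp", DHCP_DISCOVER), ("dns", DNS_QUERY), ("gui", GUI_HTTP)]}
```

The wiki set drops the guest's broadcast DHCP request along with the GUI, while the `-d ROUTER_IP` rule lets DHCP through (its destination is the broadcast address, not the router) but also drops DNS queries aimed at the router itself, so it only works when guest clients are handed a different resolver.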