Guest LAN and Wifi don't have internet access

InfoCGagn
DD-WRT Novice


Joined: 15 Jul 2021
Posts: 34

Posted: Thu Jul 15, 2021 6:13    Post subject: Guest LAN and Wifi don't have internet access
Hi! I need help to recreate this but with DD-WRT:
https://zedt.eu/tech/hardware/setting-up-guest-wireless-access-on-tomato/

It worked very well on a D-Link DIR-865L running Tomato; unfortunately the router died recently, so now I have a Netgear R6250 with DD-WRT (latest version) to replace it.

My main router IP is 192.168.0.1, IP range is 192.168.0.10 to 192.168.0.254 (it is a Bell Home Hub 3000 router, very restricted, very poor and basic functions on it).

My DD-WRT access point/router IP is 192.168.0.2/24. WAN Connection Type and DHCP Server are disabled. The WAN port is assigned to VLAN1, so it is a fifth LAN port, but it is unused. VLAN2 is where the WAN port is checked; it is unused. VLAN3 is where LAN ports 1 and 2 are checked; it is my guest network, bridged to BR1. VLAN1 is where LAN ports 3 and 4 are checked; it is my main network, bridged to BR0. Nothing is in VLAN0; it is unused. WL0 and WL1 are bridged to BR0, WL0.1 and WL1.1 are bridged to BR1... My PC is connected to LAN port 4 and the main router to LAN port 3, just like an access point. Tell me if something is missing.

I tried this saved as firewall:
https://wiki.dd-wrt.com/wiki/index.php/Guest_Network

iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j REJECT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

It did nothing, then I added this in Additional Dnsmasq Options:
interface=br1
dhcp-option=br1,3,192.168.1.1
dhcp-range=br1,192.168.1.10,192.168.1.254,255.255.255.0,24h

But still nothing, no internet access in guest network.

First I also tried the same Firewall rules as for the tomato access point but it failed as well:
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I FORWARD -i br1 -m iprange --dst-range 192.168.0.3-192.168.0.250 -j REJECT
iptables -I INPUT -i br0 -p tcp --dport 67:68 --sport 67:68 -j REJECT
iptables -I INPUT -i br0 -p udp --dport 67:68 --sport 67:68 -j REJECT

I think at this point I need to find the right firewall rules or something like this...

Thanks!



egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Thu Jul 15, 2021 7:37
Do you have access from br0? Is it only from br1 you do not have access?

If setup correctly you should have access by default, only this rule should be necessary:
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


Reboot the router and from one of the clients connected to br1 see if you can ping the WAP, main router and internet (ping 8.8.8.8)

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Thu Jul 15, 2021 12:22
Did you set up "multiple dhcp" in networking tab for br1? If you're setting the R6250 up as a WAP with guest wi-fi, most everything you should need to do is in the webUI. Are you sure you're not supposed to be specifying the upstream router as gateway?
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
InfoCGagn
DD-WRT Novice


Joined: 15 Jul 2021
Posts: 34

Posted: Thu Jul 15, 2021 18:39
Wow, you replied so fast, thank you!

Yes, I have internet access on br0; it works perfectly, just like an access point, so I have hope for DD-WRT. I don't want to give up on DD-WRT.

Now I changed my Firewall rules to:

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

I rebooted the router and tried to ping many things but nothing happens.

Under multiple DHCP I re-added br0 and disabled DHCP on it. Then I noticed that the IP address of br1 was 0.0.0.0/24. It seemed weird to me, so I specified 192.168.1.1/24 under the br1 network interface, and now it says 192.168.1.1/24 instead of 0.0.0.0/24, so now it makes more sense, but still no internet access on br1.

I'm not sure what this means and how I can do this:
"Are you sure you're not supposed to be specifying the upstream router as gateway?"

What is the difference between these two firewall rules:

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

and

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

I also noticed something: when I connect my PC via LAN port 1 or 2 (br1 guest network), my PC doesn't automatically get an IP address in the 192.168.1.10/24 range, so it seems like the DHCP server on br1 is not working for some reason I don't know, so I just used a static IP address, 192.168.1.17, to ping things, but still nothing.

Thanks!
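
The two SNAT lines compared in the post above differ only in command-substitution syntax. As an added example (not part of the original posts), this script expands both forms with a stand-in `nvram` function and also builds the wiki's isolation rule against the guest bridge rather than `wl0.1`. The `nvram` stub, its values (taken from the addresses given in the thread) and the helper function names are assumptions made so it runs off-router.

```shell
#!/bin/sh
# Stand-in for DD-WRT's nvram command so this runs off-router (assumption).
# Values are constructed from the addresses given in the thread.
nvram() {
    case "$2" in
        lan_ipaddr)  echo 192.168.0.2 ;;
        lan_netmask) echo 255.255.255.0 ;;
    esac
}

# SNAT rule written with backticks, as in the wiki version.
snat_backticks() {
    echo "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`"
}

# Same rule written with $( ), as in egc's reply.
snat_dollar_paren() {
    echo "iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)"
}

# Isolation rule keyed on the guest bridge ($1, e.g. br1) instead of wl0.1.
guest_isolation_rule() {
    echo "iptables -I FORWARD -i $1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT"
}

# Read rules on stdin and print every -i interface that is not a bridge.
# Once wl0.1 is a member of br1, iptables sees br1 as the input interface,
# so a rule matching "-i wl0.1" never fires.
non_bridge_inputs() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i == "-i" && $(i+1) !~ /^br[0-9]+$/) print $(i+1) }'
}

# Demo: both substitution forms expand to the same text.
snat_backticks
snat_dollar_paren
guest_isolation_rule br1
# Constructed input: the wiki rule with the nvram values already expanded.
echo "iptables -I FORWARD -i wl0.1 -d 192.168.0.2/255.255.255.0 -m state --state NEW -j REJECT" | non_bridge_inputs
```

On the router itself the stub is dropped and the real `nvram` supplies the values; the last command is a way to audit a saved firewall script for rules that name a bridge member.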





kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Thu Jul 15, 2021 19:02
You don't need br0 under multiple dhcp servers. It is the default listening interface, and you have the dhcp server disabled on the main setup tab. You are being redundant. All you should have to add is br1 with the proper information. And I was asking if option 3 under additional dhcp options should be the same address as your gateway specified on the main setup tab... and why are we worried about br0 in the firewall rules and not br1?
InfoCGagn
DD-WRT Novice


Joined: 15 Jul 2021
Posts: 34

Posted: Thu Jul 15, 2021 19:59
Thank you, you're right. I removed br0 from Multiple DHCP Server; only br1 is left.

br1 must have internet and be isolated from br0 because I connect untrusted computers on br1. These are often full of malware and viruses of all kinds and I don't want my computers on br0 being infected by those. Also, my printers on br0 will automatically install on any connected computers since they can detect my devices on my main network unless I disable it in Windows 10 every time... I set this up as an access point because I want all my computers to be on the same network, same subnet, same SSIDs etc., because I use TightVNC vncviewer and many Windows SMB shares on several computers that I sync with FreeFileSync across the same network.

It worked on an old unsupported router running an old version of Tomato by shibby 1.28, so I'm pretty sure it can work on it too somehow.

Sorry, but "option 3 under additional dhcp options" in which tab? In the Service tab, under DHCP Server, is it Additional DHCPd Options, or Forced DNS Redirection under Network Configuration br1 in the Networking tab?





InfoCGagn
DD-WRT Novice


Joined: 15 Jul 2021
Posts: 34

Posted: Fri Jul 16, 2021 5:45
I gave up on DD-WRT for now and switched back to Tomato by shibby, and it works again just like on my old router. The latest build is from 2017 but it works!

That's unfortunate; I had much higher expectations with DD-WRT, but I hope someday I will find a guide like this one but for DD-WRT:

https://zedt.eu/tech/hardware/setting-up-guest-wireless-access-on-tomato/

Thanks for your help anyway.
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Fri Jul 16, 2021 13:44
Additional DNSMasq options where you input option 3 on the Services tab... you cannot even follow your own steps. If you're going to tap out, at least use FreshTomato since it's still being developed. Sorry if the DD-WRT webUI and configuration process is not intuitive to you (or 100% identical to Tomato).
Quote:
It did nothing then I added this in Additional Dnsmasq Options:
interface=br1
dhcp-option=br1,3,192.168.1.1
dhcp-range=br1,192.168.1.10,192.168.1.254,255.255.255.0,24h

InfoCGagn
DD-WRT Novice


Joined: 15 Jul 2021
Posts: 34

Posted: Fri Jul 16, 2021 22:00
Please don't take it too personally. I know DD-WRT is the best router firmware out there, but I just expected it to work out of the box as easily as Tomato. It didn't work on FreshTomato either for some reason, even if it is very similar. FreshTomato still uses the same old Linux kernel and probably all the same old security patches as Tomato, so there is no use switching to FreshTomato instead.

I don't even know how DNSMasq works at all; I just copied the lines I found in a guide, then switched the IP addresses for my own IP addresses.

What do you think my Additional Dnsmasq Options should look like at this point, knowing that my guest network is br1 192.168.1.1/24, my main network is br0 192.168.0.1/24, the IP address of my DD-WRT AP is 192.168.0.2 and it is connected via LAN to my main router 192.168.0.1, which provides internet etc.?

So you think I should replace 192.168.1.1 with 192.168.0.1 (uplink Bell Home Hub 3000 router) at option 3?

There are so many easy step-by-step guides and videos on how to set up a guest network on a DD-WRT router working as a main router with DHCP enabled, but basically none for DD-WRT routers working as an access point with DHCP disabled. So with all your knowledge, could you make one please? Because I just browsed the website and I'm definitely not alone with this issue. I think it may help a lot of people actually. If you find one like this one but for DD-WRT, please let me know:
https://zedt.eu/tech/hardware/setting-up-guest-wireless-access-on-tomato/

Thanks!
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Sat Jul 17, 2021 1:27
This is not on a Broadcom, but may get you sorted. This post is 6 years old, not sure if it will work, and it's on a TL-WR1043ND*.

https://stackoverflow.com/questions/31391724/dd-wrt-virtualap-with-guest-and-private-wifi-access-on-2nd-router

You should've been able to do things fairly straightforward according to the wiki. I may find the mood and time to take one of my Broadcom routers out of service and look into this. We try to maintain the wikis with correct information as best we can.

InfoCGagn
DD-WRT Novice


Joined: 15 Jul 2021
Posts: 34

Posted: Sat Jul 17, 2021 10:40
Thank you, I just did everything from these links:
https://stackoverflow.com/questions/31391724/dd-wrt-virtualap-with-guest-and-private-wifi-access-on-2nd-router
https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point

I'm so close now. I got a different result than my last attempts: the guest network's DHCP works! When I connect my PC via guest LAN port 1 or 2, my PC automatically gets an IP address in the guest network's subnet! But still no internet.

When I check all my settings in the access point, everything seems fine and makes sense. I really don't know what is missing at this point.

However, I noticed something: when my PC is connected to the guest network, I see that gateway and DNS are 192.168.2.1, so how is it supposed to get internet if gateway and DNS are not 192.168.1.1 (my main router IP address)?

*Yes, I just changed all my IP addresses so everything is the same as in the links.





kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14102
Location: Texas, USA

Posted: Sat Jul 17, 2021 14:41
DNSMasq by default hands out the router's IP address as dns and gateway; this is known behavior. There is a wiki on using dnsmasq as dhcp server, but there is some old information in there that no longer applies.