DDWRT guest network

mafkikker
DD-WRT Novice


Joined: 08 Nov 2021
Posts: 12

PostPosted: Mon Nov 08, 2021 12:50    Post subject: DDWRT guest network Reply with quote
Hello,

I have a DDWRT firmware based Linksys E3000 with LAN connected to my modem from my provider. The version I use is "Firmware: DD-WRT v3.0-r47608 mega (10/28/21)".
Config of the DDWRT router is as follows:
- two wireless networks in bridged mode
- dhcp is disabled
- wan port is connected to the internetmodem by cable
- operation mode is Router
I followed this https://wiki.dd-wrt.com/wiki/index.php/Wireless_Access_Point during the installation

Now I want to create a guest network on the DDWRT router so that the guests connected to the guest network cannot access my devices on my private LAN.
I've tried https://wiki.dd-wrt.com/wiki/index.php/Guest_WiFi_+_abuse_control_for_beginners, https://wiki.dd-wrt.com/wiki/index.php/Guest_Network and https://support.flashrouters.com/setup-guides/advanced-wireless-setup/wireless-guest-network-setup-bridged-advanced/ but they don't work for me.
I get messages like "cannot get ip-address" or "cannot connect to the network" on my client.

Does anyone have a solution on how to set up a guest network so that network traffic is separated?
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10788
Location: Netherlands

PostPosted: Mon Nov 08, 2021 13:20    Post subject: Reply with quote
So actually you have set up the router as a WAP:
https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point
(I always leave the router in gateway mode but that does not matter in this case)

I am not sure if there are mega K2.6 builds but if that is what you are using then I recommend to use a K3 build:
https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/11-05-2021-r47618/broadcom_K3X/

See the following thread post 7 and 10:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1248905#1248905

Especially take note of VAP on a WAP in the attached document of post 7

Hope that helps :)

_________________
Routers:Netgear R7800, R7000, R6400v1, R6400v2, Linksys EA8500, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
mafkikker
DD-WRT Novice


Joined: 08 Nov 2021
Posts: 12

PostPosted: Mon Nov 08, 2021 13:35    Post subject: Reply with quote
egc wrote:

I am not sure if there are mega K2.6 builds but if that is what you are using then I recommend to use a K3 build:
https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/11-05-2021-r47618/broadcom_K3X/
Hope that helps Smile


Thank you for your answer.. is "DD-WRT v3.0-r47608 mega (10/28/21" not the mega 3 build for my router from 01/28/2021 ?

I will try the mentioned posts and then report the results back here :).
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10788
Location: Netherlands

PostPosted: Mon Nov 08, 2021 13:48    Post subject: Reply with quote
mafkikker wrote:
egc wrote:

I am not sure if there are mega K2.6 builds but if that is what you are using then I recommend to use a K3 build:
https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2021/11-05-2021-r47618/broadcom_K3X/
Hope that helps Smile


Thank you for your answer.. is "DD-WRT v3.0-r47608 mega (10/28/21" not the mega 3 build for my router from 01/28/2021 ?

I will try the mentioned posts and then report the results back here Smile.


In the upper right hand corner of the GUI you can see the used kernel. The K3X builds are actually using Kernel 4.4 (for most routers), so that should be listed for you.
If it shows K2.6 then get the K3X build.

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 13112
Location: Texas, USA

PostPosted: Mon Nov 08, 2021 15:58    Post subject: Reply with quote
That info will be on the main router status page. I don't think the linked information in the upper right corner for firmware revision will show that in the popup?
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
At some point, people just get plain tired of this place.
Because they are tired of bottom-feeders and the same old hat.

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
mafkikker
DD-WRT Novice


Joined: 08 Nov 2021
Posts: 12

PostPosted: Mon Nov 08, 2021 16:02    Post subject: Reply with quote
I followed the directions from the word document section "Separate (unbridged) VAP".
I disabled network isolation because that does not work.
Added dhcp to wl0.1.

Then followed these instructions :
VAP on WAP
If you place the unbridged VAP on a wireless access point (a secondary router with a disabled WAN, no DHCP and on the same subnet as the primary router) then you have to add the following rule to the firewall in order to get internet access from the VAP.
In the web-interface of the router: Administration/Commands save Firewall:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
Net Isolation does not work on a WAP so just keep it disabled and add the following line to the firewall:
iptables -I FORWARD -i wl0.1 -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

For isolating the WAP itself from the guest network:
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
(note: not all firmwares have the multiport directive)

Reboot the router.
Tried Setup/commands/run command to try this out.
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas; logger "VAP workaround executed";

Client cannot get an IP address.
mafkikker
DD-WRT Novice


Joined: 08 Nov 2021
Posts: 12

PostPosted: Tue Nov 09, 2021 14:06    Post subject: Reply with quote
Here are the settings from my VAP for the guest network.
Can someone explain why under status/lan the dhcp range shown is from 192.168.1.100 to 192.168.1.149 and not from 192.168.20.100 to 192.168.20.149 ?

My clients don't get IP addresses when connecting to the VAP guest network.

[Attachments: ddwrt-GuestNetwork_DHCPD_scope.JPG, ddwrt-GuestNetwork_DHCPD.JPG, ddwrt-GuestNetworkIP.JPG]
bushant
DD-WRT Guru


Joined: 18 Nov 2015
Posts: 1845
Location: WCentral Indiana USA

PostPosted: Tue Nov 09, 2021 15:21    Post subject: Reply with quote
mafkikker wrote:
Tried Setup/commands/run command to try this out.
sleep 20; stopservice nas; wlconf eth1 down; wlconf eth2 down; wlconf eth1 up; wlconf eth2 up; startservice nas; logger "VAP workaround executed";

Client cannot get an IP address.

The GUI command box is hit or miss when it comes to running commands like this. The "sleep 20" probably defeats it.
Save as Startup
reboot

mafkikker wrote:
Can someone explain why under status/lan the dhcp range shown is from 192.168.1.100 to 192.168.1.149 and not from 192.168.20.100 to 192.168.20.149 ?

Is this not the range for your lan as defined at Setup>Basic Setup>Network Address Server Settings (DHCP)?

_________________
Forum Guide Lines (Please read!) --- How to get help the right way----Before asking for help - Read the forum guidelines AND Upgrade DD-WRT!
mafkikker
DD-WRT Novice


Joined: 08 Nov 2021
Posts: 12

PostPosted: Tue Nov 09, 2021 15:45    Post subject: Reply with quote
@bushant
bushant wrote:

The GUI command box is hit or miss when it comes to running commands like this. The "sleep 20" probably defeats it.
Save as Startup
reboot
Is this not the range for your lan as defined at Setup>Basic Setup>Network Address Server Settings (DHCP)?


DHCP server of ddwrt router is disabled (WAN port disabled, outer internet provider connected with cable). DHCP server is router internet provider.

See attachment for commands Administration/commands.

[Attachments: ddwrt-DHCP_server_disable.JPG, ddwrt-Commands.JPG]

egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 10788
Location: Netherlands

PostPosted: Tue Nov 09, 2021 16:10    Post subject: Reply with quote
Remove everything which you added to the Firewall except the nat rule

Maybe it will start to work then after a reboot and it is even possible that you do not need the VAP workaround at all (to be tested if it works)

kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 13112
Location: Texas, USA

PostPosted: Tue Nov 09, 2021 17:04    Post subject: Reply with quote
1) You have to be careful how you copy and paste into the webUI.
2) Syntax and escape characters do apply as far as the webUI functionality. What works via telnet/ssh doesn't always work via that input box, save and except for saving scripts.

mafkikker
DD-WRT Novice


Joined: 08 Nov 2021
Posts: 12

PostPosted: Tue Nov 09, 2021 19:14    Post subject: Reply with quote
egc wrote:
Remove everything which you added to the Firewall except the nat rule

Maybe it will start to work then after a reboot and it is even possible that you do not need the VAP workaround at all (to be tested if it works)

Done that ... clients still don't get an IP address.
jwh7
DD-WRT Guru


Joined: 25 Oct 2013
Posts: 2666
Location: Indy

PostPosted: Tue Nov 09, 2021 20:49    Post subject: Reply with quote
I would reset and start over using the WAP wiki (as you did) and the dnsmasq VAP setup (it's what I use for all my WAP/CM+VAP's). No dhcpd.
https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#DNSMasq_method

Note: I don't know this device's switch/cpu architecture (the WAN might be a special switch port, different switch, or on the cpu itself), but you could be limiting your speed/latency if connecting (a non-gateway) via WAN. I only use WAN ports for lower speed/importance things (doorbell cam, A/V Rx to stream Pandora, testing older 100Mb PCs, telnet/ssh admin access, etc). If you know the architecture and that it isn't an issue, then nm me. Wink

_________________
# NAT/SFE/CTF: limited speed w/ DD # Repeater issues # DD-WRT info: FAQ, Builds, Types, Modes, Changes, Demo #
OPNsense x64 5050e ITX|DD: DIR-810L, 2*EA6900@1GHz, R6300v1, RT-N66U@663, WNDR4000@533, E1500@353,
WRT54G{Lv1.1,Sv6}@250
|FreshTomato: F7D8302@532|OpenWRT: F9K1119v1, RT-ACRH13, R6220, WNDR3700v4
mafkikker
DD-WRT Novice


Joined: 08 Nov 2021
Posts: 12

PostPosted: Sat Nov 13, 2021 22:30    Post subject: Reply with quote
jwh7 wrote:
I would reset and start over using the WAP wiki (as you did) and the dnsmasq VAP setup (it's what I use for all my WAP/CM+VAP's. No dhcpd.
https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#DNSMasq_method

Note: I don't know this device's switch/cpu architecture (the WAN might be a special switch port, different switch, or on the cpu itself), but you could be limiting your speed/latency if connecting (a non-gateway) via WAN. I only use WAN ports for lower speed/importance things (doorbell cam, A/V Rx to stream Pandora, testing older 100Mb PCs, telnet/ssh admin access, etc). If you know the architecture and that it isn't an issue, then nm me. Wink


Reset the router, and created a new guest network with the dnsmasq option. No Firewall settings in administration/commands.

This is the dnsmasq entry :
interface=wl0.1
dhcp-option=wl0.1,3,192.168.10.1
dhcp-option=6,192.168.178.1,84.116.46.22,84.116.46.23
dhcp-range=wl0.1,192.168.10.100,192.168.10.200,255.255.255.0,12h

The ip-address of the vap is 192.168.10.1
The ip-address of the internet router is 192.168.178.1

Clients of guest network get an IP address but no internet.
Any suggestions?
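
A check for how the dnsmasq entry above interacts with the guest-isolation FORWARD rule quoted earlier in the thread, as an added example that is not part of any poster's message: it lists the DNS servers handed to guests via `dhcp-option=6` that lie inside the WAP's LAN subnet, which that rule rejects for new connections from wl0.1. The WAP LAN address 192.168.178.2 with netmask 255.255.255.0 is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. The isolation rule under test is
#   iptables -I FORWARD -i wl0.1 -d <lan_ipaddr>/<lan_netmask> -m state --state NEW -j REJECT
# so any DNS server advertised to guests inside that subnet becomes unreachable.

# Dotted-quad IPv4 -> integer. Call it via $(...) so the IFS change stays local.
ip2int() {
    IFS=.
    set -- $1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# in_subnet ADDR LAN_IP LAN_MASK: exit status 0 when ADDR is inside the subnet.
in_subnet() {
    a=$(ip2int "$1"); n=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( a & m )) -eq $(( n & m )) ]
}

# blocked_dns CONF LAN_IP LAN_MASK: print the advertised DNS servers
# (numeric option 6, with or without an interface tag) that fall inside the LAN.
blocked_dns() {
    out=""
    servers=$(printf '%s\n' "$1" |
        sed -n 's/^dhcp-option=\([^,]*,\)\{0,1\}6,//p' | tr ',' ' ')
    for srv in $servers; do
        if in_subnet "$srv" "$2" "$3"; then
            out="${out:+$out }$srv"
        fi
    done
    echo "$out"
}

# The dnsmasq entry as posted above.
GUEST_CONF='interface=wl0.1
dhcp-option=wl0.1,3,192.168.10.1
dhcp-option=6,192.168.178.1,84.116.46.22,84.116.46.23
dhcp-range=wl0.1,192.168.10.100,192.168.10.200,255.255.255.0,12h'

# Assumed WAP LAN address and netmask (constructed, not stated in the thread).
echo "DNS servers rejected by the isolation rule:" \
    "$(blocked_dns "$GUEST_CONF" 192.168.178.2 255.255.255.0)"
```

A resolver address on the WAP itself, such as the VAP's 192.168.10.1, is matched by the INPUT chain instead, where the quoted rule accepts UDP ports 53 and 67.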
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 13112
Location: Texas, USA

PostPosted: Sat Nov 13, 2021 23:23    Post subject: Reply with quote
Why are you passing the upstream router IP as a DNS server? Do you still have E3000 WAN connected to upstream router's LAN? This may not work, might require LAN to LAN. Do the main AP interfaces work properly? Wondering if you need to set upstream router IP as gateway (option 3)...

That "DNSMasq method" makes me wonder if the process of a WAP configuration is counter-intuitive and should be done in a specific order so that disabling the WAN is the last step.
