one way to iot vap

wystewart
DD-WRT Novice


Joined: 21 Mar 2015
Posts: 2

Posted: Mon Sep 05, 2022 4:11    Post subject: one way to iot vap
I have an R7000 configured as an access point (WAN disabled, external router providing DHCP). I have two wireless networks, wl0 (2.4G) and wl1 (5G), which get IP addresses from the main LAN, 192.168.1.x.

I have configured two virtual networks, wl0.1 (guest) and wl0.2 for IoT devices, that I want to have internet access but be isolated from the main LAN. That isolation works fine with the config below (except that I have to add some rules to block access to dd-wrt at some point). Both networks can't access 192.168.1.x and do have internet access.

But I want to have one-way access from the main LAN 192.168.1.x to wl0.2 (192.168.4.x) to be able to stream camera streams locally to Home Assistant and eventually a Frigate server on the main LAN.

I've tried various combinations such as
iptables -I FORWARD -s `nvram get lan_ipaddr`/`nvram get lan_netmask` -o wl0.2 -m state --state NEW -j ACCEPT (or just -j ACCEPT)
adding a bridge br1, connecting wl0.2 to that and then
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j ACCEPT (or just -j ACCEPT)


I just can't seem to get it to work. Not sure what I could do differently to make the one-way access work. With what I've tried, access from the main LAN 192.168.1.x to the 192.168.4.x net is blocked. Suggestions please? Any help would be really appreciated.


Config:
Build: 48425

dnsmasq
Quote:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.3.1
dhcp-range=wl0.1,192.168.3.10,192.168.3.100,255.255.255.0,12h
interface=wl0.2
dhcp-option=wl0.2,3,192.168.4.1
dhcp-range=wl0.2,192.168.4.10,192.168.4.100,255.255.255.0,12h


firewall
Quote:
iptables -I FORWARD -i wl0.1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -I FORWARD -i wl0.2 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`


Last edited by wystewart on Mon Sep 05, 2022 12:23; edited 1 time in total
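One way to lay out the rules the post above is after, as an added example rather than code from the thread or from DD-WRT: a firewall script that keeps both VAPs off the main LAN, opens the LAN towards wl0.2 in one direction only, and also covers the "block access to dd-wrt" part the post defers (DHCP and DNS stay open, everything else from the VAPs to the router is dropped). It uses the interface names and the 192.168.4.x IoT subnet from the post; the 192.168.1.0/24 LAN value is a constructed default so the script runs off the router, and the function names and the --apply switch are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): one-way LAN -> IoT VAP rules
# for a DD-WRT WAP. Interface names and the IoT subnet follow the first post;
# LAN_NET is a constructed default, on the router take it from nvram instead.

LAN_IF=br0
GUEST_IF=wl0.1
IOT_IF=wl0.2
# On the router: LAN_NET="$(nvram get lan_ipaddr)/$(nvram get lan_netmask)"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the FORWARD commands in the order they must be RUN. Every rule uses
# -I (insert at the head of the chain), so the last command run becomes the
# first rule evaluated. Read bottom-up for the evaluation order:
#   1. RELATED,ESTABLISHED -> ACCEPT  (replies for every allowed flow)
#   2. br0 -> wl0.2 NEW    -> ACCEPT  (the one-way access)
#   3. wl0.x -> LAN NEW    -> DROP    (isolation, as in the post)
fw_forward_rules() {
  cat <<EOF
iptables -I FORWARD -i $GUEST_IF -d $LAN_NET -m state --state NEW -j DROP
iptables -I FORWARD -i $IOT_IF -d $LAN_NET -m state --state NEW -j DROP
iptables -I FORWARD -i $LAN_IF -o $IOT_IF -m state --state NEW -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Keep VAP clients off the router's own services (web UI, ssh, telnet), but
# leave DHCP (udp 67) and DNS (53) open or the VAPs lose connectivity.
# Same -I ordering trick: the DROP is run first so it ends up evaluated last.
fw_input_rules() {
  for vap in $GUEST_IF $IOT_IF; do
    cat <<EOF
iptables -I INPUT -i $vap -m state --state NEW -j DROP
iptables -I INPUT -i $vap -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $vap -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $vap -p tcp --dport 53 -j ACCEPT
EOF
  done
}

# Show a list of -I commands in the order netfilter will evaluate them
# (the reverse of the run order).
eval_order() {
  awk '{ l[NR] = $0 } END { for (i = NR; i > 0; i--) print l[i] }'
}

# Apply only when asked and when iptables exists (i.e. on the router);
# otherwise just print the resulting chain order for review.
if [ "${1:-}" = "--apply" ] && command -v iptables >/dev/null 2>&1; then
  { fw_forward_rules; fw_input_rules; } | sh
else
  echo "# FORWARD, evaluation order:"; fw_forward_rules | eval_order
  echo "# INPUT, evaluation order:";   fw_input_rules | eval_order
fi
```

Two things to check before blaming the firewall. Because every rule is inserted with -I, the commands are written in run order and the chain ends up reversed, which is what the script prints; the next reply's advice to add the RELATED,ESTABLISHED rule last in the firewall script is the same point. And the main-LAN hosts get their default gateway from the external router, not from the R7000, so a packet for 192.168.4.x only reaches this FORWARD chain if the sending host or the external router has a route for 192.168.4.0/24 via the R7000's LAN address; without that route the ACCEPT rule in the post never sees a packet. The POSTROUTING SNAT in the post's config rewrites VAP traffic leaving on br0 to the AP's own address, so on the main LAN every guest and IoT flow appears to come from the R7000; LAN to wl0.2 traffic is not rewritten, so a camera sees the real Home Assistant address.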
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12812
Location: Netherlands

Posted: Mon Sep 05, 2022 7:56    Post subject:
I attached my notes for basic setup of a VAP on a WAP, see that paragraph.

But your basic setup looks OK.

Try to add this rule to the WAP; add it as the last rule, below the other rules you have made:
Code:
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT


I have no WAP running at this moment so cannot test, and I am travelling, so this is the best I can do.
But I am sure someone will chime in to give the correct solution :)


P.S. You forgot to mention the build number you are running; there have been some safety issues, so you had better run a recent build (latest is 50057), although with a WAP which is isolated from the internet you have less to fear :)

_________________
Routers: Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3, XR300: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read): https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Sun Oct 30, 2022 7:06; edited 1 time in total
wystewart
DD-WRT Novice


Joined: 21 Mar 2015
Posts: 2

Posted: Tue Sep 06, 2022 2:15    Post subject:
Thanks so much for the guide and the suggestion. Unfortunately it did not work. Still cannot access the 192.168.4.x net from 192.168.1.x. I also upgraded to 50057 at the same time.
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

Posted: Mon Sep 19, 2022 23:40    Post subject: Unable to isolate VAP guest wifi networks from private LAN
Hi - I followed your attached guide @egc - thank you for posting this. Here is my setup:

Netgear R7000 (x2)

Main R7000 (private LAN 192.168.100.1/32) --> port 1 ethernet <> port 4 ethernet on second R7000.

Second R7000 (static LAN IP assigned --> 192.168.100.5) with Gateway IP 192.168.100.1 and DNS of private DNS server (dnsproxy) running on 192.168.100.1.

Both R7000 have 2 VAPs (unbridged) and 1 bridged Wifi network as follows:
VAP 1 - 192.168.1.1/24 - wl0.1
VAP 2 - 172.16.1.1/24 - wl1.1
Bridged Wifi (internal) - 192.168.100.x/32


*Main R7000 router firmware version (r47206 - old yes, but reluctant to update until I can figure out how to secure VAP access to my private LAN and also have NAT port forwarding work with switched LAN devices connected on second R7000 router here)

*Second R7000 (WAP) router firmware - r49976

I verified configuration steps for both routers wifi/VAPs using the guide @egc attached in this thread
- no issues following the steps and am getting assigned IPs and able to access the internet from VAP guest networks whether associated at the main router AP or secondary R7000.


ISSUE: When connected to the secondary R7000 VAP wifi guest networks (both 192.168.1.XXX or 172.16.1.XXX), I am still able to access systems on the LAN (192.168.100.XXX) as well as the primary router's Admin UI at 192.168.100.1:443.

I am NOT able to log in, though, to the secondary router's Admin UI (I get a 401 access error which seems to be a new custom error page from recent ddwrt builds). I believe I get this page because in both VAPs I have disabled the option 'Web UI Access'.

WHAT STILL WORKS: When associated with the primary router's VAPs (identical VAP configuration so that I can roam between the 2 routers), my access to the private LAN IP address space IS BLOCKED (I get a timeout in my browser when trying to connect to 192.168.100.1, for example). GOOD/WORKING.

I have enabled/disabled Net Isolation for both VAPs on the secondary router to match the primary router and as @egc's guide suggests, this option doesn't seem to do anything.

However, when adding the following iptables rules to the secondary router (command line to test rather than through the Web UI) as soon as I add the following:
iptables -I INPUT -i wl0.1 -m state --state NEW -j REJECT
iptables -I INPUT -i wl1.1 -m state --state NEW -j REJECT

output of iptables -L after adding these rules (above):

Chain INPUT (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere state NEW reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere state NEW reject-with icmp-port-unreachable


I lose internet access when connected to the secondary router VAPs, which is not what I want. I thought the point of these rules was to block access to the private LAN that the secondary router was connected to (192.168.100.1)? It doesn't appear that passing the interface name (-i) in this iptables command is interpreted to be specific to that interface (at least according to that iptables -L output above).

Further, to ensure I was using the correct interface names in the iptables commands, this is what the interface names are in the second router's nvram (nvram show | grep ifname):
>>>
wl0_ifname=eth1
NC_extifname=auto
wl1_ifname=eth2
wan_ifname2=
pppd_pppifname=
wl0.1_ifname=wl0.1
wl1.1_ifname=wl1.1

lan_ifnames=vlan1 vlan2 eth1 eth2
pppoe_ifname=
wan_ifnames=
lan_ifname=br0
wl_ifname=
wan_ifname=
>>>


Is network isolation/blocking access to the private LAN for a connected WAP not possible (still)?

NOTE: After resetting the iptables in the second R7000 router, I added this rule back in to get internet access restored:

iptables -t nat -I POSTROUTING -o br0 -j SNAT --to 192.168.100.5


Thank you - please let me know if additional information is needed or if this is still a known issue (unable to block VAP networks from the private LAN).

For reference, here are the only 2 rules (custom) in the primary R7000 router Firewall (192.168.100.1):
iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`

Doing a compare between the primary and secondary router iptables, there appear to be a lot more (internal, not configured from the Admin UI) rules. Maybe this is why the primary router's VAP network isolation functionality is working and the secondary router's 'Net isolation' is not for my VAPs; maybe these rules got taken out in more recent builds of ddwrt?

Could this behavior be caused by the fact that I 'Disable' the WAN port in the Basic Setup page of the Admin UI in the secondary R7000 WAP?

J
jacdc
DD-WRT Novice


Joined: 19 May 2021
Posts: 37

Posted: Tue Sep 20, 2022 17:11    Post subject: Re: Unable to isolate VAP guest wifi networks from private L
jacdc wrote:
[the preceding post, quoted in full; duplicate omitted here]

Just an update on this - found the following thread here:
https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=326565&sid=34df0028902f21d4b2def1f498ed4ef6


and added the following iptables rules in my secondary router (192.168.100.5):
#allow DNS lookup for all clients
iptables -I INPUT -i br0 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br0 -p tcp --dport 53 -j ACCEPT
#Block access to LAN (192.168.100.xxx) for all guest wifi clients
iptables -A FORWARD -o br0 -d 192.168.100.0/24 -j DROP

I confirmed that my bridged wifi on this router is still working too: I can access the internal LAN, browse the web, access the admin UI etc. I am still able to connect to the secondary router's IP, but that access gets blocked by the "Web UI Access" feature in ddwrt (good).

This appears to be a working solution, so it might make sense to add it to your guide @egc? 'Net Isolation' has no apparent effect at all, at least for this primary/secondary WAP setup.

Will update here if I run into any issues with the guest wifi etc., but for now it seems like a good solution :)

J
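As an added example (not code from the thread or from DD-WRT), a small audit for the two things jacdc's two posts ran into: the INPUT REJECT that cut the VAP clients off, because DNS and DHCP requests to the WAP were rejected along with everything else, and the FORWARD DROP towards 192.168.100.0/24 that finally gave the isolation. It reads `iptables-save` output, which shows the -i/-o interface matches that plain `iptables -L` leaves out, and checks that the FORWARD chain drops traffic to the private LAN and that any INPUT reject for a VAP interface is preceded by ACCEPTs for udp/tcp 53 and udp 67. The two rulesets embedded in it are constructed for the example, and the function names are its own.

```shell
#!/bin/sh
# Added example, not code from the thread or from DD-WRT: audit a WAP ruleset
# (iptables-save format on stdin) for the two problems seen in the posts:
#   1. FORWARD must DROP/REJECT traffic destined for the private LAN;
#   2. if INPUT rejects new connections from a VAP interface, ACCEPTs for
#      DNS (udp/tcp 53) and DHCP (udp 67) on that interface must come first,
#      otherwise VAP clients lose name resolution and leases.
# The two sample rulesets below are constructed for this example.

LAN_NET=192.168.100.0/24

# Rules of one chain, in evaluation order, from an iptables-save dump.
chain_rules() {   # $1 = chain name
  awk -v c="$1" '$1 == "-A" && $2 == c'
}

# Check 1: returns 0 when some FORWARD rule drops or rejects traffic to $1.
audit_forward_isolation() {   # $1 = LAN subnet
  chain_rules FORWARD | grep -qE -- "-d $1 .*-j (DROP|REJECT)"
}

# Check 2: returns 0 when interface $1 is either never rejected in INPUT,
# or its DNS and DHCP ACCEPTs precede the first DROP/REJECT for it.
audit_input_services() {   # $1 = VAP interface
  chain_rules INPUT | awk -v ifc="$1" '
    index($0, " -i " ifc " ") == 0 { next }
    /-j (DROP|REJECT)/ { blocked = 1; next }
    /-j ACCEPT/ && /--dport 53 / && !blocked { dns = 1 }
    /-j ACCEPT/ && /--dport 67 / && !blocked { dhcp = 1 }
    END { exit (blocked && !(dns && dhcp)) }'
}

# Run both checks on a dump from stdin; prints one line per check and
# returns the number of failed checks (0 = ruleset passes).
audit_dump() {   # $1 = VAP interface
  dump=$(cat); fails=0
  if printf '%s\n' "$dump" | audit_forward_isolation "$LAN_NET"; then
    echo "ok:   FORWARD drops traffic to $LAN_NET"
  else
    echo "FAIL: no FORWARD DROP/REJECT for $LAN_NET"; fails=$((fails + 1))
  fi
  if printf '%s\n' "$dump" | audit_input_services "$1"; then
    echo "ok:   INPUT on $1 accepts DNS/DHCP before any reject"
  else
    echo "FAIL: INPUT on $1 rejects new connections without DNS/DHCP accepted first"
    fails=$((fails + 1))
  fi
  return $fails
}

# Constructed: the final FORWARD drop plus DNS/DHCP accepts ahead of a reject.
sample_good() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i wl0.1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i wl0.1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i wl0.1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i wl0.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.100.0/24 -o br0 -j DROP
COMMIT
EOF
}

# Constructed: the first attempt, reject inserted ahead of DNS, no FORWARD drop.
sample_bad() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i wl0.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i wl0.1 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# On the WAP: iptables-save | audit_dump wl0.1   (and again for wl1.1)
echo "== constructed good ruleset"; sample_good | audit_dump wl0.1
echo "== constructed bad ruleset";  sample_bad  | audit_dump wl0.1 || true
```

The FORWARD DROP alone only stops forwarding; VAP clients can still reach services the WAP itself listens on, which the post relies on the "Web UI Access" setting to cover, so the INPUT check matters even when the forward rule passes. `iptables -L -v -n --line-numbers` is the other way to see the interface columns that are missing from the `iptables -L` output in the post.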