I have to apologize, this gateway is already behind a firewall and I forgot to activate the firewall on that router.
Now the result looks different:
Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2 847 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 dpt:68
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 10.0.11.1 tcp dpt:22
0 0 ACCEPT icmp -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 2 -- vlan2 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- vlan2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
3 116 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT udp -- br30 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
0 0 ACCEPT udp -- br30 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- br30 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
4 128 DROP all -- br30 * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT all -- br30 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- br30 * 0.0.0.0/0 0.0.0.0/0
5 615 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Not to be confused: this double NAT situation is just for testing/setting up for a different location.
_________________ VLANs, Wireguard Site to Site, OpenVPN Client, WDS
TP-Link Archer C7 V4, V5
TP-Link Archer A7 V5
TP-Link WR1043 V4
Unifi UAP-AC-M
How to isolate on a WAP is also discussed in my notes; in that case you have to manually set the iptables rules.
Hello again.
So I read your document in the chapter "VAP on WAP".
Private WiFi is working without any issues.
On the VAP for the guest network I again have troubles.
The VAP is bridged to br50.
I added the following firewall rule as mentioned in your document:
Code:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
I can ping www.google.com but I am not able to browse to any page on the internet in my browser; there seems to be an issue with the DNS.
If I set my br50 to "Force DNS Redirection" to 8.8.8.8 I get the ping from google.com and can browse any page in my browser.
What's the issue here?
What is the reason not to set WAN connection to VAPs on WAPs by default?
Thanks again for your support!
Joined: 18 Mar 2014 Posts: 12837 Location: Netherlands
Posted: Wed Nov 02, 2022 7:18
An unbridged VAP (or Bridge) will send a DNS address from DNSMasq; by default DNSMasq will send the IP address of the VAP/Bridge as DNS address to the attached clients (you can check your clients for what DNS address they receive).
DNSMasq will query upstream servers; in this case (a WAP) DNSMasq is querying the primary router if you have set up according to the documentation, which states that you should set the primary router's address in Local DNS.
This all assumes you have set up according to instructions (e.g. left DNSMasq enabled etc.).
OK, you were right: on my gateway the box "Use dnsmasq for DNS" was not ticked; afterwards the WAP also had DNS on the VAP.
Net isolation seems not to work on the VAP of the WAP.
I added the following rule to the firewall from your guideline:
Code:
#Replace with the appropriate interface of your VAP, e.g. wl0.1, wlan0.1 etc:
GUEST_IF="wlan0.1"
#Net Isolation does not work on a WAP so keep it disabled, add for isolating VAP from main network:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
iptables -vnL INPUT reports nothing back:
Code:
Chain INPUT (policy ACCEPT 9 packets, 1665 bytes)
pkts bytes target prot opt in out source destination
Any ideas what's wrong with the rules?
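An added check, written here as an example and not taken from the thread or the DD-WRT guide: the guide's REJECT rule is inserted into the FORWARD chain (traffic passing through the WAP), so listing INPUT (traffic addressed to the WAP itself) can never show it. This POSIX shell script derives the network address iptables prints for the rule's -d argument and looks for the rule in a saved iptables -vnL FORWARD listing; the interface, LAN address, netmask and both listings are constructed sample values standing in for the nvram values on a real WAP.

```shell
#!/bin/sh
# Added example, not from the thread or the guide. Constructed values stand in
# for $(nvram get lan_ipaddr) / $(nvram get lan_netmask) on the WAP.
GUEST_IF="wlan0.1"
LAN_IP="10.0.11.2"
LAN_MASK="255.255.255.0"

# Dotted-quad netmask -> prefix length (255.255.255.0 -> 24); runs in a subshell so IFS stays local.
mask_to_prefix() (
  IFS=.
  set -- $1
  bits=0
  for octet in "$@"; do
    while [ "$octet" -gt 0 ]; do
      bits=$((bits + (octet & 1)))
      octet=$((octet >> 1))
    done
  done
  echo "$bits"
)

# Network address iptables prints for "-d <ip>/<mask>" (10.0.11.2/24 -> 10.0.11.0).
lan_network() (
  IFS=.
  set -- $(printf '%s.%s' "$1" "$2")
  echo "$(($1 & $5)).$(($2 & $6)).$(($3 & $7)).$(($4 & $8))"
)

# Does an "iptables -vnL <chain>" listing contain the isolation rule?
# Columns: pkts bytes target prot opt in out source destination ...
# Returns 0 if a REJECT rule with in=$GUEST_IF and destination=LAN network exists.
has_isolation_rule() {
  net="$(lan_network "$LAN_IP" "$LAN_MASK")/$(mask_to_prefix "$LAN_MASK")"
  printf '%s\n' "$1" | awk -v iface="$GUEST_IF" -v net="$net" '
    $3 == "REJECT" && $6 == iface && $9 == net { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# Constructed listings: FORWARD with the rule in place, and the empty INPUT
# chain as seen in the thread. The rule only ever lives in FORWARD.
FORWARD_OK='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in      out     source               destination
   12   960 REJECT     all  --  wlan0.1 *       0.0.0.0/0            10.0.11.0/24         state NEW reject-with icmp-port-unreachable
  340 41200 ACCEPT     all  --  *       *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'
INPUT_EMPTY='Chain INPUT (policy ACCEPT 9 packets, 1665 bytes)
 pkts bytes target     prot opt in      out     source               destination'
has_isolation_rule "$FORWARD_OK" && echo "isolation rule present in FORWARD"
has_isolation_rule "$INPUT_EMPTY" || echo "not in INPUT (expected: list FORWARD instead)"
```

On a live WAP, replace the constructed listings with "$(iptables -vnL FORWARD)" and the constants with the nvram values; a rule that is present but preceded by an ACCEPT for the same traffic still needs a look at rule order.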