- R7000 #1 = Primary router, located in a corner in basement, WiFi disabled b/c too weak to reach other parts of the house
- R7000 #2 = WiFi Access Point, DHCP disabled, located in the middle of the house, connected to router 1 by Ethernet cable
WiFi & wired are currently working perfectly. The guests just use the home WiFi. I would like to isolate the guest WiFi from the home network. The various documentations about setting up a Guest WiFi network I have found so far are quite different from each other.
Reading through those docs is quite intimidating. I would like to know if they are suitable for my config (two R7000, where the WiFi Access Point has no router function). Can you please give me some high-level directions, so that I could look up from the above docs how to achieve this objective:
Add a Guest WiFi network in the Netgear R7000 #2 (no DHCP). The goal is just to enable a gateway to the Internet. Properties of the Guest WiFi network:
- Must be in a different subnet than my local network
- No sharing between subnets, guests don't even need to see each other
- No need for bandwidth control. Although if this is not too complicated, I would like to give this a try just for the sake of learning.
Thanks
Last edited by Tectonic Plates on Sat Dec 24, 2022 7:10; edited 3 times in total
I went through version 3 of your doc file yesterday (mentioned in the Doc4 link in the initial post). To be honest, I was quite overwhelmed with all the acronyms, in particular VAP and WAP, which I am not familiar with the concept of.
Thank you for putting up your doc, let's see how far I can go on this doc. Will report here in case of difficulty.
Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre and there are some routers where the WAN port is not added to the br0 so the WAN port could be non-functional on some routers).
Q1. Where is the Connect LAN <> LAN option?
Q2. What is WAP? The primary router or the secondary device which is just Wireless access point?
Q3. On page 9, the instructions say
Quote:
You have to add the following rule to the firewall in order to get internet access from clients attached to the VAP/Bridge.
In the web-interface of the router (the WAP): Administration > Commands save Firewall:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
"the web-interface of the router (the WAP)": so the whole time, we only configured the 2nd Netgear R7000, which has DHCP disabled and also firewall disabled (because no WAN)???
Here is the Virtual Device I have added in the 2nd device. I don't know if this is called VAP or WAP. This is the Netgear R7000 which has WiFi enabled but DHCP disabled (it acquires network via Ethernet cable to the primary router):
The instructions on page 9 do not mention anything to do on the primary router. How would it know about the new guest subnet 192.168.22.1/24?
Last edited by Tectonic Plates on Sat Dec 24, 2022 13:52; edited 4 times in total
This means you connect the routers via LAN ports, instead of the WAP's WAN port to the main router's LAN port. Network 101.
Tectonic Plates wrote:
Q2. What is WAP? The primary router or the secondary device which is just Wireless access point?
Wireless Access Point. WAP.
I'll let sir egc answer the rest since I am not feeling up to dealing with bedrock.
This means you connect the routers via LAN ports, instead of the WAP's WAN port to the main router's LAN port. Network 101.
Oh, this is how I connect my 2nd R7000 to the main router. The instructions were written as a set of config steps in the DDWRT WebUI; I didn't realize this means the physical cable connection between the two devices. Now this makes sense.
If WAP = Wireless Access Point, I guess that VAP means "Virtual Access Point"? Even though in the DDWRT WebUI, Wireless/Basic Settings, the thing is called "Virtual Interfaces" with a name like wl0.1.
- Followed the instructions on page 4, DDWRT WebUI, Setup/Networking, section "Multiple DHCP Servers". Added one, bound to the wl0.1 interface as in the screenshot on page 4 of your document.
- Rebooted the Netgear R7000 (functioning as WAP). Connected my phone to the SSID of the Virtual Interface and the phone does acquire an IP address in the guest subnet 192.168.22.1/24. So DHCP works. But the phone cannot access the Internet.
# Allow Internet access to clients attached to the Virtual AccessPoint
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
# Block the Virtual AccessPoint from accessing the main network:
# wl0.1 = Virtual Wireless Interface: DDWRT WebUI, Wireless, Basic Settings
GUEST_IF="wl0.1"
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
The phone (Pixel 3, Android 12) could connect to the Guest WiFi, but reported "no internet access". Then I switched back to the home WiFi.
BTW, can you please explain in more detail this section on page 9 of your doc?
The Wireless Virtual Interface must have Forced DNS Redirection enabled. I think this is the main fix. The other settings are almost the same as in egc's guide.
Maybe optional, but I added DNSMasq, Additional options as suggested in the Wiki guide. Personally I like to define the DHCP IP range.
# Allow Internet access to clients attached to the Virtual AccessPoint
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
# Block the Virtual AccessPoint from accessing the main network:
# wl0.1 = Virtual Wireless Interface: DDWRT WebUI, Wireless, Basic Settings
GUEST_IF="wl0.1"
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT
# isolate the WAP itself from the guest network
# (-I inserts at the top, so the ACCEPT issued last ends up above the REJECT)
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT
Last edited by Tectonic Plates on Sat Dec 24, 2022 13:54; edited 1 time in total
Posted: Sat Dec 24, 2022 6:58 Post subject:
That is all wrong.
My notes clearly state you should keep DNSMasq enabled.
Quote:
• Keep DNSMasq enabled (both on Basic Setup page and Services page)
DHCP is set via the GUI as stated on page 4:
Quote:
Now head over to the Setup/Networking tab, scroll to the bottom and click on Add to add a DHCP server, which you bind to wl0.1 (for Atheros routers it is wlan0.1).
For easier use with CIDR notation set the start address at 64 for a max number of users of 64.
A WAP:
Quote:
VAP on WAP
If you place the unbridged VAP on a Wireless Access Point (note for Broadcom routers for best throughput enable CTF):
A secondary router connected wired LAN<>LAN on the same subnet as the primary router.
I did exactly ALL the above. The clients of the Guest network do acquire an IP address of the guest subnet (192.168.22.1/24 in my case). But they could not connect to the Internet. Only when I configure the Virtual Interface wl0.1 with "Forced DNS Redirection = enabled" can the guest clients connect to the Internet. This is indicated in the DDWRT Wiki, Guest network.
The screenshots in my post above do show that DNSMasq is enabled. Otherwise the "Additional Options" would not be visible.
I did follow exactly your guide. The post above (2 above this one) was NOT meant to replace your guide. It just shows the parts where there are differences compared to yours. The most notable one which fixed my issue was the "Forced DNS Redirection = enabled" in the Wireless Virtual Interface config. The other differences are probably cosmetic.
If you have to enable "force dns redirection" so that your VAP clients can resolve DNS queries, then you have clearly configured something wrong - period.
By the way, I run 2 WAPs with VAPs myself and configured them within 5 min with no problems and no questions based on egc's original notes.
Thanks for the good guide!
Tectonic Plates wrote:
The screenshots in my post above do show that DNSMasq is enabled. Otherwise the "Additional Options" would not be visible.
No, the screenshot does not show that, because dnsmasq can also be disabled in the Basic Setup tab.
The guide also states that dnsmasq must remain activated in both tabs.
Tectonic Plates wrote:
Code:
# https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN
# isolate the WAP itself from the guest network
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT
This is a bad rule, because DNS uses not only UDP but also TCP.
UDP is used for short queries, but as soon as the packets exceed a certain size it is switched to TCP (often happens when using IPv6 or DNSSEC).
egc's rules are already correct.
Also, the guide says to leave "network isolation" disabled because it doesn't work on a WAP.
egc wrote:
#Net Isolation does not work on a WAP so keep it disabled
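As an added example (my own script, not egc's guide or the wiki's rule set), here is a POSIX shell script that emits the guest-VAP rule set with the TCP/53 ACCEPT that the UDP-only wiki rule lacks, and audits an iptables-save dump both for the presence of those rules and for the INPUT REJECT sitting below the ACCEPTs. The interface name, LAN address and netmask are assumed values; on a real WAP they come from nvram.

```shell
#!/bin/sh
# Added example: emit the guest-VAP firewall rules for a DD-WRT WAP (with TCP/53)
# and audit an iptables-save dump for those rules and their order. Not from egc's guide.
# Assumed values; on a real WAP use $(nvram get lan_ipaddr) / $(nvram get lan_netmask).
GUEST_IF="${GUEST_IF:-wl0.1}"
LAN_IP="${LAN_IP:-192.168.1.2}"
LAN_MASK="${LAN_MASK:-255.255.255.0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # how iptables-save prints LAN_IP/LAN_MASK

# Print the rules as iptables commands. -I inserts at the top of the chain, so the
# ACCEPTs are issued after the catch-all REJECT and therefore end up above it.
guest_rules() {
  cat <<EOF
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $LAN_IP
iptables -I FORWARD -i $GUEST_IF -d $LAN_IP/$LAN_MASK -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
EOF
}

# Read an iptables-save dump on stdin; print one line per problem (missing rule, or
# the INPUT REJECT placed above an ACCEPT). Prints nothing when the dump is fine.
audit_dump() {
  dump="$(cat)"
  for rule in \
    "-A INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT" \
    "-A INPUT -i $GUEST_IF -p tcp -m tcp --dport 53 -j ACCEPT" \
    "-A INPUT -i $GUEST_IF -m state --state NEW -j REJECT" \
    "-A FORWARD -i $GUEST_IF -d $LAN_NET -m state --state NEW -j REJECT"
  do
    printf '%s\n' "$dump" | grep -qF -- "$rule" || echo "MISSING: $rule"
  done
  rej=$(printf '%s\n' "$dump" | grep -n -- "-A INPUT -i $GUEST_IF -m state --state NEW -j REJECT" | cut -d: -f1 | head -n 1)
  acc=$(printf '%s\n' "$dump" | grep -n -- "-A INPUT -i $GUEST_IF -p .* -j ACCEPT" | cut -d: -f1 | sort -n | tail -n 1)
  if [ -n "$rej" ] && [ -n "$acc" ] && [ "$rej" -lt "$acc" ]; then
    echo "ORDER: INPUT REJECT (line $rej) is above an ACCEPT (line $acc); DHCP/DNS never reach the WAP"
  fi
}

# Constructed sample dump: a WAP that applied only the UDP-only rule set from the wiki.
SAMPLE_DUMP='*filter
-A INPUT -i wl0.1 -p udp -m multiport --dports 53,67 -j ACCEPT
-A INPUT -i wl0.1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i wl0.1 -d 192.168.1.0/24 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
COMMIT'

if [ "${1:-}" = "--demo" ]; then
  guest_rules
  printf '%s\n' "$SAMPLE_DUMP" | audit_dump   # reports the missing TCP/53 ACCEPT
fi
```

On a real WAP, pipe `iptables-save` into `audit_dump` instead of the constructed sample.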
I just set up from scratch using my own notes and had no problem.
ho1Aetoo wrote:
By the way, I run 2 WAPs with VAPs myself and configured them within 5 min with no problems and no questions based on egc's original notes.
...
This is a bad rule, because DNS uses not only UDP but also TCP.
UDP is used for short queries, but as soon as the packets exceed a certain size it is switched to TCP (often happens when using IPv6 or DNSSEC).
egc's rules are already correct.
Thanks gentlemen, this gives some courage. I will replay egc's guide again today and will keep you posted.
The additional change I have made was to ENABLE the DHCP Server in Setup/Basic Setup (previously DHCP was disabled). The option "Use DNSMasq for DNS" was already enabled as instructed in egc's guide.
Not sure why a Wireless Access Point needs to have its DHCP server enabled.
There is one weird thing. When the WAP is rebooted, my phone cannot connect to the guest network. But if I open the DDWRT WebUI, Setup, Basic Setup and click "Apply Settings" WITHOUT changing anything, then the phone can connect to the Guest network right at the first try. And I did check that the phone did acquire an IP address of the Guest subnet.
1. Disable "net isolation"; it does not work.
2. It's not necessary to set additional dnsmasq options; the DHCP server can be fully configured in the "Networking" tab.
3. The DHCP server in the "Basic Setup" tab should be disabled because it is provided by your main router.
4. It is recommended to enable "DHCP authoritative" (it will be used for the VAPs).
5. Enable SSID broadcasting (disabling the SSID does not help at all from the security point of view, because your clients will broadcast the SSID; the client will ask loud and clear if the SSID "xyz" is somewhere, otherwise it would not be able to connect to the router).