Two Netgear R7000 how to setup Guest WiFi on 2nd

Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Fri Dec 23, 2022 18:16    Post subject: Two Netgear R7000 how to setup Guest WiFi on 2nd
Hi,

Two Netgear R7000, firmware 51024 from 2022-12-14

- R7000 #1 = Primary router, located in a corner in basement, WiFi disabled b/c too weak to reach other parts of the house
- R7000 #2 = WiFi Access Point, DHCP disabled, located in the middle of the house, connected to router 1 by Ethernet cable

WiFi & wired currently working perfectly. The guests just use the home WiFi. I would like to isolate the guest WiFi from the home network. The various documents about setting up a Guest WiFi network I have found so far are quite different from each other.

- Doc1) How to Set Up a DD-WRT Guest Network Manually (from FlashRouter) shows a method which just needs a simple config using the DDWRT WebUI.

- Doc2) DDWRT Wiki, Guest Network show firewall rules and startup script

- Doc3) DDWRT Wiki, Guest WiFi + abuse control for beginners shows some additional steps, which I probably don't need.

- Doc4) Forum post, VAP on WAP for Guest Network which gives a link to @egc guide: DDWRT Virtual Access Point Public-3.doc have some overlap with previous docs, but seems quite complex.

Reading through those docs is quite intimidating. I would like to know if they are suitable for my config (two R7000, where the WiFi Access Point has no router function). Can you please give me some high level directions, so that I could look up the above docs to achieve this objective:

Add a Guest WiFi network in the Netgear R7000 #2 (no DHCP). The goal is just to enable a gateway to the Internet. Properties of the Guest WiFi network:

- Must be in a different subnet than my local network
- No sharing between subnets, guests don't even need to see each other
- No need for bandwidth control. Although if this is not too complicated, I would like to give this a try just for the sake of learning.




Thanks


Last edited by Tectonic Plates on Sat Dec 24, 2022 7:10; edited 3 times in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Dec 23, 2022 18:40
It looks like you want a VAP (Virtual Access Point) on a WAP (Wireless Access Point) Smile

Attached my personal notes which describe how I do it.

First setup a proper WAP as described in the paragraph about a VAP on a WAP and then setup the *unbridged* VAP on the WAP Smile



Attachment: DDWRT Virtual Access Point Public-5.pdf (570.88 KB)


_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087


Last edited by egc on Wed Dec 28, 2022 9:20; edited 3 times in total
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Fri Dec 23, 2022 19:26
egc wrote:
It looks like you want a VAP on a WAP Smile


I went through version 3 of your doc file yesterday (mentioned in the Doc4 link in the initial post). To be honest, I was quite overwhelmed with all the acronyms, in particular VAP and WAP, concepts I am not familiar with.

Thank you for putting up your doc, let's see how far I can go on this doc. Will report here in case of difficulty.
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Fri Dec 23, 2022 21:52
@egc, in DDWRT Virtual Access Point Public-4.doc, page 9 (VAP on WAP):

Quote:
Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre and there are some routers where the WAN port is not added to the br0 so the WAN port could be non-functional on some routers).


Q1. Where is the Connect LAN <> LAN option?
Q2. What is WAP? The primary router or the secondary device which is just Wireless access point?
Q3. On page 9, the instructions say


Quote:

You have to add the following rule to the firewall in order to get internet access from clients attached to the VAP/Bridge.
In the web-interface of the router (the WAP): Administration > Commands save Firewall:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)


"the web-interface of the router (the WAP)" : so the whole time, we only configured the 2nd Netgear R7000 which has DHCP disabled and also firewall disabled (because no WAN) ???

Here is the Virtual Device I have added in the 2nd device. I don't know if this is called VAP or WAP. This is the Netgear R7000 which has WiFi enabled but DHCP disabled (it acquires its network via the Ethernet cable to the primary router):



The instructions on page 9 do not mention anything to do on the primary router. How would it know about the new guest subnet 192.168.22.1/24?


Last edited by Tectonic Plates on Sat Dec 24, 2022 13:52; edited 4 times in total
dale_gribble39
DD-WRT Guru


Joined: 11 Jun 2022
Posts: 1899

PostPosted: Fri Dec 23, 2022 22:24
Tectonic Plates wrote:
Q1. Where is the Connect LAN <> LAN option?

This means you connect the routers via LAN ports, instead of the WAP's WAN port to the main router's LAN port. Network 101.

Tectonic Plates wrote:
Q2. What is WAP? The primary router or the secondary device which is just Wireless access point?

Wireless Access Point. WAP.

I'll let sir egc answer the rest since I am not feeling up to dealing with bedrock.

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Fri Dec 23, 2022 23:17
dale_gribble39 wrote:
Tectonic Plates wrote:
Q1. Where is the Connect LAN <> LAN option?

This means you connect the routers via LAN ports, instead of the WAP's WAN port to the main router's LAN port. Network 101.


Oh, this is how I connect my 2nd R7000 to the main router. The instructions were written as a set of config steps in the DDWRT WebUI; I didn't realize this means the physical cable connection between the two devices. Now this makes sense.

If WAP = Wireless Access Point, I guess that VAP means "Virtual Access Point"? Even though in the DDWRT WebUI, Wireless/Basic Settings, the thing is called "Virtual Interfaces" with a name such as wl0.1.
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Fri Dec 23, 2022 23:25
@egc, still not working. here is how far I got:

- Followed the instructions on page 4, DDWRT WebUI, Setup/Networking, section "Multiple DHCP Servers". Added one, bound to the wl0.1 interface as in the screenshot on page 4 of your document.

- Rebooted the Netgear R7000 (functioning as WAP). Connected my phone to the SSID of the Virtual Interface and the phone does acquire an IP address in the guest subnet 192.168.22.1/24. So DHCP works. But the phone cannot access the Internet.

- DDWRT Virtual Access Point Public-4.doc, page 9 (VAP on WAP), I created the Firewall rules :




Code:
# Allow Internet access to clients attached to the Virtual AccessPoint
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

# Block the Virtual AccessPoint from accessing the main network:
# wl0.1 = Virtual Wireless Interface: DDWRT WebUI, Wireless, Basic Settings
GUEST_IF="wl0.1"
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT


The phone (Pixel3, Android 12) could connect to the Guest WiFi, but reported "no internet access". Then it switched back to the home WiFi.


BTW, can you please explain in more detail this section on page 9 of your doc?

Code:
#For isolating the WAP itself from the VAP/bridge:
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Sat Dec 24, 2022 4:10
OMG, fixed, by using the DDWRT Wiki, Guest Network. The differences from egc's DDWRT Virtual Access Point Public-4.doc which fixed my issue (client on Guest WiFi network cannot access the Internet) are:

The Wireless Virtual Interface must have Forced DNS Redirection enabled. I think this is the main fix. The other settings are almost the same as in egc's guide.




Maybe optional, but I added DNSMasq, Additional options as suggested in the Wiki guide. Personally I like to define the DHCP IP range.

Code:
interface=wl0.1
dhcp-option=wl0.1,3,192.168.22.1
dhcp-range=wl0.1,192.168.22.100,192.168.22.199,255.255.255.0,12h





Just for completeness here are the IPtables rules I use


Code:
# https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN
# wl0.1 = Virtual Wireless Interface: DDWRT WebUI, Wireless, Basic Settings
GUEST_IF="wl0.1"

# Allow Internet access to clients attached to the Virtual AccessPoint
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

# Block the Virtual AccessPoint from accessing the main network:
iptables -I FORWARD -i $GUEST_IF -d $(nvram get lan_ipaddr)/$(nvram get lan_netmask) -m state --state NEW -j REJECT

# isolate the WAP itself from the guest network
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT




Last edited by Tectonic Plates on Sat Dec 24, 2022 13:54; edited 1 time in total
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Dec 24, 2022 6:58
That is all wrong.

My notes clearly state you should keep DNSMasq enabled.
Quote:
• Keep DNSMasq enabled (both on Basic Setup page and Services page)


DHCP is set via the GUI as stated on page 4:
Quote:
Now head over to the Setup/Networking tab , scroll to the bottom and click on Add to add a DHCP server, which you bind to wl0.1 (for Atheros routers it is wlan0.1).
For easier use with CIDR notation set the start address at 64 for a max number of users of 64.


A WAP:
Quote:
VAP on WAP
If you place the unbridged VAP on a Wireless Access Point (note for Broadcom routers for best throughput enable CTF):
A secondary router connected wired LAN<>LAN on the same subnet as the primary router.



Last edited by egc on Sat Dec 24, 2022 7:13; edited 1 time in total
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Sat Dec 24, 2022 7:23
egc wrote:
That is all wrong.

My notes clearly state you should keep DNSMasq enabled.
Quote:
• Keep DNSMasq enabled (both on Basic Setup page and Services page)


DHCP is set via the GUI as stated on page 4:
Quote:
Now head over to the Setup/Networking tab , scroll to the bottom and click on Add to add a DHCP server, which you bind to wl0.1 (for Atheros routers it is wlan0.1).
For easier use with CIDR notation set the start address at 64 for a max number of users of 64.


A WAP:
Quote:
VAP on WAP
If you place the unbridged VAP on a Wireless Access Point (note for Broadcom routers for best throughput enable CTF):
A secondary router connected wired LAN<>LAN on the same subnet as the primary router.


I did exactly ALL the above. The clients of the Guest network do acquire an IP address in the guest subnet (192.168.22.1/24 in my case). But they could not connect to the Internet. Only when I configured the Virtual Interface wl0.1 with "Forced DNS Redirection = enabled" could the guest clients connect to the Internet. This is indicated in the DDWRT Wiki, Guest network.

The screenshots in my post above do show that DNSMasq is enabled. Otherwise the "Additional Options" would not be visible.

I did follow your guide exactly. The post above (2 above this one) was NOT meant to replace your guide. It just shows the parts where there are differences compared to yours. The most notable one, which fixed my issue, was the "Forced DNS Redirection = enabled" in the Wireless Virtual Interface config. The other differences are probably cosmetic.
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Dec 24, 2022 8:34
I just setup from scratch using my own notes and had no problem.

If I connect to my VAP on a WAP I have internet access.

The router is the DNS server and if you followed the instructions and have set on the Basic Setup page Local DNS and Gateway pointing to the main router, then DNSMasq running on this WAP will query your main router for DNS.

ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat Dec 24, 2022 8:46
If you have to enable "force dns redirection" so that your VAP clients can resolve dns queries then you have clearly configured something wrong - period.

By the way, I run 2 WAPs with VAPs myself and configured them within 5 min with no problems and no questions based on egc's original notes.

Thanks for the good guide!

Tectonic Plates wrote:
The screenshots in my post above does show than DNSMasq is enabled. Otherwise the "Additional Options" would not be visible.


No the screenshot does not show that, because dnsmasq can also be disabled in the basic setup tab.
The guide also states that dnsmasq must remain activated in both tabs.

Tectonic Plates wrote:
Code:
# https://wiki.dd-wrt.com/wiki/index.php/Guest_Network#VAP_with_no_WAN
# isolate the WAP itself from the guest network
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT


This is a bad rule, because DNS uses not only UDP but also TCP.

UDP is used for short queries but as soon as the packets exceed a certain size it is switched to TCP (often happens when using IPv6 or DNSSEC).

egc's rules are already correct


also, the guide says to leave "network isolation" disabled because it doesn't work on a WAP.

egc wrote:
#Net Isolation does not work on a WAP so keep it disabled
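An added example, not part of this thread or of either guide, to illustrate the TCP DNS point made in the post above: a small first-match model of the WAP's INPUT chain, fed the two INPUT rule sets quoted in the thread. It shows that the wiki's UDP-only multiport rule rejects a DNS query that has fallen back to TCP, while egc's four rules accept it; the packets are constructed, and a packet that matches no rule is reported as "POLICY" (the chain's default policy, which this model does not assume).

```python
import shlex
from dataclasses import dataclass, field

GUEST_IF = "wl0.1"  # the Virtual Interface name used throughout the thread

# INPUT rules exactly as posted in the thread; $GUEST_IF is substituted below.
WIKI_RULES = [
    "iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT",
    "iptables -I INPUT -i $GUEST_IF -p udp -m multiport --dports 53,67 -j ACCEPT",
]
EGC_RULES = [
    "iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT",
    "iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT",
    "iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT",
    "iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT",
]

@dataclass
class Rule:
    iface: object = None                      # -i (None = any interface)
    proto: object = None                      # -p (None = any protocol)
    dports: set = field(default_factory=set)  # --dport / --dports (empty = any)
    new_only: bool = False                    # -m state --state NEW
    target: str = ""                          # -j

def parse_rule(line):
    """Parse only the iptables options that the thread's INPUT rules use."""
    argv = shlex.split(line.replace("$GUEST_IF", GUEST_IF))
    rule, i = Rule(), 0
    while i < len(argv):
        opt, val = argv[i], (argv[i + 1] if i + 1 < len(argv) else "")
        if opt == "-i":
            rule.iface = val
        elif opt == "-p":
            rule.proto = val
        elif opt in ("--dport", "--dports"):
            rule.dports = {int(p) for p in val.split(",")}
        elif opt == "--state":
            rule.new_only = val == "NEW"
        elif opt == "-j":
            rule.target = val
        else:                   # "iptables", "-I", "INPUT", "-m", "state", ...
            i += 1
            continue
        i += 2
    return rule

def build_chain(lines):
    """'-I' inserts at the top, so the line issued last is matched first."""
    return [parse_rule(line) for line in reversed(lines)]

def verdict(chain, iface, proto, dport, state="NEW"):
    """First-match walk; 'POLICY' means no rule matched and the chain policy applies."""
    for r in chain:
        if (r.iface in (None, iface) and r.proto in (None, proto)
                and (not r.dports or dport in r.dports)
                and (not r.new_only or state == "NEW")):
            return r.target
    return "POLICY"
```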
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Sat Dec 24, 2022 14:04
egc wrote:
I just setup from scratch using my own notes and had no problem.


ho1Aetoo wrote:
by the way i run 2 WAPs with VAPs myself and configured them within 5min with no problems and no questions based on egc's original notes.

...
This is a bad rule, because DNS uses not only UDP but also TCP.

UDP is used for short queries but as soon as the packets exceed a certain size it is switched to TCP (often happens when using IPv6 or DNSSEC).
egc's rules are already correct


Thanks gentlemen, this gives some courage. I will replay egc's guide again today and will keep you posted.
Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

PostPosted: Sat Dec 24, 2022 16:54
Oh, now I could get Guest WiFi working exactly as in egc's guide:

- i.e. putting back "Forced DNS Redirection = disabled" in the Wireless Virtual Interface
- use egc's firewall rules

Code:
# wl0.1 = Virtual Wireless Interface: DDWRT WebUI, Wireless, Basic Settings
GUEST_IF="wl0.1"

# Allow Internet access to clients attached to the Virtual AccessPoint
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

# Block the Virtual AccessPoint from accessing known subnets:
iptables -I FORWARD -i $GUEST_IF -d 192.168.0.0/16 -m state --state NEW -j REJECT

# isolate the WAP itself from the guest network
iptables -I INPUT -i $GUEST_IF -m state --state NEW -j REJECT
iptables -I INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT



The additional change I made was to ENABLE the DHCP Server in Setup/Basic Setup (previously DHCP was disabled). The option "Use DNSMasq for DNS" was already enabled as instructed in egc's guide.

Not sure why a Wireless Access Point needs to have its DHCP server enabled.

There is one weird thing. When the WAP is rebooted, my phone cannot connect to the guest network. But if I open the DDWRT WebUI, Setup, Basic Setup and click "Apply Settings" WITHOUT changing anything, then the phone can connect to the Guest network right at the first try. And I did check that the phone did acquire an IP address of the Guest subnet.


ho1Aetoo
DD-WRT Guru


Joined: 19 Feb 2019
Posts: 2927
Location: Germany

PostPosted: Sat Dec 24, 2022 17:23
1. Disable "net isolation" it does not work.
2. it's not necessary to set additional dnsmasq options, the dhcp server can be fully configured in the "networking" tab.
3. the DHCP server in the tab "basic setup" should be disabled because it is provided by your main router.
4. it is recommended to enable "DHCP authoritative" (it will be used for the VAPs).

5. enable SSID broadcasting (disabling the SSID does not help at all from the security point of view, because your clients will broadcast the SSID, the client will ask loud and clear if the SSID "xyz" is somewhere, otherwise it would not be able to connect to the router)