1. Disable "net isolation"; it does not work.
2. It's not necessary to set additional dnsmasq options; the DHCP server can be fully configured in the "networking" tab.
3. The DHCP server in the "basic setup" tab should be disabled because it is provided by your main router.
4. It is recommended to enable "DHCP authoritative" (it will be used for the VAPs).
5. Enable SSID broadcasting (disabling the SSID does not help at all from a security point of view, because your clients will broadcast the SSID: the client will ask loud and clear whether the SSID "xyz" is somewhere; otherwise it would not be able to connect to the router).
Merry Xmas to you all, guys. Thanks a lot for taking the trouble to help me out. Thanks for the background explanation about disabling the SSID. Even though this has no effect on security, I still prefer my neighbors not knowing about my SSID.
Done all the above (+reboot the WAP) except:
In the latest firmware I used, there is no "DHCP authoritative", only DHCP Forwarder, which I configured with the IP address of the main router. The screenshot below shows the firmware version (top right) and the Setup/Basic setup.
Result: The phone seems to connect to the Guest network, but no Internet. Then Android switches to the home WiFi, which connects OK to the Internet.
I have tried to SSH into the WAP, hoping to check connectivity with the DHCP version. Not sure if it's correct. But if you need me to run some command lines to gather diagnostic info, please let me know.
default via 192.168.1.250 dev br0
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev br0 scope link src 192.168.1.251
192.168.22.0/24 dev wl0.1 scope link src 192.168.22.1
I have changed the DHCP settings to match what you advised. Also emptied all the Additional options in the DNSMasq service. Still not working, EXCEPT if I go to the DDWRT WebUI, Setup, Basic Setup, and click "Apply Settings" WITHOUT changing anything.
So it looks like clicking "Apply Settings" started something which could not start properly when the WAP device finished its reboot. I have attempted to add various startup commands, which amount to "sleep 10; startservice wlconf; startservice dnsmasq". I even SSHed into the WAP after reboot to run various service restarts. None of this works. But as soon as I click that "Apply Settings" button described above, the Guest network works OK.
Not sure what is going on, maybe a bug in the firmware?
Regarding the STP option: Spanning Tree Protocol was enabled when I was experimenting with a mesh WiFi network.
This STP setting has no impact on the Guest Network. Enabled or disabled gives the same test results (with and without a reboot of the WAP device).
Well, activate the SSID broadcasting for a test.
Maybe there is a bug.
Just tested. Enabling or disabling SSID broadcast changed nothing. After rebooting the WAP device, I must use the DDWRT WebUI to click on "Apply Settings" somewhere, without making any change.
This time, I clicked "Apply Settings" in the menu "Wireless/Basic Settings" (instead of Setup/Basic Setup). Then a few seconds later, the phone could connect to the Guest network.
Indeed I read the DDWRT Wiki, Guest network / No VAP at boot (Broadcom). I had adapted the instructions of that guide to my device. Also tried starting various services like wlconf or dnsmasq. NONE of that worked.
Fortunately I rarely reboot the WAP device, so I can live with that manual workaround for now.
A lot of the things you read and are referencing are outdated.
Recent builds do not need any workaround and are just working.
Using and mixing instructions from different sources often does not lead to the desired result.
My advice: reset to defaults and only use my instructions.
But it is a free world, so do as you please.
I actually wanted to use only your guide, exactly to avoid reading too many different guides. One thing I didn't attempt was to reconfigure from scratch after a reset. Will do that later and keep you posted.
I have polished my notes a bit, so try with the latest version 5, which can be downloaded earlier in this thread.
Would like to let you know that the guide v5 works impeccably, right on the first try! This time I flashed the latest DDWRT + factory reset, then applied all the config from your guide.
Indeed you were right. There was some crappy config in my WiFi AP which I restored over and over each time I upgraded DDWRT. But at one point some inconsistencies happened in the config, actually to the point of bricking my Netgear R7000, which I had to spend almost a day to unbrick. Discussed in "bricked Netgear R7000 after update to 2023-01-15".
Can you please give your opinion on this scenario, which is not covered by your guide? The idea is to enable both 2.4GHz and 5GHz in the Guest WiFi.
Create TWO unbridged Virtual Access Points on a WAP (Wireless Access Point, no router function). Each VAP has a different IP address and a different subnet than the home network.
- wl0.1 (2.4 GHz) - 192.168.22.1
- wl1.1 (5 GHz) - 192.168.22.2
- Both VAP have the same SSID
- Wireless Security: same config for both VAPs: WPA2-PSK, CCMP-128 (AES), same password
- new DHCP server, bound to wl0.1
Firewall rules modified to accommodate both VAPs
Code:
# Allow Internet access to clients attached to the Virtual Access Point
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to "$(nvram get lan_ipaddr)"
for GUEST_IF in "wl0.1" "wl1.1"
do
    # Block the Virtual Access Point from accessing known subnets:
    iptables -I FORWARD -i "$GUEST_IF" -d 192.168.0.0/16 -m state --state NEW -j REJECT
    # Isolate the WAP itself from the guest network
    iptables -I INPUT -i "$GUEST_IF" -m state --state NEW -j REJECT
done
Trying the above, I have noticed the Guest WiFi is unreliable and mostly non-functional:
- Can only connect ONE client. The 2nd client can connect to the Guest network and has a proper IP address but cannot access the Internet
- The 1st client, although it could connect to the Internet, took about 30 seconds. First it could obtain an IP address. Then Android notified "could not connect to Internet". Then shortly after, Android reported "Connected"
QUESTION: is it because of an incorrect firewall rule? Because your guide seems to indicate that multiple VAPs are possible.
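Added example, not part of the thread or of the guide it refers to: with two unbridged VAPs addressed 192.168.22.1 and 192.168.22.2, both interfaces carry the same connected prefix if each uses a /24 netmask, and a route lookup for a guest address then resolves to only one of them. The script below reports such shared prefixes from `ip route` output; the `wl1.1` route line and its /24 netmask are assumptions added to the route table posted earlier in the thread, and `shared_prefixes` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample: the route table posted earlier in the thread, plus one
# ASSUMED line for the planned second VAP (wl1.1 with a /24 netmask).
SAMPLE_ROUTES='default via 192.168.1.250 dev br0
127.0.0.0/8 dev lo scope link
192.168.1.0/24 dev br0 scope link src 192.168.1.251
192.168.22.0/24 dev wl0.1 scope link src 192.168.22.1
192.168.22.0/24 dev wl1.1 scope link src 192.168.22.2'

# Read `ip route` output on stdin and print every directly connected prefix
# that is present on more than one interface, as "prefix: dev1 dev2 ...".
# Prints nothing when every connected prefix belongs to a single interface.
shared_prefixes() {
    awk '
        # Connected routes look like "<prefix>/<len> dev <ifname> ...";
        # "default via ..." and host routes without a slash are skipped.
        $1 ~ /\// && $2 == "dev" {
            if (!($1 in devs)) order[++n] = $1
            devs[$1] = devs[$1] (devs[$1] == "" ? "" : " ") $3
            count[$1]++
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1)
                    print order[i] ": " devs[order[i]]
        }'
}

# Run against the constructed sample. On the device itself the equivalent is:
#   ip route show | shared_prefixes
printf '%s\n' "$SAMPLE_ROUTES" | shared_prefixes
```

An empty result means each guest interface has its own subnet, which is the layout where per-interface DHCP scopes and the per-interface isolation rules above apply independently.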