Posted: Sun Jan 22, 2023 19:48 Post subject: [SOLVED] Netgear R8000 as WAP + Guest Wifi (br1) no internet
Hi,
EDIT: Problem solved. The setup below works perfectly. Embarrassingly, I made a typo in the Network, Basic Settings page when setting the Local IP Address: for Gateway and Local DNS, instead of the IP address of the primary router, I mistyped the last digit and set these two values to a non-existent IP address. Not sure how the device was able to route traffic for the home network with that typo. After setting the correct IP (i.e. the IP address of the primary router), the guest wifi network worked at the first try.
The device is set up as a Wireless Access Point, no WAN, no DHCP. Then I add a Guest Wifi using a new bridge br1, which has 3 VAPs assigned. Clients connecting to the home Wifi work OK. But when connecting to the Guest Wifi, clients can acquire an IP address but cannot connect to the Internet.
Summary of Guest network config:
The R8000 has 3 physical wifi network interfaces, 1x 2.4 GHz, 2x 5 GHz. I created 3 VAPs, one for each physical wifi interface. As there are too many VAPs, I deviate from egc's guide by using a bridge br1:
- Create 3 bridged VAPs
- Create a new bridge br1 with IP 192.168.77.1/24 which is separated from the primary router subnet 192.168.1.1/24.
- Create new DHCP server, bound to the br1 bridge + reboot
- Assign the 3 VAPs wl0.1, wl1.1, wl2.1 to the bridge br1 + reboot
- Create firewall rules + reboot
Code:
# Enable NAT routing outbound traffic to br0 so that br1 (used by all the VAPs) has connectivity
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)
# Block home network and guest network from seeing each other
iptables -I FORWARD 2 -i br0 -o br1 -j REJECT
iptables -I FORWARD 2 -i br1 -o br0 -j REJECT
# Restrict br1 from accessing the router's local sockets (services on router: ssh, www, telnet)
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
QUESTION1: Clients on the Guest network can get an IP address in the same subnet as the br1 bridge but cannot connect to the Internet. Why?
QUESTION2: On a device with multiple wifi network interfaces (the Netgear R8000 has 3: wl0, wl1, wl2), is it necessary to create a VAP for each interface?
Thanks in advance for any help.
Not sure if this is useful but here is a screenshot showing the br1 bridge and the 3 VAPs.
Last edited by Tectonic Plates on Tue Jan 24, 2023 6:22; edited 1 time in total
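The root cause in the post above was a mistyped gateway/DNS address in the WAP's Basic Settings. The following POSIX sh script is an added example (not code from the thread or from DD-WRT) that checks the handful of addresses a WAP-plus-guest-bridge setup depends on before any firewall rules are applied: the gateway and local DNS must lie inside the WAP's own LAN subnet and must not be the WAP's own address, and the guest bridge (br1) must sit in a different subnet from the LAN. The function names, the positional-argument layout and the sample addresses are assumptions made for this example; the LAN prefix length is passed explicitly because the post gives the subnets as /24.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the IPv4 addresses a
# DD-WRT WAP with a separate guest bridge depends on. Pure POSIX sh, no
# iptables or nvram access, so it can run anywhere (IPv4 only, by assumption).

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer, fails on bad input
ip4_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots into $1..$4
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac   # empty or non-numeric octet
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_mask N -> prints the integer netmask for /N (0..32)
prefix_mask() {
  [ "$1" -ge 0 ] && [ "$1" -le 32 ] || return 1
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
  fi
}

# same_subnet IP1 IP2 PREFIX -> success when both share the /PREFIX network
same_subnet() {
  a=$(ip4_to_int "$1") || return 2
  b=$(ip4_to_int "$2") || return 2
  m=$(prefix_mask "$3") || return 2
  [ $(( a & m )) -eq $(( b & m )) ]
}

# check_wap_addrs LAN_IP PREFIX GATEWAY LOCAL_DNS GUEST_BRIDGE_IP
# Prints one line per finding; returns 0 only when everything is consistent.
check_wap_addrs() {
  lan=$1 pfx=$2 gw=$3 dns=$4 guest=$5
  rc=0
  for ip in "$lan" "$gw" "$dns" "$guest"; do
    ip4_to_int "$ip" >/dev/null 2>&1 || { echo "BAD: '$ip' is not a valid IPv4 address"; rc=1; }
  done
  [ $rc -eq 0 ] || return 1
  # The typo in the post: gateway/DNS pointing outside the LAN the WAP lives on.
  same_subnet "$lan" "$gw" "$pfx"  || { echo "BAD: gateway $gw is outside the LAN /$pfx of $lan"; rc=1; }
  same_subnet "$lan" "$dns" "$pfx" || { echo "BAD: local DNS $dns is outside the LAN /$pfx of $lan"; rc=1; }
  [ "$gw" != "$lan" ] || { echo "BAD: gateway equals the WAP's own address $lan"; rc=1; }
  # The guest bridge must be its own subnet, otherwise the SNAT/REJECT rules make no sense.
  if same_subnet "$lan" "$guest" "$pfx"; then
    echo "BAD: guest bridge $guest overlaps the LAN /$pfx of $lan"; rc=1
  fi
  [ $rc -eq 0 ] && echo "OK: LAN $lan/$pfx, gateway $gw, DNS $dns, guest bridge $guest"
  return $rc
}

# Stand-alone use: check_wap.sh LAN_IP PREFIX GATEWAY LOCAL_DNS GUEST_BRIDGE_IP
if [ $# -ge 5 ]; then
  check_wap_addrs "$@"
fi
```

With the post's layout (primary router 192.168.1.1, WAP somewhere in 192.168.1.0/24, guest bridge 192.168.77.1) a call such as `check_wap_addrs 192.168.1.2 24 192.168.1.1 192.168.1.1 192.168.77.1` reports OK, while a last-digit slip in the gateway (for example 192.168.2.1) is flagged before the rules are installed.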
Also replicated the config of unbridged VAPs (no br1 bridge) exactly as in egc's guide DDWRT Virtual Access Point Public-5.pdf. This config works OK on an R7000. But not on the R8000: same problem as in the previous post using the br1 bridge. Clients can acquire an IP address but cannot connect to the Internet.
Maybe the R8000 has some hardware issues with regard to VAPs. Or maybe because it is tri-band?
Maybe there is something in there that might help you.
Yes, "Masquerade / NAT" is enabled. I was told the guide you linked is obsolete. For example, there is no need to enable "Forced DNS Redirection", I believe thanks to firewall rules that allow DNS and DHCP requests.
It is a very old guide but it works just fine on my XR500. Yeah, I know it's an Atheros chip and your router is a Broadcom chip but, just trying to help.
_________________
Netgear XR500 - Gateway
R6700 v3 - Station Bridge
Found the issue, an embarrassing typo. See the red message I have edited into the original post.