[SOLVED] Netgear R8000 as WAP + Guest Wifi (br1) no internet

Tectonic Plates
DD-WRT User


Joined: 02 Oct 2012
Posts: 65
Location: Canada

Posted: Sun Jan 22, 2023 19:48    Post subject: [SOLVED] Netgear R8000 as WAP + Guest Wifi (br1) no internet
Hi,


EDIT: Problem solved. The setting below works perfectly. Embarrassingly, I made a typo in Network, Basic Settings when setting the Local IP Address. For Gateway and Local DNS, instead of the IP address of the primary router, I made a typo on the last digit and set these 2 values to a non-existing IP address. Not sure how the device was able to route traffic of the home network with that typo. After setting the correct IP (i.e. the IP addr of the primary router), the guest wifi network works OK right at the first try.


Using Netgear X6 R8000 with latest firmware 01-19-2023-r51440/netgear-r8000/netgear-r7000-webflash.bin. Updated from firmware 2022-12-14, then Factory Reset.

The device is set as a Wireless Access Point, no WAN, no DHCP. Then add a Guest Wifi using a new bridge br1, which has 3 VAPs assigned. Clients connecting to home Wifi work OK. But when connecting to Guest Wifi, a client can acquire an IP address but cannot connect to the Internet.

Summary of Guest network config:

I would like to add a Guest network that is totally isolated from the home network. I am following egc's guide DDWRT Virtual Access Point Public-5.pdf, discussed in the thread "Two Netgear R7000 how to setup Guest WiFi on 2nd". I confirm egc's guide is working OK on the Netgear R7000 with two unbridged VAPs. This time I would like to repeat the experience on a Netgear X6 R8000, AC3200 WiFi5, Tri-Band, 4Gbps.

The R8000 has 3 physical wifi network interfaces, 1x 2.4GHz, 2x 5GHz. I created 3 VAPs, one for each physical wifi interface. As there are too many VAPs, I derive from egc's guide by using a bridge br1:

- Create 3 bridged VAPs
- Create a new bridge br1 with IP 192.168.77.1/24 which is separated from the primary router subnet 192.168.1.1/24.
- Create new DHCP server, bound to the br1 bridge + reboot
- Assign the 3 VAPs wl0.1, wl1.1, wl2.1 to the bridge br1 + reboot

Create firewall rules + reboot

Code:
# Enable NAT routing outbound traffic to br0 so that br1 (used by all the VAPs) has connectivity
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

# Block home network and guest network from seeing each other
iptables -I FORWARD 2 -i br0 -o br1 -j REJECT
iptables -I FORWARD 2 -i br1 -o br0 -j REJECT

# Restrict br1 from accessing the router's local sockets (services on router: ssh, www, telnet)
iptables -I INPUT -i br1 -m state --state NEW -j REJECT

# Allow request of type DNS (port 53), DHCP (port 67)
iptables -I INPUT -i br1 -p udp --dport 67 -j ACCEPT
iptables -I INPUT -i br1 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i br1 -p tcp --dport 53 -j ACCEPT


QUESTION1: Clients to Guest network can get IP address in the same subnet as the br1 bridge but cannot connect to the Internet. Why?

QUESTION2: On a device with multiple wifi network interfaces (the Netgear R8000 has 3: wl0, wl1, wl2), is it necessary to create a VAP for each interface?

Thanks in advance for any help.

Not sure if this is useful but here is a screenshot showing the br1 bridge and the 3 VAPs



Last edited by Tectonic Plates on Tue Jan 24, 2023 6:22; edited 1 time in total
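
Added example, not part of the original post: the firewall rules above depend on `-I` placing each new rule at the top of the chain, so the DNS and DHCP ACCEPT lines only take effect because they are inserted after the catch-all REJECT. The check below reads a rule listing and confirms that order; the sample listings are constructed, `check_guest_input` is a hypothetical helper name, and `iptables -S` and `awk` being available on the firmware is an assumption.

```shell
# Constructed listing in `iptables -S INPUT` format (availability of -S on
# the firmware is an assumption): the order the post's rules end up in.
sample_good() {
cat <<'EOF'
-A INPUT -i br1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
EOF
}
# Constructed failure case: the REJECT sits first and shadows DNS and DHCP.
sample_bad() {
cat <<'EOF'
-A INPUT -i br1 -m state --state NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i br1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i br1 -p udp -m udp --dport 53 -j ACCEPT
EOF
}

# check_guest_input BRIDGE (hypothetical helper): reads a listing on stdin,
# prints findings, returns 0 only if DHCP and DNS are accepted above the REJECT.
check_guest_input() {
    awk -v br="$1" '
    $1 == "-A" && $2 == "INPUT" {
        n++; iface = proto = port = target = ""; isnew = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "--state" && $(i + 1) ~ /NEW/) isnew = 1
        }
        if (iface != br) next
        key = proto "/" port
        if (target == "REJECT" && isnew && proto == "" && !reject) reject = n
        if (target == "ACCEPT" && seen[key] != "ok") seen[key] = reject ? "late" : "ok"
    }
    END {
        if (!reject) { print "missing: REJECT of NEW connections on " br; bad = 1 }
        m = split("udp/67 udp/53 tcp/53", need, " ")
        for (k = 1; k <= m; k++) {
            if (!(need[k] in seen)) { print "missing: ACCEPT " need[k]; bad = 1 }
            else if (seen[need[k]] == "late") { print "shadowed: ACCEPT " need[k]; bad = 1 }
        }
        exit bad + 0
    }'
}

# On the router (assumed usage): iptables -S INPUT | check_guest_input br1
sample_good | check_guest_input br1 && echo "guest INPUT rules in safe order"
```

A "shadowed" finding means guests would get no DHCP lease or DNS answer from the router itself, which is a different symptom from the one in this thread, where clients did receive an address.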
Tectonic Plates
Posted: Mon Jan 23, 2023 4:40
Also replicated the config of unbridged VAPs (no br1 bridge) exactly as in egc's guide DDWRT Virtual Access Point Public-5.pdf. This config works OK on an R7000, but not on the R8000: same problem as in the previous post using the br1 bridge. Client can acquire an IP address but cannot connect to the Internet.

Maybe the R8000 has some hardware issues with regard to VAPs. Or maybe because it is tri-band?
strange
DD-WRT User


Joined: 18 Jun 2006
Posts: 229

Posted: Mon Jan 23, 2023 17:56
Is NAT Enabled in the guest networks? Here is the guide that I use when setting up my guest network.

https://forum.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

Maybe there is something in there that might help you.

_________________
Netgear XR500 - Gateway
R6700 v3 - Station Bridge
Tectonic Plates
Posted: Tue Jan 24, 2023 2:52
strange wrote:
Is NAT Enabled in the guest networks? Here is the guide that I use when setting up my guest network.

https://forum.dd-wrt.com/wiki/index.php/Guest_WiFi_%2B_abuse_control_for_beginners

Maybe there is something in there that might help you.


Yes, "Masquerade / NAT" is enabled. I was told the guide you linked is obsolete. For example, there is no need to enable "Forced DNS Redirection". I believe that is thanks to the firewall rules that allow DNS and DHCP requests.
strange
Posted: Tue Jan 24, 2023 3:36
It is a very old guide but it works just fine on my XR500. Yeah, I know it's an Atheros chip and your router is a Broadcom chip but, just trying to help.
_________________
Netgear XR500 - Gateway
R6700 v3 - Station Bridge
Tectonic Plates
Posted: Tue Jan 24, 2023 6:24
strange wrote:
It is a very old guide but it works just fine on my XR500. Yeah, I know it's an Atheros chip and your router is a Broadcom chip but, just trying to help.


Found issue, an embarrassing typo. See the red message I have edited in original post.
All times are GMT